More developments on the Evernote front: apparently they were already planning to deploy two-factor authentication, as many have suggested, and the latest breach is just going to speed up the deployment. As mentioned previously, Evernote reported that attackers were able to access usernames, email addresses, and salted password hashes. Later reports pegged the weaker MD5 as the hashing algorithm instead of something more secure like SHA-1 or SHA-2. Best practice over the last few years, however, has been to use true password-based key derivation functions such as PBKDF2, scrypt, or bcrypt, but companies continue to lag behind due to implementation difficulties. And of course there are still considerations with these functions because of the potential tradeoff between brute-force and denial-of-service protection: the work factor that slows down an attacker's guesses is also paid by the server on every login attempt.
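To make the contrast between salted MD5 and a password-based KDF concrete, here is an added example (not code from Evernote or from the original post) that puts a single-pass salted MD5 next to PBKDF2 with a stored iteration count. The iteration count, the password length cap, and the `$`-separated record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; tune them against real login hardware.
PBKDF2_ITERATIONS = 200_000   # work an attacker must repeat for every guess
MAX_PASSWORD_BYTES = 1024     # caps the input a single login request can submit
SALT_BYTES = 16


def legacy_salted_md5(password: str, salt: bytes) -> str:
    """The weak scheme: one fast MD5 call per guess, salted or not."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a record made by hash_password()."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False  # reject before spending any KDF time
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or not 1 <= iterations <= 10 * PBKDF2_ITERATIONS:
        return False  # unknown scheme, or an iteration count we refuse to run
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return hmac.compare_digest(digest, expected)  # constant-time comparison
```

Storing the iteration count in each record lets the cost be raised later without invalidating existing hashes, while the length cap and the upper bound on iterations keep a single request from forcing unbounded work on the server.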
Evernote, after suffering a data breach that caused the company to reset passwords for all of its 50 million users, announced that it plans to adopt two-factor authentication as quickly as possible.
“We were already planning to roll out optional two-factor authentication to all of our users later this year,” said Evernote spokeswoman Ronda Scott via email. “We are accelerating those plans now.”
Evernote warned all users Sunday via email that the company had suffered a security breach, after the company’s operations and security team “discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.”
Were you affected by the Evernote breach? Post your comments below. Today’s post pic is from GettyIcons.com.