It’s the email every Internet business dreads having to compose to its customers, but last weekend Evernote became only the latest in a long list of big brands to find itself reluctantly hitting the ‘send’ button.
As a precaution the company asked its 50 million users to reset their passwords after attackers breached its systems and potentially accessed user names, email addresses and password hashes.
That Evernote’s assurance that the passwords were hashed and salted isn’t being taken as great news tells you a lot about how exposed many of those passwords still are. Hashing is one-way, so the attackers cannot simply decrypt the list; what they can do is hash their own guesses and compare the results. A long, complex password stands up to that. A short, predictable one does not: the salt stops the attacker reusing a precomputed table across users, but it does nothing to stop them trying the most common possibilities against each user in turn.
Nobody knows how many Evernote users chose weak passwords, but past breaches tell us it will be a significant number. Hashed or not, how long does it take to guess ‘evernote123’? Armed with that password and the matching email address (remember, the attackers have those too), they can then try the same credentials, and obvious variations of them, against many other Internet services.
This is the dismal arithmetic of passwords, and nobody has a cheap, simple way to counter it: one database breach can at a stroke compromise accounts across several services, because too many users still reuse passwords and underestimate their vulnerability to attack.
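To make the arithmetic concrete, here is an added example (not Evernote’s code; Evernote has not published its hashing scheme, so PBKDF2-HMAC-SHA256 with a random per-user salt is an assumption standing in for a reasonable ‘hashed and salted’ store). It builds a constructed, entirely made-up leaked table of four users, then runs the attacker’s side: a small guess list seeded with the breached site’s name and common suffixes, hashed afresh against each user’s salt. The salt means two users with the same password get different hashes and each must be attacked separately, yet ‘evernote123’ and ‘Password1’ fall within a handful of guesses while the long password does not. The same guess list doubles as the registration-time check discussed under ‘The password problem’ below: a site can refuse any password its own cracker would find.

```python
"""Dictionary attack on a constructed dump of salted PBKDF2 password hashes.

Added example, not Evernote's code. Every record below is made up; the
hashing scheme (PBKDF2-HMAC-SHA256, per-user random salt) is an assumption.
"""
import hashlib
import os
from typing import Iterator

ITERATIONS = 10_000         # real deployments use far more; kept low so the demo is quick
SERVICE_NAME = "evernote"   # attackers seed their guesses with the name of the breached site


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way salted hash as a site might store it. Nothing here can be 'decrypted'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(email: str, password: str) -> dict:
    """What the site keeps: email, a random 16-byte salt and the hash. No plaintext."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed 'leaked' table. Alice and Dave chose the same weak password;
# Carol chose a long one that is not on any short guess list.
LEAKED = [
    make_record("alice@example.com", "evernote123"),
    make_record("bob@example.com", "Password1"),
    make_record("carol@example.com", "vq7!Rk2#sLm9pZ-wheel-harbour"),
    make_record("dave@example.com", "evernote123"),
]

BASE_WORDS = ["password", SERVICE_NAME, "letmein", "welcome", "qwerty"]
SUFFIXES = ["", "1", "123", "2013", "!"]


def candidates() -> Iterator[str]:
    """The attacker's guess list: common words, the site name, common mangling rules."""
    for word in BASE_WORDS:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield form + suffix


def crack(records: list) -> dict:
    """Per-user dictionary attack.

    The salt forces one fresh hash per guess per user, so no precomputed table
    helps, but 75 guesses per user is trivial work. Returns {email: password}
    for every user whose password was found; with the email attached, each hit
    is ready to be replayed against other services.
    """
    found = {}
    for rec in records:
        for guess in candidates():
            if hash_password(guess, rec["salt"]) == rec["hash"]:
                found[rec["email"]] = guess
                break
    return found


def survives_cracker(password: str) -> bool:
    """Registration-time check a site could run (assumed policy, not Evernote's):
    reject anything on the attacker's guess list or containing the service name."""
    if SERVICE_NAME in password.lower():
        return False
    return password not in set(candidates())


if __name__ == "__main__":
    for email, pw in crack(LEAKED).items():
        print(f"{email}: {pw}")
    print("same password, different hashes:", LEAKED[0]["hash"] != LEAKED[3]["hash"])
    print("carol's password survives:", survives_cracker("vq7!Rk2#sLm9pZ-wheel-harbour"))
```

Running it cracks three of the four accounts with 75 guesses each. Raising the iteration count slows every guess but does not change the outcome for passwords this predictable; only a password that is not on the list, or a check that refuses such passwords at sign-up, does that.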
But is Evernote a significant business risk?
It should be made clear that, so far, there is no evidence that whatever happened at Evernote poses an immediate risk to account holders; the company says it has not seen any account hacks or takeovers.
Leaving it at that won’t satisfy any conscientious admins or, for that matter, their user base. So how should sysadmins best approach Evernote-type advisories?
It is an inconvenient fact that online content sharing systems such as Evernote hand a degree of discretion to individual users. Business admins decide which users get to access the service and with which email accounts (i.e. an organisation’s domain), as well as which shared notebooks they can see, but (as far as we can tell) applications like Evernote offer admins little control over the password itself.
The Evernote system has started nagging users by email and within the application to reset their passwords, which is a good start but only part of the problem. If passwords are the weakness, admins have no control over the quality of the replacement passwords chosen, and no guarantee that every employee will reset theirs in a timely way.
Uncomfortably, it might take only a few users not resetting their passwords quickly to put others who have done so at risk: one compromised account with access to a shared notebook exposes everything that colleagues have put there.
One radical option would be for Evernote admins to force matters by revoking all access and re-enrolling users. We weren’t able to confirm the practicalities of such an approach but suspect it would likely cause more trouble than it is worth.
The password reset is still a good excuse to audit Evernote use inside an organisation, and what sort of information is being stored there. For the record, if an employee leaves an organisation, they are disconnected from shared notebooks but they retain access to any personal notebooks within the system, including whatever was copied there.
Remember Evernote is a system built on joining individuals together in a bottom up way (it emerged as a Mac application), which is one reason why it’s had some success in businesses where the traditional top-down approach often falls short (ask any Lotus Notes user).
It’s a fair bet that Evernote will have grown organically in many enterprises in a ‘bring your own service’ fashion, and organisations might not have thought through the security risks this devolved model poses. Now is a chance to do so.
The service does offer a number of security features, such as the ability to encrypt text within notes and to store data locally, but (again, as far as we can tell) these cannot be enforced or managed by admins, so it is down to each individual to use the service responsibly.
What about the possibility of a similar attack on Evernote in future? With this sort of issue in mind, the company has announced plans to speed up its roll-out of two-factor authentication (2FA), bolstered by stronger hashing of its stored passwords. These will improve Evernote’s security for sure, but the deeper issue of users having discretion over their own security remains.
The password problem
Attacks on applications like Evernote tell the world that passwords on their own are no longer adequate security, which isn’t the same as saying that adding secondary layers such as 2FA is a long-term solution.
Two-factor authentication can also be attacked (a phishing site that relays the one-time code to the real service in real time defeats SMS and app-generated codes alike), and it starts to become unmanageable when users are asked to authenticate themselves with a different 2FA scheme for every service. It is a stop gap that works well in places (banks, Google, PayPal, say), but doesn’t scale.
The realisation of these complexities isn’t new; witness the strenuous efforts to get federated identity systems off the ground over the last half decade. But until users have an open identity standard that works across businesses, with enough fine-grained controls built in, passwords will remain on the front line.
One way application developers could help is by building better password security into the design of their applications: enforcing complexity, rejecting passwords that appear on common-guess lists, and perhaps supporting multiple federated identity systems. They could also demand that users take more responsibility for their passwords, including mandating regular password changes.
Passwords shouldn't be changed because a worried email turns up asking for that to be done - they should be changed at regular intervals, regardless.
To date, firms have been very reluctant to introduce more authentication hassle because they are still captured by the allure of the ‘build it and the investors will come’ mentality. But security goes beyond mere user numbers.
The lesson of Evernote’s password reset for the industry could be that one million happy and secure users matter more than ten million insecure ones. Admins are definitely in this for the long haul.
Evernote’s terms and conditions set out each user’s and admin’s responsibilities.