[ale] evernote security breach

Michael H. Warfield mhw at WittsEnd.com
Mon Mar 4 14:19:40 EST 2013


On Mon, 2013-03-04 at 13:33 -0500, Richard Bronosky wrote:
> I use XKCD passwords http://xkcd.com/936/

> I've been pleasantly surprised to find most of the services I care
> about don't complain about my 30+ character passwords. I really wish
> they would be smarter about entropy measurement rather than just
> insisting that some stupid rules be satisfied.

Entropy is intrinsically impossible to measure based on a single presented
password.  You have no way, based on the password alone, to know the
distribution set, be it a character set or a word lexicon or some
combination, on which the password is based and from which it was
chosen.  The entropy is fundamentally tied to the size of that
distribution set and is unknowable based on a single example derived
from that set.  You MIGHT be able to tell that it was incredibly poor
("password" chosen from a pool with a 128 bit entropy still sucks) but
it's still not possible to tell what the entropy of the pool was.

I did a system, recently, based on the IETF OPIE 2048 word lexicon (13
bit entropy per word).  System used 12 words, case independent, no
requirement for punctuation or numbers.  Could be read over a phone with
little chance of mistake (it was a help desk emergency recovery related
system).  Passphrases like that will always stand up to cracklib and
John the Ripper tests but will consistently fail content complexity
rules.  Still, it had 156 bits of entropy in the system and I would
certainly have trusted it.

> On Mon, Mar 4, 2013 at 12:58 PM, Michael H. Warfield
> <mhw at wittsend.com> wrote:
>         On Mon, 2013-03-04 at 12:38 -0500, Ron Frazier (ALE) wrote:
>         >
>         > "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
>         >
>         > >On Mon, 2013-03-04 at 09:35 -0500, Ron Frazier (ALE) wrote:
>         > >> Hi all,
>         > >
>         > >> I first saw the link to this article on the dc404 mailing
>         > >> list.  If you're an evernote user, you need to know about this.
>         > >>
>         > >> http://www.theverge.com/2013/3/2/4056704/evernote-password-reset
>         > >
>         > >If you are an Evernote user, you need to change your password.  The
>         > >attackers had access to user-id's and password hashes.  The passwords
>         > >were hashed and salted but simple passwords are still subject to
>         > >off-line brute force and rainbow table attacks.  Change your password
>         > >to a good, high complexity, password or passphrase.
>         > >
>         
>         > Do you think a 15 character random alphanumeric generated by
>         > Lastpass is good enough?  Or, should you go longer if the site
>         > will let you?
>         
>         That's probably reasonable although my personal preference is
>         for passphrases.  I take several words (Jabberwocky style) and
>         mix in some numbers and punctuation.  Much easier to remember
>         and type (especially on a smart phone) and very much easier to
>         remember.
>         
>         I run into more dain-bramaged sites that don't allow
>         punctuation than really limit the length but there are some
>         still out there that haven't gotten the memo and restrict your
>         length to negligently short lengths.
>         
>         > >MOST IMPORTANT!  This is NOT mentioned in the article
>         > >quoted, but...  If you used the same user id (E-Mail address)
>         > >or similar and the same password on other sites, change all of
>         > >them and use different passwords on each.  It is not uncommon
>         > >for someone to use the same password and id on different
>         > >sites.  It is equally not uncommon for attackers to KNOW THIS
>         > >and, once they break your password on one site, to use a
>         > >common, broken, password to attack other sites.  That includes
>         > >sites with other common variations on your user id.
>         > >
>         >
>         > I've known this for some time, but only recently went to the
>         > trouble to do it, after LinkedIn had their break in.  I'm now
>         > using Lastpass, which is a good way to keep track of many
>         > different passwords for different sites.  (I know there are
>         > other solutions too.)  It was a major pain to go to every site
>         > I had and go through the password change procedure, especially
>         > because, for the ones that were already different, I had to
>         > look them up.  However, every one is now different and
>         > random.  Every time I generate a new password for a new site,
>         > or change one on an old site, I let Lastpass handle it.  The
>         > password vault is secured by a master password that you don't
>         > give out online.  If anyone is interested, I can post my
>         > recommended settings for Lastpass preferences.  You can use
>         > the service for free on PC's, but have to pay a modest fee for
>         > Premium service to use on mobile devices.  I pay the fee, and
>         > am glad to support their continued development.
>         >
>         > >> Sincerely,
>         > >
>         > >> Ron
>         > >
>         > >Regards,
>         > >Mike
>         > >
>         > >
>         >
>         > --
>         >
>         > Sent from my Android Acer A500 tablet with bluetooth keyboard
>         > and K-9 Mail.  Please excuse my potential brevity if I'm typing
>         > on the touch screen.
>         >
>         > (PS - If you email me and don't get a quick response, you might
>         > want to call on the phone.  I get about 300 emails per day from
>         > alternate energy mailing lists and such.  I don't always see new
>         > email messages very quickly.)
>         >
>         > Ron Frazier
>         > 770-205-9422 (O)   Leave a message.
>         > linuxdude AT techstarship.com
>         >
>         >
> 
> -- 
> .!# RichardBronosky #!.

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
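The point made above, that entropy belongs to the pool a secret was drawn from and not to the string you are shown, can be demonstrated directly. The Python below is an added example, not code from this message or from anyone in the thread: the 16-word lexicon is a constructed stand-in for a real word list, and the "naive meter" is a hypothetical string-only strength checker written here for contrast. It generalises slightly beyond the message by using the general formula draws × log2(pool size) for any uniform generator, and it also handles a lexicon with duplicate entries, which silently shrinks the real pool.

```python
import math
import secrets
import string

# Constructed stand-in for a word lexicon (not the real OPIE list, which has
# 2048 entries). Sixteen words means each draw carries log2(16) = 4 bits.
TOY_LEXICON = [
    "apple", "brick", "cloud", "delta", "eagle", "flint", "grape", "house",
    "ivory", "jolly", "knife", "lemon", "mango", "noble", "ocean", "pearl",
]

# Character classes a hypothetical string-only meter recognises, with the
# size of each class (string.punctuation has 32 symbols; space is counted
# with them, giving 33).
CHAR_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]


def generation_entropy_bits(pool_size: int, draws: int) -> float:
    """Entropy of a secret made of `draws` independent uniform picks from a
    pool of `pool_size` alternatives: draws * log2(pool_size). This is a
    property of the generating process, not of any single output string."""
    if pool_size < 2 or draws < 1:
        raise ValueError("pool must have at least 2 entries and draws >= 1")
    return draws * math.log2(pool_size)


def generate_passphrase(lexicon, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly, with replacement, using the OS CSPRNG.
    Duplicates are removed first so the pool size used for the entropy
    figure is the number of distinct words actually available."""
    words = sorted(set(lexicon))
    return sep.join(secrets.choice(words) for _ in range(n_words))


def naive_string_entropy_bits(secret: str) -> float:
    """What a meter that sees only the string can do: assume every
    character was drawn uniformly from the union of the character classes
    that appear in it. It has no way to know the real pool was a word list."""
    charset = sum(size for chars, size in CHAR_CLASSES
                  if any(c in chars for c in secret))
    return len(secret) * math.log2(charset) if charset else 0.0


def report(lexicon, n_words: int) -> dict:
    """Generate a passphrase and compare the entropy the generator actually
    gave it with what the string-only meter would guess from the result."""
    phrase = generate_passphrase(lexicon, n_words)
    return {
        "passphrase": phrase,
        "real_bits": generation_entropy_bits(len(set(lexicon)), n_words),
        "naive_bits": naive_string_entropy_bits(phrase),
    }


if __name__ == "__main__":
    r = report(TOY_LEXICON, 4)
    print(f"{r['passphrase']!r}: generator gave {r['real_bits']:.1f} bits, "
          f"string-only meter guesses {r['naive_bits']:.1f} bits")
    # The meter credits "password" with about 37.6 bits; that it is the
    # first guess in every wordlist is knowledge about the pool, not the string.
    print(f"'password': naive meter says "
          f"{naive_string_entropy_bits('password'):.1f} bits")
```

For the toy lexicon the generator hands out exactly 16 bits for four words, while the string-only meter, seeing 23 lowercase letters and spaces, reports well over 100. Plugging in a 2048-word list gives 11 bits per word, so the entropy of a wordlist passphrase is fixed by the list size and word count at generation time, which is the number a policy should record rather than anything derived from the characters afterwards.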