[ale] evernote security breach

Jay Lozier jslozier at gmail.com
Mon Mar 4 21:41:38 EST 2013


On 03/04/2013 09:18 PM, Ron Frazier (ALE) wrote:
>
> Jay Lozier <jslozier at gmail.com> wrote:
>
>> On 03/04/2013 12:38 PM, Ron Frazier (ALE) wrote:
>>> "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
>>>
>>>> On Mon, 2013-03-04 at 09:35 -0500, Ron Frazier (ALE) wrote:
>>>>> Hi all,
>>>>> I first saw the link to this article on the dc404 mailing list.  If
>>>> you're an evernote user, you need to know about this.
>>>>
>>>>> http://www.theverge.com/2013/3/2/4056704/evernote-password-reset
>>>> If you are an Evernote user, you need to change your password.  The
>>>> attackers had access to user-id's and password hashes.  The
>> passwords
>>>> where hashed and salted but simple passwords are still subject to
>>>> off-line brute force and rainbow table attacks.  Change your
>> password
>>>> to
>>>> a good, high complexity, password or passphrase.
>>>>
>>> Do you think a 15 character random alphanumeric generated by Lastpass
>> is good enough?  Or, should you go longer if the site will let you?
>> I tend to use very long gibberish passwords (Keypassx) that include any
>>
>> keyboard character including punctuation. I consider 15 characters
>> unacceptably short.
>>
>> The reason for both is the potential complexity of the password is
>> increased forcing hackers to use purely  brute force methods which can
>> become time consuming with very long passwords. My goal is to be hard
>> enough that the hackers will eventually give up.
>>
>> Also, every site has its own password so even if they crack one
>> password
>> it not used any where else.
>> <xnip>
>>
>> -- 
>> Jay Lozier
>> jslozier at gmail.com
>>
> My wife, who's not a super geek, rightly pointed out that the weak link in my chain is now the master password to the lastpass database.  If that were cracked at the lastpass website, or on a stolen PC, I'd be in trouble.  I do have to remember that one, and I do have to type it, every time I want to access the passwords for ANY site.  I'll have to give that some more thought.
>
> Sincerely,
>
> Ron
>
I only keep a the encrypted file on a device or stick that I personally 
control. Even then I am try to minimize the number devices/sticks the 
information is one.

-- 
Jay Lozier
jslozier at gmail.com



More information about the Ale mailing list