[ale] evernote security breach

Richard Bronosky richard at bronosky.com
Mon Mar 4 13:33:04 EST 2013


I use XKCD passwords http://xkcd.com/936/

I've been pleasantly surprised to find most of the services I care about
don't complain about my 30+ character passwords. I really wish they would
be smarter about entropy measurement rather than just insisting that some
stupid rules be satisfied.


On Mon, Mar 4, 2013 at 12:58 PM, Michael H. Warfield <mhw at wittsend.com> wrote:

> On Mon, 2013-03-04 at 12:38 -0500, Ron Frazier (ALE) wrote:
> >
> > "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
> >
> > >On Mon, 2013-03-04 at 09:35 -0500, Ron Frazier (ALE) wrote:
> > >> Hi all,
> > >
> > >> I first saw the link to this article on the dc404 mailing list.  If
> > >you're an evernote user, you need to know about this.
> > >
> > >> http://www.theverge.com/2013/3/2/4056704/evernote-password-reset
> > >
> > >If you are an Evernote user, you need to change your password.  The
> > >attackers had access to user IDs and password hashes.  The passwords
> > >were hashed and salted but simple passwords are still subject to
> > >off-line brute force and rainbow table attacks.  Change your password
> > >to a good, high complexity, password or passphrase.
> > >
>
> > Do you think a 15 character random alphanumeric generated by Lastpass is
> > good enough?  Or, should you go longer if the site will let you?
>
> That's probably reasonable although my personal preference is for pass
> phrases.  I take several words (Jabberwocky style) and mix in some
> numbers and punctuation.  Much easier to remember and type (especially
> on a smart phone) and very much easier to remember.
>
> I run into more dain-bramaged sites that don't allow punctuation than
> really limit the length but there are some still out there that haven't
> gotten the memo and restrict your length to negligently short lengths.
>
> > >MOST IMPORTANT!  This is NOT mentioned in the article quoted, but...
> > >If you used the same user id (E-Mail address) or similar and the same
> > >password on other sites, change all of them and use different passwords
> > >on each.  It is not uncommon for someone to use the same password and
> > >id on different sites.  It is equally not uncommon for attackers to KNOW
> > >THIS and, once they break your password on one site, to use a common,
> > >broken, password to attack other sites.  That includes sites with other
> > >common variations on your user id.
> > >
> >
> > I've known this for some time, but only recently went to the trouble to
> > do it, after Linkedin had their break in.  I'm now using Lastpass, which is
> > a good way to keep track of many different passwords for different sites.
> > (I know there are other solutions too.)  It was a major pain to go to
> > every site I had and go through the password change procedure, especially
> > because, for the ones that were already different, I had to look them up.
> > However, every one is now different and random.  Every time I generate a
> > new password for a new site, or change one on an old site, I let Lastpass
> > handle it.  The password vault is secured by a master password that you
> > don't give out online.  If anyone is interested, I can post my recommended
> > settings for Lastpass preferences.  You can use the service for free on
> > PCs, but have to pay a modest fee for Premium service to use on mobile
> > devices.  I pay the fee, and am glad to support their continued development.
> >
> > >> Sincerely,
> > >
> > >> Ron
> > >
> > >Regards,
> > >Mike
> > >
> > >
> > >--
> > >Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> > >/\/\|=mhw=|\/\/          | (678) 463-0932 |
> > >http://www.wittsend.com/mhw/
> > >NIC whois: MHW9          | An optimist believes we live in the best of all
> > >PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > >
> > >
> > >
> >
> > --
> >
> > Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
> > Please excuse my potential brevity if I'm typing on the touch screen.
> >
> > (PS - If you email me and don't get a quick response, you might want to
> > call on the phone.  I get about 300 emails per day from alternate energy
> > mailing lists and such.  I don't always see new email messages very
> > quickly.)
> >
> > Ron Frazier
> > 770-205-9422 (O)   Leave a message.
> > linuxdude AT techstarship.com
> >
> >
>
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
.!# RichardBronosky #!.
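The thread's point, that a service should measure how much entropy a secret actually carries rather than enforce composition rules, illustrated with an added Python example that is not from any of the messages above. It estimates entropy from how a secret was generated (four words from xkcd #936's 2048-word list, or 15 symbols from the 62-character alphanumeric alphabet a generator like the one Ron describes uses), converts that to an expected offline cracking time against a single salted hash at an assumed rate of 1e9 guesses per second, and runs the same strings through a typical 8-to-16-character composition policy. The candidate strings, the cracking rate and the "top 1,000,000 candidates" bound for the mangled dictionary word are constructed for illustration.

```python
import math
import re

# Assumed parameters, not taken from the thread: xkcd #936 draws four words
# from a 2048-word list; a random alphanumeric generator draws from the 62
# symbols [A-Za-z0-9]; the offline cracking rate against one salted hash is
# taken to be 1e9 guesses per second for illustration.
XKCD_WORDLIST = 2048
ALNUM_ALPHABET = 62
GUESSES_PER_SEC = 1e9


def passphrase_bits(word_count, wordlist_size=XKCD_WORDLIST):
    """Entropy of word_count words drawn uniformly from a wordlist_size list.
    What matters is how the secret was generated, not how long it looks."""
    return word_count * math.log2(wordlist_size)


def random_string_bits(length, alphabet_size=ALNUM_ALPHABET):
    """Entropy of `length` symbols drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def listed_password_bits(list_size):
    """Upper bound on the strength of any password that appears among the
    first list_size candidates a cracker tries: at most log2(list_size) bits."""
    return math.log2(list_size)


def expected_crack_seconds(bits, rate=GUESSES_PER_SEC):
    """Expected time to hit one uniformly random secret of the given entropy:
    on average half the keyspace is searched.  A per-user salt means this
    cost is paid once per hash; it does not make any single hash harder."""
    return 2 ** (bits - 1) / rate


def naive_rules_ok(pw):
    """A typical composition policy of the kind the thread complains about:
    8 to 16 characters with an upper, a lower, a digit and a symbol."""
    return all([
        8 <= len(pw) <= 16,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


# Constructed candidates: (label, string, entropy estimate from how it was made).
CANDIDATES = [
    ("mangled word in a top-1M list", "P@ssw0rd1", listed_password_bits(1_000_000)),
    ("4 xkcd words", "correct horse battery staple", passphrase_bits(4)),
    ("15 random alphanumerics", "k7Hq2pZ9vL4mX1r", random_string_bits(15)),
]


def evaluate(candidates=CANDIDATES):
    """Return one dict per candidate so the two views can be compared side by side."""
    return [
        {
            "label": label,
            "bits": round(bits, 1),
            "rules_ok": naive_rules_ok(pw),
            "crack_seconds": expected_crack_seconds(bits),
        }
        for label, pw, bits in candidates
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(f"{row['label']:32} {row['bits']:6.1f} bits  "
              f"rules_ok={row['rules_ok']!s:5}  "
              f"expected crack: {row['crack_seconds']:.3g} s")
```

Run stand-alone, the table shows the inversion the thread is complaining about: the mangled dictionary word is the only candidate the composition policy accepts, yet it is the weakest by far, while the 44-bit passphrase (a few hours at the assumed rate, which is why Mike mixes in numbers and punctuation) and the roughly 89-bit random string (effectively unreachable) are both rejected, the passphrase for its length and the random string for lacking a symbol.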