EVERNOTE passwords were hacked

[gardenstate]

Although I own Sony PRS-T1 and 950 ebook readers, I came across this news article that may be of concern to the T2 (and other?) users that use EVERNOTE:

http://gma.yahoo.com/evernote-hacked...opstories.html

part of the article..
"The next time you log in to your Evernote account, don't be surprised when you are asked to reset your password. The web and app-based digital notebook service reset all user passwords after a "coordinated attempt to access secure areas of the Evernote Service."

[SeaKing]

Quote:

Originally Posted by gardenstate

Although I own Sony PRS-T1 and 950 ebook readers, I came across this news article that may be of concern to the T2 (and other?) users that use EVERNOTE:

http://gma.yahoo.com/evernote-hacked...opstories.html

part of the article..
"The next time you log in to your Evernote account, don't be surprised when you are asked to reset your password. The web and app-based digital notebook service reset all user passwords after a "coordinated attempt to access secure areas of the Evernote Service."

Why would Evernote be targeted?
Is some valuable kept there? I thought it was just a note taker and writer.

[taustin]

Quote:

Originally Posted by SeaKing

Why would Evernote be targeted?
Is some valuable kept there? I thought it was just a note taker and writer.

People tend to use the same passwords everywhere, and an account on any web site will very likely have an email address in it. Spammers love to get hold of other people's email passwords.

[WT Sharpe]

I know this is no laughing matter (I'm an Evernote customer myself), but I couldn't hold it in after reading this comment by "Ralf The Dog" at the Huffington Post's article on this subject:

Quote:

I am safe. My password "W0rdP4$$" has upper and lower case letters as well as numbers and symbols. No one will ever be able to get W0rdP4$$ from a dictionary attack.

[holymadness]

Quote:

Originally Posted by taustin

People tend to use the same passwords everywhere, and an account on any web site will very likely have an email address in it. Spammers love to get hold of other people's email passwords.

They love the email addresses, even without the passwords. I read that Dropbox users whose accounts were hacked months ago have recently been bombarded with junk mail.

[afv011]

Quote:

Originally Posted by WT Sharpe

I know this is no laughing matter (I'm an Evernote customer myself), but I couldn't hold it in after reading this comment by "Ralf The Dog" at the Huffington Post's article on this subject:

That's pretty much the end goal, to get dictionary passwords that can be used on more lucrative websites. Unfortunately most people use a single password throughout most, if not all, the websites they visit.

[Ninjalawyer]

Quote:

Originally Posted by afv011

That's pretty much the end goal, to get dictionary passwords that can be used on more lucrative websites. Unfortunately most people use a single password throughout most, if not all, the websites they visit.

I'm somewhat guilty of this. Aside from my bank and email accounts, I was using the same password for most sites with a login.

As of yesterday though, I've started using LastPass, and now have a different password for every site. The passwords are generally 12 to 16 character long strings of random letters, numbers and symbols to avoid an easy dictionary-based attacks, and I've also setup two-factor authentication where it's available. Even with all that, I still feel like my data on any given site is easy prey to a hacker with enough time or skill.

Edit

If anyone is interested in setting up a password manager, LifeHacker has a tutorial on LastPass here.

[jamadams]

Quote:

Originally Posted by Ninjalawyer

Even with all that, I still feel like my data on any given site is easy prey to a hacker with enough time or skill.

I think that's a safe and sensible assumption to make.

These hacks are a pain in there backside but at least it's making people think about security.

[Apache]

I have multiple passwords of differing difficulties depending on the sites.
Apache

[JoeD]

I only trust open source password managers and of those I've looked over, two that look like they cover everything are Password Safe and Keepassx. Not done a detailed analysis though, just had a brief read the source to see how they handle key generation/storage and password stretching and to build a version for myself.

Whilst there could be bugs, they at least appear to do everything needed, which is more than can be said for many of the closed source offerings. Some were found to use weak encryption or stored a master password with the db or didn't perform key stretching...

Not looked at last pass, but I wouldn't trust any online service with my passwords even with client side encryption.

[WT Sharpe]

Quote:

Originally Posted by afv011

That's pretty much the end goal, to get dictionary passwords that can be used on more lucrative websites. Unfortunately most people use a single password throughout most, if not all, the websites they visit.

Good point. It makes sense to use a different password on every site that requires one.

[EowynCarter]

Quote:

Originally Posted by WT Sharpe

Good point. It makes sense to use a different password on every site that requires one.

I use mostly the same passord. Except for account that mater (ie gmail account and other linked to credit card accounts)

[Apache]

Banks in the US are required to make you change your password every six months. And you can not use the last four previous passwords. The logic behind this is that it is supposed to make your account more secure. I find that it does the opposite. Changing your password frequently will make most people use something that is easy to remember or write down their current password. I prefer to just use one really strong one that I have memorized.
A corollary is people that right down safe combinations and leave them on their desk or carry them on them. Anytime you have a password written down someone can use it. Even if you have it stored encrypted electronically it can be hacked. The only safe password is the one that stays in your brain and nowhere else.
Every one of my employees that has access to my security system has his own unique code. Whenever my system is accessed it is logged and I receive email and text alerts allowing me to see which code is being used. Your security is important and everyone should always be aware of theirs.
Apache

[bullet]

Quote:

Originally Posted by Apache

Banks in the US are required to make you change your password every six months. And you can not use the last four previous passwords.
Apache

All of my banks are all in the U.S. and none of them require me to change my password. I googled it and see where experts recommend it but see no mention of it being required. Am I missing something or did you mean to say it is recommended?

[Apache]

I have business and personal accounts in different banks. All of them have told me they are required to do so by the Fed.
Apache