On March 2nd, Evernote announced a major data breach of their network. Hackers managed to steal user information including usernames, email addresses, and encrypted passwords. They confirm that their paying customers' financial details have not been compromised. Evernote did, though, store passwords hashed and salted – this means the passwords are more difficult to reverse engineer. Thumbs up here.
The main purpose of the salt is to add some randomness, which has a similar effect to extending the minimum strength of the password – this makes offline password cracking (think rainbow tables – see Bootnote) a little more difficult and resource intensive. I like to think of salting as nothing more than altering the hashing algorithm. I’ve even heard some talk about double salting, but this doesn’t really impact the security. The real problem comes when the binary is known to the hacker, who can then reverse engineer it to reveal the algorithm as well as the hard-coded salt. Not good.
TIP: If you are looking after a user database then it’s important that the keys and salts for the passwords remain dynamic and not static!
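An added example (not Evernote's code, nor code from this post) of what the tip means in practice: a single hard-coded salt, as a reverse-engineered binary would reveal, gives every user who chose the same password the same hash, so one precomputed table covers the whole database, whereas a fresh random salt per record does not. The `STATIC_SALT` value and the passwords are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed example: contrast an app-wide static salt with a per-user
# random salt, both fed to PBKDF2-HMAC-SHA256 (a deliberately slow hash).

ITERATIONS = 100_000
STATIC_SALT = b"app-wide-salt"  # constructed placeholder, as if baked into the binary


def hash_password(password, salt):
    """Derive a slow hash; the salt is mixed into every iteration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_static(password):
    """Weak scheme: the same salt for every user. Returns (salt, hash)."""
    return STATIC_SALT, hash_password(password, STATIC_SALT)


def store_dynamic(password):
    """Better scheme: 16 random bytes per record, stored beside the hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password, salt, stored_hash):
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def same_password_collides(store):
    """True if two users who picked the same password end up with identical
    hashes, i.e. one precomputed table would crack both at once."""
    _, h1 = store("correct horse battery staple")  # constructed password
    _, h2 = store("correct horse battery staple")
    return h1 == h2


if __name__ == "__main__":
    print("static salt collides:", same_password_collides(store_static))    # True
    print("dynamic salt collides:", same_password_collides(store_dynamic))  # False
```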
In Evernote's case I’m not 100% sure whether the salts were dynamic, but even if they were not, salting the passwords was a sensible move. So what happens next in the event of a breach like this? In nearly every instance of a data breach, a company should institute a mandatory password change for ALL users, but this should only be done from a web site address and not from, say, a mobile app – not all mobile apps are good at supporting password resets.
The major problem with this type of data breach is that all or some of your data services are stored in the cloud. Cloud storage isn’t 100% secure (Evernote is a good example of this), so you run the risk of exposing all your data. What about your passwords? If you use the same password for multiple websites, you will also need to change the password for those websites as well. Evernote (http://www.evernote.com/) is a recent example of the problems facing cloud-based storage and securing user account data – it will not be the last either!
Update 7th March: Evernote have announced that they will be introducing two-factor authentication. They will no doubt take the mobile route here.
Safe surfing folks!
Bootnote: If a hacker uses a rainbow table, a separate table would be needed for every salt value. Salting passwords therefore protects against rainbow table attacks – a rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.