Evernote, 50M Passwords, and the Law of Demos
Derek Brink
MAR 25, 2013 08:00 AM

When visiting my mom, who does not live close by, I try to play Geek Squad and help her with any open technology issues. Most recently, we set up a new Wi-Fi service for her new Windows 8 laptop (that's right, my mom has newer capabilities than I do).

Afterwards, I decided to show her Evernote, as an example of an app that I thought she would find useful (as I do). "Password Incorrect." "Password Incorrect." "Please click here to reset your password." I just couldn't get it to work, and after 15 or 20 awkward minutes we had to move on.

The law of demos strikes again. That is, whenever a technology is being demonstrated, that technology will probably fail.

It turns out that Evernote had experienced a security breach, in which intruders gained access to usernames, email addresses associated with Evernote accounts, and encrypted passwords. The result: a decision to force a system-wide password reset for some 50 million Evernote users.

Kudos to Evernote for having implemented the best practice of salting and hashing our passwords — unlike the recent examples of LinkedIn and eHarmony (see my blog Salt With Your Hash = Better for You (Your Passwords, That Is), 18 June 2012).

As I described then, a cryptographic hash is a one-way function that transforms an input of any length to an output of fixed length. Widely-used hash algorithms from the Message Digest (MD) or Secure Hash Algorithm (SHA) families have desirable properties such as:

  • Relatively easy to compute — meaning that there is minimal impact on performance
  • One-way — meaning that going backwards, from the fixed-length output to the variable length input, is computationally infeasible
  • Collision-free — meaning that two different inputs will not result in the same fixed-length output

Another way to think of the fixed-length hash output is as a unique digital fingerprint or signature of the original value. The problem is that for any given original value and a given algorithm, attackers can easily compute the corresponding hashed value – and they can repeat this process to compile a list of known original values and corresponding hashed values. Given end-user propensity to choose "123456", "soccer", "princess" and so on for our passwords, attackers can quickly look for hashed values that they already know.

A cryptographic salt is a long-established technique designed to thwart attackers from pre-computing look-up tables of known hash values, by concatenating a string of random (or pseudo-random) bits with the password before computing the hashed value. So salt + hash = harder to pre-compute or crack = better protection of our passwords. It's a good example of defense-in-depth, and hats off to Evernote for having this in place.
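To make the argument above concrete, here is an added example (not from the original post) of the precomputed lookup table the attacker builds and why a per-user salt defeats it. SHA-256 and the three weak passwords named above are used as constructed sample values.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample: the weak passwords the post cites.
COMMON_PASSWORDS = ["123456", "soccer", "princess"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precomputed hash -> plaintext table: computed once, reused
    against any unsalted hash leaked from any site."""
    return {sha256_hex(p.encode()): p for p in candidates}


def store_unsalted(password: str) -> str:
    """The weak scheme: hash(password) only."""
    return sha256_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """The post's scheme: hash(salt || password) with a fresh random salt
    per user. Returns (salt_hex, hash_hex); the salt is stored alongside."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt.hex(), sha256_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Login check: recompute with the stored salt and compare."""
    _, computed = store_salted(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(computed, stored_hash)


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Returns the plaintext if the leaked hash is in the precomputed table.
    Works for unsalted hashes; returns None for salted ones because the
    table never included the salt."""
    return table.get(stored_hash)
```

Note that the salt only removes the precomputation shortcut; a weak password like "soccer" can still be guessed one user at a time, which is why a deliberately slow password hash is preferred over a plain fast digest in practice.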

If there's a lesson to be learned from the Evernote example, one might find it in reading the comments that subscribers left on their blog. In general, subscribers complain about the lack of timely communications from Evernote regarding what was happening — to which Evernote gave a predictable "corporate" response:

Our apologies if you didn't receive your email in a more timely manner. Sending emails to our many users is a large project that unfortunately took longer than we expected. In addition to the email going out to our entire user base we also spread the message through our various social channels, homepage and here on the blog. We'll continue to look for ways to improve our communications method with our users. We're truly sorry for any inconvenience this has caused and thank you for using Evernote.

Aberdeen's current study on incident response — if you're interested in participating, you can still respond to our survey — is confirming that crisis communications is one of the most challenging aspects of a best-in-class incident response plan. Testing and exercises of contingency plans for incident response or disaster recovery can range from checklist reviews, walk-throughs and "tabletop reviews", to simulations, parallel testing and full-interruption testing … but full-scale crisis communication to 50M customers is difficult to practice in advance. Look for research publications on this and other aspects of incident response in the coming weeks.

In the meantime, it appears to be crisis averted at Evernote — although at the cost of growing from 50M users to 50M and one. Based on my failed demo, my mom will not be signing up.

Derek Brink
Vice President and Research Fellow
IT Security
