
Author Topic: Evernote hacked  (Read 2244 times)

baggy

  • Naughty Corner
  • Weekend Warrior
  • ***
  • Posts: 161
Evernote hacked
« on: 02 March 2013, 08:09:24 pm »
The online note keeping website Evernote has been hacked and account details taken. They are urging users to go to the website where they will be asked to choose a new password.

steeeve66

  • Club Racer
  • ****
  • Posts: 466
Re: Evernote hacked
« Reply #1 on: 02 March 2013, 08:51:17 pm »
..what's Evernote??

chris.biker

  • Naughty Corner
  • WSB Pack Hound
  • *****
  • Posts: 551
Re: Evernote hacked
« Reply #2 on: 02 March 2013, 09:22:23 pm »
..what's Evernote??

Not secure Apparently!  :lol

baggy

  • Naughty Corner
  • Weekend Warrior
  • ***
  • Posts: 161
Re: Evernote hacked
« Reply #3 on: 02 March 2013, 10:00:16 pm »
It's a website where you can keep notes, photos, web links etc and sync them with your phone and tablets etc.

And yes not secure :)

goldfazer

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 20,349
Re: Evernote hacked
« Reply #4 on: 03 March 2013, 04:26:16 pm »
Why don't these sites encrypt the passwords? It ain't rocket science!!

rayburn600

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 2,349
Re: Evernote hacked
« Reply #5 on: 03 March 2013, 04:38:34 pm »
Why don't you keep your own photos and info on an external hard drive? It's not rocket science!!

Thorn

  • Naughty Corner
  • DAS Born Again
  • **
  • Posts: 59
Re: Evernote hacked
« Reply #6 on: 03 March 2013, 05:50:54 pm »
Why don't these sites encrypt the passwords? It ain't rocket science!!

Hi,

Unfortunately encryption doesn't really solve the problem. You can pretty much guarantee they have hashed their passwords using an MD5 or SHA algorithm, mostly SHA-256 in this day and age.

The issues arise when you have an entire database of hashed passwords, you can be certain that a dictionary attack will weed out thousands of the more simple passwords within seconds.

For example, let's say your password is "lexicon", which hashes (via MD5) into "42d48e292d15d4fd85050e15e00ad591".
That is an encrypted password, but inevitably a dictionary attack will attempt the word "lexicon" and as the hash matches the password hash in the SQL database, your password has been discovered.

Due to computational requirements it's generally not worth the time to attempt to find a single user's password, but when you have an entire database of hashed passwords, you can be sure a dictionary attack will turn up results within seconds, however it would be almost impossible to retrieve all the passwords in the database, unless they were all ridiculously simple. The time required for a full brute-force attack would likely be in the range of a few centuries/millennia.

baggy

  • Naughty Corner
  • Weekend Warrior
  • ***
  • Posts: 161
Re: Evernote hacked
« Reply #7 on: 03 March 2013, 06:18:54 pm »
Exactly what I was thinking  :\

Chillum

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 2,224
Re: Evernote hacked
« Reply #8 on: 03 March 2013, 06:46:50 pm »
This is why you should choose your passwords along the lines of phrases and use numerics as well as symbols (assuming the sometimes archaic password system allows you to).

For example:
The quick brown fox jumps over the lazy dog.

tQBfj0T!d.

and every character you use more than 8 makes it that much harder to crack.

Dead Eye

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 3,753
Re: Evernote hacked
« Reply #9 on: 03 March 2013, 10:11:54 pm »
I can testify to this as during my final year of University we were assigned to write a program to perform this very task - breaking hashed passwords. Including generating our own Rainbow Tables and using them as well :)

Up to 6 characters alphanumeric (ignoring case) would take a fair amount of time to brute force but it's easily within a few hours. Increasing it to 8 characters can take days, and longer becomes pointless to ever bother cracking as it takes too long. Dictionary attacks are common and this is why most reasonable sites force you to use both numbers and letters.

This is also why my password for a lot of secure things is 21 characters in length using upper case letters, lower case letters, special characters and numbers with no dictionary words :D

Grahamm

  • Global Moderator
  • GP Hero
  • *****
  • Posts: 6,729
Re: Evernote hacked
« Reply #10 on: 04 March 2013, 12:44:15 am »
Unfortunately encryption doesn't really solve the problem. You can pretty much guarantee they have hashed their passwords using an MD5 or SHA algorithm, mostly SHA-256 in this day and age.

The issues arise when you have an entire database of hashed passwords, you can be certain that a dictionary attack will weed out thousands of the more simple passwords within seconds.

Unless they use a "salted" hash...
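
The difference a salt makes, as an added example that is not part of any post in this thread: with an unsalted fast hash, every account using the same password stores the same value, so one precomputed entry matches all of them, while a per-account random salt with a slow key-derivation function (PBKDF2 here) makes each stored value unique. The account names, the iteration count and the choice of PBKDF2 are assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample accounts; "lexicon" is the password used in the post above.
USERS = {"alice": "lexicon", "bob": "lexicon", "carol": "tQBfj0T!d."}
ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def unsalted_md5(password: str) -> str:
    """The weak scheme: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def shared_hashes(stored: dict) -> list:
    """Groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    weak = {u: unsalted_md5(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted, same hash:", shared_hashes(weak))
    print("salted, same hash:  ", shared_hashes(strong))
    salt, digest = strong["alice"]
    print("login ok:", verify_password("lexicon", salt, digest))
```

The salt is stored next to the digest in the account record; it does not need to be secret, only unique per account.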

goldfazer

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 20,349
Re: Evernote hacked
« Reply #11 on: 04 March 2013, 09:58:34 am »
Still better than not encrypting them !! - or write your own one way algorithm.

Chillum

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 2,224
Re: Evernote hacked
« Reply #12 on: 04 March 2013, 10:46:52 am »
A couple of years ago I downloaded the dictionary files for password hacking which included common letter/number substitutions and lots of iterations - it was over 5 GB of text !!!

This stuff is out there and easy to get, along with programs like satan to help you use the files.

I love trying to break my own wi-fi passwords :) (Kismet is your first tool for this by the way, and if you like Linux, look up backtrack)