You have probably read by now that Evernote was hacked over the weekend. According to the popular productivity service, none of the content users store in the service was accessed, but it admitted that the attackers did gain access to, and copy out, the email addresses and hashed passwords of its users. As a result, the company has initiated a password reset for its 50 million users.
So what are some lessons that small and mid-sized businesses can glean from this unfortunate incident?
The first lesson that SMBs can learn from the Evernote hack is the importance of never storing passwords in plaintext. Attackers clearly make a priority of seizing the password file or database once they gain unauthorized access to a server. As such, it is imperative that programmers protect passwords by salting them and running them through a deliberately slow password-hashing function (bcrypt, scrypt or PBKDF2) before writing them to disk. A fast general-purpose hash such as MD5 or SHA-1, even when salted, can be tested against billions of candidate passwords per second on commodity GPUs, so the choice of function matters as much as the decision to hash at all.
For those not familiar with the term, hashing refers to the use of a cryptographic function that takes an input of arbitrary length and returns a fixed-size digest. A good hash function is one-way: given only the digest, recovering the original input by computation is impractical, so storing the digest rather than the password greatly reduces the damage when the file is stolen. One-wayness does not, however, stop guessing. Because the function is deterministic, whoever holds the file can hash candidate passwords offline and compare the results, which is why both the cost of the hash function and the strength of users' passwords still matter.
Salting, on the other hand, adds the step of concatenating a random, per-password value (the salt) to the password before hashing, and storing the salt alongside the resulting hash. The salt need not be secret; its job is to defeat precomputation. Rainbow tables are essentially huge tables of precomputed hashes that an attacker consults to find a match and recover the original plaintext password. A unique random salt of adequate length (16 bytes is common) makes such a table useless, since one would have to be built for every salt, and it also ensures that two users with the same password end up with different hashes, so the attacker cannot crack them all with a single guess.
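The following added example, which is not Evernote's code or part of the original post, puts the three points above side by side in Python's standard library: an unsalted fast hash that a precomputed table recovers immediately, and a salted, deliberately slow PBKDF2 record that the same table cannot touch and that gives two users with the same password different stored values. The record format, the iteration count and the tiny wordlist are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example. The iteration count is what makes
# each guess expensive; tune it to your hardware and revisit it yearly.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn for every call, so hashing the same
    password twice yields two different records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def weak_hash(password: str) -> str:
    """The 'before' picture: an unsalted, fast hash. Do not use this."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once; a tiny stand-in for a rainbow table.
    The work is done before any breach and reused against every victim."""
    return {weak_hash(word): word for word in wordlist}


def crack_with_table(table, stored_hash):
    """Recover a plaintext by lookup, or None if the table has no entry."""
    return table.get(stored_hash)


# Constructed sample data for the demonstration.
WORDLIST = ["password", "123456", "letmein", "qwerty", "evernote1"]


def demo():
    table = build_lookup_table(WORDLIST)

    # Unsalted MD5: the stolen value is recovered by a dictionary lookup.
    recovered = crack_with_table(table, weak_hash("letmein"))

    # Salted PBKDF2: the same table has nothing to say about the stored hash.
    record = hash_password("letmein")
    stored_hash = record.split("$")[-1]
    not_recovered = crack_with_table(table, stored_hash)

    # Two users who chose the same password do not share a stored value.
    distinct = hash_password("letmein") != hash_password("letmein")

    return {
        "weak_recovered": recovered,
        "salted_recovered": not_recovered,
        "same_password_distinct_records": distinct,
        "correct_password_verifies": verify_password("letmein", record),
        "wrong_password_rejected": not verify_password("wrong", record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would let your framework's password hasher produce and parse the record (Django, Rails and ASP.NET Identity all ship one), but the shape is the same: the scheme and cost live in the record so that they can be raised later, the salt is random per password, and comparison is constant-time.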
One common misconception on this front is that this seemingly complex procedure needn't concern smaller businesses. That assumption is wrong: any software that authenticates users with a password has to store the credentials somewhere, and a stolen database is just as damaging at a small firm as at a large one. As such, it is in the interest of SMBs to ensure that they use proper salting and hashing, preferably through the password hasher their framework already provides rather than one written in-house.
Finally, the Evernote hack is a sober reminder that users should use a different password for each online service. Think about it: what if the attackers had made off with the Evernote password file without anyone being the wiser? Anyone who reused their Evernote password elsewhere would have handed over those other accounts as well. Indeed, it is entirely plausible that other popular web services have already been breached in exactly this way without it being detected.