I am a happy user of Evernote, a fantastic web-based clipping service that I (and 65 million others) use to remember stuff. Folks who know me, know I need the help. 😉
I recently received an email from them – about a data breach involving passwords. They were concerned for my security regarding access to my Evernote account.
But wait a minute – didn’t I already get this email from them last week? No wait, that was Eventbrite – similar name, different service. They sent me a similar note a week ago. Hmmm…. So what’s up?
As online users, I think we’ve gotten a bit used to reports on hacked sites – data breaches online at various retailers and services where we live, work and play online. Understandable. The Office of Inadequate Security over at databreaches.net averages three or four posts a DAY. And while monthly numbers are down a bit, according to datalossdb.org, there are already 32 incidents for November.
So, my receiving an email like this – you might say it’s not so unusual, and you’d be right. Here is what is unusual though. Neither Evernote nor Eventbrite was breached or hacked. Adobe was. And yet Evernote and Eventbrite each sent me an email about it.
What? Why on earth would they do that? Answer: They know users. We are super busy (and perhaps a little lazy).
Yep. We’ve got lots going on – we like our internet tools and services and we participate extensively. Along with that, well – we don’t particularly like remembering stuff. Especially complicated stuff. So when it comes to passwords, we make them easy, and we use them everywhere.
In April 2013, Dark Reading cited a survey by Varonis – reporting that password reuse was “rampant”. According to Varonis, some 61% of users are sharing passwords across accounts. In September 2011 ZDnet reported on a CIS survey that also pegged this number at 60%.
So yes, despite the ongoing incidents of sites being hacked – with our data is at risk – we are demonstrably lazy and forgetful, and we are staying that way.
Hence, my delight in this email from Evernote. While they were not hacked, they know Adobe recently was – to the tune of 150 Million accounts or more… And they know us and our habits – and they dutifully considered the likelihood that we may be using the same login credentials for their system as we used for Adobe’s.
Evernote did a number of great things here:
- Analysis – they took the opportunity to obtain the stolen data which had been posted to the web. They compared that to their users and identified a set of users who may be at risk
- They sent email communication to warn their users and provide tips and advice on how to increase security
- They did NOT point a finger at Adobe. Data breaches happen and online providers realize that they are in this together – in fact – WE are in this together.
Additionally they provided some other key, basic guidance that as users we should all embrace and implement:
- Avoid using simple password based on dictionary words
- Never use the same password on multiple sites or services
- Never click on ‘reset password’ requests in emails – instead go directly to the service
- Consider use of Two-Step or Two Factor Authorization – for those sites like Evernote which offer it
WRONG! Trick question – and I know you didn’t fall for it…
You should not store your passwords this way. Consider online tools and software that give us what we need – strength in passwords and organization and just in time availability to help us manage or forgetfulness.
For my friends and family, I recommend Lastpass – but there are many options. The key is – we don’t want to give up convenience. Convenience is the death knell of security. Yes, strength in systems comes with practices which are kinda a pain in the rear. But – these tools will actually make your lives better. Many can be embedded in your browser – and when used PROPERLY – they will allow to seamlessly access your online sites. They will also allow you to share credentials with others securely – either for one time use or in a way that doesn’t actually expose the credentials. Nice!
Interested? Check out this article by LifeHacker: Do You Use a Password Manager? Pick one out and tighten thing up!
So, to wrap up. I LOVE the efforts here by Eventbrite and Evernote – and Adobe (they of course sent me a notice directly about the breach). Others – like Facebook, Diapers.com and Soap.com were reportedly doing the same thing.
I REALLY love the thought that these communications may be directly connected – that Adobe possibly encouraged these other entities to communicate to their users. That would show incredible community spirit – and though we may not be to that point yet – these providers are showing they really care about us and our safety.
What we can do for them is our part – use of strong passwords, unique across our sites, and managed securely. That, in the end, will help all of us.