By now, you have heard about the latest in SaaS security woes: Evernote. As a user of the service, I was notified of the breach on Saturday. Evernote’s systems were compromised to the extent that individuals were able to access user information, which included encrypted passwords. Unlike the LinkedIn breach, where the passwords were encrypted, but not “salted” (which provides protection against brute force dictionary attacks,) Evernote’s passwords were both encrypted and salted. Evernote, correctly in my view, decided to implement a system-wide password reset, even though there was no evidence of a breach of customer content or credit card information. But this episode does have me thinking about a couple of things.
The Future Of Passwords: One reason why Evernote likely called for a system-wide password reset is it’s unknown whether brute force attacks would have yielded passwords to the attackers. Question is, would a system wide reset have even been necessary if two-factor authentication was in use? “Oh, it’s too hard.” “Too expensive.” Not really. As usual, the gaming world leads technology. Blizzard Entertainment’s Battle.Net gaming service offers a $ 6.50 hardware authentication token, and if that presents too much of a challenge to people using the service, Blizzard also offers a mobile phone two-factor authenticator.
There are bright spots in the enterprise when it comes to two-factor authentication, notably in highly regulated industries. However, while most enterprises finally have complexity requirements when it comes to passwords, far too few enterprises support two-factor authentication on all of their remotely-accessible apps.
Attack Surface: The cloud naysayers are always saying that cloud is less secure. That’s not quite true — as I’ve pointed out before, many cloud provider data centers have a cleaner audit than many mid-sized enterprises. And, these providers have crackerjack security teams at their beck and call due to their scale. But, the bigger you are, the more of an attack surface you present to attackers. So, to that extent, I think that cloud providers have their work cut out for them.