On February 28, Evernote's Operations & Security team detected that a hacker (or hackers) had accessed usernames, encrypted passwords, and email addresses stored on the Evernote servers. Evernote's hacking follows several high profile hacks in recent weeks, including Facebook, Twitter and Apple. Aside from the Twitter hacks, which are a little amusing--seeing Burger King's verified account masquerading as a subversive McDonalds amused the Twitter world for a few hours--the hacks represent a disturbing trend. No matter how secure your password, there's nothing you can do to stop companies from being backed.
In response to the hack, Evernote changed the passwords of its approximately 50 million users and advised users to create new, secure passwords of their own. Most likely, Evernote got off easy; according to TechCrunch, Evernote's CEO said that the service does not store user payment information (there's a premium version of the service that costs $5 per month), so there was no credit card information at risk.
Still, the hackers were able to access email addresses, usernames, and encrypted passwords. If they retained any of that information, they could potentially put it to use. Evernote's recommendations that users create new, secure passwords may not be enough. Even a 15 character alphanumeric password is insecure if the company you've entrusted it with is hacked. For starters, it's smart to use different passwords on different websites, especially for critical services like email and banking.
But even without your password, a hacker with your email address and personal information could potentially use social engineering to gain access to your accounts. We wrote about how to avoid the holes a hacker discovered in Amazon's and Apple's secuirty policies last August. After being hacked, Wired writer Mat Honan wrote that passwords are no longer the right way to protect our data.
The hacking of Evernote and other services reinforces that argument. Honan suggests that passwords are on the way out as a form of security, but there are a few things we can do to minimize the risks posed by phishing, social engineering, and major hacking breaches at popular web services. Use two-factor authentication wherever possible, but it's especially important to enable it on the email address that all your other services send "lost password emails to". Use fake answers for security questions. Create a unique email address for password recovery so that they aren't linked to your primary account. Use long, long passwords. And never, ever use them on more than one site. These will keep you safer, but never entirely safe--even good passwords can't protect you if the sites you use aren't following best practices. Even if they are, there's always a chance your information will be grabbed in a mass hacking.
It's simple advice, but it all lines up with what other security experts have said. Last year, one expert recommended long words and phrases over jumbles of letters and numbers. Remember that some services you may use every day, like Gmail, Steam, and Dropbox, offer two-factor authentication--it's just up to you to turn it on. A password manager can also help you use unique passwords on every website you visit. Lifehacker has a rescent comparison of several password managers, if you need a tool to help you manage a massive number of passwords.