Last week’s data breach of online information storage firm Evernote caused quite a stir in the IT security world. Of course, when you have 50 million users whose names, email addresses and encrypted passwords may have been accessed, you have to expect to see your company’s name in the headlines.
But now that we’re several days past the initial report of the Evernote breach, it’s starting to seem like the loss of the encrypted password files is probably a non-event, because figuring out the actual passwords is pretty much impractical.
I believe that the company’s executives decided to ask users to change their passwords as a precaution, and as protection against a potential lawsuit. The fact is that as systems become increasingly populated with ever more valuable resources (welcome to the cloud!), these types of flaws become harder to find – while the value of discovering a flaw becomes higher.
Privileged Account Management and Non-Disclosed Passwords
From a self-serving point of view, I could say that the Evernote breach shows why organizations should purchase our privileged account management product - because it regularly changes the passwords for accessing systems, without disclosing the passwords. In essence, this practice places an automatic password randomizer between the customers and their cloud or internal systems.
In this scenario, the actual passwords are never known by the user and change frequently on the remote systems (in the background). This moves the burden from the cloud provider and requires local users to go through a security intermediary (our product) for proxied logon to weak systems – or to overcome the dangerous practice of maintaining common credentials across multiple internal systems.
This is a great way to thwart hackers. Imagine, after all of their hard work, they get – at best – access to only one system, rather than being able to use common credentials to leapfrog from one system to another throughout the network.
Of course, all of this essentially means paying more for authentication, but nobody credible ever said that security was free.