Comment to Evernote

a guest
Mar 4th, 2013
Nearly 2 years on from this post and with a serious security incident now on the Evernote timeline, I'm interested if Dave still feels the same about his comments regarding the approach to hashing.

Are comments such as "In the case of internal password storage, you don’t have access to the MD5 hashes" and "the hashed password is never exposed outside of our data center" still valid? The blog post from Saturday explains that "the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords".

Are these two positions mutually compatible? Can you both not be too concerned about the hashing approach because an attacker "doesn't have access to it" yet also acknowledge that individual(s) gained access to user information? The question may sound rhetorical but it's a serious one insofar as Dave was quite clear in his convictions contrary to some concerned responses. Would you (do you?) do things differently now?