By Sandra Carielli, Senior Product Manager, Access and Data Protection
If the user passwords in your organization are compromised, do you:
a.) Notify your users and ask them to change their passwords
b.) Proactively reset all passwords immediately
As an end user, if your password is compromised, would you rather:
a.) Be asked to reset the password yourself
b.) Have the company reset your password for you
Last year, I received an e-mail from one of the social networking sites I frequent, in the wake of a bulk password theft, asking me to change my password. I went ahead and did so, but I’m sure that many others did not. And some that did change their passwords may not have done so immediately. If, as an organization, you are concerned that attackers may use the credentials they have stolen to access user accounts, then time is of the essence. So you’d want to reset all passwords now.
Over the weekend, Evernote took the proactive approach. After discovering that attackers had managed to steal usernames, e-mail addresses and salted and hashed passwords, the company reset all 50 million of its users’ passwords. Evernote notified its users via a blog post and via e-mail. Judging by the comments on Evernote’s blog post, reaction was mixed. Users who suddenly found themselves unable to log in to their accounts (and hadn’t yet read the blog or received the e-mail) feared that their accounts had been hacked. Some users who received the e-mail thought they were being targeted with phishing attacks (we’ve been well trained to be suspicious of e-mails about password resets).
If you are an organization dealing with a smash-and-grab attack on your stored passwords, the decision about whether to reset all user passwords can be another in a long line of stressful decisions. When I talk to customers about RSA Distributed Credential Protection, one of the areas they get excited about is user transparency: in the event of such an attack, an organization can potentially change the way the password is split and stored without asking the end user to do anything.
From a security standpoint, I think Evernote did the right thing by resetting the passwords. But it’s rough from a usability standpoint. Users will have to log in and create a new password; they’ll also have to enter the new password on other Evernote apps. If they were using the password elsewhere (most of us use the same password on over six unique portals or applications), they may want to think about changing their password on those portals as well. But the password re-use issue is a subject for another day…