Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.

The scrutiny of Evernote's security comes two days after Evernote officials disclosed a breach that exposed names, e-mail addresses, and password data for the service's 50 million end users. Evernote blog posts published over the past few years show that the company protects passwords and sensitive user data with encryption algorithms and schemes that contain known weaknesses. That is prompting criticism that the company's security team isn't doing enough to protect its customers in the event that hackers are able to successfully compromise the servers or end-user phones.

The chief complaint involves Evernote's use of the MD5 cryptographic algorithm to convert user passwords into one-way hashes before storing them in a database. Use of MD5 to store passwords has long been frowned on by security experts because the algorithm is an extremely fast and computationally inexpensive way to convert plaintext such as "password" into a unique string of characters such as "5f4dcc3b5aa765d61d8327deb882cf99." MD5 makes an attacker's job of cracking the hashes much easier by allowing billions of guesses per second, even on computers of relatively modest means.

By comparison, the use of slow algorithms such as bcrypt, which Twitter uses to protect its passwords, adds considerable time and computing requirements to the task of converting the hashes into the underlying plaintext passwords. Even when hashes are generated using cryptographic salt to add randomness—as Evernote says it does—MD5 is still considered a poor choice.
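The difference between the two approaches, as an added Python example that is not code from Evernote, Twitter, or anyone quoted in the article: a single salted MD5 pass beside PBKDF2-HMAC-SHA256 storage and verification, with a measurement of how much more each guess costs. The iteration count and the stored-record format are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def salted_md5(password: str, salt: bytes) -> str:
    """Weak scheme: one fast MD5 pass over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow scheme: per-user random salt plus many HMAC-SHA256 iterations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Assumed record format: scheme$iterations$salt$derived_key
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; reject malformed records."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def cost_ratio(md5_rounds: int = 20_000, kdf_rounds: int = 2) -> float:
    """CPU time of one PBKDF2 computation divided by one salted MD5 computation."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(md5_rounds):
        salted_md5(f"guess{i}", salt)
    md5_each = (time.perf_counter() - start) / md5_rounds
    start = time.perf_counter()
    for i in range(kdf_rounds):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, PBKDF2_ITERATIONS)
    kdf_each = (time.perf_counter() - start) / kdf_rounds
    return kdf_each / md5_each

if __name__ == "__main__":
    # A salt changes the output but not the per-guess cost of MD5.
    print(salted_md5("password", b""), salted_md5("password", os.urandom(16)))
    record = hash_password("password")
    print(record, verify_password("password", record))
    print(f"PBKDF2 costs about {cost_ratio():,.0f}x more per guess than salted MD5")
```

The salt forces an attacker to attack each record separately, but only the work factor changes how long each guess takes.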

"When you can do five billion [guesses] per second on one GPU, the salting doesn't make that much of a difference," Adam Caudill, a security consultant and software developer, told Ars. "You need something else, something like bcrypt, scrypt, or PBKDF2 to slow things down so you can't do 5 billion [guesses] per second."

In a blog post from 2011, Evernote engineer Dave Engberg seemed oblivious to this well-understood truism.

"In the case of a purely back-end MD5 hash," he wrote in response to a reader challenging the MD5 choice, "any hypothetical attacker doesn’t have access to either the output (the MD5 hash) or the original input (the user’s password and our salt), so there really isn’t any productive attack based on MD5 vulnerabilities."

Of course, the attackers who gained access to Evernote servers did have the ability to read the MD5 hash, we now know. Server breaches such as the one that hit the company are precisely the reason passwords aren't stored in plaintext to begin with. By requiring attackers to crack the hashes, the practice buys the breached company and affected end users time to reset passwords before the compromised data can be used to gain unauthorized access to accounts. In the case of Evernote, much of that benefit is lost, since the use of MD5 speeds up the cracking process.

To Evernote's credit, the security team appears to have caught the compromise quickly, and the service reset user passwords before the data could be used to hijack accounts. But given the high incidence of password reuse—the average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them—the hashes exposed in the Evernote hack could still be used against tens of millions of account users unless they change the corresponding passcodes on any other sites that used them. Evernote's decision to employ MD5 means those users have less time to reset those passwords than if the site used a more suitable algorithm.

Caudill criticized Evernote for other security omissions as well. For instance, the Evernote app for Android smartphones stores user passwords in encoded form using a scheme known as XOR. As a result, hackers who gain physical access to a phone, depending on the specific model, may be able to extract the passcode in a matter of minutes and then use it to gain unauthorized access to the Evernote account. He has also released a short script that streamlines the extraction process. In stark contrast to the Evernote design, standard practices call for login credentials to be stored on smartphones as an encrypted token or as a one-way hash.

Caudill also criticized Evernote's use of the RC2 cipher to encrypt sensitive user data. RC2 fell out of favor in the late 1990s, after researchers devised a simple attack that makes it relatively easy to extract the key used to secure the underlying data.

As online services try to convince us to trust them with more and more of our sensitive data, they have a responsibility to employ state-of-the-art software and techniques to harden their systems against hacking and minimize the damage when compromises do happen. Those consuming such services would do well to follow the example of security researcher Troy Hunt and call on them to publicly disclose their password storage regimen.

In an e-mail, an Evernote spokeswoman defended the security of the service.

"We think our password storage systems are secure, both in terms of the encryption algorithms and other measures, but we'll be reassessing every detail in response to this breach and will continue to stay up to date with the technology," she wrote. "We were also planning on rolling out optional two-factor authentication to all of our users later this year and are accelerating those plans now."

Scott also said Evernote engineers are planning a "significant upgrade" to the optional client-side encryption protection for later this year. She went on to say that an update planned for later this week will remove the current password-storage mechanism in the Evernote app for Android handsets. Security permissions allow the information to be accessed only by the app itself and by those with root permissions to the device.

Post updated to include comment from Evernote.