MD5? Unbelievable. I was relieved when I read salted and hashed on Evernote's blog post, but trying to sell MD5 as even remotely secure is actively idiotic. I'd rather get a "yeah we fucked up on the whole password storage thing" than "yeah MD5 is secure". Give me a break...

I was particularly impressed that their Android client uses the ultra secure XOR crypto scheme.