
Require security Pin when opening Evernote


zotje

Idea

There needs to be a security pin that locks Evernote from being accessed by strangers.  If someone loses or gets their laptop stolen, all the notes are there for the picking. A security pin is the least we would need to put up a barrier.  It would also be great if we could remove the laptop from accessible devices and make it trigger a deletion of all the data from the laptop before it can be accessed.  Right now, it just stops anyone from syncing the account, but all data is still there to view.

 

Thanks,

Glenn

Link to comment

39 replies to this idea


  • 1
  • Level 5*
1 hour ago, zotje said:

If someone loses or gets their laptop stolen, all the notes are there for the picking. A security pin is the least we would need to put up a barrier. 

I have a password on my computer to control access to the device; also a screensaver password
I also have a password on my Evernote account to control access to my notes

I also have an encryption password on sensitive data in my notes

I do like the PIN feature on my iPad; I use Touch ID (fingerprint)

  • Like 1
Link to comment
  • 1
  • Level 5*
35 minutes ago, zotje said:

There needs to be a security pin that locks Evernote from being accessed by strangers.  If someone loses or gets their laptop stolen, all the notes are there for the picking. A security pin is the least we would need to put up a barrier.  It would also be great if we could remove the laptop from accessible devices and make it trigger a deletion of all the data from the laptop before it can be accessed.  Right now, it just stops anyone from syncing the account, but all data is still there to view.

 

Thanks,

Glenn

They are there for the picking anyway. Your Evernote database on your PC/Mac is largely clear-text. You should both encrypt your hard drive and secure your device with a password.

  • Like 2
Link to comment
  • 1
  • Level 5*
5 minutes ago, DTLow said:

Good point, on Macs we have FileVault built into the OS https://support.apple.com/en-ca/HT204837

PCs have Bitlocker depending on the version of Windows you have or you can right-click and encrypt your Evernote folder - it will turn green when encrypted.

You can use VeraCrypt on both platforms too. There are others as well. Always ALWAYS encrypt your machine. Otherwise, I can steal it, take out the HD and attach it to a USB enclosure and have full access to your data.

  • Like 1
Link to comment
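A way to verify the advice in the post above, as an added example that is not part of the thread: it parses the status text printed by `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault) and reports why a stolen disk would still be readable. The sample outputs are constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample of `manage-bde -status C:` output (not captured from a real machine).
BDE_PROTECTED = """\
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.87 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numeric Password
"""
# Protection suspended: still "Fully Encrypted", but a clear key is stored on the
# disk, so the data is readable without the TPM or password.
BDE_SUSPENDED = BDE_PROTECTED.replace("Protection On", "Protection Off")
BDE_PLAIN = (BDE_PROTECTED.replace("Fully Encrypted", "Fully Decrypted")
             .replace("100.0%", "0.0%").replace("Protection On", "Protection Off"))

def parse_manage_bde(text):
    """Return the indented 'Name: value' fields of a manage-bde status report."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z ]+?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def bitlocker_findings(text):
    """List the reasons a stolen disk would still be readable; empty means protected."""
    f = parse_manage_bde(text)
    findings = []
    if f.get("Conversion Status") != "Fully Encrypted":
        findings.append("volume is not fully encrypted: %s" % f.get("Conversion Status"))
    if f.get("Protection Status") != "Protection On":
        findings.append("protection is off or suspended: %s" % f.get("Protection Status"))
    return findings

def filevault_findings(text):
    """`fdesetup status` prints 'FileVault is On.' once FileVault is enabled."""
    status = text.strip()
    # Conservative: treat an encryption or decryption still in progress as a finding.
    if status.startswith("FileVault is On") and "in progress" not in status:
        return []
    return ["FileVault is not fully on: %s" % status]

if __name__ == "__main__":
    for name, sample in [("protected", BDE_PROTECTED), ("suspended", BDE_SUSPENDED),
                         ("plain", BDE_PLAIN)]:
        print(name, bitlocker_findings(sample))
    print("mac", filevault_findings("FileVault is Off."))
```

On a real machine, feed the functions the text captured from the two commands; `manage-bde` needs an elevated prompt.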
  • 0
  • Level 5*
22 minutes ago, EdH said:

They are there for the picking anyway. Your Evernote database on your PC/Mac is largely clear-text. You should both encrypt your hard drive and secure your device with a password.

Good point, on Macs we have FileVault built into the OS https://support.apple.com/en-ca/HT204837.  This also has a remote-wipe feature

  • Like 1
Link to comment
  • 0

Thanks everyone!  I already had my personal laptop's drive encrypted with bitlocker.  I am probably just paranoid but I wanted some sort of functionality similar to keepass where it prompts me for a passcode when it times out or the computer has been locked.  Maybe it is just overkill, but when you sit in the airport in Atlanta and realize you left your laptop in a TSA bin in North Carolina, it would definitely calm my anxiety.

Link to comment
  • 0
  • Level 5*
2 hours ago, zotje said:

Thanks everyone!  I already had my personal laptop's drive encrypted with bitlocker.  I am probably just paranoid but I wanted some sort of functionality similar to keepass where it prompts me for a passcode when it times out or the computer has been locked.  Maybe it is just overkill, but when you sit in the airport in Atlanta and realize you left your laptop in a TSA bin in North Carolina, it would definitely calm my anxiety.

Your laptop should be configured to lock when the lid is closed (assuming not on a docking station.) So for the TSA scenario to work, you'd have to turn your laptop on, log in, then walk away. I'd never log my laptop in for the TSA or anyone without a warrant.

Link to comment
  • 0

I would like Evernote's security to work on my PC the same way it does on my smartphone.  There should be a parameter such that if Evernote has not been used for a specified number of minutes, it should require the password.

I don't have any personal information on my computers for which I would be in trouble if my computer were to be stolen - except what I have in LastPass and in Evernote.  So, I expect my Evernote data to be encrypted and password-protected.  I don't want to have to log in and out of my computer every time I use it.  I don't want to have to enter passwords to access any of my files - except those in LastPass and in Evernote.

So, why does the Evernote team not take security seriously?  It's secured in the cloud but not on our machines?  This should be an easy enhancement to add.  We end-users should not have to take on the job of figuring out how to secure our data.  Evernote should do this.

Link to comment
  • 0
  • Level 5*
12 hours ago, artlieberman said:

I would like Evernote's security to work on my PC the same way it does on my smartphone.  There should be a parameter such that if Evernote has not been used for a specified number of minutes, it should require the password.

I don't have any personal information on my computers for which I would be in trouble if my computer were to be stolen - except what I have in LastPass and in Evernote.  So, I expect my Evernote data to be encrypted and password-protected.  I don't want to have to log in and out of my computer every time I use it.  I don't want to have to enter passwords to access any of my files - except those in LastPass and in Evernote.

So, why does the Evernote team not take security seriously?  It's secured in the cloud but not on our machines?  This should be an easy enhancement to add.  We end-users should not have to take on the job of figuring out how to secure our data.  Evernote should do this.

All of your Evernote data is on your PC in plain text unless you have specifically encrypted text in a note. If you want to take security seriously, encrypt your hard drive and secure your account with a password. That is a better solution than hundreds of app developers creating their own security model.

The desktop model is quite different than the phone model. Desktops don't segregate data by app into secure databases like apps do, so by using a PIN on an app, the developer is tying into the platform security model and it is secure. If they put a pin on your Evernote app, that would be about as secure as putting a rope around a door handle and looping it to a nail to secure your house. 

Link to comment
  • 0
  • Level 5*
13 hours ago, artlieberman said:

I would like Evernote's security to work on my PC the same way it does on my smartphone.  There should be a parameter such that if Evernote has not been used for a specified number of minutes, it should require the password.

I added my vote to this request (voting buttons in the top left corner of the discussion)

While I'm sure Evernote "take security seriously", there are limited development resources.  The work must be prioritized.

 

Link to comment
  • 0
  • Level 5*
5 hours ago, jozefk said:

Without PIN anyone who can access the PC I use at work can read all my notes.

Your Evernote data is protected by your account password; log out of your account.

Link to comment
  • 0

Ok, so my Evernote data is in plain text on my PC somewhere.  But... if someone steals my PC, they might click on the Evernote icon to see what it is.  But they probably won't go scouring the disk drive looking for the actual data files.  If we had a time-out parameter that would require us to re-enter the password after X minutes of disuse [refer to how LastPass works], at least we'd be making it more difficult for someone to see my data.  I don't want to have to remember to log out every time I walk away from my computer.

Link to comment
  • 0
  • Level 5*
13 minutes ago, artlieberman said:

So... why doesn't Evernote encrypt our data?

It is on their servers. They are relying on your PC and local security, just like 99.9% of all apps out there that don't support local data encryption. Your user profile should be locked via password, and your hard drive should be encrypted.

If you don't want anyone able to get to the data at all even if logged in as you, which your IT department could do, you'll need to just use the website. 

Link to comment
  • 0
  • Level 5*
38 minutes ago, artlieberman said:

But... if someone steals my PC, they might click on the Evernote icon to see what it is.  But they probably won't go scouring the disk drive looking for the actual data files.  If we had a time-out parameter that would require us to re-enter the password after X minutes of disuse ...

Do you not have device security?

My local disc is encrypted (Mac FileVault); also screen timeout.

  • Like 1
Link to comment
  • 0
18 hours ago, DTLow said:

Your Evernote data is protected by your account password; log out of your account.

That means I log in and out every moment I leave the desk and come back. Not the best solution.

  • Like 1
Link to comment
  • 0
  • Level 5*
12 hours ago, jozefk said:

That means I log in and out every moment I leave the desk and come back. Not the best solution.

Windows+L to lock your machine when you leave it.

  • Thanks 1
Link to comment
  • 0
  • Level 5*
11 hours ago, jozefk said:

Everybody already knows the PIN and that's how it should be anyway. It's the company's PC, not my personal one.

Then you shouldn't install Evernote on your company PC unless you agree to effectively share that data with your company. It is their PC. You can uninstall Evernote, remove the folders, then use the web version.

I honestly cannot think of a single app on Windows that has a PIN lock on it. Or my Mac. It is something that has become a bit more common on mobile platforms as parents let kids play games or watch netflix, but don't want them to have access to apps like Evernote, Lastpass, etc. Plus, it is strangely common that people don't lock their phone, which is why most apps with confidential info have their own password schemes, but those all hook (generally, on iOS at least) into TouchID/FaceID.

If you only have some notes that are sensitive, you can encrypt those individually by selecting the text, right-clicking, and encrypt. Just don't forget your password. There is no recovery available for a lost password on an encrypted note.

  • Like 2
Link to comment
  • 0
17 minutes ago, EdH said:

I honestly cannot think of a single app on Windows that has a PIN lock on it.

LastPass on my PC.   I have its settings such that it will require the access password to be typed again if LastPass has not been used for 30 minutes.  This would be a really simple thing for Evernote to implement.

Link to comment
  • 0
  • Level 5*
Just now, artlieberman said:

LastPass on my PC.   I have its settings such that it will require the access password to be typed again if LastPass has not been used for 30 minutes.  This would be a really simple thing for Evernote to implement.

I understand it is simple to say that, but Lastpass is nothing but a password manager. A 100% password manager and it is encrypted on all platforms everywhere. Totally different purpose. I don't know about an app for Windows. I use it, but it is an extension in Chrome and Brave for me, not an app in the start menu or an app that even resides on my PC - other than wherever Chrome keeps Extension information.

And again, a PIN is 100% useless for Evernote even if they created it. The evernote database is essentially PLAIN TEXT. You can read it in Notepad.

Link to comment
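The point made in the post above, as an added example that is not from the thread and is not Evernote's code or file format: a hypothetical notes app (`PinGatedNotes`, an assumption of this example) whose PIN gates only the UI while its SQLite file is unencrypted, plus an at-rest check that reads the file directly. The note body and PIN are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile

class PinGatedNotes:
    """Hypothetical notes app: a PIN gates the UI, the SQLite file is unencrypted."""

    def __init__(self, path, pin):
        self.path = path
        self._pin_digest = hashlib.sha256(pin.encode()).digest()  # in memory, demo only
        self._run("CREATE TABLE IF NOT EXISTS notes (title TEXT, body TEXT)")

    def _run(self, sql, args=()):
        db = sqlite3.connect(self.path)
        try:
            rows = db.execute(sql, args).fetchall()
            db.commit()
            return rows
        finally:
            db.close()

    def add(self, title, body):
        self._run("INSERT INTO notes VALUES (?, ?)", (title, body))

    def read_all(self, pin):
        # The only thing the PIN controls is whether this method returns rows.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            raise PermissionError("wrong PIN")
        return self._run("SELECT title, body FROM notes")

def plaintext_at_rest(path, marker):
    """At-rest check: does the marker appear verbatim in the file's raw bytes?"""
    with open(path, "rb") as fh:
        return marker.encode() in fh.read()

def demo():
    secret = "constructed-note-body-4711"  # constructed sample data
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.db")
        app = PinGatedNotes(path, pin="2468")
        app.add("bank", secret)
        try:
            app.read_all("0000")
            ui_blocked = False
        except PermissionError:
            ui_blocked = True
        # The UI refused the wrong PIN, yet the note is readable from the file.
        return ui_blocked, plaintext_at_rest(path, secret)

if __name__ == "__main__":
    print("UI blocked wrong PIN: %s, note readable from file: %s" % demo())
```

The check only turns False when the file contents are encrypted with a key that is not stored beside them, which is what disk encryption or an encrypted database provides and a UI lock does not.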
  • 0
  • Level 5*
36 minutes ago, artlieberman said:

Well, then, the bigger question:  Why doesn't Evernote encrypt the data?

I would like to see end-to-end encryption.  

We can encrypt our own data but we lose Evernote features; OCR, indexing for search, ...

 

Link to comment
  • 0
1 hour ago, artlieberman said:

Well, then, the bigger question:  Why doesn't Evernote encrypt the data?

I would expect a significant performance penalty when working with a large encrypted database, but if they were able to make encryption optional, that may be a reasonable compromise for those who require encryption, I would think.

On the other hand, encryption could turn out to be a support nightmare for them.  A business level subscription option, maybe?

Link to comment
  • 0
  • Level 5*
9 minutes ago, Don Dz said:

I would expect a significant performance penalty when working with a large encrypted database, but if they were able to make encryption optional, that may be a reasonable compromise for those who require encryption, I would think.

On the other hand, encryption could turn out to be a support nightmare for them.  A business level subscription option, maybe?

Or, encrypt the hard drive via Bitlocker (Windows) or FileVault (macOS).

  • Free
  • Very fast
  • often handled at hardware level vs software encryption
Link to comment
  • 0
  • Level 5*
3 minutes ago, Don Dz said:

With Home it only works with devices with TPM chips, apparently the Surface is one of them.

Bitlocker requires a TPM chip.  I don't think it is limited to Home.

Link to comment
  • 0
11 minutes ago, s2sailor said:

Bitlocker requires a TPM chip.  I don't think it is limited to Home.

Search for either "bitlocker without tpm chip windows 10", or “Allow Bitlocker without compatible TPM chip”.

It is my understanding the workarounds only work with Windows Pro or Enterprise, with Home you need TPM.

Not an expert, just reading the sites.

Link to comment
  • 0
  • Level 5*

Most PCs today have a TPM. 

 

Besides, this is a red herring. The OP was about installing Evernote on a work pc and not wanting the company to have access. That isn’t Home, it is probably encrypted anyway, and anything you install on your work PC is available to your company. Period. 

  • Thanks 1
Link to comment
  • 0

As I've seen from searching the community feedback on the privacy problem that I have - Evernote PC has no password nor pin - it turns out I'm not the only one, and I'm very late to this issue too.

I've seen old posts that talk about this, as old as 5 years and even more. I don't get why this isn't a basic priority for the user experience. I know some of the users here will probably recommend "It's no big deal, you can lock your PC anyway.. or You can just log off from your Evernote account and just log back in when you need to" as they have replied in the previous thread before, but why do we even need to discuss?

A lock feature exists in a lot of other PC apps for a reason and surely it makes me feel more secure, especially knowing that this particular app stores many personal ideas and important information. Adding a lock feature by password or pin should be a reasonable option knowing the service that Evernote provides, and I wonder, would it harm the company in any way to apply a lock feature in Windows? There are emerging rival note apps that I've tried such as J*****y that provide more privacy and plenty of features that Evernote doesn't have - yet I still love Evernote and have already gotten used to it as my main note app and I really want to keep it that way. I feel like the devs don't pay enough attention, given the fact that this problem has existed for years and has been suggested by multiple users already. I hope I'm wrong and they are actually considering this atm.

There are users of various backgrounds and conditions that would benefit from adding the security feature. For me, I am an older brother of 2 younger sisters who rely on my laptop for their school assignments. I don't like the idea of logging off my account every time they borrow it because this is my laptop; also sometimes I need to access Evernote quickly since I often get random complex ideas that I need to write down asap, and I know logging in compared to a pin or password would surely feel a lot longer and inconvenient in such a hurried moment.

Please.. add this feature, for I have been enjoying this app for years and Evernote has been my pal through many hard times in high school and college. My thoughts and ideas are very important to me and I want to store them on my PC safely too.

Link to comment
  • 0
  • Level 5*

Hi.  There's a votable request for this function here but basically what you're asking Evernote to do boils down to inventing some way to get around the fact you're using a laptop in an insecure way.  It should be possible to set up suitably limited profiles in the OS that your sisters can use,  and which will allow you to interrupt -if necessary- to log on as another user with full access to your own notes and software,  then return access to them.  There will be some logging on and off involved - but that's what you're asking Evernote to set up anyway.  I'm guessing that despite the age and apparent popularity in the forums of this request it's not a significant request amongst the 250M or so current users.  

Link to comment
  • 0
  • Level 5*
On 9/18/2020 at 4:49 PM, AnandaRami said:

Adding a lock feature by password or pin should be a reasonable option

Merged with an ongoing discussion for this feature   
To  indicate support, use the vote button at the top left corner of the discussion

Link to comment
  • 0
On 3/14/2019 at 4:39 PM, EdH said:

Or, encrypt the hard drive via Bitlocker (Windows) or FileVault (macOS).

  • Free
  • Very fast
  • often handled at hardware level vs software encryption

Bitlocker is great but totally useless in the scenarios described here, which is a shared user environment with the decryption key already running in memory, so on a shared system where everyone knows the Windows logon password it is utterly useless to have Bitlocker. What matters is encryption being enabled on the database separate and apart from any Windows security control. Having layers of security controls is literally the cornerstone of good security.

Also, despite your claims to the contrary here, TouchID has existed for years for both OneNote & Notes on OS X and Windows Hello for OneNote using fingerprint or IR cams. They cannot be edited in Notepad.

Link to comment
  • 0
  • Level 5

Nobody will change anything on 6.25 any more. This legacy client is end of life.

Regarding the new client the answer is as before: On any computer the personal accounts should be secured by a user and password.

If this is not possible, use the web client, or log out of the desktop client, removing all data through the correct settings.

If you don’t remove the local data even if the client would be pin-protected, the local database is readable without opening the client.

Link to comment
