MiriamP, posted January 19, 2022

I just activated 2FA with an Authenticator app. The flow was not-very-straightforward - I can't reproduce exactly, but there was at least one loop in it because the email arrived on mobile while I was doing my changes on desktop. But in the end, after two tries, I had it activated.

I then decided to change my password, as it was old. Two strange things happened:

- I had to enter my old password, then my new password, twice, then press Next. Then I had to reconfirm the change, again, using the old password. For anyone who uses a password manager that you can have update immediately (something you want!), this is pretty terrible, because the old password has then been, you guessed it, overwritten. I also can't remember in a password changing flow having to reconfirm with the old password after the password has changed. Does this seem strange to anyone else? So, I lost my brand new password because of this.

- I then requested a password reset. I got a reset option sent by mail. When I used it, on desktop, I fully expected to be asked to Authenticate. I just activated 2FA, after all. I wasn't asked to authenticate a password change at all. I tried again on mobile - same deal, no authentication asked. The only explanation I can think of is that authentication lasts an x amount of time, and I'd turned it on only 30 minutes before that, but I'm not sure this should be a thing. I would expect any and all password changes, especially, to need authentication.

Is there an idea behind this? Thanks.

gazumped (Level 5*), posted January 19, 2022

34 minutes ago, MiriamP said:
> Is there an idea behind this?

Hi. I doubt it - it looks like you just managed to find a gap somewhere between being logged in with an old password and authenticated a couple of different ways where the system thinks you're in the middle of changing the password and just let it go.

As long as you do have 2FA active and a unique password used only in Evernote, you should be as safe as it is possible to be.

We're a user-supported forum though, so with all matters connected to security - contact Support if you want a specific answer.

PinkElephant (Level 5), posted January 20, 2022

Good password managers hold a password history. I am using 1Password, and it keeps track of all former passwords. If I need to, I can recall them from the app's memory.

About the rest of your description, I really can't follow it through. I think something got mixed up while trying.