Login with gmail concern/question

[verando 4]

Hi.  I have a question related to login with Gmail.  So I created my EN account using the "Login with Gmail" option.  I noticed that after my account was created, I can also try logging in using the regular email option, putting in my Gmail address.  Of course, since I used "Login with Gmail" I don't have a password.

     My question is: is there somehow a password that was created that I don't know about (that could be brute-forced?)

What I would have liked is that EN should say "There is no account for the username or email you entered." if I logged in, but I guess on the back end my account has been associated to the email address associated with the Gmail account I used.

This scenario reminded me of one EN user on reddit who complained that he/she got hacked even if they used login with Gmail account option.  I thought one way that user got hacked is if they inadvertently supplied a password when they logged in using actual gmail email address, then forgot about it, then they got brute-forced.  But that's just my guess.

P.S. - since I was paranoid about this, I just enabled 2FA to add an extra layer of login security.

[agsteele 2,955]

Adding the 2FA stuff was absolutely the correct thing to do regardless of your concern.

It is sometime since I operated Evernote using Google login. My recollection was that to switch to regular Email login I had to generate a password via the list password process. But I may be incorrect since it was many years back and I now have a forgettery rather than a memory.

I don't generally use Google SSO login on any service so would commend the standard login myself and use a password cache program such as KeePassXC, 1password, NordPass etc.

[gazumped 11,704]

Just to note that you can add (or change) a password - details here:  https://help.evernote.com/hc/en-us/articles/230436427

[verando 4]

Thanks for your replies agsteele and  gazumped !

Generally when I sign up for web services I use Google SSO for convenience (and thinking it was the safe option since I don't have to create/remember easy passwords).  Only recently it got me thinking about the mentioned brute-force scenario.  But each site implements it differently, so to be on the safe side I'll just follow the general recommendation to turn on 2FA / use a good password manager.