Evernote blocks your log in because they decide your password is not safe enough (though it is really safe)

[pablovs 1]

I have a password that is considered very secure to access my Evernote account. However, Evernote has blocked my access to my account because they have decided that my password includes "common names". They didn't advised me to change my account. They didn't allow me to access my data, even if may password was really safe. I had to change the password again, which resulted in significant lost time and, above all, changing the way I design my passwords. This is an anecdote, but important because it indicates a paternalistic and very intrusive attitude, and it makes me think that if Evernote operates like this with everything, I should reconsider maintaining my subscription. And it would be a shame, because in other aspects, they are improving a lot

[gazumped 11,841]

Hi.  Evernote do try to protect users from security breaches,  and in this instance may have been a little over the top. 

On this sort of issue I'd rather they overreact than take no action at all.  I don't know exactly what warning message you were shown,  but you were never 'blocked' from your notes - changing the password was always the way forward. 

(Since Evernote should have its own unique password - there's no need to change the way you design the rest.)

[VincentC 284]

"Considered secure" (I wonder by whom) or not, it's possible, perhaps likely, that your old password was compromised.  I can't remember where I read this - or it might have been an interview with Federico -  but my understanding is that Evernote checks user passwords against the Have I Been Pwned database or a similar service. My understanding is that, if the login credentials you are using have been reported by that service to have been compromised in a data breach somewhere, Evernote will require a password change.  

In any event, I myself am quite happy that Evernote goes to such "paternalistic" lengths to keep bad actors out of the Evernote servers.  

 

Vinnie

[Jon/t 1,460]

45 minutes ago, VincentC said:

Checks user passwords against the Have I Been Pwned database

They do. Advise the OP to check their details against this database and maybe change other sites passwords. 

[pablovs 1]

Thanks for the feedback. It is true that it is a minor issue and that prioritizing security is a better solution than doing nothing and exposing my data to irregular access. However, in this case, what I think failed is communication. If a company detects a possible risk of my passwords being exposed, they should communicate it to me in that way, and not say that my password uses words they do not consider secure. In this case, what seems to have happened is that some programmed algorithm acted on its own and decided to block access to my account instead of informing me of their analysis so that I can decide what to do with my data. And, if that was the case, what worries me is that another algorithm might someday decide that some content in my account is not acceptable to them, or any other similar AI system error. By the way, it wasn't me who considered my password secure, but all the systems that evaluate passwords as you type them. In any case, I continue to use Evernote because I like it (more now than before).

[gazumped 11,841]

4 hours ago, pablovs said:

they should communicate it to me in that way, and not say that my password uses words they do not consider secure

Hi.  Evernote had something in the hundreds of millions of users,  and Bending Spoons has more...  I don't think a polite exchange of emails is a timely way to deal with anything perceived as a security issue...  Unless you specifically request it however,  there is zero oversight of your note content in your own account.  (Other than,  if you are particularly conspiracy minded,  your friendly neighbourhood intelligence service). - All bets are off,  of course if you share content with anyone...

[PinkElephant 8,418]

BTW this function is found in more and more services. My browser has this type of warnings now, my password manager has it since quite a while.

They don't actually compare passwords in all cases, they often only compare hashes of passwords (a hash is like an electronic fingerprint - same password generates the same hash, but it is not possible to compute the password from the hash).

I think if there are other anomalies (like maybe a login attempt from an unusual IP) it's reasonable to block the account, to make sure only the legitimate user will have access.

[patefoniQ 1]

On 5/4/2024 at 11:21 AM, pablovs said:

I have a password that is considered very secure to access my Evernote account. However, Evernote has blocked my access to my account because they have decided that my password includes "common names". They didn't advised me to change my account. They didn't allow me to access my data, even if may password was really safe. I had to change the password again, which resulted in significant lost time and, above all, changing the way I design my passwords. This is an anecdote, but important because it indicates a paternalistic and very intrusive attitude, and it makes me think that if Evernote operates like this with everything, I should reconsider maintaining my subscription. And it would be a shame, because in other aspects, they are improving a lot

I agree 100% with that. I have never seen such a dumb process, never! I have enabled 2fa, so the decision belongs to me to make my life easier and choose the correct compromise between security and ease of use, isn't it -- I have no words to say how stupid that move was. Even more, if you are checking the passwords against "common names" as you called it means that you write somewhere those passwords and check them. Is it secure? Are you sure? I'm embarrassed and furious, and I am seriously considering keeping both of my subscriptions -- Yes, I have 2 subscriptions.
You are so dumb Evernote team, seriously!!

[gazumped 11,841]

3 minutes ago, patefoniQ said:

You are so dumb, seriously!!

It is true that I am catastrophically dumb,  but sadly I'm not Evernote. 

We're mainly other users here. For a more timely notification please send a request to feedback@evernote.com (you get a 'thankyou' response but nothing further) or raise this with Support - https://help.evernote.com/hc/requests/new - (be very patient for a response here)

In general: it's far better to send feature requests and minor bug reports via feedback.  With millions of users,  Evernote can't keep individuals in the loop for bug fixes or possible future developments - if and when your issue is resolved it will come as part of a future update.  Support is meant for major issues like access and subscriptions.

[patefoniQ 1]

1 minute ago, gazumped said:

It is true that I am catastrophically dumb,  but sadly I'm not Evernote. 

I corrected my post, sorry for that. I meant the Evernote team here.

[PinkElephant 8,418]

Maybe you should learn a little bit about cyber security:

• Security is created with layers an attacker needs to pass. Having a strong layer enabled (like 2FA) does not excuse having a weak layer (ease of use password - LOL - what do you use, „password“ ?). To get strong passwords with ease of use, use a password manager. 
• You can find out if passwords used are weak without knowing the password. This is especially true if you are the operator of a service where your users log in. You can work it out based on the hash generated. You just run a file with passwords from web breaches against your hashing algorithm, compare with your logs, and bang - all identical user hashes found use one of these cracked and circulating passwords.

It would be a very stupid idea to offer a cloud service these days allowing users to access with weak credentials. And in my opinion it is stupid to start whining and ranting about being notified - instead of learning what‘s wrong, and fix it.

It is your security in the end. And I am dead sure you apply the same nonsensical strategy to most of your accounts - for the „ease of use“.

This page allows to run your passwords or user names (but not in combination, for obvious reasons) against a database from breaches circulating in the dark net. Check it out - the weekend is coming, you have enough spare time to brew new access credentials for your „ease-of-use“ accounts.

https://haveibeenpwned.com