
Evernote blocks your log in because they decide your password is not safe enough (though it is really safe)


Recommended Posts

I have a password that is considered very secure to access my Evernote account. However, Evernote has blocked my access to my account because they have decided that my password includes "common names". They didn't advise me to change my account. They didn't allow me to access my data, even if my password was really safe. I had to change the password again, which resulted in significant lost time and, above all, changing the way I design my passwords. This is an anecdote, but important because it indicates a paternalistic and very intrusive attitude, and it makes me think that if Evernote operates like this with everything, I should reconsider maintaining my subscription. And it would be a shame, because in other aspects, they are improving a lot.

Link to comment
  • Level 5*

Hi.  Evernote do try to protect users from security breaches,  and in this instance may have been a little over the top. 

On this sort of issue I'd rather they overreact than take no action at all.  I don't know exactly what warning message you were shown,  but you were never 'blocked' from your notes - changing the password was always the way forward. 

(Since Evernote should have its own unique password - there's no need to change the way you design the rest.)

Link to comment

"Considered secure" (I wonder by whom) or not, it's possible, perhaps likely, that your old password was compromised.  I can't remember where I read this - or it might have been an interview with Federico -  but my understanding is that Evernote checks user passwords against the Have I Been Pwned database or a similar service. My understanding is that, if the login credentials you are using have been reported by that service to have been compromised in a data breach somewhere, Evernote will require a password change.  

In any event, I myself am quite happy that Evernote goes to such "paternalistic" lengths to keep bad actors out of the Evernote servers.  

 

Vinnie

  • Like 1
Link to comment
45 minutes ago, VincentC said:

Checks user passwords against the Have I Been Pwned database

They do. Advise the OP to check their details against this database and maybe change other sites' passwords.

  • Like 1
Link to comment
  • 2 weeks later...

Thanks for the feedback. It is true that it is a minor issue and that prioritizing security is a better solution than doing nothing and exposing my data to irregular access. However, in this case, what I think failed is communication. If a company detects a possible risk of my passwords being exposed, they should communicate it to me in that way, and not say that my password uses words they do not consider secure. In this case, what seems to have happened is that some programmed algorithm acted on its own and decided to block access to my account instead of informing me of their analysis so that I can decide what to do with my data. And, if that was the case, what worries me is that another algorithm might someday decide that some content in my account is not acceptable to them, or any other similar AI system error. By the way, it wasn't me who considered my password secure, but all the systems that evaluate passwords as you type them. In any case, I continue to use Evernote because I like it (more now than before).

Link to comment
  • Level 5*
4 hours ago, pablovs said:

they should communicate it to me in that way, and not say that my password uses words they do not consider secure

Hi.  Evernote had something in the hundreds of millions of users,  and Bending Spoons has more...  I don't think a polite exchange of emails is a timely way to deal with anything perceived as a security issue...  Unless you specifically request it however,  there is zero oversight of your note content in your own account.  (Other than,  if you are particularly conspiracy minded,  your friendly neighbourhood intelligence service). - All bets are off,  of course if you share content with anyone...

Link to comment
  • Level 5

BTW this function is found in more and more services. My browser has this type of warning now, and my password manager has had it for quite a while.

They don't actually compare passwords in all cases; they often only compare hashes of passwords (a hash is like an electronic fingerprint: the same password generates the same hash, but it is not possible to compute the password from the hash).

I think if there are other anomalies (like maybe a login attempt from an unusual IP) it's reasonable to block the account, to make sure only the legitimate user will have access.

Link to comment
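The hash-based comparison described in the post above, as an added example that is not part of the original thread and not Evernote's own code. It follows the public Have I Been Pwned "Pwned Passwords" range scheme: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the service, receives every known suffix under that prefix with a breach count, and finishes the comparison locally, so the full password never leaves the device. The network fetch is replaced here by a constructed in-memory lookup table so the code runs offline; the counts and the extra suffixes in that table are made up, and the `BreachPolicy` decision is an assumed policy, not a description of any vendor's rule.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict

# Real service endpoint shape (not contacted here): GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
# Response body: one "SUFFIX:COUNT" line per known hash sharing that prefix.


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the format the range service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in breach data, or 0 if unseen.

    fetch_range(prefix) must return the text body for that prefix. Only the
    prefix is handed to it; the suffix comparison happens in this function.
    """
    prefix, suffix = split_for_range_query(password)
    body = fetch_range(prefix)
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        known_suffix, _, count = line.partition(":")
        if known_suffix.upper() == suffix:
            return int(count)
    return 0


@dataclass
class BreachPolicy:
    """Assumed policy: force a change once a password is seen at least `threshold` times."""
    threshold: int = 1

    def requires_change(self, password: str, fetch_range: Callable[[str], str]) -> bool:
        return breach_count(password, fetch_range) >= self.threshold


# Constructed offline stand-in for the range service. The prefix 5BAA6 belongs to
# SHA-1("password"); its real suffix is listed with a made-up count alongside two
# invented suffixes so the lookup has to pick the right line.
_FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP call; unknown prefixes return an empty body."""
    return _FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    policy = BreachPolicy()
    for candidate in ("password", "constructed-unique-passphrase-2024"):
        prefix, _ = split_for_range_query(candidate)
        seen = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: sent prefix {prefix}, seen {seen} times, "
              f"change required: {policy.requires_change(candidate, fake_fetch_range)}")
```

The design point for a defender is the split in `split_for_range_query`: a service that checks credentials this way learns only a five-character prefix shared by many hashes, which is why a password can be flagged as breached without the service ever receiving it in the clear.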
