pablovs, Posted May 4
I have a password that is considered very secure to access my Evernote account. However, Evernote has blocked my access to my account because they have decided that my password includes "common names". They didn't advise me to change my account. They didn't allow me to access my data, even if my password was really safe. I had to change the password again, which resulted in significant lost time and, above all, changing the way I design my passwords. This is an anecdote, but important because it indicates a paternalistic and very intrusive attitude, and it makes me think that if Evernote operates like this with everything, I should reconsider maintaining my subscription. And it would be a shame, because in other aspects, they are improving a lot.
gazumped (Level 5*), Posted May 4
Hi. Evernote do try to protect users from security breaches, and in this instance may have been a little over the top. On this sort of issue I'd rather they overreact than take no action at all. I don't know exactly what warning message you were shown, but you were never 'blocked' from your notes - changing the password was always the way forward. (Since Evernote should have its own unique password - there's no need to change the way you design the rest.)
VincentC, Posted May 4
"Considered secure" (I wonder by whom) or not, it's possible, perhaps likely, that your old password was compromised. I can't remember where I read this - or it might have been an interview with Federico - but my understanding is that Evernote checks user passwords against the Have I Been Pwned database or a similar service. My understanding is that, if the login credentials you are using have been reported by that service to have been compromised in a data breach somewhere, Evernote will require a password change. In any event, I myself am quite happy that Evernote goes to such "paternalistic" lengths to keep bad actors out of the Evernote servers.
Vinnie
Jon/t, Posted May 4
45 minutes ago, VincentC said: "Checks user passwords against the Have I Been Pwned database"
They do. Advise the OP to check their details against this database and maybe change other sites' passwords.
pablovs (Author), Posted May 18
Thanks for the feedback. It is true that it is a minor issue and that prioritizing security is a better solution than doing nothing and exposing my data to irregular access. However, in this case, what I think failed is communication. If a company detects a possible risk of my passwords being exposed, they should communicate it to me in that way, and not say that my password uses words they do not consider secure. In this case, what seems to have happened is that some programmed algorithm acted on its own and decided to block access to my account instead of informing me of their analysis so that I can decide what to do with my data. And, if that was the case, what worries me is that another algorithm might someday decide that some content in my account is not acceptable to them, or any other similar AI system error. By the way, it wasn't me who considered my password secure, but all the systems that evaluate passwords as you type them. In any case, I continue to use Evernote because I like it (more now than before).
gazumped (Level 5*), Posted May 18
4 hours ago, pablovs said: "they should communicate it to me in that way, and not say that my password uses words they do not consider secure"
Hi. Evernote had something in the hundreds of millions of users, and Bending Spoons has more... I don't think a polite exchange of emails is a timely way to deal with anything perceived as a security issue... Unless you specifically request it however, there is zero oversight of your note content in your own account. (Other than, if you are particularly conspiracy minded, your friendly neighbourhood intelligence service). - All bets are off, of course, if you share content with anyone...
PinkElephant (Level 5), Posted May 19
BTW this function is found in more and more services. My browser has this type of warning now, and my password manager has had it for quite a while. They don't actually compare passwords in all cases, they often only compare hashes of passwords (a hash is like an electronic fingerprint - same password generates the same hash, but it is not possible to compute the password from the hash). I think if there are other anomalies (like maybe a login attempt from an unusual IP) it's reasonable to block the account, to make sure only the legitimate user will have access.
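The hash comparison described in the posts above, as an added example that is not part of the thread and not Evernote's code: an offline model of a breached-password lookup in which the caller reveals only the first five hex characters of a SHA-1 hash and matches the rest locally, which is how the Have I Been Pwned Pwned Passwords range lookup works. The corpus, function names and reset policy are constructed for illustration.

```python
import hashlib

# Constructed sample of breached passwords with sighting counts (not real breach data).
CONSTRUCTED_CORPUS = {"password123": 120000, "Summer2023!": 4200, "michael1985": 310}
PREFIX_LEN = 5  # hex characters of the hash that the caller reveals


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password. Used here only as a lookup key
    for breach matching; it is not a suitable way to store passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: dict) -> dict:
    """Service side: keep hashes only, bucketed by their first PREFIX_LEN characters."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_query(index: dict, prefix: str) -> dict:
    """Service side: return every suffix in the bucket. The service sees only
    the prefix, so it cannot tell which hash the caller holds."""
    return dict(index.get(prefix, {}))


def breach_count(index: dict, password: str) -> int:
    """Caller side: send the prefix, then compare the suffix locally."""
    digest = sha1_hex(password)
    bucket = range_query(index, digest[:PREFIX_LEN])
    return bucket.get(digest[PREFIX_LEN:], 0)


def login_decision(index: dict, password: str) -> str:
    """Hypothetical policy: require a reset when the password is in breach data,
    and say so in the message shown to the user."""
    seen = breach_count(index, password)
    if seen > 0:
        return f"reset_required: this password appears in known breach data ({seen} sightings)"
    return "ok"


INDEX = build_index(CONSTRUCTED_CORPUS)
```

A match says only that the same string has appeared in some breach corpus, not that this particular account was compromised, which is why a password that strength meters rate highly can still be flagged.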