Jump to content

Evernote blocks your log in because they decide your password is not safe enough (though it is really safe)


Recommended Posts

I have a password that is considered very secure to access my Evernote account. However, Evernote has blocked my access to my account because they have decided that my password includes "common names". They didn't advised me to change my account. They didn't allow me to access my data, even if may password was really safe. I had to change the password again, which resulted in significant lost time and, above all, changing the way I design my passwords. This is an anecdote, but important because it indicates a paternalistic and very intrusive attitude, and it makes me think that if Evernote operates like this with everything, I should reconsider maintaining my subscription. And it would be a shame, because in other aspects, they are improving a lot

  • Like 2
Link to comment
  • Level 5*

Hi.  Evernote do try to protect users from security breaches,  and in this instance may have been a little over the top. 

On this sort of issue I'd rather they overreact than take no action at all.  I don't know exactly what warning message you were shown,  but you were never 'blocked' from your notes - changing the password was always the way forward. 

(Since Evernote should have its own unique password - there's no need to change the way you design the rest.)

Link to comment

"Considered secure" (I wonder by whom) or not, it's possible, perhaps likely, that your old password was compromised.  I can't remember where I read this - or it might have been an interview with Federico -  but my understanding is that Evernote checks user passwords against the Have I Been Pwned database or a similar service. My understanding is that, if the login credentials you are using have been reported by that service to have been compromised in a data breach somewhere, Evernote will require a password change.  

In any event, I myself am quite happy that Evernote goes to such "paternalistic" lengths to keep bad actors out of the Evernote servers.  

 

Vinnie

  • Like 1
Link to comment
45 minutes ago, VincentC said:

Checks user passwords against the Have I Been Pwned database

They do. Advise the OP to check their details against this database and maybe change other sites passwords. 

  • Like 1
Link to comment
  • 2 weeks later...

Thanks for the feedback. It is true that it is a minor issue and that prioritizing security is a better solution than doing nothing and exposing my data to irregular access. However, in this case, what I think failed is communication. If a company detects a possible risk of my passwords being exposed, they should communicate it to me in that way, and not say that my password uses words they do not consider secure. In this case, what seems to have happened is that some programmed algorithm acted on its own and decided to block access to my account instead of informing me of their analysis so that I can decide what to do with my data. And, if that was the case, what worries me is that another algorithm might someday decide that some content in my account is not acceptable to them, or any other similar AI system error. By the way, it wasn't me who considered my password secure, but all the systems that evaluate passwords as you type them. In any case, I continue to use Evernote because I like it (more now than before).

Link to comment
  • Level 5*
4 hours ago, pablovs said:

they should communicate it to me in that way, and not say that my password uses words they do not consider secure

Hi.  Evernote had something in the hundreds of millions of users,  and Bending Spoons has more...  I don't think a polite exchange of emails is a timely way to deal with anything perceived as a security issue...  Unless you specifically request it however,  there is zero oversight of your note content in your own account.  (Other than,  if you are particularly conspiracy minded,  your friendly neighbourhood intelligence service). - All bets are off,  of course if you share content with anyone...

Link to comment
  • Level 5

BTW this function is found in more and more services. My browser has this type of warnings now, my password manager has it since quite a while.

They don't actually compare passwords in all cases, they often only compare hashes of passwords (a hash is like an electronic fingerprint - same password generates the same hash, but it is not possible to compute the password from the hash).

I think if there are other anomalies (like maybe a login attempt from an unusual IP) it's reasonable to block the account, to make sure only the legitimate user will have access.

Link to comment
  • 4 weeks later...
On 5/4/2024 at 11:21 AM, pablovs said:

I have a password that is considered very secure to access my Evernote account. However, Evernote has blocked my access to my account because they have decided that my password includes "common names". They didn't advised me to change my account. They didn't allow me to access my data, even if may password was really safe. I had to change the password again, which resulted in significant lost time and, above all, changing the way I design my passwords. This is an anecdote, but important because it indicates a paternalistic and very intrusive attitude, and it makes me think that if Evernote operates like this with everything, I should reconsider maintaining my subscription. And it would be a shame, because in other aspects, they are improving a lot

I agree 100% with that. I have never seen such a dumb process, never! I have enabled 2fa, so the decision belongs to me to make my life easier and choose the correct compromise between security and ease of use, isn't it -- I have no words to say how stupid that move was. Even more, if you are checking the passwords against "common names" as you called it means that you write somewhere those passwords and check them. Is it secure? Are you sure? I'm embarrassed and furious, and I am seriously considering keeping both of my subscriptions -- Yes, I have 2 subscriptions.
You are so dumb Evernote team, seriously!!

Link to comment
  • Level 5*
3 minutes ago, patefoniQ said:

You are so dumb, seriously!!

It is true that I am catastrophically dumb,  but sadly I'm not Evernote. 

We're mainly other users here. For a more timely notification please send a request to feedback@evernote.com (you get a 'thankyou' response but nothing further) or raise this with Support - https://help.evernote.com/hc/requests/new - (be very patient for a response here)

In general: it's far better to send feature requests and minor bug reports via feedback.  With millions of users,  Evernote can't keep individuals in the loop for bug fixes or possible future developments - if and when your issue is resolved it will come as part of a future update.  Support is meant for major issues like access and subscriptions.

Link to comment
1 minute ago, gazumped said:

It is true that I am catastrophically dumb,  but sadly I'm not Evernote. 

I corrected my post, sorry for that. I meant the Evernote team here.

  • Like 1
Link to comment
  • Level 5

Maybe you should learn a little bit about cyber security:

  • Security is created with layers an attacker needs to pass. Having a strong layer enabled (like 2FA) does not excuse having a weak layer (ease of use password - LOL - what do you use, „password“ ?). To get strong passwords with ease of use, use a password manager. 
  • You can find out if passwords used are weak without knowing the password. This is especially true if you are the operator of a service where your users log in. You can work it out based on the hash generated. You just run a file with passwords from web breaches against your hashing algorithm, compare with your logs, and bang - all identical user hashes found use one of these cracked and circulating passwords.

It would be a very stupid idea to offer a cloud service these days allowing users to access with weak credentials. And in my opinion it is stupid to start whining and ranting about being notified - instead of learning what‘s wrong, and fix it.

It is your security in the end. And I am dead sure you apply the same nonsensical strategy to most of your accounts - for the „ease of use“.

This page allows to run your passwords or user names (but not in combination, for obvious reasons) against a database from breaches circulating in the dark net. Check it out - the weekend is coming, you have enough spare time to brew new access credentials for your „ease-of-use“ accounts.

https://haveibeenpwned.com

Link to comment
  • 1 month later...

Personally I think it's my job to decide my password, not someone else's evernote or otherwise.  I see it as, I was under the impression I was the only one evaluating my actual password and it was used only in the instance of logging in to authenticate against some hashed version of it in a database.  But this makes me realize it's open and available for others to just see if their opinion overrides my decision.  I already re-structured my passwords log ago to use Capital letters + lowercase letters + number + special characters in a way I will remember it.  But now that's not enough either???  according to who exactly? This is forcing us as users to actually be less secure if every single software login requires different rules and thus makes it so the only possible way you could remember your password is to write it down.  Which is less secure than if I remember a words, spelled wrong using incorrect grammar, and number or special characters where there should be letters.   Isn't that enough..........?   No worries, I was forced to reset my passwords, making it now unique to only evernote based on whatever rules and wrote it down so anyone who finds that slip of paper will now have my pw.   THANKS for making me LESS SECURE!

  • Like 1
Link to comment
On 6/14/2024 at 2:16 AM, PinkElephant said:

use a password manager. 

Isn't that just writing it down in yet another app for it to be hacked?

  • Like 1
Link to comment
  • Level 5

Most password managers apply additional security checks on their login. The cloud hosted for sure, on those for self hosting you need to care yourself.

The point is another: With the usual volume of logins and other items to protect, you will start repeating passwords (slightly modifying counts as repeated).

And that’s what’s killing your IT security for sure.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...