JoeBB 5 Posted November 9, 2010 Share Posted November 9, 2010 I would love to see Two Factor Authentication for accessing my Evernote account.It doesn’t completely prevent password-stealing or phishing.. But It would be nice to have an additional layer of security.Like: http://googleenterprise.blogspot.com/2010/09/more-secure-cloud-for-millions-of.htmlThanks Link to comment
engberg 89 Posted November 9, 2010 Share Posted November 9, 2010 Thanks for the suggestion. Link to comment
jfwarrior 6 Posted November 12, 2010 Share Posted November 12, 2010 +1 The more security there is, the better. Another excellent idea would be to have a limited account system - For example, you could have Evernote installed on your iPhone as well as your Android phone. What if it gets stolen? Basically all your notes are vulnerable to be read.What I'm suggesting here in this new idea is not a two-factor authentication, but a limited account system where you can choose which folders are available to be edited without an extra login/confirmation.However, this might get a little tedious and people might not like it, so perhaps this could be an opt-in option. Link to comment
JoeBB 5 Posted November 14, 2010 Author Share Posted November 14, 2010 On personal devices like your phone/laptop/pc you should add your own security. Nothing should be accessible when it gets stolen not even limited! (Although securing your phone can still be a pain.. but that’s another discussion ) Two factor authentication should kick-in when accessing your data from a public computer. Maybe with a separate password and a “single-use code” like Microsoft offers with logging into Hotmail.. Dear Evernote representatives, is there any change that Evernote is working on such a security feature?? Link to comment
engberg 89 Posted November 15, 2010 Share Posted November 15, 2010 We haven't started this in the 5 days since my last post, but a bunch of the executives at the company come from an enterprise government security background, so we're familiar with the issues involved and how we would approach this. It's a little more tricky for us than your average web site, since we have clients on many platforms, which would all need to implement this multi-factor security scheme for it to be meaningful.Thanks Link to comment
Level 5 jbenson2 2,149 Posted November 15, 2010 Level 5 Share Posted November 15, 2010 Dave Engberg mentioned:* an enterprise government security background* the issues involved* It's a little more tricky for us* we have clients on many platforms* would all need to implement this multi-factor security schemeReading between the lines:Certainly there are some business users who will say they are more than willing to pay extra for all this.From my perspective, I am very happy with the current premium pricing structure. Link to comment
engberg 89 Posted November 15, 2010 Share Posted November 15, 2010 I guess I wasn't even thinking about the business model, more of the tech stuff. I just happen to have a background in this sort of thing, and it's a little more complicated for us.Background, e.g.:http://middleware.internet2.edu/pki05/p ... _cards.ppthttp://middleware.internet2.edu/pki05/p ... _cards.pdfhttp://www.corestreet.com/about/library ... 53,396.pdf Link to comment
jfwarrior 6 Posted November 18, 2010 Share Posted November 18, 2010 Dave Engberg mentioned:* an enterprise government security background* the issues involved* It's a little more tricky for us* we have clients on many platforms* would all need to implement this multi-factor security schemeReading between the lines:Certainly there are some business users who will say they are more than willing to pay extra for all this.From my perspective, I am very happy with the current premium pricing structure.So am I regarding the pricing structure. I'm quite afraid that Evernote might go into the path that Microsoft does with their software pricing model. ... I hope that we won't be seeing Evernote Home Premium, Business, and Ultimate any time soon. Link to comment
stroem 1 Posted April 1, 2011 Share Posted April 1, 2011 Two factor authentication would be quite an uplift to Evernote. There is no other feature that is more important to me at this point.Google has done it in a very elegant way, that doesn't disable older devices and software versions from using the service, by use of special passwords that can be enabled and disabled one by one. Such an approach would allow Evernote to implement two factor authentication even though all platforms had not been updated yet.Or the user could simply choose to log in via Goggle ID ..? Link to comment
Level 5 jbenson2 2,149 Posted April 1, 2011 Level 5 Share Posted April 1, 2011 Two factor authentication with Evernote?Check out the Ubico with LastPass packagehttps://store.yubico.com/store/catalog/index.php?cPath=6 Link to comment
culmore 3 Posted April 26, 2011 Share Posted April 26, 2011 I love Evernote. Such a simple concept, such a useful system! I have even gone paid and I am pretty mean about paying for computer software! The stronger the security the more we can store there. At the moment I have stuff in TrueCrypt that I want to move into Evernote but I fear doing so Two factor authentication would be a big help. Also can U make it so I can at least DECRYPT messages on my android device? I don't really need encrypt on Android. PS Suggestion (maybe a stupid one) Let me logging with my google account I have two factor authentication turned on there and turn off my evenote login? But any way u folks can do it would be great. Link to comment
skellam 114 Posted April 29, 2011 Share Posted April 29, 2011 +1 on two-factor authentication for Evernote. The Yubico/Lastpass example is a good one. I use it all the time and it is great. Plug the Yubikey in to any computer and it types in a long one-time password for you. On their website, you can enable each of your individual mobile devices not to require the Yubikey for log in as needed. Google Apps does a nice job as mentioned above providing individual passwords for clients that don't yet support two-factor authentication. Link to comment
amer 19 Posted April 30, 2011 Share Posted April 30, 2011 I prefer that Evernote concentrates on core functionalities such as improving search bar in Windows client (to bring it on the level of Android client's one), note linking..... For folks that would like to improve security there are specialized apps and services like lastpass, preyproject etc. Link to comment
cgknight 2 Posted May 6, 2011 Share Posted May 6, 2011 I see two-factor *as* core functionality so would like to see it. Link to comment
eventmain 2 Posted September 5, 2011 Share Posted September 5, 2011 +1 for Two factor authentication. Really important core feature I believe. Google's implementation is fantastic. Link to comment
gospelgreedy 1 Posted October 15, 2011 Share Posted October 15, 2011 +1Given the amount of sensitive info that people are encouraged to store in EverNote, surely this should be a priority feature?I know you can use encryption with EverNote, but that makes EverNote less useful. Link to comment
BurgersNFries 2,407 Posted October 15, 2011 Share Posted October 15, 2011 Given the amount of sensitive info that people are encouraged to store in EverNote, surely this should be a priority feature?I know you can use encryption with EverNote, but that makes EverNote less useful.IME, EN is very clear that their data is not stored encrypted & does not wholeheartedly encourage people to store "sensitive" data. Instead, they encourage you to do what you feel comfortable with. Link to comment
gospelgreedy 1 Posted October 16, 2011 Share Posted October 16, 2011 A "simple" fix by adding TFA would enhance the security of the product.Is it on the EverNote todo list? Link to comment
garychenc00l 13 Posted October 17, 2011 Share Posted October 17, 2011 From my perspective, I am very happy with the current premium pricing structure.So am I regarding the pricing structure. I'm quite afraid that Evernote might go into the path that Microsoft does with their software pricing model. ... I hope that we won't be seeing Evernote Home Premium, Business, and Ultimate any time soon.Actually, having packages like what Microsoft would be pretty useful. I mean, a lot use evernote for business and specific business features and integration for that specific business version pack would be the right package for the right person. This also allows users to not pay for features they dont use, if they dont use it and theirs a package for it. Link to comment
garychenc00l 13 Posted October 17, 2011 Share Posted October 17, 2011 A "simple" fix by adding TFA would enhance the security of the product.Is it on the EverNote todo list?It was always on their agenda Link to comment
amer 19 Posted November 23, 2011 Share Posted November 23, 2011 I freaked out today when I saw that my Gmail account was accessed from the United States while I was nowhere close to the US.... I immediately changed passwords and turned on 2-step verification for my Google and Lastpass accounts.... I now fell than my Evernote account is less secured than it should be. And it is not a nice felling. Please implement 2-step verification through Google Authenticator of something similar. Thanks Link to comment
Limegreen 8 Posted November 24, 2011 Share Posted November 24, 2011 I have also suggested this recently in a thread.I don't know wether it is an unreasonable request. Perhaps the additional infrastructure it would take would be too costly, or however otherwise it might be difficult to implement such a system.But Evernote is basically the only thing I use extensively on the internet that doesn't have a two-step verification system. At this point I certainly wouldn't have my mail just a password away from access. And I'm really glad that steam implemented steam guard before this latest row with the hacking.As it is, a hacker that gets into any machine I use, whether physically or electronically could access and delete all my data and it is not clear that I would be able to stop it or even be notified that a breach was attempted. If a hacker also needed something i possessed, say my phone, that would change the situation significantly. If it is too expensive to run such a system then maybe they could have it as an extra premium feature, like that newly announced extra upload GB's? There has to be some way of protecting our data. Link to comment
Limegreen 8 Posted November 27, 2011 Share Posted November 27, 2011 Does anyone have any comment on this? It seems like a rather obvious functionality considering the data evernote handles. Maybe something is in the works? Link to comment
Limegreen 8 Posted December 8, 2011 Share Posted December 8, 2011 I have decided that I will bump this, if its not too much trouble, until we get a remark of some sort - or at least some attention. I would accept this as a premium feature even. And I would pay top dollar. TOP DOLLAR. Link to comment
amer 19 Posted December 8, 2011 Share Posted December 8, 2011 I second that because I simply do not feel that my account with piles of personal data is currently secure enough... Link to comment
Level 5* Metrodon 2,188 Posted December 8, 2011 Level 5* Share Posted December 8, 2011 Link to comment
amer 19 Posted December 8, 2011 Share Posted December 8, 2011 http://discussion.ev...h__1#entry83685This topic is apparently about "enterprise clients". Not sure if is is the same thing but we argue here that 2-step verification as Google and Lastpass offer for personal accounts is really a must for any program handling huge amounts of personal data. Link to comment
Limegreen 8 Posted December 8, 2011 Share Posted December 8, 2011 http://discussion.ev...h__1#entry83685That thread leaves the question sort of unanswered. Also this thread was made with two factor verification, for individuals specifically, in mind.As I've stated, I use no other service at all with this low of a security standard.While I'm not expecting them to come up with something as polished as Googles system, keep in mind that a business like Blizzard Entertainment uses an advanced form of this configuration to protect their consumers game accounts (Indeed, for a GAME!).Now Steam, by Valve, has recently adopted, and just in time, as sort of middle ground at least. Steamguard demands that, if you log in from a new machine, that you verify that machine from your e-mail address. Now that is very simple technology that just offers a layer of protection that is to be expected.Now think of Evernote, who soon has almost as many users as Steam - and stores some of the most sensitive information on the web - could be fully and surreptitiously breached by just compromising a single password. I do adore Evernote but this is rather jarring. If Valve can do a simple verification guard system (that effectively piggybacks on the E-mails security measures) then I'm sure Evernote - now that they're expanding - could see themselves to just adding one layer of protection.The Evernote concept is indeed to be the guardian of all your memories and thoughts (remarkably personal stuff). Would it be too much to ask for some moderate movement on this front? Link to comment
tyrellcorp 2 Posted December 10, 2011 Share Posted December 10, 2011 I definitely think Evernote should use the google 2 step app! Lastpass does it... and I have just as much sensitive information stored in Evernote as I do in Lastpass!!!!Please do this!!!! Link to comment
Limegreen 8 Posted December 11, 2011 Share Posted December 11, 2011 The best way for Evernote to do this would simply be to develop an iOS / Android app that generates a code that you'll need to log in on a new machine (and to log in every 30 days). This is simple two factor authentication. There are already three Evernote apps on mobile so I think this ought to be next.The steamguard I mentioned before is a system that requires the hacker to have access two at least two passwords:"Steam Guard is an additional level of security that can be applied to your Steam account. The first level of security on your account is your login credentials: your Steam account name and password. With Steam Guard, a second level of security is applied to your account, making it harder for your Steam account to fall into the wrong hands.When Steam Guard is enabled on your account, anyone attempting to login to your Steam account from an unrecognized computer must provide additional authorization. A special access code will be sent to your contact email address, and this code must be entered into Steam before your login is complete.Once you've verified your email address with Steam, Steam Guard becomes available for your use. Once enabled, you will be required to access your email and provide the special access code from Steam Support when logging into Steam from any computer which we don't recognize."From Steampowered.comValve didn't develop a mobile application just to log into steam (Steam isn't really a place people store very personal information) they just require you to know more than a single password. And since many people have advanced security options for their mail - steam becomes significantly more secure.I would be more than happy if Evernote would only ask for an e-mailed code whenever you log in from a new machine, like steamguard. This means you are also alerted if someone else knows your Evernote password. As it is now, its impossible for me to know whether someone is accessing my account.Now it is fairly common on these boards to say something in the vein of "if you don't like it - don't use it!" and it is true that I am rambling on about this, but this is only because I do really like Evernote. I've tried Onenote and Simplenote and I found them not quite up to snuff.But since people are storing their memories here, and it will be progressively difficult 'move out' the longer you use it, I think we deserve to know soon what Evernote has in mind for security in the future.I'm sort of working under the assumption that Evernote will get better security option down the line. I might be naïve but I took it the idea of "Remember everything" literally. On its face that would imply that people are putting in stuff that they have no business putting into a service that does not have the security options a e-mail might have.I guess the question is, did I misunderstand what Evernote is? In that case I think we need some clarification before we use it to store highly personal information - and save that kind of stuff for say the gmail client, which has enough security for my satisfaction. I am truly not being facetious in asking this. Link to comment
BurgersNFries 2,407 Posted December 11, 2011 Share Posted December 11, 2011 I guess the question is, did I misunderstand what Evernote is? In that case I think we need some clarification before we use it to store highly personal information - and save that kind of stuff for say the gmail client, which has enough security for my satisfaction. I am truly not being facetious in asking this.In a nutshell, if you wouldn't email it, then don't put it in Evernote. this thread discusses the various aspects of Evernote & security. As discussed in that thread, there's more to "security" than logging in. And IMO, much if the responsibility is on the users, as it should be. IE use a strong password that is different for all your various logins, store your desktop database in an encrypted volume, don't use free wifi (where someone can use a keylogger or packet sniffer), etc. Additionally, Evernote's stance is that security is a very personal issue. IE I only put copies of our tax returns in Evernote after they are password encrypted. Yet at least one EN employee (Heather?) puts their taxes in EN w/o encrypting them. (shrug) We each have to decide what we feel comfortable with & that may include adding our own level of security on our end. Link to comment
Limegreen 8 Posted December 11, 2011 Share Posted December 11, 2011 I guess the question is, did I misunderstand what Evernote is? In that case I think we need some clarification before we use it to store highly personal information - and save that kind of stuff for say the gmail client, which has enough security for my satisfaction. I am truly not being facetious in asking this.In a nutshell, if you wouldn't email it, then don't put it in Evernote. this thread discusses the various aspects of Evernote & security. As discussed in that thread, there's more to "security" than logging in. And IMO, much if the responsibility is on the users, as it should be. IE use a strong password that is different for all your various logins, store your desktop database in an encrypted volume, don't use free wifi (where someone can use a keylogger or packet sniffer), etc. Additionally, Evernote's stance is that security is a very personal issue. IE I only put copies of our tax returns in Evernote after they are password encrypted. Yet at least one EN employee (Heather?) puts their taxes in EN w/o encrypting them. (shrug) We each have to decide what we feel comfortable with & that may include adding our own level of security on our end.I would email it, that was the point.The E-mail has enough security measures to my satisfaction. But Evernote does not meet that security standard for personal information. I could store such information on my mail client, but that would be structurally inconvenient.That thread you linked to is about someone physically accessing his machine and not, as you said, how to gain the access credentials. I do not have that particular problem, and this thread is explicitly about access credentials, which is the lion share of the security concerns for many people. Two factor authorisation - that you would need something I have on top of knowing the password, is employed in mail services, in banking, in social games (where personal information may be exchanged, such as Warcraft) and in social communities such as steam. That is what I would call the standard for private and personal information. All I want to know if Evernote plans to meet that standard, which the the tagline might suggest? Maybe I'm asking Evernote to reveal features that they are not ready to reveal yet. But if Evernote does not even plan to offer the dual layer protection you would secure your e-mail behind, then there is the risk that many people, as evidenced by how often this comes up, are being led astray and find themselves unable to use this product after investing a long time in it. Link to comment
BurgersNFries 2,407 Posted December 11, 2011 Share Posted December 11, 2011 That thread you linked to is about someone physically accessing his machine and not, as you said, how to gain the access credentials. I do not have that particular problem, and this thread is explicitly about access credentials, which is the lion share of the security concerns for many people.It also discusses that your note are not encrypted on EN servers. Hence "if you wouldn't email it, don't put it in Evernote". I'm less concerned about anyone getting my password (b/c I don't use free wifi & have strong passwords & can change my password at any given time) than I am about a hacker getting into EN servers. I know they (EN) take the best precautions. But it even happened to Dropbox. This thread may be about access credentials. But my point is that there are IMO, greater concerns if you are putting "highly personal information" (your words) into Evernote. Link to comment
Limegreen 8 Posted December 12, 2011 Share Posted December 12, 2011 It also discusses that your note are not encrypted on EN servers. Hence "if you wouldn't email it, don't put it in Evernote". I'm less concerned about anyone getting my password (b/c I don't use free wifi & have strong passwords & can change my password at any given time) than I am about a hacker getting into EN servers. I know they (EN) take the best precautions. But it even happened to Dropbox. This thread may be about access credentials. But my point is that there are IMO, greater concerns if you are putting "highly personal information" (your words) into Evernote.I'm sorry but these are all near irrelevant arguments.The probability of someone, wanting to pry in my account, to get into the Evernote servers and extract that information is basically not on the radar at all.I haven't even changed my Steam password because I will know if someone is trying to access my account. And if you do recall the Steam incident - they probably didn't get anything beyond forum information because it was an entire server they were hacking. That is millions of users of information to try to extract in a short period. The only reason you heard about the Dropbox hacking is because it is very rare for someone to hack into the server of a big software service, while single passwords are compromised all the time.I'll put it like this - That someone is going to physically break into my desktop: Low probability - That someone is going to extract my database from the Evernote servers: Low probabilityI would venture that 99% account breaches are from some form of phising, keylogging, maleware or misstakes and slip ups on the part of the user. I'd be surprised if even 1% were due to server attacks. I hope you come to see that that there is a reason that Google, Banking and even game services didn't argue the way you do about security, pointing to the 1% to justify the absence of something that might help 99%. I would call that making the perfect the enemy of the good. I'm fine about the 1%. All I want Evernote to do is the get the security standard up to that of an e-mail service. Link to comment
Level 5* GrumpyMonkey 4,320 Posted December 28, 2011 Level 5* Share Posted December 28, 2011 two-step verification with a password + security question would be ok. i don't want to have to get out my phone (google system). still, the only time i need a password is when i login to the website, which i rarely do, so it probably isn't much help. i have unique passwords for everything, they are long, and i change them all regularly, so i am not terribly concerned about stolen passwords. as long as evernote secures our passwords, salts them, and separates our credit card information, we ought to be ok. do they? that is more important than any two-step verification. the problem with google is that it is the key to everything, and too many people share their passwords with it. a friend recently had a spurious charge and discovered that their amazon account had been hacked (two "refund"s of 500 through the seller account?), the hackers went into the google account, and they set all messages from amazon to go into the trash, and the trash to be deleted. it was quite nefarious anyhow, the hackers were successful (probably) because the friend used the same password on every site, even sketchy ones, and all the hackers had to do was get into the google account with this master password to start changing passwords to paypal and everything else, because gmail was used as the account for everything. two-step verification would have helped, but the real culprit was poor password practices. Link to comment
BurgersNFries 2,407 Posted December 28, 2011 Share Posted December 28, 2011 I'm sorry but these are all near irrelevant arguments.No, they are not. The probability of someone, wanting to pry in my account, to get into the Evernote servers and extract that information is basically not on the radar at all.Then it should be. Link to comment
Level 5 jbenson2 2,149 Posted December 28, 2011 Level 5 Share Posted December 28, 2011 Keep in mind that the Evernote cloud based system is less than 4 years old.Evernote does react to pressing security issues. When Firesheep hit the malware stage, Evernote adopted SSL across the board for all users.I would be surprised if Evernote doesn't already has two factor authentication on their roadmap. But don't hold your breath waiting for a confirmation. Evernote seldom comments on expected release dates. They've been burned in the past and now have a stricter announcement policy. There have been exceptions however. It would be nice if an Evernote employee said something short and sweet like this about two factor authentication.Evernote has to balance a lot of competing priorities from their 20+ million users. Some people think two factor authenication is the most important issue facing Evernote. Other users have similar intense feelings about other topics. There is an avid group pushing for bullet-point improvements. Another group wants task management implementation. Another wants better text editing. Others want photo-editing capabilities. Link to comment
misterbreen 4 Posted February 3, 2012 Share Posted February 3, 2012 Any news on get this core feature implemented?I appreciate you should only store in EN what you would feel comfortable with, but I will be willing to use EN more if the security was enhanced. Link to comment
Level 5* Metrodon 2,188 Posted February 3, 2012 Level 5* Share Posted February 3, 2012 I haven't seen any indication that it is coming or whether it is a core feature.... Link to comment
Level 5* GrumpyMonkey 4,320 Posted February 3, 2012 Level 5* Share Posted February 3, 2012 i haven't heard anything either. i don't consider it a core feature of evernote or gmail either. in gmail, it is that screen and message i avoid, because i don't want it Link to comment
hostricity 12 Posted February 3, 2012 Share Posted February 3, 2012 We recommend to our clients that they protect their smart phone with a 4 character password and set it to wipe their device if the password is entered incorrectly 3 or 4 times.If the phone is lost or stolen and someone attempts to access it, EN, along with everything else is erased and the phone is disabled.We also recommend using a web service which allows you to remotely disable and wipe the phone. The next time it is in a location where service is available, the device will erase and disable, whether there have been any failed password tries or not. The GPS continues to work and the phone's location is monitored and logged.Our logic on the simple password is that it is highly unlikely, even with only 10,000 possible password combinations, that someone could guess the password in 3 or 4 tries. Link to comment
Brendan 17 Posted February 10, 2012 Share Posted February 10, 2012 The best way for Evernote to do this would simply be to develop an iOS / Android app that generates a code that you'll need to log in on a new machine (and to log in every 30 days). This is simple two factor authentication. There are already three Evernote apps on mobile so I think this ought to be next.http://discussion.ev...h__1#entry83685While I'm not expecting them to come up with something as polished as Googles system, keep in mind that a business like Blizzard Entertainment uses an advanced form of this configuration to protect their consumers game accounts Evernote don't need to code their own app to generate the unique codes, they can just use the open source Google Authenticator app to generate the codes.The code for adding support for Google Authenticator is quite simple http://www.brool.com/index.php/using-google-authenticator-for-your-website.It should probably be an optional premium option, so those that don't want to use it don't have to. Link to comment
amer 19 Posted February 10, 2012 Share Posted February 10, 2012 I agree. If Lastpass, which is all about security, uses Google Authenticator guess it is good enough for Evernote too. I already have Google Authenticator app installed with Google and Lastpass accounts attached to it. Not sure if it is bullet proof but I feel comfortable when thinking that my account can be accessed only from machines I use.... But it seems that this is not a priority for Evernote as they have never commented on it. Link to comment
Level 5* JMichaelTX 4,118 Posted February 10, 2012 Level 5* Share Posted February 10, 2012 See Response by Evernote's Heather, made today. Link to comment
Limegreen 8 Posted February 10, 2012 Share Posted February 10, 2012 See Response by Evernote's Heather, made today.It's sort of a shame that after a year of internal discussion they are still at the "if/when" stage. Then again this is the same company that began working on due dates a year ago and are still trying to figure it out. Good to see some form of progress though. I mean they've built an entire app around food, perhaps they'll be circling back to their main product soon. Link to comment
Level 5* jefito 5,598 Posted February 10, 2012 Level 5* Share Posted February 10, 2012 Honestly. It's actually a good thing that they're thinking this through. Just imagine the griping if they released something half-baked, or worse, something broken. And after all, it's not as if they've exactly stood still during the whole of last year. But what the heck, it's only their business and livelihoods at stake.BTW, the Food app was developed by a different team than the core group (for example, see http://discussion.evernote.com/topic/22350-new-evernote-iphone-apps-in-the-app-store-food-hello). Just so you know. But if you want to believe that they haven't paid attention to their main product, go ahead. Link to comment
BurgersNFries 2,407 Posted February 10, 2012 Share Posted February 10, 2012 It's sort of a shame that after a year of internal discussion they are still at the "if/when" stage. Then again this is the same company that began working on due dates a year ago and are still trying to figure it out.Good to see some form of progress though. I mean they've built an entire app around food, perhaps they'll be circling back to their main product soon.If they're still at if/when, then apparently it's never passed the "if" part. Apparently not a high priority to the EN team & it's their product, their choice. It certainly is not an indication they are neglecting their main product.And, FYI, their main product is really the service, since no one pays for any of their clients. So anything that feeds their service is indeed supporting their main product. That whole razor/razorblade model. Link to comment
ThatAdamGuy 15 Posted April 3, 2012 Share Posted April 3, 2012 Hi there,I continue to love Evernote and also continue to pour really private info into the service. I'd really have a greater peace of mind if there were an option to require two-factor authentication for access to either the web or client-side apps. For those who are unfamiliar with two-factor authentication, it refers to security in which two pieces of identity proof are required: something you know (like a password) and something you have (a one-time-password dongle, numbers generated on a smartphone app, etc.). This way, even if someone guesses or brute-forces or otherwise discovers your password, they still can't access your account without your keychain dongle or your personal cell phone, etc.http://en.wikipedia.org/wiki/Two-factor_authenticationAnd to learn more about how Google offers this service free to all its users, go here:http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.htmlI can't stress highly enough how awesome this is and how much super-security it adds to accounts (so if you have any private info with Google, SIGN UP for 2fa!)So, Evernote... could you please consider offering this? Thank you!!! Link to comment
Level 5* GrumpyMonkey 4,320 Posted April 3, 2012 Level 5* Share Posted April 3, 2012 This has come up on the forums before. I don't think this is just a Windows issue. I think Evernote has said they are thinking about it. Personally, I don't think it is needed, and I don't use it for Google. If you use a regularly changed, unique, long, and random password then a brute force attack will take the government's best servers several years to crack. If people just do that, why spend Evernote resources on adding this security feature? Here is a freebie 9Jy84t5$9mX4PBM Link to comment
Level 5 jbenson2 2,149 Posted April 3, 2012 Level 5 Share Posted April 3, 2012 If you use a regularly changed, unique, long, and random password then a brute force attack will take the government's best servers several years to crack. If people just do that, why spend Evernote resources on adding this security feature? Here is a freebie 9Jy84t5$9mX4PBM Here is a site that generates a unique set of custom, high quality, completely random (maximum entropy) without any pattern, cryptographic-strength password strings. Click your web browser's "refresh" button a few times and watch the password strings change each time. https://www.grc.com/passwords.htm Link to comment
Level 5 jbenson2 2,149 Posted April 3, 2012 Level 5 Share Posted April 3, 2012 I use LastPass to manage my passwords. Very long with upper case, lower case, numbers, and special characters.I have some reservations about two factor authentication. I have it on my GMail account, and every 30 days, I am locked out so I try to locate the tiny authenticator icon on my Blackberry, get the 6 digit code, and get back to business.My concern is that I will be switching to a new cell phone & cell provider in July. I am not looking forward to the inevitable problems I expect to encounter.I'll probably try to cancel the two factor authentication a couple weeks before I make the phone switch. Link to comment
ThatAdamGuy 15 Posted April 3, 2012 Share Posted April 3, 2012 GrumpyMonkey, yeah, I meant to post this in the Evernote Web forum. Oops. re: picking a tough password enough in itself... I respectfully but heartily disagree. Here are all the instances in which that's Not Good Enough: - You get phished and accidentally type in your password on a rogue site. - You type your password while on an insecure wifi connection and it gets sniffed. - You either get a keylogged installed on one of your own PCs or (this is apparently disturbingly common) a keylogger ends up on a PC you use on a cruise ship, in a hotel, at a youth hostel, etc and your password is compromised. Perhaps you're one of those people who are super super super careful about where you type your password (e.g., not at EVERN0TE.COM), you never ever ever log into Evernote while using wifi in a cafe or hotel or anywhere but your home, you never ever log into Evernote on a PC that's not yours. But I would think those situations are actually very common for most. jbenson, I can understand your concern, but -- as someone who has changed phones at least half a dozen times in the last year or two* and lived to tell about it with 2fa -- I have a key piece of advice: print out "backup codes" (you can do this from google.com/accounts). That way, even if you misplace your phone, as long as you have this slip of paper with your codes on it in your wallet, you're okay *DISCLAIMER: I work for Google, but I don't work on anything related to 2fa, and I've very, very willingly turned 2fa on my personal @gmail account and urged family and friends to do the same. Link to comment
Level 5 jbenson2 2,149 Posted April 3, 2012 Level 5 Share Posted April 3, 2012 jbenson, I can understand your concern, but -- as someone who has changed phones at least half a dozen times in the last year or two* and lived to tell about it with 2fa -- I have a key piece of advice: print out "backup codes" (you can do this from google.com/accounts). That way, even if you misplace your phone, as long as you have this slip of paper with your codes on it in your wallet, you're okay Thanks for the tip. [Evernoted] 6 different phones in the past 2 years - Wow! I'd go broke if I tried that with my T-Mobile contract Link to comment
BurgersNFries 2,407 Posted April 3, 2012 Share Posted April 3, 2012 .Perhaps you're one of those people who are super super super careful about where you type your password (e.g., not at EVERN0TE.COM), you never ever ever log into Evernote while using wifi in a cafe or hotel or anywhere but your home, you never ever log into Evernote on a PC that's not yours. But I would think those situations are actually very common for most..I make it a point to never use wifi that's not mine for these reasons. If I'm not at home, I use the 3G on my iPhone and/or tether my wifi device to my iPhone. Claiming "most" people do is much like saying "most" people leave their keys in their unlocked car & then being annoyed because some unscrupulous person stole their car. Let's be responsible for our own actions. You don't even have to be "super super super careful", just careful & use common sense. Link to comment
Level 5* GrumpyMonkey 4,320 Posted April 3, 2012 Level 5* Share Posted April 3, 2012 GrumpyMonkey, yeah, I meant to post this in the Evernote Web forum. Oops. re: picking a tough password enough in itself... I respectfully but heartily disagree. Here are all the instances in which that's Not Good Enough: - You get phished and accidentally type in your password on a rogue site. - You type your password while on an insecure wifi connection and it gets sniffed. - You either get a keylogged installed on one of your own PCs or (this is apparently disturbingly common) a keylogger ends up on a PC you use on a cruise ship, in a hotel, at a youth hostel, etc and your password is compromised. Perhaps you're one of those people who are super super super careful about where you type your password (e.g., not at EVERN0TE.COM), you never ever ever log into Evernote while using wifi in a cafe or hotel or anywhere but your home, you never ever log into Evernote on a PC that's not yours. But I would think those situations are actually very common for most. jbenson, I can understand your concern, but -- as someone who has changed phones at least half a dozen times in the last year or two* and lived to tell about it with 2fa -- I have a key piece of advice: print out "backup codes" (you can do this from google.com/accounts). That way, even if you misplace your phone, as long as you have this slip of paper with your codes on it in your wallet, you're okay *DISCLAIMER: I work for Google, but I don't work on anything related to 2fa, and I've very, very willingly turned 2fa on my personal @gmail account and urged family and friends to do the same. Great response. I suppose I could fall prey to any of those scenarios, except that I don't usually use my Evernote password. My computer browser remembers it and so do all of my mobile devices. I don't remember when I last typed in my Evernote password. That isn't to say that everyone is like this, of course. I bet lots of users just type "password123" for all of their stuff. I'm thinking more about how Evernote ought to be spending their time. I don't know how Evernote decides their priorities, but if it were me, this would not be high on my list. If they have the time and money to burn on this, then I wouldn't mind, even if I don't end up using it. But, it seems to me that there are so many other projects that really need to be tackled: beefing up the iOS app, fixing search inconsistencies, fixing formatting issues on the OSX / iOS platforms, etc., etc. Link to comment
Level 5* Metrodon 2,188 Posted April 3, 2012 Level 5* Share Posted April 3, 2012 All previous discussion on this indicates that it isn't a high priority for them and so won't be arriving imminently. No security system is infallible, doesn't matter how many passwords you have, how long they are or where you store them. It's up to the user to balance out what data he wants to store in a service based on the security that is currently available. Link to comment
Level 5* EdH 1,670 Posted April 4, 2012 Level 5* Share Posted April 4, 2012 jbenson2, consider ditching the key generating app and use SMS. That is what I do. now no matter what phone I have, Google sends me a code via SMS to key in. As long as my phone number doesn't change, the phone I have is irrelevant. Link to comment
misterbreen 4 Posted August 4, 2012 Share Posted August 4, 2012 EverNote should add 2FA for the reasons given. Strong passwords are not good enough. Strong passwords are also not practical. Link to comment
MystaMax 0 Posted August 7, 2012 Share Posted August 7, 2012 I'll start this off by saying I ABSOLUTELY LOVE EVERNOTE...I definitely agree with the OP here. While a lot of my data on Evernote isn't "super" confidential, it would ease my mind knowing that my info was protected by another layer of security with 2 factor authentication (2fa). I currently use it w/ various other services and its extremely easy.This post on wired.com talks about a writer who was recently hacked. Yes, he could of done more to protect himself (for starters, he didn't have 2fa enabled on his google accounts). If you read it, you'd agree that apple & amazon were both at fault as well with their lack security measures. The hacker (he was only 19) hacked him because he wanted his twitter handle. That is all it took to be targeted.Dropbox recently decided they're adding 2fa as a result of their security blunder. Evernote adding 2fa is a step in the right direction and tells me they take securing my private data extremely serious.I hope Evernote considers this as it is extremely important that our data is protected. Its more important than any new feature they are in the process of developing. What good is this new feature if I'm not protected? Link to comment
misterbreen 4 Posted August 7, 2012 Share Posted August 7, 2012 LinkedIn was also hacked revealing passwords and compromising accounts:http://news.cnet.com...-leaked-online/2FA would have helped keep the accounts safe. Link to comment
misterbreen 4 Posted August 7, 2012 Share Posted August 7, 2012 Here is another example:http://lifehacker.com/5932501/strong-passwords-arent-enough-how-to-to-ensure-the-apple-and-amazon-exploit-never-happens-to-youThey conclude: Enable Two-Factor Authentication to Ensure No One Gets In Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 7, 2012 Level 5* Share Posted August 7, 2012 There are a lot of issues involved in each of these recent incidents (Matt Honan, Yahoo!, Linked-In, Dropbox, etc.). As Matt said, the most damaging thing about the attack was the data he lost, and I think Lifehacker (in the linked article above) got it wrong: 4 million factor authentication wouldn't have helped, because Apple opened the door and let the hacker inside. At best, it would have protected his Gmail account and stopped them from reaching their goal -- his Twitter account. Same thing for Dropbox last year when they exposed everyone's accounts by opening up every account to public access. Unfortunately, whenever your data leaves your laptop (anyone connected to the Internet faces this possibility) you are taking a risk. Don't get me wrong. I wouldn't mind seeing two-factor authentication, so I am not writing against it. But, would I use it? I don't think so. I find it to be very tedious, and it pretty much ruins the convenience of working with cloud systems. So, I will probably continue trading security for convenience. Perhaps Evernote ought to begin by offering this as a premium feature to the security-concerned. What can you do to protect yourself? These are some of the things I recommend. Security experts should feel free to jump in and tear the recommendations apart -- I am very open to suggestions for improving my personal security.(1) EncryptionFirst of all, you can encrypt sensitive data before transmitting it to Evernote. It is easy to do, though, I admit, I am rather lazy about it myself, and I am thinking that I may need to be more vigilant. I'll probably go through my account over the next few days and encrypt any of the PDFs I have missed. It is a pain, but probably necessary. (2) Strong Passwords What else can you do? Create long passwords. Use random letters, numbers, and symbols. Use different passwords on every site. Change your passwords regularly. I recommend LastPass to keep track of it all, but you'll want to figure out the solution that works best for you (there are other competitors).(3) Watch out for CylonsAlso, think like Commander Adama and resisting networking everything so that access to your Gmail account gives a hacker access to your entire life: use separate emails for professional, personal, and "cloudy" services. It is a pain, to be sure, but something I am slowly implementing myself. To sum up: If you are encrypting sensitive data, using strong passwords, and have your accounts differentiated, I think it is very unlikely that you will be hacked. If/when Evernote institutes two-factor authentication, you will be in a strong position to take advantage of it. Still, in Matt's case (the reporter who got hacked) none of these security precautions would have helped much, because the hacker(s) were let in and erased his data. So, the most important thing of all is to: back up your data. I recommend Time Machine or a Windows equivalent. Link to comment
misterbreen 4 Posted August 7, 2012 Share Posted August 7, 2012 (1) Encryption First of all, you can encrypt sensitive data before transmitting it to Evernote. It is easy to do, though, I admit, I am rather lazy about it myself, and I am thinking that I may need to be more vigilant. I'll probably go through my account over the next few days and encrypt any of the PDFs I have missed. It is a pain, but probably necessary. (2) Strong Passwords What else can you do? Create long passwords. Use random letters, numbers, and symbols. Use different passwords on every site. Change your passwords regularly. I recommend LastPass to keep track of it all, but you'll want to figure out the solution that works best for you (there are other competitors). (1) I don't want to use encryption, as that would prevent me using the cool EverNote features. (2) Strong passwords (which I use) are difficult to remember and are a single line of defence (1FA). If the password is compromised (as happened with LinkedIn), hackers have access to your account. If 2FA is used, they don't have access to your account if the password is compromised. So, EverNote should make 2FA available. It should be optional (as it is with GMail). People that want to use it will, and be secure. People that don't use it can share their data with the world Link to comment
misterbreen 4 Posted August 7, 2012 Share Posted August 7, 2012 From the LifeHacker article: Enable Two-Factor Authentication to Ensure No One Gets InMat didn't have his passwords "hacked" in the traditional sense of the word, so even with strong passwords, his accounts still would have been compromised. However, two-factor authentication could have stopped the whole thing from happening. Two-factor auth requires something you know (your password) and something you have (your phone), so when an intruder types in your password, she won't be let in unless she also types in a code sent to or generated by your phone, which only you have.Takeaway lesson: Set up two-factor authentication on every account you can, like Google,Facebook, and other high-profile services. It's one of the best ways to protect yourself againstany kind of breach. Link to comment
misterbreen 4 Posted August 7, 2012 Share Posted August 7, 2012 Or a YouTube video if that helps: Link to comment
BurgersNFries 2,407 Posted August 7, 2012 Share Posted August 7, 2012 From the LifeHacker article: Enable Two-Factor Authentication to Ensure No One Gets InMat didn't have his passwords "hacked" in the traditional sense of the word, so even with strong passwords, his accounts still would have been compromised. However, two-factor authentication could have stopped the whole thing from happening. Two-factor auth requires something you know (your password) and something you have (your phone), so when an intruder types in your password, she won't be let in unless she also types in a code sent to or generated by your phone, which only you have.Takeaway lesson: Set up two-factor authentication on every account you can, like Google,Facebook, and other high-profile services. It's one of the best ways to protect yourself againstany kind of breach.I'm pretty sure the EN folks understand 2fa. Whether they choose to implement it or not is anyone's guess. Repeatedly bumping up the thread by adding new posts every five minutes probably is not going to be a factor in the decision but rather an annoyance for those reading the board. Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 7, 2012 Level 5* Share Posted August 7, 2012 (1) Encryption First of all, you can encrypt sensitive data before transmitting it to Evernote. It is easy to do, though, I admit, I am rather lazy about it myself, and I am thinking that I may need to be more vigilant. I'll probably go through my account over the next few days and encrypt any of the PDFs I have missed. It is a pain, but probably necessary. (2) Strong Passwords What else can you do? Create long passwords. Use random letters, numbers, and symbols. Use different passwords on every site. Change your passwords regularly. I recommend LastPass to keep track of it all, but you'll want to figure out the solution that works best for you (there are other competitors). (1) I don't want to use encryption, as that would prevent me using the cool EverNote features. (2) Strong passwords (which I use) are difficult to remember and are a single line of defence (1FA). If the password is compromised (as happened with LinkedIn), hackers have access to your account. If 2FA is used, they don't have access to your account if the password is compromised. So, EverNote should make 2FA available. It should be optional (as it is with GMail). People that want to use it will, and be secure. People that don't use it can share their data with the world (1) I agree. I don't want to use encryption either, because I like to be able to search my data. If it is in Evernote, then it is important to me and sensitve to begin with. If I just wanted an app to store useless data that doesn't matter to me, I'd use another service. However, the fact is that anything on a server is vulnerable to some degree. Encryption of especially sensitive data makes sense... (2) The LinkedIn password debacle wasn't all that serious if you had a strong password. The hackers are probably still trying to figure it out. So, 1FA worked pretty well. 2FA would have been better. However, some of us are going to be too lazy to use it, so for those people I recommend following the steps I outlined. And, in the end, if LinkedIn, Apple, or Dropbox open up your account to a hacker, 2FA won't do you a bit of good. I think 2FA will almost certainly be optional. Like I said, I am not against 2FA, but I am probably going to be too lazy to use it. Maybe, if I worked in a field that necessitated better security (I am a researcher, and I doubt there is more than a few dozen people in the world who could read the stuff I have in my account, much less find any use for it). As for Lifehacker, I think they got it wrong, even if they have a video. What is the point of 2FA if Apple is going to give away access to your account? 2FA is fine, but it is only part of the solution, and not a magic bullet. [EDIT:] I am probably wrong about a company overriding the 2FA. They would probably reset the password if the hacker managed to fool them, but the hacker would have to have your phone to complete the process. Link to comment
misterbreen 4 Posted August 7, 2012 Share Posted August 7, 2012 As for Lifehacker, I think they got it wrong, even if they have a video. What is the point of 2FA if Apple is going to give away access to your account? 2FA is fine, but it is only part of the solution, and not a magic bullet.It's a google video. It's pretty informative. If the service owner does give away your password, that is only one part. They still wouldnt be able to access your account without the 2nd physical device. Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 7, 2012 Level 5* Share Posted August 7, 2012 As for Lifehacker, I think they got it wrong, even if they have a video. What is the point of 2FA if Apple is going to give away access to your account? 2FA is fine, but it is only part of the solution, and not a magic bullet.It's a google video. It's pretty informative. If the service owner does give away your password, that is only one part. They still wouldnt be able to access your account without the 2nd physical device.I was thinking that Apple (or whoever you call) would reset your password and this would override the 2FA, but I guess (if their security is set up correctly) they could do that and require you to use the 2FA you had set up, so even if a hacker got through and fooled them, as long as they didn't have your phone, you'd be OK. Good point then. Link to comment
Owyn 457 Posted August 7, 2012 Share Posted August 7, 2012 FWIW. LastPass now includes several audit tools and published a very good set of "Security Challenge" blog posts at the start of the year.https://lastpass.com...detailedresultsThe latest feature they added was restricting login to specific countries.http://blog.lastpass...r-lastpass.htmlAnd yes, they do support 2FA. Link to comment
skellam 114 Posted August 11, 2012 Share Posted August 11, 2012 I think 2Fa is a great idea and I would use it if it was implemented well. I personally like the way Google has set it up and I use it without much hassle. Ultimately, convenience does trump security and if something is too difficult or time-consuming it won't be utilized. They could implement something like Facebook and Google do. Lastpass does it as well. I have a Yubikey token set up for my Lastpass account. It requires that I have the Yubikey in my possession to access all my passwords. I can authorize certain machines that I use daily to not require the Yubikey. So, it provides a higher level of protection since anyone trying to access my Lastpass account online would need the Yubikey but I don't need to use it everyday on my authorized machines. Google does a similar thing and allows me to authorize certain machines to not require the Google Authenticator every time (They do require that the Google Authenticator be used every 30 days to refresh the account).Given the fact that so much of my data would be available through the web interface if someone were somehow able to obtain my password, I think it would give me peace of mind to know that at least it would require a second form of authentication (Something that I have in my possession not just something that I know) to get access to it. Evernote could have an option to enable two factor authentication using something like Yubikey or Google authenticator. once it is set up, the user could authorize certain machines to access his Evernote account. Then if a non-recognized computer or ipad/iphone tries to access it, it would be presented with a request for the second factor. If something bad happens and some visible person like Mat Honan gets hacked and has his Evernote account breached through social engineering, it would be very bad for Evernote and I think 2Fa should be very high on the priority list. Link to comment
amer 19 Posted August 12, 2012 Share Posted August 12, 2012 I guess that the last two standing major services (ok, I might be exaggerating a bit) which store personal data but do not have two-factor authentication are Dropbox and Evernote. Recently, after a security breach, Dropbox has announced that they are working on security enhancements including the two-factor authentication. Come on Evernote, it is your turn to announce this feature. It is really hard to argue against beefing up security for services dealing with private notes and documents. You could offer it as a premium feature.Some of current premium users like me would be pleased and some of free account might be converted... and users who do not like it, do not have to use it... Link to comment
jemostrom 5 Posted August 13, 2012 Share Posted August 13, 2012 I agree, some kind of added security would be nice. Link to comment
musashi 0 Posted August 13, 2012 Share Posted August 13, 2012 One more vote for 2FA: not too much of an hassle when done properly, and anything that can get my data more secure is welcomed..... Link to comment
misterbreen 4 Posted August 13, 2012 Share Posted August 13, 2012 Some useful background reading for those unsure about 2FA:http://lifehacker.co...-authentication Link to comment
RNTfuture 0 Posted August 14, 2012 Share Posted August 14, 2012 Will there ever be a 2-step-authentication option for Evernote? I really think that should be possible to keep all the data save. Lastpass uses Googles 2-step-authentication so I think it's also possible for Evernote. Let me know what you all think of this. Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 14, 2012 Level 5* Share Posted August 14, 2012 Will there ever be a 2-step-authentication option for Evernote? I really think that should be possible to keep all the data save. Lastpass uses Googles 2-step-authentication so I think it's also possible for Evernote. Let me know what you all think of this. Hi. Welcome to the forums! I merged the thread you started with the existing thread on the topic. Link to comment
Level 5* JMichaelTX 4,118 Posted August 14, 2012 Level 5* Share Posted August 14, 2012 Google already has 2-step-authentication, and DropBox recently announced that they plan to add it very soon.Evernote, do you plan to step up to current security standards any time soon? Link to comment
Mike Wood 139 Posted August 14, 2012 Share Posted August 14, 2012 Perhaps one answer would be to implement SAML and then you could utilise a solution like http://www.onelogin.com/We can already utilise onelogin with EN but in the end it's just filling in the password for you. With SAML you lock the cloud to this authentication method only and then the system becomes more like online banking.... Link to comment
idoc 411 Posted August 23, 2012 Share Posted August 23, 2012 There are times that I need to access EN from the web at other computers eg: when I travel. For this reason I have resisted using Lastpass to generate an impossible password (I wouldn't remember it). Therefore, I am using a pass phrase (much longer than a password but easy for me to remember). I think that pass phrases are more secure than passwords. Link to comment
misterbreen 4 Posted August 24, 2012 Share Posted August 24, 2012 http://xkcd.com/936/http://lifehacker.com/5932700 Link to comment
Owyn 457 Posted August 24, 2012 Share Posted August 24, 2012 http://xkcd.com/936/http://lifehacker.com/5932700Yep.I have switched to xkcd style pass phrases for passwords that I have to frequently type.I use LastPass generated random passwords if they are only used on Web login and LastPass can handle the auto fill.I am working through the personal implications of 2FA. Link to comment
amer 19 Posted August 24, 2012 Share Posted August 24, 2012 I guess that the last two standing major services (ok, I might be exaggerating a bit) which store personal data but do not have two-factor authentication are Dropbox and Evernote. Dropbox just did it: https://forums.dropbox.com/topic.php?id=66910 . Now Evernote is the last service I use for storing personal data without advanced security ): Link to comment
grivp 2 Posted August 26, 2012 Share Posted August 26, 2012 Two step verification is becoming critical for me. Link to comment
Mike Wood 139 Posted August 26, 2012 Share Posted August 26, 2012 @grivp Have you looked at onelogin.comYou can use it to access Evernote with 2 factor etc. Its not perfect as only apps/cloud services which are locked down to SAML only are fully secured, but it does mean you can happily access your EN on other peoples PC's etc without fear of key loggers etc. Link to comment
nordi 0 Posted August 28, 2012 Share Posted August 28, 2012 I really desperately need that feature. Its a shame that Evernote doesnt manage to implement it. Link to comment
spaet_m 0 Posted August 29, 2012 Share Posted August 29, 2012 I'd like to support the notion that EN add 2FA. Those who don't want to use it, don't have to. Link to comment
Michael S. 0 Posted August 29, 2012 Share Posted August 29, 2012 +1Another vote for this feature. I'm a new user and this is the first thing I looked for. A bit shocked really that there's even an argument here given that the purpose of Evernote is supposedly to by my entire digital memory. Link to comment
Level 5* jefito 5,598 Posted August 29, 2012 Level 5* Share Posted August 29, 2012 There's no real argument here, and besides, this is a user forum. If Evernote has two-factor authorization in the works, they just may not be talking about it until it's ready to go, because that's their general policy. Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 29, 2012 Level 5* Share Posted August 29, 2012 Agreed. No argument against the feature. Heck, the more features the better (in general). However, with finite resources (time and manpower), I have lots of other priorities for Evernote myself. My "argument" is against people who think no two-factor authentication = exposed and naked in in the digital landscape. I think you could boil down my point to something very simple: you already have many protection "tools" at your disposal.As I have mentioned here and elsewhere, good security practices will be a powerful defense against any unauthorized intrusion:1. long2. unique (not shared by other sites)3. random4. regularly changed5. Set up an email account (choose one made up of random characters) tied only to your password manager (like Roboform or LastPass) and do not use the email for anything else (just the email to set it up, and then you won't need to log into it again)6. Encrypt sensitive information in your account7. Encrypt your hard drive Link to comment
Level 5* EdH 1,670 Posted August 29, 2012 Level 5* Share Posted August 29, 2012 As I have mentioned here and elsewhere, good password practices will be a powerful defense against any unauthorized intrusion: long, unique (not shared by other sites), random, and regularly changed ones work well. In addition, if you have Evernote (and all of your other important sites) tied to a private email account you have shared with no one else, it is very unlikely that your information will be compromised. Finally, if you encrypt sensitive information in your account, even if someone managed to get into your account, they wouldn't find anything damaging.GrumpyMonkey, you are missing the point. Single authentication is going to go away. It is no longer practical to use long random and regularly changed passwords. For example, everytime you change your password on the Windows Phone client, it erases all of your notes and settings, as if you had uninstalled EN and started over. Plus, I have EN installed on 6 clients (PCs and mobile). It is a major hassle to do a password change.The old practices just aren't keeping up with hackers today. 2FA is the way to go, especially for a service that touts itself as your electronic brain.I know you aren't advocating against 2FA - you are clear about that, but please, stop defending the status quo. I've seen to many companies defend the status quo until one of two things happen - it is definitively proved wrong, or the company goes out of existence. Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 29, 2012 Level 5* Share Posted August 29, 2012 As I have mentioned here and elsewhere, good password practices will be a powerful defense against any unauthorized intrusion: long, unique (not shared by other sites), random, and regularly changed ones work well. In addition, if you have Evernote (and all of your other important sites) tied to a private email account you have shared with no one else, it is very unlikely that your information will be compromised. Finally, if you encrypt sensitive information in your account, even if someone managed to get into your account, they wouldn't find anything damaging. GrumpyMonkey, you are missing the point. Single authentication is going to go away. It is no longer practical to use long random and regularly changed passwords. For example, everytime you change your password on the Windows Phone client, it erases all of your notes and settings, as if you had uninstalled EN and started over. Plus, I have EN installed on 6 clients (PCs and mobile). It is a major hassle to do a password change. The old practices just aren't keeping up with hackers today. 2FA is the way to go, especially for a service that touts itself as your electronic brain. I know you aren't advocating against 2FA - you are clear about that, but please, stop defending the status quo. I've seen to many companies defend the status quo until one of two things happen - it is definitively proved wrong, or the company goes out of existence. You are right. I didn't know the point was that single authentication was going away. If that is the point, then I can't really say, because I am not a prognosticator, and I will have to remain blissfully ignorant of 2FA's necessity I imagine it will come someday, but my point is that we are already well-protected. Moreover, I believe users also have to take responsibility for their data security, regardless of what Evernote decides about 2FA. As for the specific methods I suggested, I have Evernote on six devices as well (not Windows phone) and I regularly change my password. Using a password service makes this a breeze. And, to the best of my knowledge, all of the intrusions that have been brought forth in this thread as evidence for the need for 2FA would have prevented just as effectively with my methods. That seems like a useful thing to point out. There isn't much you can do in a case like Matt Honan's, when a company you trust gives out your password information. Presumably, Apple would have bypassed 2FA when they opened up his iCloud account. However, if Matt had been using a private email that he had not told anyone about (as I suggested above), he would have been fine. The hackers wouldn't have gotten past his iCloud account. Of course 2FA for Gmail would have protected him as well. My point is that even without 2FA you are well-protected. You can take that for what it is worth, but rest assured that my support for better password practices will not affect Evernote's course of action one bit. I am sure they are well-aware of 2FA and its benefits. The question (in my mind) is whether they want to devote their resources to it. I am not convinced that they need to do it right now. Link to comment
Level 5* EdH 1,670 Posted August 29, 2012 Level 5* Share Posted August 29, 2012 GrumpyMonkey, check out this article http://arstechnica.com/security/2012/08/passwords-under-assault/It explains why hackers have a vast arsenal of data to work with now that passwords and hashes have been exposed (linkedin for example) - nothing related to the Matt Honan case. Sure, you can change your password, and should, but now that they know more how users think, they can tweak their code and it no longer becomes random brute force attacks. They are focused brute force attacks with millions of entries from databases they are building, and millions can be processed very quickly. Link to comment
jss92 0 Posted August 29, 2012 Share Posted August 29, 2012 I won't post anything I think is 'too sensitive' to Evernote as I don't think the security is robust enough. AND Evernote wants ~$44/yr to add a passcode to it's app as additional 'security' (and I know some other options too) - LMAO for a app passcode! Now i WOULD consider paying $44/yr if it got me something like two-factor authentication along with the other upgraded features. Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 29, 2012 Level 5* Share Posted August 29, 2012 GrumpyMonkey, check out this article http://arstechnica.c...-under-assault/It explains why hackers have a vast arsenal of data to work with now that passwords and hashes have been exposed (linkedin for example) - nothing related to the Matt Honan case. Sure, you can change your password, and should, but now that they know more how users think, they can tweak their code and it no longer becomes random brute force attacks. They are focused brute force attacks with millions of entries from databases they are building, and millions can be processed very quickly.Yep. A good article. Thanks for that!But, in the conclusion (page 4) it comes up with the same advice that I gave, right? Random, unique (don't use the same one on every site), long, and regularly changed passwords. Link to comment
Level 5* EdH 1,670 Posted August 30, 2012 Level 5* Share Posted August 30, 2012 No, not technically. It says if you want your password to not be "trivial to break" and not be "toppled in a matter of hours" you should do that.I want something virtually unbreakable, and encryption cannot get you there. 2FA can. I can give you my userID and password to my Gmail account and unless you knock me over the head and take my phone (and can crack my phone PIN), you still cannot get in my email. Someone sitting in Russia with their high powered computer cannot do it either - not unless they hack Google itself and bypass account authentication.I think Evernote data falls under this umbrella. I don't want 2FA for EN forums, or other forums. It isn't that big of a deal. But email, EN data, Facebook and other sites with sensitive info, 2FA is the way to go. Dropbox just enabled it this week and I will be setting it up in the next few days. Link to comment
Level 5* GrumpyMonkey 4,320 Posted August 30, 2012 Level 5* Share Posted August 30, 2012 No, not technically. It says if you want your password to not be "trivial to break" and not be "toppled in a matter of hours" you should do that.I want something virtually unbreakable, and encryption cannot get you there. 2FA can. I can give you my userID and password to my Gmail account and unless you knock me over the head and take my phone (and can crack my phone PIN), you still cannot get in my email. Someone sitting in Russia with their high powered computer cannot do it either - not unless they hack Google itself and bypass account authentication.I think Evernote data falls under this umbrella. I don't want 2FA for EN forums, or other forums. It isn't that big of a deal. But email, EN data, Facebook and other sites with sensitive info, 2FA is the way to go. Dropbox just enabled it this week and I will be setting it up in the next few days.Again, I am not arguing against 2FA. I am clarifying what is available to us already.As the article said, there is an exponential wall for brute force hacking. Let's say Evernote gets hacked and (assuming good password storage practices on Evernote's part) the hackers will have to work a bit to get the passwords. If you have a 20, 25,or 30 character password then the hackers will need weeks, months, or maybe years to break the password. If you follow the suggestions I made (regularly changing passwords), then you'll have changed your password long before they complete the process. If Evernote is not hacked, the process becomes even more lengthy, because Evernote blocks repeated, failed login attempts. It is, for all intents and purposes, unbreakable. I agree that 2FA is more secure, but I want to emphasize to users that good practices (not just here, but on every site) will go a long ways towards protecting your data. We are still at the point where users have shockingly simple passwords shared with everything from banks to one-off sites that require accounts to do anything (a great way to gather sensitive information from users). I have seen it firsthand. Until 2FA comes, whenever that may be, users have tremendous power to protect themselves with just a tiny bit of effort. Link to comment
Level 5* FactMan 196 Posted August 30, 2012 Level 5* Share Posted August 30, 2012 As the article said, there is an exponential wall for brute force hacking. Let's say Evernote gets hacked and (assuming good password storage practices on Evernote's part) the hackers will have to work a bit to get the passwords. If you have a 20, 25,or 30 character password then the hackers will need weeks, months, or maybe years to break the password. If you follow the suggestions I made (regularly changing passwords), then you'll have changed your password long before they complete the process. If Evernote is not hacked, the process becomes even more lengthy, because Evernote blocks repeated, failed login attempts. It is, for all intents and purposes, unbreakable.I agree that 2FA is more secure, but I want to emphasize to users that good practices (not just here, but on every site) will go a long ways towards protecting your data. We are still at the point where users have shockingly simple passwords shared with everything from banks to one-off sites that require accounts to do anything (a great way to gather sensitive information from users). I have seen it firsthand. Until 2FA comes, whenever that may be, users have tremendous power to protect themselves with just a tiny bit of effort.So, to be able to access all our long, impossible to remember passwords that we change every 90 days (or whenever we remember to do it), how should we store them - something like Roboform, or a password locker program? I use Keepass, but not sure that is the best way. I am also presuming that for that I should use a complex password with a key file? Any other thoughts? I am not arguing against the additional security - I just want to know the latest thinking on the best way to implement it. Link to comment
Recommended Posts
Archived
This topic is now archived and is closed to further replies.