
Stolen laptop. Prevent access. Changing password is not enough.



I lost my laptop. The first thing I did was change my password.

 

Obviously the person has access to all my notes on that laptop. But soon I discovered that this did not prevent the thief from accessing my account and possibly deleting notes. Even access to new notes that I created. Can someone elaborate on that?

 

I had to do a "revoke". Why?

 

So simply changing the password is not enough?

 

Link to comment


Changing your password indeed does prevent anyone from adding, changing or deleting notes from the EN servers. However, yes, they have access to your notes on your local database on your hard drive. If you "revoked", that (IME) is for third-party apps that have access to your Evernote account.

 

Sorry your laptop got lost.  But I would suggest in the future, to keep your local database in an encrypted container.  This has been discussed at great length already.  Please search the board on 'security' for more information.

Link to comment

 


You are wrong. I tested this. I changed my password. A day after, I added a new note. Then I opened Evernote on a device that I had not used for a while, without having to enter a new password. And sure enough, I could see all the new notes that I had created.

 

Amazed and terrified by this, I logged into my account and changed the password again and pushed the "revoke" button. Then I added a new note. This time I could not see new notes on that device.

 

Please elaborate.

 

Thanks.

Link to comment

If this doesn't work for you, then you'll have to take it up with Evernote by submitting a support ticket.

Link to comment

 


Yes, someone sure does.

 

Just tested this again. Changed the password. Added a few notes. Opened Evernote on the other device that knows nothing about the password change. The notes appeared on that device. Then deleted the notes. And now the notes are deleted on the device on which I did the password change. Major security flaw.

Link to comment

The "Revoke" option on one's Evernote Account > Security > Applications page applies to Evernote client applications also, not just third-party applications.  So in the case of a lost/stolen laptop, phone, etc., you can visit that page and revoke access to the missing device.  Then it will no longer be able to access or update your information on the Evernote service.  As BurgersNFries pointed out, though, the person who has your device will have access to your local Evernote information on that device.

Link to comment

 


phils. I understand that the person will have access to the local Evernote information on that device I lost. But that the person is able to access new notes and delete notes after I have changed my password I do not understand.

Link to comment

Simply revoke, since that worked. The more I think about it, when you don't LOG OUT of Evernote, it doesn't require a password when you go back in. This allows people to access their local database on their computer, even if they don't have internet access. If you had logged out on your device or computer, then a password is required to get back in. But if you only close the app, then that's apparently why you must do the revoke. It makes sense, now.

Link to comment
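
The behaviour debated above, as an added example that is not part of any post and is not Evernote's code: a toy sync server, assumed to authenticate devices with long-lived session tokens, showing why a password change alone leaves the lost laptop syncing until its session is revoked, next to a hardened variant that drops other sessions when the password changes. All names (`SyncService`, `lost_laptop_scenario`) and the sample passwords are hypothetical.

```python
import hashlib, hmac, secrets

class SyncService:
    """Toy note-sync server (assumed model): devices hold session tokens."""
    def __init__(self, password, revoke_on_password_change=False):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._sessions = {}                      # token -> device name
        self.notes = []
        self.revoke_on_password_change = revoke_on_password_change

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password):
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            raise PermissionError("bad password")

    def login(self, password, device):
        self._check(password)
        token = secrets.token_urlsafe(32)        # kept on the device across app restarts
        self._sessions[token] = device
        return token

    def change_password(self, old, new, keep_token):
        self._check(old)
        self._pw_hash = self._hash(new)
        if self.revoke_on_password_change:       # hardened: drop every other session
            self._sessions = {t: d for t, d in self._sessions.items() if t == keep_token}

    def revoke(self, device):                    # the manual "Revoke" step from the thread
        self._sessions = {t: d for t, d in self._sessions.items() if d != device}

    def sync(self, token):                       # checks the token, never the password
        return list(self.notes) if token in self._sessions else None  # None models a 401


def lost_laptop_scenario(hardened):
    svc = SyncService("old-password", revoke_on_password_change=hardened)
    laptop = svc.login("old-password", "lost-laptop")    # constructed sample devices
    desktop = svc.login("old-password", "desktop")
    svc.change_password("old-password", "new-password", keep_token=desktop)
    svc.notes.append("note written after the password change")
    after_change = svc.sync(laptop) is not None
    svc.revoke("lost-laptop")
    return {"after_password_change": after_change,
            "after_revoke": svc.sync(laptop) is not None}
```
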

 


Thanks BurgersNFries. That makes some sense.

 

But keep in mind that it was several days between when I last accessed that device and the password change. A cached login should not be able to access my Evernote database in the sky after I have changed my password. Period.

Link to comment

But unless the laptop has access to the internet, then it doesn't know the password was changed.

Link to comment

Also, presumably your user account on that computer was password protected, right? So they'd have to break through your user password before they could actually access any of your personal files.

 

Also, Evernote is not the only culprit. Did you happen to have an email client configured? Even if you password protected that client, the emails are stored locally and accessible without a password. 
 

Dropbox, or any other cloud service? Those local files are accessible even if you change your password for that cloud service.

 

Losing your laptop is a big deal and Evernote is definitely not the only thing to be concerned about! 

Link to comment

Also, presumably your user account on that computer was password protected right? So they'd have to break through your user password before they could actually access any of your personal files.

I don't know about Macs, but on Windows, this only prevents them from logging into your computer, which is a good thing. But it doesn't prevent them from accessing your files, if they are savvy enough to remove the hard drive and/or connect it to another computer. OTOH, if the database is stored in an encrypted container, then it's a lot more difficult to access the files (assuming the container has been closed/dismounted) & usually too much trouble.

Link to comment

It is about the same on the Mac. If a thief were to somehow gain access to a guest account or create an account of their own, they would still need to know the user's password to access that user's files.

If the Mac has a conventional spinning disk HD, then it could potentially be removed and sifted through with some labour just like a Windows machine.

 

On the Mac, there is also the built-in FileVault encryption that can optionally be enabled, which encrypts the entire contents of the hard drive and can only be decrypted using a zero knowledge (unless otherwise configured) pass phrase, so if the user has FileVault enabled (and it is silly not to, in most cases), then that decryption phrase would also have to be known. This means if the computer has a conventional spinning HD, even removing it and sifting through it would be largely futile. If it is any of the computers with an SSD, the drives are (with a few exceptions) soldered to the motherboard, and so the very act of removing the storage from the computer might actually just render it inaccessible!

Link to comment

Archived

This topic is now archived and is closed to further replies.
