Jump to content

(Archived) Change encryption password


reck

Recommended Posts

As is good practice with passwords I like to change them periodically. Is there a way to change my evernote encryption password apart from going through and manually de-encrypt\re-encrypt every bit of encrypted text?

Link to comment

hmmm i'm not seeing any global option here.

Surely we're not expected to go through and call up each note (using the attribute "contains encrypted text"), find the encrypted bit of text, highlight, de-crypt and then encrypt again. Then do it all over again (no doubt with more notes) further down the line next time it's password change time.

Link to comment

Yes, the encryption for each region may be separate -- there's no global "passsphrase" to change for security reasons. So you can set each region separately, and if you want to change them, you need to change them individually.

Link to comment
Yes, the encryption for each region may be separate -- there's no global "passsphrase" to change for security reasons. So you can set each region separately, and if you want to change them, you need to change them individually.

Could you explain what do you mean by "region" here. I did not know there is such a term in EN.

Link to comment

It’s quite ironic that you chose not to implement a global setting for “security reasons” as it’s down to security reasons that I want to change my password in the first place.

For users with large amounts of notes containing encrypted text built up over a number of years it’s just not practical to go through and manually change each and every instance of a password protected piece of text in evernote. Therefore the password has to remain the same for ever, even if you think it may have been compromised at some point. Doesn’t this limitation present a greater security risk than allowing users to easily change their encryption password periodically?

Cpchang, maybe region just means the area of text that you’ve chosen to encrypt?

Link to comment

Cpchang, maybe region just means the area of text that you’ve chosen to encrypt?

I guess so.

I hope the whole EN data file can be encrypted. I do not mind de-encrypt every time I open it. Once I am done I hope I can close the file encrypted.

Link to comment
I hope the whole EN data file can be encrypted. I do not mind de-encrypt every time I open it. Once I am done I hope I can close the file encrypted.

The EN database on the EN servers is not encrypted. You can encrypt the EN database on your Windows desktop by moving it to a Truecrypted container. This has been discussed a lot on the board, so you can search on the word "encrypt" to find more info on the subject.

Link to comment
I hope the whole EN data file can be encrypted. I do not mind de-encrypt every time I open it. Once I am done I hope I can close the file encrypted.

The EN database on the EN servers is not encrypted. You can encrypt the EN database on your Windows desktop by moving it to a Truecrypted container. This has been discussed a lot on the board, so you can search on the word "encrypt" to find more info on the subject.

Yes I have read about this work around. Not sure why EN does not want to have this option. Anyway, does Truecrypt run on all the platforms that EN runs, such as the smart phones?

Link to comment
Yes I have read about this work around. Not sure why EN does not want to have this option.

It's discussed in the various threads. In a nutshell, true encryption requires they not know the password which means they cannot index the database in order to do the searching.

Anyway, does Truecrypt run on all the platforms that EN runs, such as the smart phones?

No. It does run on Windows but for other clients, you'd need to research how best to protect your data on each of the clients you use.

Link to comment
Yes I have read about this work around. Not sure why EN does not want to have this option.

It's discussed in the various threads. In a nutshell, true encryption requires they not know the password which means they cannot index the database in order to do the searching.

Thanks. I have been a user of InfoSelect for two decades. I wonder why InfoSelect data can be password protected, yet its lightening fast and very versatile searching is much faster and more powerful than Evernote. :?

Link to comment
  • Level 5

Thanks. I have been a user of InfoSelect for two decades. I wonder why InfoSelect data can be password protected, yet its lightening fast and very versatile searching is much faster and more powerful than Evernote. :?

$250 smackers for InfoSelect and $100 for each upgrade?

They better be a lot more powerful at that price.

Link to comment
If you lose or forget the password, there is no way to retrieve it.

By definition, this would be the case with any "true" encrypted system. If you can request your password via a "forgot your password" link, that means the board/company/service knows how to retrieve your password. And so would/could a hacker. The most secure encryption means the board/company/service has no way to access your encryption password.

Link to comment
  • Level 5
If you lose or forget the password, there is no way to retrieve it.

By definition, this would be the case with any "true" encrypted system. If you can request your password via a "forgot your password" link, that means the board/company/service knows how to retrieve your password. And so would/could a hacker. The most secure encryption means the board/company/service has no way to access your encryption password.

I believe that is what I said, but thanks for reconfirming my comment.

Link to comment
  • Level 5

Ahh, actually what I said was a fact. Cpchang said he had read about the TrueCrypt workaround. There was no need to add any "good things" to my statement because it stands on its own. If you think my statement is fraudulent, I would love to hear an explanation.

"If you lose or forget the password, there is no way to retrieve it."
Link to comment

Ahh, actually what I said was a fact. Cpchang said he had read about the TrueCrypt workaround. There was no need to add any "good things" to my statement because it stands on its own. If you think my statement is fraudulent, I would love to hear an explanation.

I don't know what you're agenda is, nor am I interested. It's clear I did not say your posting was "fraudulent." It's clear you're going off on tangents here & I'm not interested in any part of that. Carry on.

Link to comment

Ahh, actually what I said was a fact. Cpchang said he had read about the TrueCrypt workaround. There was no need to add any "good things" to my statement because it stands on its own. If you think my statement is fraudulent, I would love to hear an explanation.

I don't know what you're agenda is, nor am I interested. It's clear I did not say your posting was "fraudulent." It's clear you're going off on tangents here & I'm not interested in any part of that. Carry on.

Thank you both to BurgersNFries and jbenson2.

As a non-specialist but advanced user of randam notes organizer, I am simply curious on what seems a simple matter, that is to allow password lock of Eevernote. I wish to be educated and appreciate all the responses. I was the person who first suggested the yahoo group of IS-EN, to help InfoSelect users to convert to Evernote. The vast majority of InfoSelect users around the world are power users, with InfoSelect for decaade or more. One of the biggest difficulties I have to encourage the conversion is the encryption issue. That is why I am always interested in this subject.

Also, as a layman who never used TrueCript, it seems to me that it only encripts the Evernote data on the local computer. Once they are sent to the cloud it is no longer encrypted, or am I wrong? If data are not encrypted in cloud, then TC may be useful for preventing hacking of the local computer, but it does not adderss the concern we have. A password protected data base will.

CP

Link to comment

Also, as a layman who never used TrueCript, it seems to me that it only encripts the Evernote data on the local computer. Once they are sent to the cloud it is no longer encrypted, or am I wrong? If data are not encrypted in cloud, then TC may be useful for preventing hacking of the local computer,

Correct, as previously mentioned:

The EN database on the EN servers is not encrypted. You can encrypt the EN database on your Windows desktop by moving it to a Truecrypted container. This has been discussed a lot on the board, so you can search on the word "encrypt" to find more info on the subject.

but it does not adderss the concern we have. A password protected data base will.

True, and as I mentioned above:

In a nutshell, true encryption requires they not know the password which means they cannot index the database in order to do the searching.

This is why I don't store sensitive info in Evernote (unless it would be text that is encrypted). This has been discussed at length in other threads. The "wide open database" thread is very comprehensive. So if you have any further questions, I would refer you to that, rather than repost info that has already been posted.

Also:

but it does not adderss the concern we have. A password protected data base will.

To clarify, a "password protected database" is not necessarily an encrypted database.

Link to comment
  • Level 5

I don't know what you're agenda is, nor am I interested. It's clear I did not say your posting was "fraudulent." It's clear you're going off on tangents here & I'm not interested in any part of that. Carry on.

Your challenging statement. that what I said was wrong. struck a nerve.

I do not believe what I wrote was wrong. For some unmentioned reason, you do.

But I politely responded and asked you to explain where my statement was wrong. I remained on topic.

I stand by my original comment when using the TrueCrypt workaround - see below:

If you lose or forget the password, there is no way to retrieve it.
Link to comment

BurgersNFries and jbenson2; again thank you both, I have been helped here and elsewhere by your posts. I wish to apologize to both of you for inciting a possible misunderstanding and wish to take all the blames.

Meanwhile, I hope you guys can put up for repeated questions on matters that have been discussed previously, even extensively and repeatedly. I am pretty sure there are many other new Evernote converts who have more and more questions as they learn to use EN, but for one reason or another did not do a thourough search of the forum. And there may also be posts that tried to give what the poster thinks are additional reasons to support a desired feature, even though these reasons may sound the same to old hands.

They will benefit from your patience and help.

CP

Link to comment
  • 1 year later...

hmmm i'm not seeing any global option here.

Surely we're not expected to go through and call up each note (using the attribute "contains encrypted text"), find the encrypted bit of text, highlight, de-crypt and then encrypt again. Then do it all over again (no doubt with more notes) further down the line next time it's password change time.

I have to agree.  Now that EN has been hacked, I'm facing the annoyance of updating each of my notes' passwords individually.  Please give users a global encryption option.

Link to comment
  • Level 5*

hmmm i'm not seeing any global option here.

Surely we're not expected to go through and call up each note (using the attribute "contains encrypted text"), find the encrypted bit of text, highlight, de-crypt and then encrypt again. Then do it all over again (no doubt with more notes) further down the line next time it's password change time.

I have to agree.  Now that EN has been hacked, I'm facing the annoyance of updating each of my notes' passwords individually.  Please give users a global encryption option.

It's not clear to me that you need to do this, but it's a fair question, that doesn't seem to have been addressed in light of the breach. I'm pretty sure that passwords for these are not stored on the Evernote servers in the area that was hacked, but it would be good to get an official word on this. I'll report this to a higher power.

Link to comment

hmmm i'm not seeing any global option here.

Surely we're not expected to go through and call up each note (using the attribute "contains encrypted text"), find the encrypted bit of text, highlight, de-crypt and then encrypt again. Then do it all over again (no doubt with more notes) further down the line next time it's password change time.

I have to agree.  Now that EN has been hacked, I'm facing the annoyance of updating each of my notes' passwords individually.  Please give users a global encryption option.

 

You do NOT need to worry about text you've encrypted with the EN encryption feature.  Well, unless you used your login password or a weak password or did something silly like keep the encryption password in another EN note that is not encrypted.  That's kind of the point of true encryption.  EN does not have the encryption passphrase & cannot help you recover the encrypted data if you lose/forget the password. Therefore, even if someone DID gain access to your encrypted notes on the EN server, they would have to attempt to crack your encryption password because Evernote does not have your encryption password.  (This is also why EN cannot index your encrypted text.)  And, IMO, unless you work for the CIA or have immediate access to millions/billions of dollars, us regular Joes are probably not going to be worth the time & CPU cycles of cracking strong encryption passwords.

Link to comment

 

hmmm i'm not seeing any global option here.

Surely we're not expected to go through and call up each note (using the attribute "contains encrypted text"), find the encrypted bit of text, highlight, de-crypt and then encrypt again. Then do it all over again (no doubt with more notes) further down the line next time it's password change time.

I have to agree.  Now that EN has been hacked, I'm facing the annoyance of updating each of my notes' passwords individually.  Please give users a global encryption option.

 

You do NOT need to worry about text you've encrypted with the EN encryption feature.  Well, unless you used your login password or a weak password or did something silly like keep the encryption password in another EN note that is not encrypted.  That's kind of the point of true encryption.  EN does not have the encryption passphrase & cannot help you recover the encrypted data if you lose/forget the password. Therefore, even if someone DID gain access to your encrypted notes on the EN server, they would have to attempt to crack your encryption password because Evernote does not have your encryption password.  (This is also why EN cannot index your encrypted text.)  And, IMO, unless you work for the CIA or have immediate access to millions/billions of dollars, us regular Joes are probably not going to be worth the time & CPU cycles of cracking strong encryption passwords.

 

Exactly.  We do not store these, so there is nothing to be taken.

Link to comment

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...