JoeBB

Two step authentication (e.g. via Google authenticator) and encryption


Kind of ignoring your childish response to Jbenson, if 2fa is such a big deal to you and you know Evernote doesn't currently support it and may never do so, why haven't you moved your tank onto someone else's lawn?

Read what I wrote fully before passing a comment. I am still stuck here, because there has been no clear response from EN yet on this issue. I never denied that I like EN a lot, but for me, data security is more important than data organization and archiving.


This surprises me big time. This request was made 2 years ago, and still no official reply on this topic, and Evernote claims that it is fully committed to protection of user data?


Completely wrong, 2fa does in no way mean that your data is 100% safe. It seems that you are ignoring the reality of data breaches; they do not in any great number come from individual users. They come from the supplier; 2fa doesn't provide you any further significant protection in this case.

I'd take issue with that.

When you browse news coverage of website breaches, the ones I'm seeing, the vast majority involve the leaking of account credentials, rather than data. At least first.

Unlike say with Google, with an Evernote account I can't see a list of logins. Once my credentials have been lost, there's no insight into a data leak happening over an extended period of time.

Business staff will be inclined to log in from home PCs, or hotel kiosks on trips, Internet cafés, any number of places where the credentials will be sniffable.

One will counter with, "that's why we rotate passwords frequently". That's a magnitude more inconvenience across clients over time than 2fa (and other methods), and pushes a business's staff to doing all the wrong things. Passwords on sticky notes, password gaming (guessable prefix/suffix based on the year etc).

As you look back at items that hit the news with embarrassing items released when a celebrity's account was breached, be it Paris Hilton's phone (server side picture storage), or Sarah Palin's email, or whatever... Imagine the mayhem that can happen from the release of an Evernote account. Especially when you have businesses now starting to use it.

Put it in the context of Evernote pushing the Document capture feature on the mobile clients. Sure... take pictures of all your important documents. Except that images can't be encrypted like the body of a note can. Never mind the tedium of encrypting and decrypting whole notebooks of stuff (IT will tire real soon of having to hound users to use encryption, to the point users just stop putting stuff in there), just to compensate for a weak authentication system.

You don't think there'll be a huge surge of hackers looking to get into Evernote to look for stored "documents" like those being advocated on the Evernote blog and others: "Make sure to save important travel documents like your passport (photo or scanned copy), immunizations (if you’re traveling abroad), phone numbers and addresses of people at home as well as the places you might be staying."

You'll start to see some nasty identity theft issues, early product announcement leaks, and the like.


I'm a sophisticated user, 20 years enterprise IT experience, I've worked on major projects on 4 continents with massive commercial, financial and networking customers. 2fa is a nice-to-have, but the reality of data loss is that I am much more likely to have my data compromised by an attack directly on Evernote's server side security, or by a mistake by an employee, than I am by a random attack on my own computer. The people who make a living out of attacking personal data don't do so by breaking one password at a time, they do it by either taking advantage of an existing server side hole or creating their own one through physical theft or social engineering.

I would imagine that Evernote's user base, which is close to 40m, would probably lose a tiny percentage if they announced that 2fa is not on their roadmap. They will never make this announcement and they may even introduce it tomorrow, but to imply that by not having it your data is at some massive risk or that we are on the verge of a large closure of accounts shows little understanding of what data security really means.

I have the same IT experience, and that's not what I see.

Most of our clients use 2 factor (mostly my least favorite, RSA SecurID) to protect their VPN, email, and PC logins, etc.

They have to ship us a dongle, to be able to log in and help them with our product.

When you look at the cloud services the Fortune 500 tend to use, there are additional mechanisms beyond a simple login.

At a minimum, if you log into Salesforce from a different browser (even on the same PC, on the same IP), or from a different location, that is blocked until you respond to a link in an email sent to you (using your email account as a second factor for new untrusted connections).

There are lots of options.

I deal with cleaning up lots of break-ins of many types. Sometimes there are weak or shared passwords involved, but sometimes even strong ones.

When your value proposition is easy to access anywhere with only a browser, eventually that's exactly what people will do. And do so in one of the many places where you wouldn't want them to.

That gets compounded by no ability to see that you made a mistake and you've lost control of your data (no list of logins and IPs à la Google and others).

Metrodon, I believe you're mistaken in the idea that attacks are bulk and not onesy twosy.

  • Firstly there are the high profile targets that WILL be spear-phished in one way or another.
  • For the bulk of the remainder, it's either a cross-site scripting or automated collection via installed botnet infection. The credentials are aggregated by the botnet herder, and then the data is mined in bulk. But the credentials were taken one set at a time from individual PCs. In many of these instances I've dealt with, the passwords used were strong. Where a breach occurred, none to date involved 2-factor authentication. 2-factor takes the burden off the end user, and forces the attack to be directly at the data behind Evernote's locked front door, rather than at the flimsy key in the hand of an Evernote user.
  • Some of the highly public leaked credentials were collected right from insecurities of the public website itself (again, not a biggie if it takes 2-factor to get in).
  • But I also see the onesy twosy attacks on every exposed network interface, from blogs, to phone systems, and mail systems, each and every day. The fact is we're just creatures of habit when it comes to passwords and accounts. We're not unique and clever in choosing them when you look at a large enough sample (and the lists of stolen passwords circulated are just too rich). The whole thing is automated, and done every day.

Maybe I can just start with something simple... Why can I not lock myself out of my Evernote web account with 10 wrong passwords? And not just any 10, picked from the top 25 that are released every year as the top hacked passwords. Wow, just... Wow.


I'm a sophisticated user, 20 years enterprise IT experience, I've worked on major projects on 4 continents with massive commercial, financial and networking customers. 2fa is a nice-to-have, but the reality of data loss is that I am much more likely to have my data compromised by an attack directly on Evernote's server side security, or by a mistake by an employee, than I am by a random attack on my own computer. The people who make a living out of attacking personal data don't do so by breaking one password at a time, they do it by either taking advantage of an existing server side hole or creating their own one through physical theft or social engineering.

I would imagine that Evernote's user base, which is close to 40m, would probably lose a tiny percentage if they announced that 2fa is not on their roadmap. They will never make this announcement and they may even introduce it tomorrow, but to imply that by not having it your data is at some massive risk or that we are on the verge of a large closure of accounts shows little understanding of what data security really means.

I have the same IT experience, and that's not what I see.

Most of our clients use 2 factor (mostly my least favorite, RSA SecurID) to protect their VPN, email, and PC logins.

They have to ship us a dongle, to be able to log in and help them with our product.

When you look at the cloud services the Fortune 500 tend to use, there are additional mechanisms beyond a simple login.

At a minimum, if you log into Salesforce from a different browser (even on the same PC, on the same IP), or from a different location, that is blocked until you respond to a link in an email sent to you (using your email account as a second factor for new untrusted connections).

There are lots of options.

I deal with cleaning up lots of break-ins of many types. Sometimes there are weak or shared passwords involved, but sometimes even strong ones.

When your value proposition is easy to access anywhere with only a browser, eventually that's exactly what people will do. And do so in one of the many places where you wouldn't want them to.

That gets compounded by no ability to see that you made a mistake and you've lost control of your data (no list of logins and IPs à la Google and others).

Metrodon, I believe you're mistaken in the idea that attacks are bulk and not onesy twosy.

  • Firstly there are the high profile targets that WILL be spear-phished in one way or another.
  • For the bulk of the remainder, it's automated collection via installed botnets. The credentials are aggregated by the botnet herder, and then the data is mined in bulk.
  • But I also see the onesy twosy attacks on every exposed interface, from blogs, to phone systems, and mail systems, each and every day. The fact is we're just creatures of habit when it comes to passwords and accounts. We're not unique and clever in choosing them when you look at a large enough sample (and the lists of stolen passwords circulated are just too rich). The whole thing is automated, and done every day.

Maybe I can just start with something simple... Why can I not lock myself out of my Evernote web account with 10 wrong passwords? And not just any 10, picked from the top 25 that are released every year as the top hacked passwords. Wow, just... Wow.

I think they have it set at 20 or so before you get locked.


I think they have it set at 20 or so before you get locked.

Nope.

Not 30 either.

It was consecutive counting up as the password.

No lockout, no pattern ban, no throttling, no email notification of failed password attempts.

Sort of feels like the security stance is "come one, come all, have at it".

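The controls that post lists as missing (lockout after repeated failures, throttling, and a notification on failed attempts), as an added example that is not Evernote's code: a per-account guard run over constructed login log lines. The log format, the LoginGuard class and the 10-failure threshold are assumptions of this example (10 is the figure quoted earlier in the thread).

```python
"""Per-account lockout, throttling and failure notification for a
login endpoint, exercised against constructed log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed log format for this example (not Evernote's real log format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class AccountState:
    failures: int = 0                      # consecutive failures since last success
    locked_until: Optional[datetime] = None


class LoginGuard:
    def __init__(self, max_failures: int = 10, notify_after: int = 5,
                 lockout: timedelta = timedelta(minutes=15), max_delay: int = 60):
        self.max_failures = max_failures   # consecutive failures that trigger a lockout
        self.notify_after = notify_after   # failures after which the owner is notified
        self.lockout = lockout
        self.max_delay = max_delay         # cap on the throttling delay, seconds
        self.state = defaultdict(AccountState)
        self.alerts: List[str] = []        # stands in for the e-mail notification

    def process(self, line: str) -> Tuple[str, int]:
        """Return (decision, delay_seconds) for one login attempt."""
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        user, ip, result = m["user"], m["ip"], m["result"]
        st = self.state[user]
        # Lockout: while locked, the attempt is rejected before the password
        # is even checked, so a correct guess during the window gains nothing.
        if st.locked_until is not None:
            if ts < st.locked_until:
                return ("locked", 0)
            st.failures, st.locked_until = 0, None   # lock expired, start over
        if result == "OK":
            st.failures = 0
            return ("allow", 0)
        st.failures += 1
        if st.failures == self.notify_after:
            self.alerts.append(f"{user}: {st.failures} consecutive failures, last from {ip}")
        if st.failures >= self.max_failures:
            st.locked_until = ts + self.lockout
            self.alerts.append(f"{user}: locked until {st.locked_until.isoformat()} "
                               f"after {st.failures} failures")
            return ("lock", 0)
        # Throttling: the delay before the next attempt doubles per failure, capped.
        delay = min(2 ** (st.failures - 1), self.max_delay)
        return ("throttle", delay)


# Constructed sample: ten failures against alice, then her correct password
# arriving inside the lockout window, then an unrelated successful login.
SAMPLE_LOG = [
    f"2013-02-14T10:00:{i:02d}Z login user=alice ip=203.0.113.5 result=FAIL"
    for i in range(10)
] + [
    "2013-02-14T10:01:00Z login user=alice ip=203.0.113.5 result=OK",
    "2013-02-14T10:01:05Z login user=bob ip=198.51.100.7 result=OK",
]


def run(lines: List[str]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Feed the lines through a fresh guard; return decisions and alerts."""
    guard = LoginGuard()
    decisions = [guard.process(line) for line in lines]
    return decisions, guard.alerts


if __name__ == "__main__":
    decisions, alerts = run(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(decision, line)
    print(*alerts, sep="\n")
```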

Or, this from the same piece:

[EDIT: link is gone -- it was an older piece, but the point remains, 2fa is probably not as easy to implement as it might seem, and I am not surprised that Evernote hasn't invested in implementing it.]

"Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions of dollars outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."


We recommend to our clients that they protect their smart phone with a 4 character password and set it to wipe their device if the password is entered incorrectly 3 or 4 times.

If the phone is lost or stolen and someone attempts to access it, EN, along with everything else is erased and the phone is disabled.

We also recommend using a web service which allows you to remotely disable and wipe the phone. The next time it is in a location where service is available, the device will erase and disable, whether there have been any failed password tries or not. The GPS continues to work and the phone's location is monitored and logged.

Our logic on the simple password is that it is highly unlikely, even with only 10,000 possible password combinations, that someone could guess the password in 3 or 4 tries.

Some problems with that approach:

  • While it's locked, it's still yours, trackable and recoverable. Anyone who wants the phone just iterates through the passwords to start the wipe. It saves them even needing to say "may I have this please", and decreases the likelihood of the police showing up at their door. Automatic wipe is the worst thing you can do, in my opinion.
  • Those you're actually likely to be worried about taking the data behind PIN protection will never enter the PIN. They'll use a security tool like Elcomsoft's to guess the PIN without triggering a wipe or registering a failed attempt, since the hardware encryption protecting the data behind the PIN is not feasibly crackable. The key is a longer PIN. The standard 4-digit PIN is estimated at 40 minutes, vs. 9 digits at 2.5 years and 10 digits at 25 years.

Evernote's 4 digit pin though depends on the speed of your bandwidth. It's however long it takes to delete and re-install the app.


Or, this from the same piece:

"Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions of dollars outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."

Did I miss the piece you reference? I presume you mean: http://www.schneier.com/essay-083.html ?

Let's not over-simplify. As I said as well, this doesn't prevent MITM attacks, but that's not the focus here, and proper use of SSL does mitigate that (Evernote has one part - using HTTPS, and the user has one part, noticing invalid browser certificates or mixed content pages). The other issue he alludes to is Trojans. But let's remember that's theoretical. It's real on PCs, and to some extent on Android. Not so on other mobile clients, and for practical purposes thus far on other desktop OSes.

The point of 2-factor here is to protect the web interface from others using your account (whether you use it or not). That's different from his banking examples. I could never use the Evernote web client, instead using just a sandboxed locked down iPad client (who am I kidding, the iPad client is nearly unusable), and yet 2-factor authentication on the web interface is still of value, protecting my data from not just brute force, but SQL injection attacks on gleaning account access.

And let's also be complete and include his follow up essay 4 days later (remembering that he wrote these 7 years ago, ahem *cough* asleep at the switch Evernote): http://www.schneier.com/essay-370.html

Recently I published an essay arguing that two-factor authentication is an ineffective defense against identity theft (see )

Unfortunately, some took my essay as a condemnation of two-factor authentication in general. This is not true. It's simply a matter of understanding the threats and the attacks.

Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they'll stop advocating stronger authentication measures and the sooner security will actually improve.

As to the spending of millions, remember that was 7 years ago. 2 factor can be had with open source code on server and client sides at no cost, or hardware keys for $5-$15 per user. The thing that's also different is in the days of RSA SecurID, the vendor had to buy and supply them. The key/dongle was encoded to them. You'd have one dongle for every service. Now it's BYOD. It costs nothing for Evernote to protect my account with a YubiKey when I already own it. It sits on my keychain with the rest of my keys, and opens hundreds of websites. Either directly because they support YubiKey, or indirectly because they support OpenID, and I use a YubiKey enabled OpenID provider, or all the rest whose passwords are auto-generated, stored, synced, and entered for me by my YubiKey protected LastPass. Of the multiple hundreds of passwords I have, I could type maybe 2 or 3 of them on my own. Don't need to. Even on my iPhone, it's a copy and paste from the LastPass app to the Evernote client. The key bit though is that unless the website supports 2 factor directly, my safely protected passwords don't help protect the data. It's still just the password protecting that. It just means that if the password is leaked and used, it's not because I stored or carried it around insecurely. With uncompromised SSL it wouldn't be lost in transit, but it can still be lost on either end, and then used by others, anywhere in the world, as much as they want, without my knowledge.

Clear away all the fog and theory. One thing that Bruce Schneier and every sound thinking security researcher has been able to agree on is that passwords alone (particularly if people selecting and using them are involved) are dead. They're dead today. They were dead 7 years ago when the essay was written, and it's argued in the piece they were dead 5 years before that.

The important part for Evernote is to embrace that it's time to move on. Debate may be had on the direction to move, the solution. But standing pat should not be an option.


Or, this from the same piece:

"Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions of dollars outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."

Did I miss the piece you reference? I presume you mean: http://www.schneier.com/essay-083.html ?

Let's not over-simplify. As I said as well, this doesn't prevent MITM attacks, but that's not the focus here, and proper use of SSL does mitigate that (Evernote has one part - using HTTPS, and the user has one part, noticing invalid browser certificates or mixed content pages). The other issue he alludes to is Trojans. But let's remember that's theoretical. It's real on PCs, and to some extent on Android. Not so on other mobile clients, and for practical purposes thus far on other desktop OSes.

The point of 2-factor here is to protect the web interface from others using your account (whether you use it or not). That's different from his banking examples.

And let's also be complete and include his follow up essay 4 days later (remembering that he wrote these 7 years ago, ahem *cough* asleep at the switch Evernote): http://www.schneier.com/essay-370.html

Recently I published an essay arguing that two-factor authentication is an ineffective defense against identity theft (see )

Unfortunately, some took my essay as a condemnation of two-factor authentication in general. This is not true. It's simply a matter of understanding the threats and the attacks.

Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they'll stop advocating stronger authentication measures and the sooner security will actually improve.

As to the spending of millions, remember that was 7 years ago. 2 factor can be had with open source code on server and client sides at no cost, or hardware keys for $5-$15 per user. The thing that's also different is in the days of RSA SecurID, the vendor had to buy and supply them. The key/dongle was encoded to them. You'd have one dongle for every service. Now it's BYOD. It costs nothing for Evernote to protect my account with a YubiKey when I already own it. It sits on my keychain with the rest of my keys, and opens hundreds of websites. Either directly because they support YubiKey, or indirectly because they support OpenID, and I use a YubiKey enabled OpenID provider, or all the rest whose passwords are auto-generated, stored, synced, and entered for me by my YubiKey protected LastPass. Of the multiple hundreds of passwords I have, I could type maybe 2 or 3 of them on my own. Don't need to. Even on my iPhone, it's a copy and paste from the LastPass app to the Evernote client.

I think it would cost Evernote money to employ this system. And, I am guessing that is why we do not have the option. If it cost them nothing to do, then I imagine they would have put it in place a long time ago. I wish I knew what the costs were to implement a 2fa system for an application across multiple platforms with a user base of 40 million + users. Surely, it isn't a minor task. As I have no data about this, I cannot say much.

The password thing is something else. LastPass enables you to have random, unique, long, and regularly changing passwords. His opinion on passwords is outdated.

Frankly, I have no concerns about someone hacking into my account via my password. The odds are probably higher that I get hit by lightning. If it costs much in terms of resources, I'd prefer they invest it elsewhere, because I don't think the risks (assuming users follow good password practices) are high. When was the last time you heard of someone using good password practices getting hacked?

I do, however, worry about Evernote getting hacked, someone leaving a computer full of customer information on an airplane, or a silly mistake that exposes our data. This kind of stuff happens with alarming regularity by people who really ought to know better. My university, for example, got hacked and all of my medical records were stolen along with everyone else's. I don't even want to know how many criminals have my social security number and other "private" information. *sigh* Go to this site for a depressing read.

http://www.privacyrights.org/data-breach?order=field_breach_date_value_1&sort=asc

This is why I would really like to see our databases (or at least a portion of them) encrypted. Once that happens, I will be a lot more keen to worry about 2fa and other less likely forms of attacks.


I think it would cost Evernote money to employ this system. And, I am guessing that is why we do not have the option. If it cost them nothing to do, then I imagine they would have put it in place a long time ago. I wish I knew what the costs were to implement a 2fa system for an application across multiple platforms with a user base of 40 million + users. Surely, it isn't a minor task. As I have no data about this, I cannot say much.

It's not zero, but it's certainly a favorable comparison to the money lost in the case of a breach, the money lost in increased cost of customer acquisition, and the money not earned from companies and individuals not signing on due to lack of the strong authentication.

Most of the heavy lifting has already been done with the switch to OAuth. Meaning that all clients bring up a web page to get the authentication token. This means that clients don't have to be re-written; the second factor can be prompted for then, without re-writing any clients.

It's only the server side that needs an extra field and some additional logic for minimum functionality.

Effort-wise, I added YubiKey and Google Authenticator to a WordPress blog in 5 minutes, zero cost. At that point it matters not if one person or 40 million use it. The cost is the same on the server side.

The password thing is something else. LastPass enables you to have random, unique, long, and regularly changing passwords. His opinion on passwords is outdated.

It's not outdated at all. Do you know what the adoption rate is for LastPass like solutions? You've always been able to "change" a password. That doesn't mean people do. The barrier is still that most people don't rotate passwords because then they have to type in a really long random thing on a whole bunch of devices to reconnect to the service.

In our company, I don't enforce frequent password changes. It conditions the wrong behavior. You've got a password you like? Great. Let's make sure it's long enough and random enough, and where possible, not re-used. But then keep them for a good little while. Get comfortable with it so you don't have to keep looking it up, remembering it, whatever. We use 2 factor to make up the difference and prevent someone else using the password. That's the only reason for rapidly changing passwords. Because you don't know if someone else knows it and is using it. So you prevent re-use, whether it is or isn't happening, by changing it. With two factor, that's not a consideration. No one else is using it. Publish it in the newspaper if you like (ok don't). The password then becomes instead what prevents someone finding and using a lost "something you have".

But regardless of how long, random, and changed my password is, without 2 factor it can still be captured and used in an instant, for as long as it is until I change it. His views on the problems of passwords in the corporate environment are just as valid today.

Frankly, I have no concerns about someone hacking into my account via my password. The odds are probably higher that I get hit by lightning. If it costs much in terms of resources, I'd prefer they invest it elsewhere, because I don't think the risks (assuming users follow good password practices) are high. When was the last time you heard of someone using good password practices getting hacked?

I see.

When 14 million passwords were compromised in the RockYou hack....

When the passwords lost in the Gawker breach were turned into plain text within days...

When 6.5 million LinkedIn password hashes were turned back into plain text within days...

When over 250 million passwords have been harvested and turned back into plaintext passwords in the past couple years.

Would you say it's reasonable to assume an equal number of people were hit by lightning in that time period?

This is why I would really like to see our databases (or at least a portion of them) encrypted. Once that happens, I will be a lot more keen to worry about 2fa and other less likely forms of attacks.

I'm not sure you want to rely on Evernote's encryption for that though. Reportedly even when you use encryption in a note in Evernote the local text is still searchable.

http://antivirus.abo...evernotetip.htm

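What "an extra field and some additional logic" amounts to for Google Authenticator-style TOTP on the server side, as an added example that is neither Evernote's nor WordPress's code: the per-user secret and the last accepted counter are the fields, verify_totp() is the logic. UserRecord, verify_totp and the other names are this example's own; the test secret is the RFC 4226/6238 one, and the defaults (HMAC-SHA1, 30 s step, 6 digits) are what Google Authenticator uses.

```python
"""Server-side TOTP enrolment and verification (RFC 4226 HOTP + RFC 6238 TOTP),
including clock-skew tolerance and replay rejection."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def new_secret() -> str:
    """Random 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI; rendered as the enrolment QR code the app scans."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(secret_b32, int(unix_time // step), digits)


class UserRecord:
    """The two server-side fields 2FA needs next to the password hash (hypothetical)."""
    def __init__(self, totp_secret: str):
        self.totp_secret = totp_secret
        self.last_totp_counter = -1   # highest counter already accepted


def verify_totp(user: UserRecord, submitted: str, now: float,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept a code for the current step or +/- `window` steps (clock skew),
    but never a counter at or below the last accepted one, so a code seen
    over the shoulder or sniffed cannot be replayed within its 30 s validity."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    current = int(now // step)
    for counter in range(current - window, current + window + 1):
        if counter <= user.last_totp_counter:
            continue
        # Constant-time comparison so the check leaks nothing about the code.
        if hmac.compare_digest(hotp(user.totp_secret, counter, digits), submitted):
            user.last_totp_counter = counter
            return True
    return False


# RFC 4226/6238 test secret "12345678901234567890" in base32 (not a real user's secret).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    user = UserRecord(RFC_TEST_SECRET)
    print(provisioning_uri("ExampleNotes", "alice@example.com", user.totp_secret))
    print("code at T=59:", totp(RFC_TEST_SECRET, 59))
    print("first use:", verify_totp(user, "287082", 59))
    print("replay:", verify_totp(user, "287082", 70))
```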

It's not zero, but it's certainly a favorable comparison to the money lost in the case of a breach, the money lost in increased cost of customer acquisition, and the money not earned from companies and individuals not signing on due to lack of the strong authentication.

Most of the heavy lifting has already been done with the switch to OAuth. Meaning that all clients bring up a web page to get the authentication token. This means that clients don't have to be re-written; the second factor can be prompted for then, without re-writing any clients.

It's only the server side that needs an extra field and some additional logic for minimum functionality.

Effort-wise, I added YubiKey and Google Authenticator to a WordPress blog in 5 minutes, zero cost. At that point it matters not if one person or 40 million use it. The cost is the same on the server side.

Sounds good. This is my main criticism of implementing 2fa, and if I am wrong, then bring it on Evernote.

It's not outdated at all. Do you know what the adoption rate is for LastPass like solutions? You've always been able to "change" a password. That doesn't mean people do. The barrier is still that most people don't rotate passwords because then they have to type in a really long random thing on a whole bunch of devices to reconnect to the service.

In our company, I don't enforce frequent password changes. It conditions the wrong behavior. You've got a password you like? Great. Let's make sure it's long enough and random enough, and where possible, not re-used. But then keep them for a good little while. Get comfortable with it so you don't have to keep looking it up, remembering it, whatever. We use 2 factor to make up the difference and prevent someone else using the password. That's the only reason for rapidly changing passwords. Because you don't know if someone else knows it and is using it. So you prevent re-use, whether it is or isn't happening, by changing it. With two factor, that's not a consideration. No one else is using it. Publish it in the newspaper if you like (ok don't). The password then becomes instead what prevents someone finding and using a lost "something you have".

But regardless of how long, random, and changed my password is, without 2 factor it can still be captured and used in an instant, for as long as it is until I change it. His views on the problems of passwords in the corporate environment are just as valid today.

I don't know what the adoption rate is, but I do know that even before I used it I followed the same practices. LastPass just made it easier.

Do you know what the adoption rate of 2fa is :)

I see.

When 14 million passwords were compromised in the RockYou hack....

When the passwords lost in the Gawker breach were turned into plain text within days...

When 6.5 million LinkedIn password hashes were turned back into plain text within days...

When over 250 million passwords have been harvested and turned back into plaintext passwords in the past couple years.

Would you say it's reasonable to assume an equal number of people were hit by lightning in that time period?

Even in a worst-case scenario, that service that got hacked is vulnerable, because I use unique passwords. I don't really care so much about my LinkedIn account, to be honest (I do care about my email, though). If someone were to gain unauthorized access to my account, through a man in the middle attack or something else that 2fa cannot protect me against, then they'd only find encrypted files --- if Evernote encrypted our stuff.

I'm not sure you want to rely on Evernote's encryption for that though. Reportedly even when you use encryption in a note in Evernote the local text is still searchable.

http://antivirus.abo...evernotetip.htm

Ah. Mary's smear article. That thing gets cited every time a security issue comes up. I have all sorts of issues with that thing, but regarding the encryption, I believe the article is wrong (http://discussion.ev...ues/#entry76535). HOWEVER, Evernote's encryption is rather weak, so I also wouldn't recommend it for sensitive stuff. I assume that if Evernote encrypted our databases it would use 256-bit.


I'll take a moment to restate that:

That I love Evernote and use it everyday.

I just don't use it for things that I would, or in our company because of some deficiencies in the area of search which prevents extending its functionality somewhat and obviously security.

And I just can't wrap my head around what they spend their development money on.

When I think of our company and the number of bugs and features our developers rip through in a week... With huge Oracle-type database sets, an application that's almost 3GB of code (but also with a web front end ;-)

We're sort of the planning and analytics Evernote of the nuclear and hydro companies of the world.

Depending on where you live in the world you can blame whether your power costs 6 vs. 8 cents per kilowatt-hour, or if your lights are on, on our software.

Yet we've only a handful of developers and 0.2% of their funding.


Even in a worst-case scenario, that service that got hacked is vulnerable, because I use unique passwords. I don't really care so much about my LinkedIn account, to be honest (I do care about my email, though). If someone were to gain unauthorized access to my account, through a man in the middle attack or something else that 2fa cannot protect me against, then they'd only find encrypted files --- if Evernote encrypted our stuff.

Still don't think we're on the same page.

LastPass is handy but it only protects your passwords, not the data hiding behind a password.

A man in the middle attack is already handled by SSL.

I can see real challenges for Evernote with software encryption and still providing the search functionality. Especially on mobile devices (where it's superfluous on say an iPhone/iPad which already has whole device hardware encryption).

My point though is that when you've lost authentication, you've also lost your encryption, whether it's on the server side or the client side.

You need to look at encryption options outside of Evernote.

For example, do you log out of your desktop Evernote client each time you close it down?

If not, a stolen laptop or desktop will just have your Windows/Mac account reset, log in as you, open Evernote and export the data. A logged in Evernote client won't be an encryption barrier.

And that's where a long random password will bite you. It's not convenient to use. So one likely doesn't use the security features available to you. It would be easier to have a simple password and a single tap on a YubiKey, or a 6 digit code from a Google Authenticator.

You asked about 2 factor adoption rate. I have to say I don't know, but we can surmise it's far higher than the adoption rate of tools like LastPass.

We know that many banks and like sites insist on some form of it. We know that many corporations enforce its use.

We know that it's an option for large properties like Google, PayPal, Facebook, Dropbox, WordPress and many others (those come to mind as the ones I use 2 factor on). We don't know the adoption rate but even a small percent would be a lot of users.

Now what can we guess about the LastPass adoption rate?

If you look at the combined leaked list of password hashes from the LinkedIn and eHarmony breaches, it's 8 million passwords.

Only 5.8 million of them were unique.

55% of them were cracked in 24 hours.

All but 98,000 were cracked in 6 days.

It takes a lightly randomized password of no more than 8 characters to be cracked in 6 days at a billion guesses per second.

https://www.grc.com/haystack.htm

Even default settings if I recall in LastPass would produce at least a heavily random password of at least 10 digits, far too difficult to crack in 6 days.

Therefore I postulate that no more than 98,000 of 8,000,000 (1.2%) of a cross section of generally business oriented folks were using a LastPass like solution as of this summer. Likely a great deal less than that.

If that number were 60-80% instead, I could agree there was no sufficient need for a 2 factor solution. But it's not. People's habits are even more broken than passwords.

If you look at the passwords which were cracked almost immediately you see what keeps IT managers up at night, and Evernote off their networks.

If nothing else, 2 factor is to protect users from their own idiocy:

http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/

Source of the numbers:

http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/

You mentioned email as a concern.

As it happens, the only account in our house that to our knowledge was hacked, was my wife's gmail account.

She had a strong password as she was already using LastPass.

To contrast to an Evernote experience, Google emailed my wife to let her know of unusual activity on the account.

Logging in we were able to see an IP address from France connected and outgoing spam in the sent folder.

A password change solved it.

And she was then more than happy to add a yubikey to her LastPass account, and google authenticator to her google account.

Never a hack since.

Without unexplained data changes or getting locked out of your account, how would one ever know if their LastPass account was compromised and being read over a long period?
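The post above reasons from the GRC "haystack" idea: the time to exhaust a password is the size of the alphabet raised to the length, divided by the guess rate. Here is an added example (this thread's own reasoning rendered as code, not anything from the posts or from GRC) that detects which character classes a password draws on, computes that search space, and converts it to days at the billion-guesses-per-second rate quoted above. The 33-symbol class (punctuation plus space) and the function names are this example's assumptions, and the sample passwords are constructed for illustration.

```python
import string

# Character classes and their sizes, in the spirit of the GRC haystack page:
# lower/upper case letters, digits, and 33 printable symbols including space.
SYMBOLS = string.punctuation + " "
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (SYMBOLS, 33),
)


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search of that alphabet and length covers."""
    return alphabet_size(password) ** len(password)


def days_to_exhaust(space: int, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half of it."""
    return space / guesses_per_second / 86400.0


def crack_report(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise alphabet, length, search space and exhaustive-search time for one password."""
    space = search_space(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": space,
        "days": days_to_exhaust(space, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed samples: a "lightly randomized" 8-character password, a
    # lowercase+digit one, and a 10-character fully random one of the kind a
    # password manager generates.
    for sample in ("Passw0rd", "abcd1234", "Xq7#pL2!vR"):
        r = crack_report(sample)
        print(f"{sample!r:14} alphabet={r['alphabet']:3} "
              f"space={r['search_space']:.3e} days={r['days']:.2f}")
```

The numbers confirm the post's claim in both directions: any 8-character mix of upper, lower and digits falls in about two and a half days at a billion guesses per second, while a 10-character password drawn from all four classes takes on the order of a thousand years at the same rate. The estimate is a worst case for the attacker only if the password really is random; a dictionary word with a digit appended has a far smaller effective search space than its length suggests.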


You make some good points. Regarding passwords, though, I think you underestimate them.

LastPass is set up with a unique email account, so the username is unknown to hackers. The password is long, unique, and randomly generated, so virtually unbreakable. It exists in an encrypted drive on a computer that is password protected with its own long, unique, and randomly generated password. It remembers all of my passwords, so I cannot remember when I last typed one in. These are the steps LastPass suggests. Nothing could be easier, and I think it is pretty unlikely I will be hacked from my end. You can see a record of LastPass activity, right? So, you can monitor that if you like, and you can even do 2fa with that.

Let's say you have a 20 character, randomly generated password for Evernote that you change every month. How likely is it that you will be hacked? If Evernote encrypted our databases then we could be sure an attack on their servers would yield nothing as well. It could affect search performance, depending on how it is implemented, but my thinking was to have the option for certain notebooks and not to index the contents beyond the metadata.

As you said, 2fa is supposed to protect users against themselves, but as I have said here, if you follow steps like these, you have all the tools you need to be reasonably secure. 2fa is a nice plus alpha, and undeniably stronger, but it doesn't mean that we are exposed without it. Of course, if the costs are really as low as you suggest, then Evernote ought to implement it.


Ah. Mary's smear article. That thing gets cited every time a security issue comes up. I have all sorts of issues with that thing, but regarding the encryption, I believe the article is wrong (http://discussion.ev...ues/#entry76535). HOWEVER, Evernote's encryption is rather weak, so I also wouldn't recommend it for sensitive stuff. I assume that if Evernote encrypted our databases it would use 256-bit.

Hmm. Even in your link it appeared to be the case for Windows users, though Evernote seemed to take reasonable steps.

I do grant you though, it doesn't appear to be the case on a Mac.

I just hit a test record 9 ways to sunday, and am satisfied.

Withdrawn.


No need to explain LastPass. It's excellent in every way. I'm a locked in customer.

It just doesn't help Evernote that much.

All the security and use logging in the world within LastPass doesn't make the front door of Evernote any more secure. No one but me will be using my LastPass and logging password use.

I don't even have to be using my account for the LinkedIn type breaches of passwords (not data).

And that's far more likely than a loss of data on the Evernote side.

Boosting any amount of data from X millions of customers is not only hard work, but likely extremely noticeable by Evernote security folks.

But passwords are much easier to get a hold of and off a network unnoticed than the data itself.

And once someone has them, Evernote can't tell who is legit and who isn't.

You come in the front door using "valid ID" and who's to say you're not entitled to the data.

Evernote even has to allow multiple concurrent sessions to the same account from geographically different IPs (a logged-in client at home, one at the office, plus a mobile device or a tethered laptop en route in between, whose mobile IP might appear to come from across the country).

Or you leave Evernote running at home and go on a trip, and start using your not encryptable scan of your passport (here and here). Now Evernote sees your account being logged into from two different countries.

That's a nightmare to sort out when one of those IP's is in fact a bad guy.

<insert 2 factor solution rant here>

You ask about the exposure if you rotate strong passwords every month.

I counter that it could be up to a full month.

It's the difference between the moment you change a password and the month starts counting down, and the moment you login somewhere you shouldn't, or a hacker siphons your password from a hole in Evernote's defenses.

You don't need to know when a month has gone by, you need to know the minute someone else knows your password. That's when you need to change it, not a month from the last time. You're limiting an exposure window, not eliminating it. All some dude needs is the 5 minutes right before your monthly password change to suck your account dry. More likely the first you'll know is that YOU can't log in any longer, and your password recovery attempt goes to someone else.

How immediately usable your password would be after an Evernote server hack is at this point an unknown. We don't know how it's stored.

Then you have the practicality.

If we can't get 98% of users to pick a strong password in the first place, how likely are you to get them to pick one every month?

It's not a workable solution. It's already failed and you don't even have everyone at 100% LastPass adoption yet.

For those of us who could buy into that and do it, it's still a pain to do on all the clients, on all phones and tablets.

Remember I'm the guy who lets the office staff keep their login passwords for a year. Pick a good one and get comfy with it, then protect it with 2 factor.

There's no point bringing Evernote to business users when they'll either expose your data with the crappy LinkedIn-esque passwords, or throw up their hands and refuse to use it when you force them to change their passwords so frequently.

Evernote could lose their entire password database in completely unencrypted form.

With 2 factor, still not a single account would be compromised (assumes it was mandatory, and that will never happen; that takes an act of insurance pressure/lawyer pressure/or clear-headed thinking).

There's just no avoiding it.

Make the sign of the cross, read Last Rites, whatever.

Passwords are dead, dead, dead.

...as it was in the beginning, is now, and will be for ever. Amen.

(aka stamped it, locked it, swallowed the key, no erasies...)

Da pacem, Duo Factor, in diebus nostris

Quia non est alius

Qui pugnet pro nobis

Nisi tu.


If it costs to implement, then so be it. After all, it should be cost effective to implement given that EN has such a huge database. Let them implement the solution and those who wish to use the service pay for the additional security. People who don't want the additional security simply don't pay extra.


Passwords are dead, dead,

Just because people don't protect themselves it doesn't mean passwords are failing, any more than people not washing their hands after going to the bathroom means soap doesn't work. As you will surely concede, few people will use 2fa even if Evernote offers it, so, we're back to an age old problem: You have to take responsibility for your security. As I said, 2fa sounds fine to me, as long as it is not prohibitively expensive.

The idea with an encrypted notebook in your account would be that Evernote does not have the password -- it would be a zero knowledge system, like when you encrypt a note now. If you lose the password you are out of luck. Of course, like 2fa, most people will fail to use it. Again, though, this is on them, just like if you upload your passport into Evernote unencrypted.

I assume Evernote stores our passwords securely, hashed and salted, and they are difficult to crack, so we have time to change our passwords (the reason I regularly change mine), but it is true that so many companies that should have known better have failed us. Even with 2fa, if a company is that careless, who's to say someone won't exploit a vulnerability and sneak into our databases another way without passwords in a direct attack (this is how my medical records were stolen)? At some point, we have to trust Evernote to be competent. I do, or I would have left the service long ago.

So, with good password practices (described above) I still maintain we are reasonably secure right now -- if we want to be.

In an ideal world we'd have the ability to view logins to our accounts, login attempts, 2fa, encryptable notebooks, remote wipes, and all sorts of other cool security features. But, in an ideal world I would also have vertical list view on the Mac! I'm more comfortable with my security than with the interface :)
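Two posts above turn on how a service stores passwords: "we don't know how it's stored" versus "I assume ... hashed and salted". The difference is what decides whether a leaked password table is cracked in days, as in the LinkedIn case discussed earlier, or stays useless. Here is an added example, not code from the posts or from Evernote, contrasting the weak scheme (a single fast, unsalted digest) with per-user random salts and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library). The record format, the iteration count and the function names are this example's own choices.

```python
import hashlib
import hmac
import os

# Work factor for this example; on a real server tune it as high as login
# latency allows, because every extra iteration costs the cracker the same.
PBKDF2_ITERATIONS = 210_000


def weak_hash(password: str) -> str:
    """Fast, unsalted SHA-1: identical passwords share one hash, and a GPU can test
    billions of guesses per second against the whole leaked table at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = None) -> str:
    """Derive a per-user salted, iterated hash and pack it with its parameters."""
    salt = os.urandom(16) if salt is None else salt     # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_weak_hashes(passwords) -> int:
    """How many entries in a weak-hash table collapse onto an already seen hash.
    This is the effect behind '8 million passwords, only 5.8 million unique'."""
    seen = set()
    duplicates = 0
    for pw in passwords:
        h = weak_hash(pw)
        if h in seen:
            duplicates += 1
        seen.add(h)
    return duplicates


if __name__ == "__main__":
    # Constructed sample: three users, two of whom chose the same password.
    users = {"alice": "correct horse", "bob": "password", "carol": "password"}
    print("weak duplicates:", duplicate_weak_hashes(users.values()))
    records = {name: make_record(pw) for name, pw in users.items()}
    print("salted records differ for bob/carol:", records["bob"] != records["carol"])
    print("bob logs in:", verify_record("password", records["bob"]))
    print("bob with wrong password:", verify_record("Password", records["bob"]))
```

Salting removes the shortcut of cracking every user at once, and the iteration count turns a billion guesses per second into a few thousand on the same hardware; neither helps a user whose password is itself guessable, which is the gap the thread's 2-factor argument is about.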


There's just no avoiding it.

Make the sign of the cross, read Last Rites, whatever.

Passwords are dead, dead, dead.

...as it was in the beginning, is now, and will be for ever. Amen.

(aka stamped it, locked it, swallowed the key, no erasies...)

Da pacem, Duo Factor, in diebus nostris

Quia non est alius

Qui pugnet pro nobis

Nisi tu.

Wow! What a rant.

Reminds me of the "environmentalists" blogs that claim fossil fuels are dead.

News flash: Passwords are not dead. They will continue to be used for years.


Wow! What a rant.

Reminds me of the "environmentalists" blogs that claim fossil fuels are dead.

News flash: Passwords are not dead. They will continue to be used for years.

Maybe I should have put <tongue in cheek> tags around that. Just having fun.

To your point though, the fact that something is used, doesn't mean it hasn't lost its effective ability to perform its original function.

Just like say Latin (above). It's still used for different narrow uses than its original use. But it's still a dead language. (or need we debate that too?)

We still have horse, buggy and blacksmiths. And yet we've moved on with progress to new primary transportation and iron forging methods.

You can keep trying to use them, or as a tip of the hat to your "environmentalist" blogs, try to keep that 440 muscle car on the road. But there are newer, better ways of getting from point A to point B. They're no longer the standard because we recognize there are better ways. There are better uses of time and effort, and money.

BTW what's up with y'all and clinging to miles, pounds, feet? Even the original Imperialists are moving on to the metric system.

Even I said there's a use for passwords. If you took them away, you'd be back to 1 factor.

Where they're dead is as their original purpose, to stand alone as the primary authentication mechanism. They just can't do what we ask them to do now.

Clinging to a password only system doesn't help anything. It doesn't help Evernote's bottom line and brand, and it doesn't let this topic thread die already.

few people will use 2fa even if Evernote offers it

I think that you are being very presumptuous here. If you don't like toppings on your ice cream, fine, but it doesn't make sense to assume that others too wouldn't. In an era where security threats continue to increase, people are bound to increase their protection levels, given a choice.

few people will use 2fa even if Evernote offers it

I think that you are being very presumptuous here. If you don't like toppings on your ice cream, fine, but it doesn't make sense to assume that others too wouldn't. In an era where security threats continue to increase, people are bound to increase their protection levels, given a choice.

Well... I had a long post in response, but there you go (http://elephantchannel.net/2012/12/041212-evernote-workshop-verbatim-notes-leweb/). If Phil said it, then there isn't much more to chatter on about here. I didn't realize he had already made that commitment. Well, I guess they decided it was worth the investment after all, and we just have to wait and see.

"Security : 2 factor authentication to come" and "Due dates are coming ! First quarter 2013" in the same post. You know jbenson is going to have some words to say about this :)


Those "words" should be something along the lines of "I'll believe it when I see it in a shipping product".

Note that the date on this is 4/12/12, so it's fairly dated.


Well... I had a long post in response, but there you go (http://elephantchann...im-notes-leweb/). If Phil said it, then there isn't much more to chatter on about here. I didn't realize he had already made that commitment. Well, I guess they decided it was worth the investment after all, and we just have to wait and see.

"Security : 2 factor authentication to come" and "Due dates are coming ! First quarter 2013" in the same post. You know jbenson is going to have some words to say about this :)

As did I (was there any doubt?).

I'll just clip two points from it then to perhaps help any lingering worries.

The US National Institute of Standards and Technology sponsored a study of Influences on the Adoption of Multifactor Authentication (because they, too, agree that passwords alone, as we use them, are dead).

Their findings:

  • User resistance after (multi-factor) implementation is a non-issue among their reviewed adopters.
    • "once users enrolled in the MFA program, their complaints diminished greatly"
    • "In many ways, users welcome MFA," from the functional advantages of reduced risk, but also "relief from the burden of memorizing a lot of passwords"

  • (Multi-factor) adoption tends to "stick". In no case did they see adoption of multi-factor and then a change of mind; they almost never stop using it. Their stated reasons:
    • "the threat environment keeps getting worse" - the original rationale remains as valid as ever
    • "there is a dearth of serious user complaint"

And on the plus side, if Q1 holds, my "serious user complaint" shuts up. And a cheer was heard throughout the land...


Well... I had a long post in response, but there you go (http://elephantchann...im-notes-leweb/). If Phil said it, then there isn't much more to chatter on about here. I didn't realize he had already made that commitment. Well, I guess they decided it was worth the investment after all, and we just have to wait and see.

"Security : 2 factor authentication to come" and "Due dates are coming ! First quarter 2013" in the same post. You know jbenson is going to have some words to say about this :)

As did I (was there any doubt?).

I'll just clip two points from it then to perhaps help any lingering worries.

The US National Institute of Standards and Technology sponsored a study of Influences on the Adoption of Multifactor Authentication (because they, too, agree that passwords alone, as we use them, are dead).

Their findings:

  • User resistance after (multi-factor) implementation is a non-issue among their reviewed adopters.
    • "once users enrolled in the MFA program, their complaints diminished greatly"
    • "In many ways, users welcome MFA," from the functional advantages of reduced risk, but also "relief from the burden of memorizing a lot of passwords"

  • (Multi-factor) adoption tends to "stick". In no case did they see adoption of multi-factor and then a change of mind; they almost never stop using it. Their stated reasons:
    • "the threat environment keeps getting worse" - the original rationale remains as valid as ever
    • "there is a dearth of serious user complaint"

And on the plus side, if Q1 holds, my "serious user complaint" shuts up. And a cheer was heard throughout the land...

Anecdotally, as a 2fa user, I loathe the system. It is such an incredible pain when you want to get stuff done and you are prompted to go through the annoying process. Never mind when you have a lack of cell access (thanks Sandy), or when it inexplicably locks you out (there are always ways around, but it is just an unnecessary hassle "for me" right now). Those are my complaints. I guess I am an anomaly then, according to your data.

Anyhow, you've made good points. I was never against 2fa as a feature, just recommending good password practices to deal with the current conditions, and questioning whether it was worth it for Evernote to do this. Obviously, they have decided it is, so that's that :)


Note that the date on this is 4/12/12, so it's fairly dated.

A whole TWO days old.

Remember the world doesn't agree on month/day/year vs. day/month/year.

(ahem, you have a little um, ethno-centricity on your sleeve there...)

But you'll see it falls into the December 2012 archives. And after all it's about the launch of Evernote Business which just happened.

And the title mentioned LeWeb, in Paris, which wraps up today.

Other hints are the French flavor of the names and content, and the fact he charges for his services in Euros.

FWIW, I prefer day/month/year, natural progression and all.

If it had been said and posted back in April the 2 factor threads wouldn't be this long.


(ahem, you have a little um, ethno-centricity on your sleeve there...)

Now, now. Simmer down with the labels. Much of the world uses YYYYMMDD, so it is a long way from mistaking the date format, which looks just like the US dating system at first glance, to ethnocentrism, especially since he may well be the same ethnicity, and yet still use another dating system :)

Note that the date on this is 4/12/12, so it's fairly dated.

A whole TWO days old.

Remember the world doesn't agree on month/day/year day/month/year.

(ahem, you have a little um, ethno-centricity on your sleeve there...)

My mistake. It is ambiguous, though. As GM points out, it would be cultural-centricity more than ethno-centricity.

Still believe it when I see it, which is my usual stance anyhow...


Sorry, but it appears to me this thread has outlived any useful purpose. As per usual, we all can debate back & forth until the cows come home. (Personally, I wouldn't know what to do if any cows came to my home.) But at the end of the day, Evernote is going to do what they think is the right thing for their product. As well they should. We may or may not agree. Such is life.


Sorry, but it appears to me this thread has outlived any useful purpose. As per usual, we all can debate back & forth until the cows come home. (Personally, I wouldn't know what to do if any cows came to my home.) But at the end of the day, Evernote is going to do what they think is the right thing for their product. As well they should. We may or may not agree. Such is life.

It's even more dead than that. Apparently, Phil has already said Evernote will do it, so there is no more convincing to be done. Now, it is just waiting. In the meantime, please consider following some of the password suggestions I made to keep your stuff secure.


Sorry, but it appears to me this thread has outlived any useful purpose. As per usual, we all can debate back & forth until the cows come home. (Personally, I wouldn't know what to do if any cows came to my home.) But at the end of the day, Evernote is going to do what they think is the right thing for their product. As well they should. We may or may not agree. Such is life.

It's even more dead than that. Apparently, Phil has already said Evernote will do it, so there is no more convincing to be done. Now, it is just waiting. In the meantime, please consider following some of the password suggestions I made to keep your stuff secure.

Yeah, there goes Phil (Phil the "leader of their tribe*") not to be confused with the Phil whose name carries no weight when I file a support ticket (who you say???) mouthing off again. :P I can just see the EN crew thinking "WTF?" when they hear him stating something will be rolled out "soon". (Been there a few times myself. Lots of "what were you thinkin'" convos with my manager as followups.) Just an observation...but I believe that's how/why stacks were rolled out. B) Phil (leader of their tribe) spoke & they were mostly able to deliver.

Apologies - don't mean to be doggin' the big Phil...

* Mel Brooks/Carl Reiner - 2000 Year Old Man - Phil


Hello guys,

I am glad you enjoyed my verbatim notes from the workshop Evernote did at LeWeb this week.

On security he said that many more features are coming up. They just need to implement it properly so it works fine with their search engine, because if something is encrypted it cannot be searched, or something along those lines.

For the 3rd time I had the opportunity to interview Phil at LeWeb. This time I did it in video; here's a pic extracted from the video file. I will publish the full interview next week.

In the meantime you can always listen to my previous two audio interviews by following the links below:

http://elephantchannel.net/2011/12/tec-011-phil-libin-interview-leweb-2011/

http://elephantchannel.net/2011/08/phil-libin-interview-at-leweb-2010/

Cheers,

Pierre.


Hello guys,

I am glad you enjoyed my verbatim notes from the workshop Evernote did at LeWeb this week.

On security he said that many more features are coming up. They just need to implement it properly so it works fine with their search engine, because if something is encrypted it cannot be searched, or something along those lines.

For the 3rd time I had the opportunity to interview Phil at LeWeb. This time I did it in video; here's a pic extracted from the video file. I will publish the full interview next week.

In the meantime you can always listen to my previous two audio interviews by following the links below:

http://elephantchann...iew-leweb-2011/

http://elephantchann...-at-leweb-2010/

Cheers,

Pierre.

Keep up the good work. Thanks!


Thanks. The Evernote CEO said a few days ago that Evernote will implement 2fa at some point.

Great. Let's hope accounts don't get compromised before it's implemented. Do you have a link to that announcement?

As for accounts getting compromised, if you read my posts above and follow my suggestions about good password practices, it is exceedingly unlikely that your account will be compromised. We've already gone over all that, though.

The announcement? Apparently, Phil said it at LeWeb. There is no date for a rollout, but he has apparently made the decision.

http://elephantchannel.net/


Thanks. The Evernote CEO said a few days ago that Evernote will implement 2fa at some point.

Great. Let's hope accounts don't get compromised before it's implemented. Do you have a link to that announcement?

As for accounts getting compromised, if you read my posts above and follow my suggestions about good password practices, it is exceedingly unlikely that your account will be compromised. We've already gone over all that, though.

The announcement? Apparently, Phil said it at LeWeb. There is no date for a rollout, but he has apparently made the decision.

http://elephantchannel.net/

Yes, we've covered how the practice of strong passwords can fail when followed by the general public.

Thanks for the link.


Thanks. The Evernote CEO said a few days ago that Evernote will implement 2fa at some point.

Yes, at the Evernote workshop at LeWeb this year. See Pierre Journal's notes on the workshop on The Elephant Channel blog:

Security : 2 factor authentication to come

http://elephantchannel.net/2011/12/tec-011-phil-libin-interview-leweb-2011/

-- roschler

few people will use 2fa even if Evernote offers it

I think that you are being very presumptuous here. If you don't like toppings on your ice cream, fine, but it doesn't make sense to assume that others too wouldn't. In an era where security threats continue to increase, people are bound to increase their protection levels, given a choice.

Agreed, many people will use 2fa. It looks like Evernote agrees that 1fa (passwords) is not enough. Can't wait till it's implemented.


My Evernote account has a lot of my personal information, and I'm worried about its safety. I know it's secured by a password, but after reading this article, the doubts began to creep in. Some of the other big companies — Google and Dropbox — already recognized this threat. What do you think about it?


My Evernote account has a lot of my personal information, and I'm worried about its safety. I know it's secured by a password, but after reading this article, the doubts began to creep in. Some of the other big companies — Google and Dropbox — already recognized this threat. What do you think about it?

Hi. I have merged your thread with this existing one. Please see the post before yours about Evernote's recent plans (http://discussion.ev..._80#entry176426).

As for the article, we get doom and gloom news from people all of the time. The comments under it are far better than the scare article -- with automatic lockouts this is a pretty unlikely scenario. If you have sensitive information in your account, I recommend encrypting it with a strong password, and it has been more than a decade now since I considered an eight-character password to be OK :)


Definitely. Two-step authentication is not at all optional anymore. And a company like Evernote has all the resources in the world to go ahead and implement two-factor authentication as soon as possible. I know of a company called TeleSign which provides excellent 2 factor authentication solutions.

[MODERATOR] Link removed.


What does encryption have to do with this? I would certainly HOPE that Evernote already had encryption in place of some fashion and aren't really storing the entire world's information in clear text. 2-Step-Authentication should simply be an extra step to access that information. Evernote needs to stop dragging their feet on this because judging by what I've seen this feature has been requested for YEARS. Hell, make it a premium only feature. I WILL PAY FOR IT. Or make several options, like Google Authentication is free or a key fob can be provided for $15 plus requiring a premium subscription. I don't care.

I'm literally edging closer to abandoning this platform because of this. I LOVE LOVE LOVE the Evernote interfaces across all platforms. But the fact that I could migrate all my data to Secure Notes at LastPass, who also has a wide array of platform support although their interfaces suck, but DOES provide two-step authentication FOR FREE is fast becoming my only option.


What does encryption have to do with this? I would certainly HOPE that Evernote already had encryption in place of some fashion and aren't really storing the entire world's information in clear text. 2-Step-Authentication should simply be an extra step to access that information. Evernote needs to stop dragging their feet on this because judging by what I've seen this feature has been requested for YEARS. Hell, make it a premium only feature. I WILL PAY FOR IT. Or make several options, like Google Authentication is free or a key fob can be provided for $15 plus requiring a premium subscription. I don't care.

I'm literally edging closer to abandoning this platform because of this. I LOVE LOVE LOVE the Evernote interfaces across all platforms. But the fact that I could migrate all my data to Secure Notes at LastPass, who also has a wide array of platform support although their interfaces suck, but DOES provide two-step authentication FOR FREE is fast becoming my only option.

I think encryption is related, because our data is currently stored un-encrypted, and that concerns me more than anyone somehow figuring out my password (see all of my many posts on the topic already). However, I understand the reasoning behind Evernote's decision, and I am pleased that they take the security of the servers quite seriously, so it is an acceptable trade-off for me.

As for the 2fa, Evernote has already said they will be implementing it (see discussion above).


Ahhh, I originally read it to mean that they were trying to come up with an encryption method before they could implement 2fa, which made no sense to me because those seem like separate features.


+1

This is also pretty easy to implement now, using the freely available Google Authenticator.


That's 250,000 Twitter account passwords stolen (well, the encrypted/hashed version).

http://www.telegraph...0000-users.html

Affected users are being told to reset their password.

Also from the article:

But security experts warned that the hackers had possession of a potentially valuable cache of information, as many people's Twitter passwords are identical to those they use for other purposes, including banking.

Let's hope we get 2FA shortly for Evernote, where lots of personal information is stored.


But security experts warned that the hackers had possession of a potentially valuable cache of information, as many people's Twitter passwords are identical to those they use for other purposes, including banking.

Thanks for posting this. For those who haven't been following this thread, I offered some advice about how to use the tools we have available now to protect ourselves:

http://discussion.evernote.com/topic/24995-security-two-factor-authentication-please/page__st__20#entry156886


But security experts warned that the hackers had possession of a potentially valuable cache of information, as many people's Twitter passwords are identical to those they use for other purposes, including banking.

Thanks for posting this. For those who haven't been following this thread, I offered some advice about how to use the tools we have available now to protect ourselves:

http://discussion.ev..._20#entry156886

GM, I don't see how that helps in the least for the hack on Twitter. Only 2FA would render what the hackers did totally irrelevant.


But security experts warned that the hackers had possession of a potentially valuable cache of information, as many people's Twitter passwords are identical to those they use for other purposes, including banking.

Thanks for posting this. For those who haven't been following this thread, I offered some advice about how to use the tools we have available now to protect ourselves:

http://discussion.ev..._20#entry156886

GM, I don't see how that helps in the least for the hack on Twitter. Only 2FA would render what the hackers did totally irrelevant.

I disagree. I think my points were relevant to what the poster said, and I think that we have quite powerful tools at our disposal now even without 2fa.

- Twitter used bcrypt to encrypt the passwords, which means it will be some time before the hackers are able to crack passwords

- If you have a long password of a dozen or more characters, it may well take the hackers a month or more to discover your password

- If you regularly change your password (about once a month), by the time the hackers crack your password, it will already have changed

- If you use unique passwords on every site, even if they cracked your password, only one site (Twitter) would be compromised

Evernote is planning to implement 2fa, but in the meantime, the problem that the poster mentioned (of passwords shared across sites) is not a problem if you follow the suggestions that I made (especially the one about using unique passwords).


But security experts warned that the hackers had possession of a potentially valuable cache of information, as many people's Twitter passwords are identical to those they use for other purposes, including banking.

Thanks for posting this. For those who haven't been following this thread, I offered some advice about how to use the tools we have available now to protect ourselves:

http://discussion.ev..._20#entry156886

GM, I don't see how that helps in the least for the hack on Twitter. Only 2FA would render what the hackers did totally irrelevant.

I disagree. I think my points were relevant to what the poster said, and I think that we have quite powerful tools at our disposal now even without 2fa.

- Twitter used bcrypt to encrypt the passwords, which means it will be some time before the hackers are able to crack passwords

- If you have a long password of a dozen or more characters, it may well take the hackers a month or more to discover your password

- If you regularly change your password (about once a month), by the time the hackers crack your password, it will already have changed

- If you use unique passwords on every site, even if they cracked your password, only one site (Twitter) would be compromised

Evernote is planning to implement 2fa, but in the meantime, the problem that the poster mentioned (of passwords shared across sites) is not a problem if you follow the suggestions that I made (especially the one about using unique passwords).

But if Twitter used 2FA, you can eliminate all of those ifs above, and some of the suggestions are unreasonable. I have over 200 passwords to different sites. It would be a full time job to change those passwords monthly.


My post did not comment on whether Twitter ought / ought not have 2fa. The poster quoted a passage that warned about people not using unique passwords on each site, and I responded with concrete steps that users can take immediately to significantly improve their security. The steps are easily followed, and I have found using a password manager to handle hundreds of sites to be relatively painless. The "full time job" takes me maybe thirty minutes every month.

As I said, Evernote has already said 2fa is coming. I am offering suggestions that will help until then. Feel free to adopt some, all, or none of them :) I do think they are relevant and pertinent suggestions, though.


Even if you never change your passwords, having a strong, unique password means a coworker or family friend isn't going to guess it. It also means it would require a true hacker quite a while to crack it. It's not going to be worth their CPU cycles to crack those passwords unless you work for the CIA or have access to millions/billions of dollars. It also means if they do crack it, they've only cracked that one password. It's good to be aware of security issues & store your passwords in a true password manager rather than on a Post-It. But I also think sometimes (like in this case) people focus & obsess on a lesser issue.


Yep. Even if you just choose to take up just one of my password suggestions, you'll tremendously increase your security. At the very least, you make yourself less appealing than the "password123" crowd.


I'm starting to get the impression that Evernote is only intended for recipes and stuff that really isn't that important. I'm actually a bit offended that the company has invested so much in these novelty spin-offs (which I consider noise, btw) while ignoring something as simple and fundamental as 2FA security. I first requested 2FA in March 2012. I think I will give it a few more months and if the security isn't improved, I will switch to Google Drive or something else that offers some 2FA protection.

BTW, EN, I am currently paying for premium - not because I use anything near quota, just for the https.

I'm starting to get the impression that Evernote is only intended for recipes and stuff that really isn't that important.

That's an incorrect impression, both in terms of Evernote's intent and in terms of Evernote's customer practice.

I'm actually a bit offended that the company has invested so much in these novelty spin-offs (which I consider noise, btw) while ignoring something as simple and fundamental as 2FA security. I first requested 2FA in March 2012. I think I will give it a few more months and if the security isn't improved, I will switch to Google Drive or something else that offers some 2FA protection.

Offended? Why? -- it's not your money (hint -- nobody can offend you without your permission, to paraphrase Eleanor Roosevelt). I don't use the other spinoffs myself, except for Skitch on occasion, but Evernote itself remains a tool that I use every day. Well, maybe 2FA will appear in a few more months, who knows? Looks like Twitter will be getting it.


Sorry, didn't read all of the previous posts, but I also strongly urge Evernote to add 2-step verification using the same approach as Dropbox...basically making it a preference to enable this, and making it so that users can enter the key using something like the Google Authenticator app on a smart phone.

 

Evernote is a great product (I'm a premium user), and I'm putting more and more of my life on there. So, I would really feel much safer if it had this additional level of protection.


Sorry, didn't read all of the previous posts, but I also strongly urge Evernote to add 2-step verification using the same approach as Dropbox...basically making it a preference to enable this, and making it so that users can enter the key using something like the Google Authenticator app on a smart phone.

 

Evernote is a great product (I'm a premium user), and I'm putting more and more of my life on there. So, I would really feel much safer if it had this additional level of protection.

Hi. Please do read the previous posts, because Evernote has already said they are working on it :)


Today's breach and massive password reset reminded me of how I wish Evernote had two-factor authentication.


Why not let users who are security conscious and are willing to pay for it use 2FA. A password generator costs less than 1 USD. Shipping - also to places outside the US - will not cost a fortune, either. For covering admin overhead EN can raise the annual fee for Premium users. NO PROBLEM. Regards. H.


Today's breach and massive password reset reminded me of how I wish Evernote had two-factor authentication.

Yup.


I did hope Evernote would get 2fa in place before the next security black eye.


If Dropbox and Gmail can do it, so can Evernote! Evernote needs to get two factor implemented, preferably before the next security breach occurs.


If Evernote truly wants me to trust them to "remember everything", Evernote needs to offer more credible security options than they do now.

 

I would be willing to pay Evernote more money a month for enhanced security options.

 

Evernote security wishlist:

SMS authentication

hardware/software based security tokens

device security certificates

Encrypted storage


Dear Evernote,

I love your product, but am always fearful of the username/password security Achilles heel of this extremely valuable tool.

Two-step authentication is no longer optional. Enough mechanisms exist for Evernote to make this happen and help us secure our data.

Evernote, PLEASE step up to the plate and activate this mission critical safety feature.

Thank you

Hi. Thanks for posting your thoughts. I have deleted your other posts, though. Please do not spam the forums by posting the same things in multiple threads. If you want to link to those threads from one post, that is fine, of course.

As for your request, I think it has been made before, and discussed at length. Could you share your reasons for wanting it, though? It might help the developers to know what your specific concerns are when they consider whether or not to implement the feature.

Hopefully now you understand why users want it: security!! Who cares if they have our passwords if they need our cellphones to log in also. Don't know about anyone else, but I'm seriously considering dropping Evernote completely.


I'm just saying that they have other higher priorities, apparently. They seem to know a little bit about security, I'd be surprised if they're not thinking about the issue. But if it were as easy as is claimed (I don't know whether it is or isn't), and it were so important as is claimed (ditto previous), I'm thinking it would have been done by now.

 

trala. hopefully someone at evernote should be thinking about reconsidering this now. 


This has come up on the forums before. I don't think this is just a Windows issue. I think Evernote has said they are thinking about it.

Personally, I don't think it is needed, and I don't use it for Google. If you use a regularly changed, unique, long, and random password then a brute force attack will take the government's best servers several years to crack. If people just do that, why spend Evernote resources on adding this security feature?

Here is a freebie :)

9Jy84t5$9mX4PBM

Thinking, about all the mistakes I have been making......sure, right. why do you cover their ass? Even dropbox has 2FA implemented :)


Well Seth, this is much worse than the Evernote fanboys realize. 2fa would protect you from being hacked but doesn't protect your data when Evernote has been compromised from the inside. That would have required Evernote to actually encrypt your data, which they do not do because they've somehow rationalized that you're better off just not keeping anything private on Evernote.

 

 

Unfortunately 2fa has been "in the works", it would seem, for quite some time. The interview was almost a year ago, which means it's been under works for longer than that. The problem is much worse than you would think. Since Evernote does not store data encrypted, if your notes had been accessed then your data would belong to the world. Anyway, I beat this subject into the ground. No worries evangelists, I've said my piece, just moving on. I moved all my secure information to Lastpass last week.


Agreed, 2FA all the way.... Although on your desktop and iPhone I hope it's a one-off when you set it up (then secured by the device itself), perhaps + security code as in the app.

The Lastpass grid is an interesting low tech solution http://helpdesk.lastpass.com/security-options/grid-multifactor-authentication/

Yeah, I have a bank that uses the grid system. It is a real pain, but probably effective. It discourages me and hackers from logging in! Still, at least there are options :)

Guess the hackers just logged in. So what do you think now then? 


Thanks for the suggestion.

Too bad you did not act upon it.


jefito said: Offended? Why? -- it's not your money (hint -- nobody can offend you without your permission, to paraphrase Eleanor Roosevelt). I don't use the other spinoffs myself, except for Skitch on occasion, but Evernote itself remains a tool that I use every day. Well, maybe 2FA will appear in a few more months, who knows? Looks like Twitter will be getting it.

Offended because EverNote should make the security of its customers a priority. I'm not offended that Evernote is making new products that I consider derivative, trivial and pointless. I'm offended because Evernote is putting effort into such products without first providing adequate protection for its current paying customers. As the EverNote security breach notice that I received today makes clear, EverNote is an attractive target for black hats. It is a trivial amount of work for Evernote to implement some sort of 2FA solution. Google Authenticator and YubiKey are both extremely simple to implement. So yes, I'm offended that years after I and others brought it to EverNote's attention, the request remains ignored while bulls#$t spinoffs are cropping up and EverNote security breach notices include ***** such as "We take our responsibility to keep your data safe very seriously". That's just not true. Evernote is not taking security seriously. And you're damned right, I'm offended.


Can anyone tell me why the requested two-factor authorization, which is intended to be used to log in to your Evernote account, would have helped in this situation (hacking into the Evernote servers)? Maybe they wouldn't have needed to force password resets, perhaps, but otherwise I don't see the connection. 


@thommango: Ok, fine, whatever, but when someone or something offends me, and I have control over their presence in my life, I have a simple strategy for the situation. 

 

One thing, though -- I asked about 2FA in a separate topic, in the context of the recent security breach. My question is (and it's a sincere question; I am a software dev of some experience, but would never claim to be a security expert): how would the presence of 2FA in Evernote user account logins have helped in this situation? The only thing I can think of is that they would not have needed to force password resets, but I don't even know whether that's true or not.


I guess the question is, did I misunderstand what Evernote is? In that case I think we need some clarification before we use it to store highly personal information - and save that kind of stuff for say the gmail client, which has enough security for my satisfaction. I am truly not being facetious in asking this.

In a nutshell, if you wouldn't email it, then don't put it in Evernote. This thread discusses the various aspects of Evernote & security. As discussed in that thread, there's more to "security" than logging in. And IMO, much of the responsibility is on the users, as it should be. IE use a strong password that is different for all your various logins, store your desktop database in an encrypted volume, don't use free wifi (where someone can use a keylogger or packet sniffer), etc. Additionally, Evernote's stance is that security is a very personal issue. IE I only put copies of our tax returns in Evernote after they are password encrypted. Yet at least one EN employee (Heather?) puts their taxes in EN w/o encrypting them. (shrug) We each have to decide what we feel comfortable with & that may include adding our own level of security on our end.

 

Well, i suppose even if you have the strongest of passwords, something like this can happen:

 

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

 

And yeah, if our accounts do get hacked, of course, we are responsible. Responsible, for having trusted EN in the first place.


@thommango: Ok, fine, whatever, but when someone or something offends me, and I have control over their presence in my life, I have a simple strategy for the situation. 

 

One thing, though -- I asked about 2FA in a separate topic, in the context of the recent security breach. My question is (and it's a sincere question; I am a software dev of some experience, but would never claim to be a security expert): how would the presence of 2FA in Evernote user account logins have helped in this situation? The only thing I can think of is that they would not have needed to force password resets, but I don't even know whether that's true or not.

since I would care two hoots if some hacker in an unknown village on the North Pole managed to get my account password but was unable to enter the second factor which I had in my mobile phone in India.

 

Neither do I claim to be a software developer nor am I a security expert; I am just a layman who understands the benefits of 2 factor authentication. 2 factor is obviously not foolproof, but it certainly offers an additional layer of security over the current single factor. I would care two hoots if an unknown hacker living in the North Pole managed to get access to my password but was not able to key in the second key which is with my mobile phone in India. But sadly, that's not the case today.

 

What I said is not rocket science, and I am sure that you as a software developer understand and appreciate the fact, but as a stubborn EN evangelist, you are simply trying to defend the indefensible.


What does encryption have to do with this? I would certainly HOPE that Evernote already had encryption in place of some fashion and aren't really storing the entire world's information in clear text. 2-Step-Authentication should simply be an extra step to access that information. Evernote needs to stop dragging their feet on this because judging by what I've seen this feature has been requested for YEARS. Hell, make it a premium only feature. I WILL PAY FOR IT. Or make several options, like Google Authentication is free or a key fob can be provided for $15 plus requiring a premium subscription. I don't care.

I'm literally edging closer to abandoning this platform because of this. I LOVE LOVE LOVE the Evernote interfaces across all platforms. But the fact that I could migrate all my data to Secure Notes at LastPass, who also has a wide array of platform support although their interfaces suck, but DOES provide two-step authentication FOR FREE is fast becoming my only option.

I think encryption is related, because our data is currently stored un-encrypted, and that concerns me more than anyone somehow figuring out my password (see all of my many posts on the topic already). However, I understand the reasoning behind Evernote's decision, and I am pleased that they take the security of the servers quite seriously, so it is an acceptable trade-off for me.

As for the 2fa, Evernote has already said they will be implementing it (see discussion above).

 

Hmm, yeah, let us take a 100 years before we implement it. Until then let all our accounts get hacked. This happened to me last week.

 

http://discussion.evernote.com/topic/35337-note-from-jalan-professor-doktor-satrio-in-jakarta-selatan/


Can anyone tell me why the requested two-factor authorization, which is intended to be used to log in to your Evernote account, would have helped in this situation (hacking into the Evernote servers)? Maybe they wouldn't have needed to force password resets, perhaps, but otherwise I don't see the connection. 

Perhaps if most accounts had 2fa there would be little point in someone hacking the user/password list?

Also, with the delay in EN realising the breach etc., your notes could have been downloaded... You will never know. If your account has 2fa you don't care much that someone has your username and password for a few days.


Neither do I claim to be a software developer nor am I a security expert; I am just a layman who understands the benefits of 2 factor authentication. 2 factor is obviously not foolproof, but it certainly offers an additional layer of security over the current single factor. I would care two hoots if an unknown hacker living in the North Pole managed to get access to my password but was not able to key in the second key which is with my mobile phone in India. But sadly, that's not the case today.

You can claim to understand it, but if you can't explain it, then you really don't understand it. And you didn't explain it (though perhaps you could).

 

What I said is not rocket science, and I am sure that you as a software developer understand and appreciate the fact, but as a stubborn EN evangelist, you are simply trying to defend the indefensible.

You didn't actually say anything meaningful, much less rocket science, and I wasn't defending Evernote. I was asking a question because I don't know the answer, and I want to find out about a topic that seems important to some people here. The claim that I am hearing here appears to be that if Evernote had implemented 2FA for their clients, then the security breach either wouldn't have happened, or would have been less serious. I haven't actually had an explanation as to why that would be.


Neither do I claim to be a software developer nor am I a security expert; I am just a layman who understands the benefits of 2 factor authentication. 2 factor is obviously not foolproof, but it certainly offers an additional layer of security over the current single factor. I would care two hoots if an unknown hacker living in the North Pole managed to get access to my password but was not able to key in the second key which is with my mobile phone in India. But sadly, that's not the case today.

You can claim to understand it, but if you can't explain it, then you really don't understand it. And you didn't explain it (though perhaps you could).

 

What I said is not rocket science, and I am sure that you as a software developer understand and appreciate the fact, but as a stubborn EN evangelist, you are simply trying to defend the indefensible.

You didn't actually say anything meaningful, much less rocket science, and I wasn't defending Evernote. I was asking a question because I don't know the answer, and I want to find out about a topic that seems important to some people here. The claim that I am hearing here appears to be that if Evernote had implemented 2FA for their clients, then the security breach either wouldn't have happened, or would have been less serious. I haven't actually had an explanation as to why that would be.

 

 

The question of whether 2fa would have saved this breach or not is immaterial. The question is, if I were a hacker, would it be optimal for me to throw my lot into attempting to break through a system that has multiple security layers or a single one? I hope that answers your question in a different form.


The question of whether 2fa would have saved this breach or not is immaterial. The question is, if I were a hacker, would it be optimal for me to throw my lot into attempting to break through a system that has multiple security layers or a single one? I hope that answers your question in a different form.

OK, I hear that, and Mike Wood said something similar elsewhere, but I'm not a hacker, either, and I can't claim to understand what they want or how much effort they may want to apply towards their ends. Maybe other hackers would want the account details of Evernote users, who knows? Again, this isn't particularly technical, nor fact-filled. Regardless, if they want access to notes, then they could have a stab at getting into the mother lode, which is the actual Evernote servers that contain the notes...


Just to clear up a point of confusion / misunderstanding. The existence of 2fa does not equate to the use of 2fa. In other words, when Evernote implements 2fa, I do not expect more than a tiny percentage of users to actually take advantage of this additional security. Just as many users prefer shockingly weak, but easily remembered passwords to the strong ones that could better protect them, many will not use 2fa. Studies show a large number of users are interested in having two-factor authentication, but few actually use it. The conclusion for hackers? Evernote (and other services) will remain targets.

 

This is not to say that Evernote should not implement 2fa. Rather, it is to say that implementing it will not suddenly make Evernote less attractive to hackers. 


Just to clear up a point of confusion / misunderstanding. The existence of 2fa does not equate to the use of 2fa. In other words, when Evernote implements 2fa, I do not expect more than a tiny percentage of users to actually take advantage of this additional security. Just as many users prefer shockingly weak, but easily remembered passwords to the strong ones that could better protect them, many will not use 2fa. Studies show a large number of users are interested in having two-factor authentication, but few actually use it. The conclusion for hackers? Evernote (and other services) will remain targets.

 

This is not to say that Evernote should not implement 2fa. Rather, it is to say that implementing it will not suddenly make Evernote less attractive to hackers. 

 

I wasn't aware there was any misunderstanding. If users choose not to use 2FA on their account, their data will be at much greater risk of unauthorised access. 

 

Do you have links to the studies you mention?


Grumpy, it is eventually a matter of choice. I can choose to either have a complex password (which is more prone to risk) or choose to have an additional layer of security along with the additional headache of user experience. But when a company chooses to remain silent, you leave the latter group to get all grumpy. :wacko: oops.. I didn't mean you. :ph34r:


The existence of 2fa does not equate to the use of 2fa. ...... The conclusion for hackers? Evernote (and other services) will remain targets.

 

This is not to say that Evernote should not implement 2fa. Rather, it is to say that implementing it will not suddenly make Evernote less attractive to hackers. 

 

Agreed it will be the minority who use 2fa but this minority will likely have the more valuable data. I guess we could argue that having people able to use 2fa might attract more valuable data to EN and thus increase the interest of hacks!...  

 

2fa is to some extent a marketing/psychological tool. I use it on some of my cloud services and not on others. All I know is, I will have calls from some clients on Monday, who will be concerned about their data. If we had 2fa in place I could use it as a shield against some criticism I will receive (rightly or wrongly) for recommending a service which has been hacked and doesn't have a second level of security (2fa) like Google/Dropbox etc. 

 

No doubt they wouldn't be using it, but I could say they should be!


Perhaps if most accounts had 2fa there would be little point in someone hacking the user/password list?

Also with the delay in EN realising the breach etc. your notes could have been downloaded... You will never know. If your account has 2fa you don't care much that someone has your username and password for a few days.

Hmmm, maybe. Still not wholly convinced, though -- other data than password data was stolen.


The existence of 2fa does not equate to the use of 2fa. ...... The conclusion for hackers? Evernote (and other services) will remain targets.

 

This is not to say that Evernote should not implement 2fa. Rather, it is to say that implementing it will not suddenly make Evernote less attractive to hackers. 

 

Agreed it will be the minority who use 2fa but this minority will likely have the more valuable data. I guess we could argue that having people able to use 2fa might attract more valuable data to EN and thus increase the interest of hacks!...  

 

2fa is to some extent a marketing/psychological tool. I use it on some of my cloud services and not on others. All I know is, I will have calls from some clients on Monday, who will be concerned about their data. If we had 2fa in place I could use it as a shield against some criticism I will receive (rightly or wrongly) for recommending a service which has been hacked and doesn't have a second level of security (2fa) like Google/Dropbox etc. 

 

No doubt they wouldn't be using it, but I could say they should be!

 

Actually, it is probably the appearance of security (the existence of a feature) rather than actual usage that will improve people's impression of Evernote. Even if only just one user implements 2fa, the fact that they have it will raise their profile among those who are concerned about security. That shouldn't be discounted!

 

As for the misunderstanding, there was a claim earlier in the thread that 2fa would discourage hackers. I doubt it. I don't have links to all the studies about 2fa (or password security in general), because I don't usually take note of them. The most recent one I came across was this (http://www.roboform.com/press/Siber_Trust_Survey_Release.pdf). It doesn't tell you anything about actual usage, but gives some sense of where people stand on two-factor authentication and passwords. If anyone has links to other studies, I'd be interested in reading them.


@Grumpy "Actually, it is probably the appearance of security (the existence of a feature) rather than actual usage that will improve people's impression of Evernote. Even if only just one user implements 2fa, the fact that they have it will raise their profile among those who are concerned about security. That shouldn't be discounted!"

Agreed, so let's get on with it, by the end of March please! (An announcement of such would be good in the next 48 hours.)


Actually, it is probably the appearance of security (the existence of a feature) rather than actual usage that will improve people's impression of Evernote. Even if only just one user implements 2fa, the fact that they have it will raise their profile among those who are concerned about security. That shouldn't be discounted!

Hmm, given that iPad finally has a list view, and some of the underwhelmed commentary, are you really sure that you want to claim that the appearance of security is such a good thing? :)


Actually, it is probably the appearance of security (the existence of a feature) rather than actual usage that will improve people's impression of Evernote. Even if only just one user implements 2fa, the fact that they have it will raise their profile among those who are concerned about security. That shouldn't be discounted!

Hmm, given that iPad finally has a list view, and some of the underwhelmed commentary, are you really sure that you want to claim that the appearance of security is such a good thing? :)

 

LOL. It was a real shame about that rollout getting bungled, because without the crashing it would have really impressed people (I think). Now, with the hacking thing, no one is even paying attention to the app. The iOS team deserves a lot more positive attention than they are getting on this one!
