
How does EN know my last encryption password?



It's said that it's recommended to encrypt your text on EN for your privacy.

 

That's nice. Now I can believe that any text I encrypted will be secure even after it is synchronized.

 

 

 

Then I see the dialog box saying "The encryption passphrase you entered is different than the one you previously used to encrypt note content",

right after I tried to encrypt with my 'new and different' encryption password.

 

I begin to wonder, how does EN know that?

 

Does this imply that EN keeps my encryption password (at least locally on my desktop), which somewhat defeats the purpose of encryption?

 

 

 

I am sorry if this discussion is a duplicate.

 

Thank you all in advance.

 

 

EDIT :

 

Thanks for sharing your idea here. I appreciate you all. 

 

So as I mentioned when I try to encrypt with a new password, EN warns me that the new password is different from what I used to encrypt with.

It means that EN does store the encryption password I am using as plain text, which I think totally defeats the purpose of encryption, because if somebody else has the encryption key (the password), he/she can easily decrypt.

 

 

The conclusion is as follows:

 

1. Encryption works when ONLY I have the key.

2. EN, however, stores the key as plain text somewhere.

3. We do not know where the 'somewhere' is.

4. If EN tries to sync the key stored in my machine, then it automatically breaks 1 above.

 

 

So from my purely technical view, I think EN had better just force the user to enter the same password twice (like we always do when creating an account)

and leave the user at his own risk.

 

MORE EDIT: 

 

At this point I think a more secure way to keep your sensitive information in EN is:

 

1. Save your information in PDF.

2. Encrypt the PDF.

3. Store the PDF in EN.

Link to comment
  • Level 5*

Hi.  See these two entries for more information.  Briefly,  the encrypted password is kept on your machine,  and in pure risk terms that's not ideal.  

 

But someone would have to get your account access details to be able to use it...

 

Link to comment

 

Hi.  See these two entries for more information.  Briefly,  the encrypted password is kept on your machine,  and in pure risk terms that's not ideal.  

But isn't this a prerequisite for verifying the password entered by the user? If the password wasn't stored on the local machine, how would it know when the user enters the correct password? 

Link to comment
  • Level 5*

You're quite right.  The password (or a matching hash of some sort) obviously has to be kept somewhere,  but in terms of protections (and IMHO),  a password kept on the server and tested by an entry from the user's device over a secure link is more secure than a password kept on a local device that might have all sorts of back doors and keyloggers inflicted on it,  quite apart from the possibility of the device itself being stolen and taken apart at leisure.

 

Security is always on a sliding scale - if you commit something to any medium:  paper,  electronics or someone else's memory,  you just went out of 100% secure and into risk evaluation.  The only way to keep something truly secret is to keep it in your head !!

Link to comment

Maybe I misunderstood the problem, but I don't believe that this is a prerequisite for encrypting text. Encryption is something very different from logging into an account, where a password must indeed be validated.

For encryption, the 'password' is just used as a key for scrambling my data and this key should never be stored, except in the memory of the user... For instance, I use 7-Zip's AES-256 and this will never check or complain when I use another key. 7-Zip will never store my key and if I forget it, I lose access to my data forever.

 

Eric

Link to comment
  • Level 5*

  but in terms of protections (and IMHO),  a password kept on the server and tested by an entry from the user's device over a secure link is more secure than a password kept on a local device that might have all sorts of back doors and keyloggers inflicted on it,  quite apart from the possibility of the device itself being stolen and taken apart at leisure.

 

Really??  

 

A server is just another computer and inherently is no safer than your computer at home.

Actually, it is less safe since, by definition, it is always (or almost always) connected to the Internet, and is much more likely to be hacked than your personal computer.

 

A password stored on your local computer will be highly encrypted, and stored in a hidden, obscure location, very, very unlikely to be discovered and decrypted by an intruder.

 

Think about it, even your computer OS must store your password on your local drive.

Link to comment
  • Level 5*

@eric99 - actually this might be a storm in a teacup; I just tested a Windows note encryption using a pass phrase I've never used before, and got no challenge whatsoever - I was just asked for my phrase (with warnings about it being unrecoverable if I forgot it) - supplied a few new nonsense words and the text was locked away. I don't think there is any test here - not in Windows at any rate.

 

@JMichael - that was entirely IMHO,  but I seem to remember reading recently about untold hordes of zombie PC spam and DDOS factories.  That never seems to happen to servers for some reason... 

Link to comment
  • Level 5*

@Gaz:

 

If you are storing a PW on your local computer, you have to worry ONLY about the security of your computer.

If you are storing a PW on a server, then you have to worry about the server as well, thus doubling the risk, if not more.

You have control over your computer, but not the server.  So you really don't know what security measures the Server has.

Whatever risks you have on your computer, like capturing keystrokes, would still apply even though you are entering a PW to be sent to the server.

 

This is pretty obvious.

Link to comment
  • Level 5*

We're heading steadily off topic here,  because it is impossible to quantify the security of a PC vs the security of a server - it depends entirely on the competence of the operators at both ends.  If the PC owner is an 'average' Evernote user,  and the server belongs to Evernote,  I'd be pretty convinced who's likely to have more protections in place.  In this case the encryption is saved on the PC so the point is moot.

Link to comment
  • Level 5*

We're heading steadily off topic here,  

 

Yep,  You could have chosen to stop with the off-topic responses, but you didn't.  

 

Since you are not a security expert, and neither am I for that matter, it seems useless to continue the discussion. No need to repeat anything -- I'm pretty sure the other readers have the information they need to further investigate security issues. I strongly recommend that no one rely on any of these postings to understand IT security. Do your own research.

Link to comment
  • Level 5*

Out of interest, per eric99, I always thought the key was just used to start the encryption monster or to reverse the process.  So not really stored anywhere. 

 

Which gives me pause, since when I do a test and I try and enter a different key, I get the below, which says my key is stored somewhere....  or I am missing something.

 

[attached screenshot: the "different passphrase" dialog]

 

 

Link to comment
  • Level 5*

Out of interest, per eric99, I always thought the key was just used to start the encryption monster or to reverse the process.  So not really stored anywhere. 

 

 

I think you're onto something here, Cal.

IMO, there is no need to store the encryption key anywhere.

Link to comment
  • Level 5*

I shut down EN all the way and tried again, to be sure it wasn't just sitting in memory from me decrypting something.  Got the same splash.

 

Makes you wonder about the statements that your data is gone if you forget the password, doesn't it.

Link to comment
  • Level 5*

Evernote provided what could be a very sensible protection - imagine your pass phrase is "one two three" and (bearing in mind the warnings issued when you first enter a phrase) you mistakenly enter "onetwo three" - if the app encrypted the content without comment,  you could spend a lot of time unsuccessfully trying your pass phrase without realising you had -effectively- changed it.

 

On the other hand - and to keep your content more secure - you might be deliberately changing the pass phrase each time you use the feature.  This is an effective "are you sure?" prompt at a point when you might actually be encrypting your data in such a way you won't ever be able to retrieve it.

 

As to the security of keeping passwords on the PC - Evernote are clear up front that's what's happening.  It's up to the user whether they feel their own security is good enough to protect specific information.

Link to comment
  • Level 5*

Evernote provided what could be a very sensible protection

 

I don't buy it.  This is the same company that doesn't provide common user protection against accidental Note deletion.

So Gaz, how much does Evernote pay you to always come up with rationale in their behalf?

Link to comment

 

You really crossed the line with the "I don't buy it" part.

 

 

Hmm, I don't think so.  I didn't/don't see any lines.  LOL

 

 

... which means that I'm really referring to the other part. But you knew that. Also, I like hyperboles. 

Link to comment
  • Level 5*

... which means that I'm really referring to the other part. But I'm sure you knew that. Also, I like hyperboles. Now you just have to figure out whether or not I was being serious, and if so, to what degree.

 

 

you're off-topic, so I'm ignoring you.  you just have to figure out whether or not what I said was in jest, and then go back to your playroom.  LOL

Link to comment
  • Level 5*

Evernote provided what could be a very sensible protection - imagine your pass phrase is "one two three" and (bearing in mind the warnings issued when you first enter a phrase) you mistakenly enter "onetwo three" - if the app encrypted the content without comment,  you could spend a lot of time unsuccessfully trying your pass phrase without realising you had -effectively- changed it.

 

On the other hand - and to keep your content more secure - you might be deliberately changing the pass phrase each time you use the feature.  This is an effective "are you sure?" prompt at a point when you might actually be encrypting your data in such a way you won't ever be able to retrieve it.

 

As to the security of keeping passwords on the PC - Evernote are clear up front that's what's happening.  It's up to the user whether they feel their own security is good enough to protect specific information.

I don't want to test it, but I read the message as: your previously entered passphrase (not that much different from a password in effect, but more so in usage) will be supplanted by the new passphrase. Not a different passphrase for a different bit of encrypted text, but a new passphrase in general. Which makes no sense if the passphrase drives the algorithm. That, and why is my passphrase being remembered? Getting above my pay grade at this point.

Link to comment
  • Level 5*

Wow.  Being in a slightly different time zone I went to bed around post #17 when I thought we'd already done this topic to death.  Coming back to the ongoing discussion - and just for the record - I do not get paid anything by Evernote for not going all Henny Penny on each real or imagined bug.

 

Back on topic,  Cal - I haven't used text encryption for a while,  and things might have changed;  but I do remember testing out the 'passphrase change' thing a couple of years ago when notes that I had encrypted with one pass phrase were only unencryptable with that phrase,  even though I had saved content with another phrase since.  The new content was unencryptable only with the new phrase.  YMMV on the current EN version(s).

 

For that reason,  where I've encrypted notes I've also added a pass phrase hint in clear text so I use the correct one.  I'd strongly advise anyone using encryption to test whether one phrase = one note still,  and if so,  consider using a different phrase for each encryption.  (There's presumably a limit to how many phrases can be stored - if there is I don't know it...)

 

I don't see a difference between a pass phrase and a password - I use phrases as my more secure passwords anyway;  they're easier to remember than random "0yuP8h9Dy" strings.  

 

If you use "I wandered lonely" for encryption,  the actual text,  or an encrypted hash of some sort might be saved on your hard drive to compare with the next entry.  If the new submission doesn't match,  then the logic apparently wants a confirmation that you actually meant what you typed before it processes the content.

 

The hashed pass phrase might be 'visible' on your hard drive if you knew where to look,  but even if it was crackable,  you'd still need the account password and a note ID to have access and know where to apply it,  and you still won't know whether you're getting someone's offshore banking details or a 'secret' recipe for clam chowder.

 

As has already been said a couple of times - We. Just. Don't. Know. enough about the context here to make a value judgement.  The basic consideration is:  if you want something kept totally secret,  don't put it somewhere that might - even with million-to-one odds - be cracked.

 

Evernote would - of course - say that they take "every precaution" to protect our security.  Others apparently want military grade security.  The problem with security is that the more you talk about it,  the less secure it is. The more details Evernote confirms on the forums here,  the less flailing around any black hat might have to do in a search for paydirt.  So I'd very strongly recommend that anyone with more queries,  raises them directly with EN as a support request ("by choosing the appropriate option in the first dropdown after logging in here > https://www.evernote.com/SupportLogin.action").  

 

If you're not yet premium,  you might want to look at other providers of secure storage to see whether it might not be more economic to use a different service.

 

Edit:  Forgot to add - from https://evernote.com/security/

 

Encrypted Text Within a Note

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

Link to comment
  • Level 5*

@Gaz,

 

Thanks for the reply.  First, I have a small test account so I decided to verify one way or another multiple passphrases in an account.  It turns out you can have multiple passphrases in an account.  Why they would not recommend it is a bit of a mystery, nanny state I suppose.  Anyway, you get this splash screen to enter the passphrase which begs the question relative to the warning - if EN does not store a copy of the phrase how do you get prompted that you are entering something different?  Back to OT.

 

[attached screenshot: the passphrase entry splash screen]

 

 

"I don't see a difference between a pass phrase and a password" - may be semantics, but one difference, maybe the only one, is that the phrase is used to generate the encryption, so a different phrase gives a different result, I think anyway.

 

Not from you, "We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data." - so again how does EN know I'm entering something different?

 

The world won't stop spinning, but this has fallen into one of those how come - for why areas for me.  Just would like to know how it actually works.  An inquisitive mind and a dose of OCD are never a good combination.  :wacko:

Link to comment

I did a small test confirming that the pass phrase is just stored on the local PC and not in the cloud (as Gaz explained before):

So far, I always did encryption on my old PC. When I try to encrypt on my new PC with another pass phrase, it does not complain. That means that my pass phrase never left my old PC.

 

This protection level is sufficient for me, but it is different from what Evernote tells us. I also would like to know from Evernote whether this is a bug or a feature...

 

 

 

Link to comment
  • Level 5*

Evernote don't often comment on threads in general and security issues even less,  so if you really need an answer I'd suggest raising a support ticket (referring back to this thread) by choosing "report a bug..." in the first dropdown after logging in here> https://www.evernote.com/SupportLogin.action

 

If you're a Premium / Business user you'll have access to a Chat option (7am-7pm PST weekdays) - click 'continue' on the support page after logging in.

 

Evernote do say that the password is retained on the local machine,  so I don't see that it's a bug (as such) that the 'old' pass phrase isn't referenced on a new installation - if you can still unencrypt your text,  the "has this phrase been used before" test is apparently something separate from the actual encryption process.

Link to comment
  • Level 5*

Being redundant, but it is interesting trying to reconcile "we can't help you if you forget your passphrase" with "oh by the way this isn't your usual passphrase".  Just saying...  :wacko:

Link to comment

Of course, only a small CRC (16 or 32 bit) needs to be stored on the PC for the pass phrase comparison. This CRC code can never be reversed to the original pass phrase anyway.

Link to comment

To explain this in more detail:

 

Only a CRC (checksum), calculated from the pass phrase, is stored on disk. The next time, it recalculates a checksum from the entered pass phrase and compares this checksum with the previous one. This way, the previous pass phrase isn't required for just checking equality.

 

This is similar to your bank account number, which ends with a checksum of 1 or 2 digits. If you make a typo while entering the number, it will refuse the number just like Evernote does. However, it is absolutely impossible to reconstruct the 10-digit bank account number from just these two checksum digits...

 

Conclusion: Evernote does not store the pass phrase, and therefore can not help you if you forget your pass phrase.

Link to comment
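An added example, not Evernote's code and not a description of their client: it follows the KDF parameters quoted earlier from the security page (PBKDF2, 50,000 rounds of SHA-256, 128-bit key) and contrasts two ways a client could answer "is this the same pass phrase as last time?" without keeping the phrase itself: the CRC proposed in the post above, and a salted PBKDF2 check value. The function names, the verifier layout and the 16-byte check salt are assumptions.

```python
"""Added example (not Evernote's code): detecting a changed passphrase
without writing the passphrase to disk.  The AES-CBC encryption step
from the security page is not shown; it needs a third-party library."""
import hashlib
import hmac
import os
import zlib
from typing import Optional

ROUNDS = 50_000   # iteration count quoted from evernote.com/security
KEY_BYTES = 16    # 128-bit AES key quoted from evernote.com/security


def derive_key(passphrase: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 16-byte key, as the security page describes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, rounds, dklen=KEY_BYTES)


def make_verifier(passphrase: str) -> dict:
    """Record the passphrase for later equality checks without storing it.

    A fresh, separate salt is used (assumption), so the stored check value
    is unrelated to any AES key derived for a note with its own salt."""
    salt = os.urandom(16)
    return {"salt": salt, "check": derive_key(passphrase, salt)}


def same_passphrase(passphrase: str, verifier: dict) -> bool:
    """Recompute the check value; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(derive_key(passphrase, verifier["salt"]),
                               verifier["check"])


def classify(passphrase: str, verifier: Optional[dict]) -> str:
    """The decision behind the 'different passphrase' dialog in the thread."""
    if verifier is None:
        return "first-use"
    return "same" if same_passphrase(passphrase, verifier) else "different"


def crc_verifier(passphrase: str) -> int:
    """The 32-bit CRC idea from the thread (hypothetical, not what Evernote
    says it does).  It cannot be reversed, but it has no salt and no work
    factor: whoever reads it from disk can test candidate phrases offline at
    CRC speed, and the same phrase maps to the same value on every machine.
    The salted, 50,000-round verifier above makes each guess cost the KDF."""
    return zlib.crc32(passphrase.encode("utf-8")) & 0xFFFFFFFF


def crc_matches(passphrase: str, stored: int) -> bool:
    """Equality check a CRC-based client would perform."""
    return crc_verifier(passphrase) == stored
```

The typo case from earlier in the thread ("one two three" versus "onetwo three") is reported as "different" by both schemes; the difference between them is only how much an offline guess costs.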

Archived

This topic is now archived and is closed to further replies.
