Manitook

(Archived) Changing password on desktop version


Well, I read most of the posts so far and have not run across this yet.

When I signed up for the beta I used a long password with numbers and letters that is very hard to enter from a phone to access the mobile version. So last night I changed it on the web site to something really short and easy. That broke sync with the desktop version.

Is there a way to change the password for the desktop version to match the web view?

If not, there needs to be.

For security I change all my important passwords once a month and any site that holds my personal data is important.


I haven't tried changing my password yet, but I notice that under the Account menu in the desktop version, there's a Switch... item. Have you tried "switching", i.e., logging out of the old account (old password) and logging into the new one?


Just gave that a try.

No go. Here is the Sync log.

09:15 * loaded updateCount: 3684

09:15 Authenticating user "manitook"

09:15 EDAMUserException: errorCode=INVALID_AUTH parameter="password"

09:15 Session terminated abnormally, elapsed time: 0s

09:15 * 0s (0%) spent in EDAM RPC


Changing password with Switch option does not do anything. I just changed password to blabla and can still sync. It does check user name but not password.


I'd send some official feedback to EN then - go through the desktop send feedback menu item.


Ok, I just wanted to check here first to see if it has been covered yet.

Is there a list of known issues that we can check before submitting an official report?

I hate wasting the devs time for the same thing everybody else has reported.


No actual list anywhere, unfortunately. The best you can do is see if it's been discussed in the forum. And even that's not great, since some things get discussed by users, but not responded to by EN folks. Myself, if it's something that I want to make sure (well, as sure as possible) that EN sees, I use the feedback form. They have been known to not read the forum :D


Changing password with Switch option does not do anything. I just changed password to blabla and can still sync. It does check user name but not password.

It's a bug. Do 'Account > Close' instead of 'Account > Switch' and then provide your username and new password.


It's a bug. Do 'Account > Close' instead of 'Account > Switch' and then provide your username and new password.

The bug is still present doing it that way as well. I am even able to reboot the machine. It is also present with the portable flashdrive client on a machine without the desktop client installed, even with a reboot. The password function is broken on the client.

This is starting to raise doubts in my mind about the security of the web-based notebooks. Where can I find some details about it? Specifically, are our notebooks on your servers encrypted, and with what algorithm?

They have been known to not read the forum :)

Us - not reading the forum? No way! :D

Well, we do turn away once in a while to follow up on what we read here...

The password function is broken on the client.

We are aware of this problem and are treating it as a high-priority one.

This is starting to raise doubts in my mind about the security of the web-based notebooks. Where can I find some details about it? Specifically, are our notebooks on your servers encrypted, and with what algorithm?

Notes in the Evernote service are protected like email at a high-end email service:

We have a private, locked cage at a guarded data center that can only be accessed by a small number (3) of Evernote operations staff that have a key and are on an access list at the data center. All system and database access is also restricted to these three staff members. Network traffic from the Internet can only reach these servers through a set of firewalls and Level 7 switches. The user database is on a separate subnet that is only accessible from the application servers. All remote administrative access to these servers is restricted through a hardened gateway server that requires encrypted communications and a password known to the same 3 people.

User passwords are not stored on the server and are only transmitted to our servers over SSL. (For web logins and client authentication.) The passwords are compared against a stored value via an MD5 checksum, but the password is never stored on disk in a usable form.

Phil (Evernote's CEO) and I came to Evernote from a company we founded that builds and sells millions of dollars of security/cryptography software to large governments and corporations. We explored the idea of only storing encrypted notes, but this basically means that you wouldn't be able to have a web-only UI for your notebooks. I.e. if the data is encrypted, the servers wouldn't be able to search your notes unless the servers also have access to all of the encryption keys, which basically defeats the whole point of encrypting the data. (If a server has encrypted data and a copy of the decryption key, then a successful attacker has everything they need to read the data.)

A service that only stored encrypted notes would look a lot different than Evernote. It would be more like a backup service for your desktop application, with no web UI at all. There are plenty of options for encrypted offsite PC backup, so we didn't think there was much of a reason to do this for a single desktop app. I.e. you could achieve this effect by using Evernote 2.2 and signing up for (e.g.) Iron Mountain's encrypted offsite backup service for your PC files.

Again, the Evernote service offers the same type of protection you get for your private emails when you use any popular mail service like gmail, hotmail, yahoo, etc.

If you have a few notes that you don't want to be accessible on the web, you have two options:

You can put these in a "local only" notebook that won't be synched to the service at all.

On the Windows application, you can encrypt a region of your Note so that it will only be accessible if you reenter the passphrase. This content will not be readable (or searchable) on the Web. This feature uses the symmetric RC2 cypher (64 bits, due to US export restrictions).

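The server-side password check described in the post above, as an added illustration and not Evernote's own code: an unsalted MD5 digest record of the kind the post describes, beside a salted, iterated PBKDF2 record, with both comparisons done in constant time. The sync_login helper and the record layout are assumptions made for this example; it only reproduces the INVALID_AUTH outcome seen in the sync log earlier in the thread when a client keeps presenting an old password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed per-account records for this illustration, not Evernote's schema.
# In both schemes the server keeps a digest, never the password itself.


def md5_record(password: str) -> dict:
    """Unsalted MD5 digest of the password, as the post describes.
    Two users with the same password get identical records, and one
    precomputed table cracks every account at once."""
    return {"scheme": "md5", "digest": hashlib.md5(password.encode("utf-8")).hexdigest()}


def pbkdf2_record(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> dict:
    """Salted, iterated PBKDF2-HMAC-SHA256 record: same 'never store the
    password' property, but each guess costs the attacker `iterations`
    hashes and a random salt makes precomputed tables useless."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "iters": iterations, "digest": dk.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time,
    so the comparison itself does not leak how many leading bytes matched."""
    if record["scheme"] == "md5":
        got = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    elif record["scheme"] == "pbkdf2":
        got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  bytes.fromhex(record["salt"]), record["iters"]).hex()
    else:
        raise ValueError("unknown scheme")
    return hmac.compare_digest(got, record["digest"])


def sync_login(record: dict, candidate: str) -> str:
    """Hypothetical client sync step: the server record was updated on the
    web site, but a desktop client still sending the old password fails
    with the same error string the thread's sync log shows."""
    if not verify(record, candidate):
        return 'EDAMUserException: errorCode=INVALID_AUTH parameter="password"'
    return "authenticated"


if __name__ == "__main__":
    account = md5_record("long-beta-password-1234")   # constructed sample
    account = pbkdf2_record("blabla", iterations=1000)  # password changed on the web site
    print(sync_login(account, "long-beta-password-1234"))
    print(sync_login(account, "blabla"))
```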
If you have a few notes that you don't want to be accessible on the web, you have two options:

You can put these in a "local only" notebook that won't be synched to the service at all.

On the Windows application, you can encrypt a region of your Note so that it will only be accessible if you reenter the passphrase. This content will not be readable (or searchable) on the Web. This feature uses the symmetric RC2 cypher (64 bits, due to US export restrictions).

Thanks for the explanation dengberg. It's nice to hear all the details, even if I don't understand them all :)

I didn't realize that encrypted notes weren't viewable on the web interface. That's interesting, and I wonder how many of us missed that. I keep a bunch of passwords in EN, and one of the great things about a web interface, would be the ability to look for a password online, or say from my phone. Normally, I don't encrypt these notes, and it's probably a good thing - otherwise I wouldn't be able to read them.

Just out of curiosity, I encrypted parts of a note, and then looked at it in the Web UI. This is what I see.

[screenshot attachment: the encrypted region as rendered in the Web UI]

Fascinating. Good to know though.


The current display of encrypted regions on the web is broken (i.e. "not implemented yet"). You're seeing the raw crypto gunk, which obviously isn't too useful.

Relatively soon, this will change so that you'll see a more pleasing placeholder that indicates "there's encrypted stuff here, go back to your Windows client to view it." You'll be able to edit around this placeholder, or remove it entirely, from the web UI, but you won't be able to see the encrypted content.

At some point in the future, we may consider a way to allow you to decrypt your encrypted regions via the web UI, but this isn't a trivial thing to do correctly. I.e. we don't want you sending your encryption passphrase to the server for us to decrypt. We'd want to get your browser to prompt you for a password and then decrypt the content locally so we never see your secrets on the server. This would probably require some form of browser plugin unless we can get enough crypto capabilities out of javascript. Either way, this wouldn't be trivial to implement, so it's on the longer-range roadmap.

Thanks


Thank you very much for the information.

I feel much better about the security of our data now. Maybe you can get some of that info added to the FAQ for the final roll out. Lack of details about security with all the new cloud based services is the main reason I only use a few of them and actively warn customers away from others.

This bit of detail goes a long way to making Evernote 3 a keeper alongside Evernote 2.2.

Thanks for all the great work and communication.

...User passwords are not stored on the server and are only transmitted to our servers over SSL. (For web logins and client authentication.) The passwords are compared against a stored value via an MD5 checksum, but the password is never stored on disk in a usable form. ...

A service that only stored encrypted notes would look a lot different than Evernote. It would be more like a backup service for your desktop application, with no web UI at all. ...

....On the Windows application, you can encrypt a region of your Note so that it will only be accessible if you reenter the passphrase. This content will not be readable (or searchable) on the Web. This feature uses the symmetric RC2 cypher (64 bits, due to US export restrictions).

Sorry to belabor the point. I can understand the reasons for not being searchable or readable, but that doesn't explain why you couldn't have per-note or per-notebook encryption that is backed up to the website but only viewable offline. If I want to use EverNote to house multiple kinds of data, from shared items with shared notebooks to private non-encrypted data to encrypted serial numbers etc.

I'm a new user to EverNote (OSx) and have tried out your competitors products. So far I'm stuck between EverNote with its image searching and easy web access and Yojimbo's encryption and better text rendering. Almost to a man everyone I sent invites to wanted to know about encryption.

Thank you for your time.


We plan to add encryption capabilities to the OSX client in the next month or so. This would allow you to encrypt passwords, PINs, credit card numbers, etc.

You could use this feature to put all of your passwords in one note, and then select the whole thing and encrypt it all, or you could just encrypt the passwords individually. The latter option might be useful for finding your encrypted notes:

Amazon password: [...encrypted stuff...]

NewEgg password: [...encrypted stuff...]

Encrypting specific regions would let you search for "Amazon" and find this note. (That's basically how I'll be using it on my MacBook.)


Thank you for your quick response. Your reply about the encryption is a welcome one. I was thinking about my uses on the ride home and decided to go with EverNote.

I recently switched my home PC from Vista/XP to OSx and it's been a devil of a time finding something to replace OneNote from Microsoft. One thing I do like on the more notable Mac clients is the icons for specific folders. Yeah, it's not needed, but personalization is one of those things we Mac users tend to favor.

Getting into bed with a note program is a rather weighty decision, as there's no easy way to migrate notes from one program to another. So it's figuring out where I need to make compromises.

Thanks again.

This is starting to raise doubts in my mind about the security of the web-based notebooks. Where can I find some details about it? Specifically, are our notebooks on your servers encrypted, and with what algorithm?

We have a private, locked cage at a guarded data center that can only be accessed by a small number (3) of Evernote operations staff that have a key and are on an access list at the data center. All system and database access is also restricted to these three staff members. Network traffic from the Internet can only reach these servers through a set of firewalls and Level 7 switches. The user database is on a separate subnet that is only accessible from the application servers. All remote administrative access to these servers is restricted through a hardened gateway server that requires encrypted communications and a password known to the same 3 people.

This is very good but still not secure enough for storing "enterprise data" on Evernote 3. As a good example, some folks mentioned they store customer names and other data on Evernote. This data simply shouldn't be stored in plain format on any external system. The weak point here is not necessarily your server, but the user access (by password) can be a major security issue (e.g. someone finds another user's password). Not to mention that if by accident any of this data goes over plain HTTP, then anyone in the middle can read it.

We explored the idea of only storing encrypted notes, but this basically means that you wouldn't be able to have a web-only UI for your notebooks. I.e. if the data is encrypted, the servers wouldn't be able to search your notes unless the servers also have access to all of the encryption keys, which basically defeats the whole point of encrypting the data. (If a server has encrypted data and a copy of the decryption key, then a successful attacker has everything they need to read the data.)

I believe this should be an option for notebooks; you can create "normal", "secure" or "local" notebooks.

In the secure mode, you cannot see the notes from the web and they sync encrypted. The key is only on the clients.

I.e. you could achieve this effect by using Evernote 2.2 and signing up for (e.g.) Iron Mountain's encrypted offsite backup service for your PC files.

That is true, but the simplicity and ease of use of Ev 2.2 synchronization beats an offsite backup system hands down. Not to mention that in a corporation, you won't be able to easily buy an offsite backup, but buying software such as Ev is much easier.

Again, the Evernote service offers the same type of protection you get for your private emails when you use any popular mail service like gmail, hotmail, yahoo, etc.

Again, this secures the access but not necessarily the data.

Erik.

We plan to add encryption capabilities to the OSX client in the next month or so. This would allow you to encrypt passwords, PINs, credit card numbers, etc.

You could use this feature to put all of your passwords in one note, and then select the whole thing and encrypt it all, or you could just encrypt the passwords individually. The latter option might be useful for finding your encrypted notes:

Amazon password: [...encrypted stuff...]

NewEgg password: [...encrypted stuff...]

Encrypting specific regions would let you search for "Amazon" and find this note. (That's basically how I'll be using it on my MacBook.)

That's what I do too, but it is a pain in the butt to try to print those notes without the cumbersome, time-consuming task of unencrypting each and every password, printing, then RE-encrypting everything. UGH.


Edit: moved this discussion to viewtopic.php?f=30&t=6722&start=0&st=0&sk=t&sd=a

Since Premium subscription is available now, let me state here that my signing up for that is dependent upon a "secure" notebook, i.e. a notebook where all data is encrypted.

SSL does not cut it for me. I have to be sure that my enterprise notes only can be read by me and only on the desktop.

Dave said something about secure notebooks being achievable using an online backup service and EN2.2. This is not true. I have 2 PCs and one Mac (I know, too many computers), but EN3's Mac client is a Godsend since synchronizing notes across platforms is a pain ... Second, EN3 will merge updated notebooks (just as EN2 does with the USB-sync feature in the professional version). For me that means I have access to my notes on all computers. The only thing missing is to have access to the enterprise notes as well.

Someone else noted that printing is a pain, when notes are partly encrypted - I agree on that as well. A "secure" notebook would solve that problem as well.

Please implement "secure" notebooks. I'd accept (almost) any limitations you'd put on an alpha version (no image recognition except on client, no web-access, ...)

thanks

Michael

This topic is now closed to further replies.