Evernote Introduces 2 Factor Support (and more)

I’m a big fan of 2 factor security for critical information stored online (in the “cloud”). After the attempted hacking on Evernote back in March, I made the following resolutions regarding the security of my online data:

Clearly this issue has made me re-consider aspects of my own approach to information security, and has reinforced others. I recommend that everyone do the same, and take at least the following actions:

  1. Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data;

  2. Have a personal password management policy that includes never re-using passwords, and never using dictionary passwords. Use of an app like 1Password, LastPass or similar may help.

At the time I wrote that post, Google and Dropbox were the main services to have implemented 2 factor security, and it’s been pleasing to see that other services have commenced implementation of 2 factor security, including App.net, Apple [1], Facebook, Fastmail (my email host of choice) and Twitter [2], and most recently, Evernote.

I was initially disappointed with what I first read about Evernote’s 2 factor security implementation because the first blog post I read indicated the implementation was SMS based. However, on reading Evernote’s blog post I saw they indicated a choice of SMS or authentication with Google Authenticator.

Evernote implements 2 factor security, and more

I’ve set Evernote 2 factor up using Google Authenticator [3], and am delighted that my major online services have at least begun implementation of 2 factor support. Fastmail, Evernote and Dropbox are the most important for me, and they each have good 2 factor support. The main piece still missing (for me) is iCloud, although the data stored there is less security critical.

Evernote’s implementation works well, but is only for Evernote Premium users at this time. A couple of important things should be borne in mind when implementing it (or for that matter, any 2 factor security system).

  1. Ensure that you have updated the corresponding app (or apps) on every device before implementation; and,
  2. Save the backup codes provided in a secure repository (print them out or save them in a secure location like 1Password).

Evernote’s latest security updates also include a couple of additional things (available for all users) – Authorised Applications (with the ability to revoke access remotely) and Access History.

Hop to it. With this implementation, Evernote (the best online repository of stuff) is now even better.


  1. So far, Apple’s implementation seems to be a bit of a lame duck, because it doesn’t seem to do very much. I’ve not actually seen it request a code since the initial setup, and it doesn’t seem to be connected (at this time) to iCloud or the iTunes/App Stores.  ↩

  2. Twitter’s implementation has been quite critically received, primarily because authentication is by SMS and doesn’t allow multiuser capability (like Facebook).  ↩

  3. I have moved away from many of Google’s apps and services. At the time I originally wrote this post, I was using Google Authenticator, but now use Authy instead. It’s a nice little app for the job (update 29/8/13).  ↩

Evernote’s password hack, and the security of your stuff in the cloud

Like all Evernote users, today I received an email (and blog post) advising that there has been an attempted security attack on their systems, and that they have force-changed all user passwords:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset.

I am a heavy Evernote user, and put a lot of stuff up there – from basic research to business records. I love that I can find my key information so easily. They have solid apps for OSX and iOS (although they have been increasingly buggy lately), and a good browser based system to get at my information from anywhere. I love having my stuff in the cloud so I can get at it wherever I am.

For the past couple of weeks I was teaching a PADI Instructor Development Course in Fiji and on several occasions I was able to quickly get to records that I needed but didn’t have with me through my iPad or MacBook Air. Too easy.

Lately I’ve been wondering about the wisdom of having all my eggs in one basket. I trust the Evernote team, and as a Premium User I have a paid account. But my concerns are two-fold:

  1. If Evernote ever goes away (unlikely, but still a risk), what will happen to my data?
  2. Evernote has to be ever-vigilant for hacking attempts, and they have to win 100% – hackers only have to win once in a blue moon.
  3. As Evernote’s servers are not in Australia, my data may be legally accessed by a foreign government without warrant!

So it was good to see the following paragraph:

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The next paragraph, while honest and direct, certainly gave me pause to continue to consider the future of my information storage:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

Just yesterday (before the email went out), I downloaded a copy of DEVONthink, an OSX app that does many of the same things – allowing you to store snippets and documents, easily find them, OCR them, etc. Using Dropbox you can sync data between multiple Macs, and there is an iOS app. The latter feels a bit clunky, and it looks like you need to sync via Wi-Fi. I hope Dropbox sync is coming soon to that, because my iPad is rapidly becoming my main on-the-go device.

There has been a lot of debate about Evernote vs. DEVONthink, and there are very passionate people on both sides, with some very persuasive reasons for their approach. Evernote’s cloud based storage is both its greatest feature and its biggest drawback, depending on your perspective. I had planned to use DEVONthink side-by-side with Evernote for a couple of weeks to get a feel for which (if either) is the better approach for me. I still will, but I think I’ll move more sensitive info straight away.

Back to the security issues. I have been waiting for a while for Evernote to introduce 2-factor authentication. Google has had this for some time, and Dropbox also introduced 2-factor security in 2012, following similar hacking attempts.

Evernote needs to implement 2-factor security as a matter of urgency.

While I am at it, Apple also needs to implement 2-factor security for their iCloud services as a matter of urgency, particularly if they want Documents in the Cloud to be taken seriously.

Going forward, my personal rule is that 2-factor authentication is a threshold feature for any cloud based service that I use to store anything I would consider proprietary or sensitive, let alone confidential. I recommend you consider the same approach.

Evernote’s team made some additional excellent suggestions for security:

  • Avoid using simple passwords based on dictionary words

  • Never use the same password on multiple sites or services

  • Never click on ‘reset password’ requests in emails – instead go directly to the service

The first two should be an absolute given, but clearly they are not. The third one has tricked most people at least once, making the first two even more important.

Most people I know have a password management strategy that consists of three passwords:

  • a simple “throwaway” password they reuse on most websites
  • a more secure one for some selected sites
  • a most secure one for banking, finance, health, etc

In all three cases, most people re-use the same passwords, perhaps with minor variations.

The hackers know this and have set up ways of “sniffing” passwords. One way is to set up a rogue site, and when users try to sign on, they take the username and password and throw that at other sites, knowing that they will often get a hit. Even if they only get 1% success, they have a starting point. The case of Wired magazine’s Mat Honan teaches us that once a hacker gets “in” at a low level, they can use that information to gradually get full access to your life.

So you need to ensure you don’t re-use passwords, and that those passwords must not be simple. When it comes to hacking and security, most hackers are way better at hacking than users are at securing.

This is where my next rule of web security kicks in – I use 1Password to generate a separate password for each and every site I visit. Of course there are a lot of sites I visited before using 1Password, so once those sites are in 1Password, I can from time-to-time go through and manually change those passwords, starting with the passwords that are least secure.

Whilst on 1Password, I’d recommend that if users want cloud access, they store the 1Password file in a Dropbox account, not iCloud, because Dropbox has implemented 2-factor security.

I also have a category of sites that require the highest security, so I have those sorted together into a group in the 1Password app, and I change those passwords twice a year when the clocks change with Daylight Savings (an idea I got from MacSparky).

Clearly this issue has made me re-consider aspects of my own approach to information security, and has reinforced others. I recommend that everyone do the same, and take at least the following actions:

  1. Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data;
  2. Have a personal password management policy that includes never re-using passwords, and never using dictionary passwords. Use of an app like 1Password, LastPass or similar may help.

The “be alert, not alarmed” approach is the right one. We users need to recognise that information security is a moving target, and that balancing convenience, ubiquity and security is a constantly changing challenge. We need to reevaluate our balance regularly!

Send to Evernote as Print Option

I’m a big Evernote user, using it as a repository for many personal records that I need to have access to, but don’t want the paper clutter in my life (or my house or office). I scan most documents directly to a ScanSnap S1500M in my office, although when on-the-go I use a NeatReceipts scanner.
The PDFs generated are then moved on each computer (iMac in the office, MacBook Air on the go) using a series of Hazel automations to a Dropbox folder. From that folder, the files are then pulled into my Evernote Inbox notebook for processing. Sounds a little complex, but once set up it all happens seamlessly.

When I receive documents by email (including PDF attachments), I forward those documents directly to an Evernote email address that deposits the files directly into that same notebook. I also use Evernote’s Web Clipper to grab web pages I want to keep for archival records (not for later reading, for which I simply use Instapaper).

This gives me (almost) a single place to drop files for later filing. But I also get occasional other documents that I read on my Mac, but then want to keep a PDF copy of in my records (regardless of the original format). In the non-App Store (i.e. non-sandboxed) version of Evernote, I can simply use the Save PDF to Evernote option under the Print > PDF command. In the App Store (sandboxed) version of Evernote, you lose this option.

MacPowerUsers co-host Katie Floyd today made a post showing how to add a Send to PDF option when using the sandboxed version of Evernote:

The solution is simple, you need to create an alias to the Evernote application and drop it into ~/Library/PDF Services. (This is your user’s library folder for those of you unaware what the ~ means.) This can be a little tricky because the ~/Library folder is hidden by default in OS X Lion and above. To see it you have to hold down the option key while selecting “Go” in the finder and the Library will become an option. If the PDF Services Folder doesn’t exist, just create it but make sure you title it exactly that.

Total Finder

Another way to see the hidden files is to use the excellent TotalFinder app (recommended by Katie and co-host David Sparks in episode 106 of MacPowerUsers). Once you’ve installed TotalFinder, open up Finder Preferences, and go to the new TotalFinder pane. Then select the Tweaks tab, and check the Show System Files option. Then you’ve got permanent access to hidden system files. (Of course, with great power comes great responsibility). Don’t play around with system files unless you know absolutely what they are, and what you’re doing!
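The folder-and-alias setup from the quoted post, as an added shell example (not code from the original post or from Katie Floyd): it creates the PDF Services folder, links the Evernote app into it, and then lists every entry in the folder with its resolved target, since anything in that folder is handed your documents whenever you pick it from the Print > PDF menu and is worth a periodic look. It assumes a symbolic link serves the same purpose as the Finder alias the post describes, and takes the library directory and app path as parameters so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example, not code from the original post or from Katie Floyd.
# Assumption: a symbolic link works in "PDF Services" in place of the
# Finder alias the quoted post uses.

# install_pdf_service LIBRARY_DIR APP_PATH MENU_NAME
#   LIBRARY_DIR is normally "$HOME/Library"; it is a parameter so the
#   function can be tried against a scratch directory first.
install_pdf_service() {
    lib="$1"; app="$2"; name="$3"
    [ -d "$app" ] || { echo "no such app bundle: $app" >&2; return 1; }
    # mkdir -p works even though ~/Library is hidden in Finder
    mkdir -p "$lib/PDF Services" || return 1
    # -f replaces an existing link of the same name, -n keeps ln from
    # following an old link that points at a directory
    ln -sfn "$app" "$lib/PDF Services/$name"
}

# list_pdf_services LIBRARY_DIR
#   Prints one line per entry as "name -> target [kind]". Every entry here
#   runs with your privileges whenever it is picked from the PDF menu, so
#   anything that is not an app bundle or workflow deserves a second look.
list_pdf_services() {
    dir="$1/PDF Services"
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*; do
        # an empty folder leaves the glob unexpanded; -L catches dangling links
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
        else
            target="$entry"
        fi
        case "$target" in
            *.app)      kind="app" ;;
            *.workflow) kind="workflow" ;;
            *)          kind="other: inspect before trusting" ;;
        esac
        printf '%s -> %s [%s]\n' "$(basename "$entry")" "$target" "$kind"
    done
}

# Real use (uncomment): install under your own Library and review the folder.
# install_pdf_service "$HOME/Library" /Applications/Evernote.app "Save PDF to Evernote"
# list_pdf_services "$HOME/Library"
```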

Ultimately, the goal is to capture your documents into an Evernote notebook. Once there, you can use your GTD processing step to move the documents into your reference folders, or of course, action them if there is an outstanding next action!