[ale] evernote security breach

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Tue Mar 5 11:35:47 EST 2013


Hi Keith, and all,

That sounds cool.  I'm probably going to move to something like that.  Even typing that long sentence every time I want to access any website is a pain, so I have to find a balance.  I have lastpass set to reprompt me for the password on every access, but I can override that with a timer.  So, let's say I'm at a restaurant and I'm using lastpass, which is logged in.  If someone grabs my computer, they would have access to all my passwords (plus all the data on the HDD).  Requiring a reprompt prevents them getting my passwords, at least.  If I'm at home, I can tell it not to reprompt me for an hour or more.  That way, I can access a number of websites in a row without entering the password / phrase every time.  If my computer is dormant for 10 minutes, lastpass logs out.

Note that the android plugin for lastpass and the dolphin browser does not auto logout.  It will stay logged in until you log it out.  I don't remember if that survives a reboot or not, but it does survive a lock screen / standby mode.

I found the following forum and blog posts by evernote regarding security:

http://discussion.evernote.com/topic/35371-evernotestop-messing-around-and-get-serious-about-security/page-2
     note the links at the bottom

http://blog.evernote.com/blog/2008/04/15/evernote-privacy-and-security/
http://blog.evernote.com/blog/2011/03/24/evernotes-three-laws-of-data-protection/
http://blog.evernote.com/tech/2011/05/17/architectural-digest/
http://blog.evernote.com/tech/2012/09/25/protecting-your-data-the-broken-drives-edition/

By the way, Evernote has a podcast that I occasionally listen to as well.

I am now convinced that Evernote's company philosophy and infrastructure are adequate to protect my data assuming my account credentials are adequate.  My password is now 64 characters of gibberish, so that part should be ok.

Keith, I know you said don't store any sensitive data in the cloud, but there is some that I would like to sync amongst my devices.  This could include things like those fake security questions you were talking about in another post.

Therefore, I have to decide amongst two likely ways of doing that.

Method 1) Store the data as encrypted notes in Evernote.  Account is protected by 64 character gibberish password.  Encrypted notes are secured by an additional password / phrase and never sent to / stored at Evernote in the clear.

Method 2) Store the data as secure notes in Lastpass.  These are essentially, I think, like other entries in the database that you create yourself, except they don't auto login, etc.  The entire database is encrypted and secured by my master password / phrase.

Evernote may be more secure, since that's protected by both my account password and my note encryption password.

Sincerely,

Ron



"Watson, Keith" <krwatson at cc.gatech.edu> wrote:

>Ron,
>
>Use a pass phrase. They are easy to type and when they reach 15
>characters or more, very difficult to crack.
>
>Example pass phrase:
>
>OK so you think you can brute force this pass phrase. Good luck.
>
>Like I said easy to type and remember, very difficult to crack. It
>would be easier to use rubber hose cryptography to get the pass phrase.
>
>keith
>
>-- 
>
>Keith R. Watson                        Georgia Institute of Technology
>IT Support Professional Lead           College of Computing
>keith.watson at cc.gatech.edu             801 Atlantic Drive NW
>(404) 385-7401                         Atlanta, GA 30332-0280
>
>
>> 
>> My wife, who's not a super geek, rightly pointed out that the weak
>> link in my chain is now the master password to the lastpass database.
>> If that were cracked at the lastpass website, or on a stolen PC, I'd
>> be in trouble.  I do have to remember that one, and I do have to type
>> it, every time I want to access the passwords for ANY site.  I'll have
>> to give that some more thought.
>> 
>> Sincerely,
>> 
>> Ron
>


--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com



