In my capacity as the Evernote Ambassador for Paperless Lifestyle, one of the most frequently-asked questions I get is on security. “Are you comfortable with Evernote’s security?” is one way this question is framed. Sometimes, people ask, “What if Evernote goes away?” My typical response is that I don’t lose sleep over security and what I put into Evernote. Each person has a different comfort level with what they are willing to put into Evernote and each person must decide for themselves where that comfort level is. I see lots of advantage to having lots of stuff in Evernote.
Part of the reason I don’t lose sleep is because I use what I think are some good Internet security practices. I think I might have outlined these practices briefly in the past, but let me run through three of them now that I think will put you way ahead of the average user in terms of security. Incidentally, these are good practices all around, not just for Evernote.
1. Use strong, complex passwords
There is some debate over the value of the complexity of a password, but strong passwords–that is, passwords that have more than just numbers and letters, but also include different cases and symbols–also tend to be longer, and the longer a password is, the more difficult it is to crack by brute force. For me, my practice is as follows:
- Use a minimum of 15 characters in a password.
- If a site says something like “Enter a password between 7-20 characters” I will always adjust to use the maximum; in this case 20.
- If a site does not allow special characters, I will always make the password as long as the site allows.
All this does is ensure that the password is harder to crack by brute force. It does not make it impossible, just more difficult.
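The three rules above, applied in code: pick the longest length a site allows (never below 15), draw the password from a cryptographic random source rather than by hand, and compare the brute-force search space of a long letters-and-digits password against a short one with symbols. This is an added illustration, not code from the original post or from LastPass; the symbol set and the 15-character floor are assumptions taken from the text.

```python
import math
import secrets
import string

# Character classes. Symbols are kept separate because some sites reject
# them; the post's rule in that case is simply "as long as the site allows".
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"  # assumed symbol set; adjust to what a site accepts


def choose_length(site_min, site_max, floor=15):
    """Apply the post's length rules: at least `floor` characters, and always
    the site's maximum when it states one ("7-20 characters" -> 20)."""
    if site_max is None:
        return max(site_min, floor)
    return site_max


def entropy_bits(length, alphabet_size):
    """Size of the brute-force search space for a uniformly random password,
    expressed in bits (log2 of alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length, allow_symbols=True):
    """Random password from the allowed alphabet using the `secrets` module
    (never `random`), re-drawn until every allowed class appears once."""
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if allow_symbols else [])
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def compare_policies():
    """Worked comparison from the post: 20 letters+digits only versus
    7 characters with symbols allowed. Returns (bits_long, bits_short)."""
    plain = len(LOWER + UPPER + DIGITS)          # 62 symbols
    with_symbols = plain + len(SYMBOLS)          # 76 symbols
    return round(entropy_bits(20, plain), 1), round(entropy_bits(7, with_symbols), 1)


if __name__ == "__main__":
    length = choose_length(7, 20)                # site says 7-20: use 20
    print(length, generate_password(length, allow_symbols=False))
    print("20 plain vs 7 with symbols (bits):", compare_policies())
```

The long plain password wins by a wide margin (about 119 bits against 44), which is the point the post makes about length.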
2. Use a different password for every service
This sounds like a lot of work, but really, it isn’t. I use a tool called LastPass, about which I wrote in some detail a few months ago. With LastPass, I can do the following:
- Generate a random, strong password of any length and combination.
- Keep track of the list of services I use and have my browser log into those services for me, so that I don’t have to remember 70 different strong passwords.
- See information about my login history, and have LastPass update my entries when I change a password.
There are other services besides LastPass that do this, but I like LastPass. It is simple, easy and gets the job done. There are numerous advantages to having different passwords for every service, the biggest being:
- If a password is compromised, the person who has the password can access one and only one service. If they get access to Facebook, for instance, they can’t access anything else.
The benefit LastPass brings, in addition to keeping track of strong, unique passwords for every service I use is that it plugs into my browsers and I can access these services automatically without having to type these passwords, so long as I have unlocked LastPass locally. I only have to remember one strong password, and this password is never “remembered” on the computer so if I am away and my computer is locked, no one else can access the password.
Once again, this doesn’t make it impossible for someone to hack into an account, but it makes it much more difficult to get into more than one account when the password only works in one place.
3. Use 2-factor authentication
Two-factor authentication is a form of authentication that requires a second confirmation from you, usually through a mobile device that only you carry around. It adds an extra step to the login process, but it makes it much harder for someone to get access to your accounts.
Here is how it works, using Evernote as an example:
- Log into Evernote from anywhere.
- You will be prompted for a login and password. Enter your (strong) login and password.
- If the machine from which you are accessing Evernote has not yet been “verified” you will be presented with another screen, asking you to enter your “verification code.”
- The verification code is sent to a device that you authorize when you set up 2-factor authentication. In this example, let’s say it is my iPhone. After a few seconds, I will receive a text message on my iPhone with a verification code that is good for a certain short period of time.
- I enter the verification code into Evernote.
- At this point I am authorized and can access my data.
To see the advantage, imagine that someone hacked my Evernote password. They log into my account and are asked for a verification code. Since the verification code is sent to my iPhone–something they are unlikely to have–they still cannot access Evernote, even though they have my password.
What’s more, since I will get the text message and I’ll know that I wasn’t trying to access my account, I’ll have a pretty good idea that an unauthorized attempt was made and I can change my password at once.
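What the service has to do on its side for the steps above to hold: issue a short-lived code, accept it once only, and stop accepting guesses after a few wrong entries. The following is an added example of that server-side bookkeeping, not Evernote’s code; the 5-minute lifetime and 5-attempt budget are assumptions, and sending the SMS is left to the caller.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed "short period of time": five minutes
MAX_ATTEMPTS = 5        # assumed budget of wrong codes before re-issue is needed


class VerificationStore:
    """One pending code per user: short-lived, single-use, attempt-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> {"code", "expires", "attempts"}

    def issue(self, user):
        """Create a 6-digit code; the caller sends it to the registered phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {"code": code, "expires": self._clock() + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, user, submitted):
        """True only for the current, unexpired code. The code is consumed on
        success and discarded once the attempt budget is exhausted."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]  # expired: a fresh code must be issued
            return False
        entry["attempts"] += 1
        # Constant-time comparison; encode so non-ASCII input cannot raise
        if hmac.compare_digest(entry["code"].encode(), str(submitted).encode()):
            del self._pending[user]  # single use: a replay of this code fails
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]
        return False


def password_only_scenario():
    """The post's scenario: someone with the password but not the phone.
    Returns (wrong_code_rejected, owner_accepted, replay_rejected, expired_rejected)."""
    clock = [1_000_000.0]                                  # constructed fake time
    store = VerificationStore(clock=lambda: clock[0])
    real_code = store.issue("alice")                       # goes to alice's phone
    wrong_code = "000000" if real_code != "000000" else "000001"
    wrong_rejected = not store.verify("alice", wrong_code)
    owner_ok = store.verify("alice", real_code)            # alice types it from her phone
    replay_rejected = not store.verify("alice", real_code)
    fresh = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1                       # let it sit past its lifetime
    expired_rejected = not store.verify("alice", fresh)
    return wrong_rejected, owner_ok, replay_rejected, expired_rejected
```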
I enable 2-factor authentication wherever it is available, including:
- Google (Gmail, Apps, etc.)
- My web host
- My bank
just to name a few. If anyone were to access my credentials to any of these services, they would still need access to additional information in order to gain access to the data in the service.
Two-factor authentication can be a little tricky to get used to at first, especially with something like Google Apps, where using 2-factor authentication requires the creation of “application” passwords for apps that integrate with Gmail and other Google apps. But these are one-time efforts, and the additional labor required to set this up is well worth the peace of mind.
4. Always use SSL when it is available
SSL, or Secure Sockets Layer, is what turns plain HTTP into HTTPS: the data to and from the server is encrypted. In the past, it has been optional, but more and more services are making it the default, so you may be using it already. It helps ensure that when you are connecting to, say, Facebook, what you type goes from your computer to Facebook’s servers encrypted, rather than in the clear, and vice versa.
These are the four practices I use to maintain good Internet security. These are above and beyond my regular data protection practices (e.g. cloud backups). And I have worked these practices into my life so that I almost don’t notice them and they don’t get in the way. This goes a long way toward explaining why I don’t feel like I lose any sleep over security concerns with Evernote–or other services I use.
If you have other suggestions for good Internet security practices, leave them in the comments.