There are several important security steps that you can take to better secure your Evernote data:
Use a different password on Evernote than any other site you log into. That way, if someone learns your password on another site, you won’t have to worry about them also being able to access your Evernote account.
Avoid using simple passwords that could be looked up in a dictionary. Instead, choose a complex password that is at least 8 characters long and contains a mix of uppercase and lowercase letters, numbers, and special characters. Equally good is picking a phrase that is at least 20 characters long.
A password manager can make both of these easy to do. We suggest using one.
Enable two-step verification on your Evernote account to better secure it in the event that someone learns your password.
Two-step verification, also known as two-factor or multi-factor authentication, adds an additional layer of security to the login process, requiring you to enter a special code from your phone, in addition to your regular username and password. The goal of this extra step is to combine something you know (your password) with something only you would have access to (your phone).
Setting up two-step verification is straightforward. Just follow the steps in the Security section of Evernote Web. All users can generate codes locally using an application on their mobile device (we recommend Google Authenticator) or can choose to have the codes delivered as a text message via Telesign.
One very important thing to note. As part of the setup process, you will be given several one-time codes to use in the event that you are unable to access your phone. Don’t store these codes in Evernote since you’ll need them when you don’t have access to your Evernote account.
You can review, and optionally revoke Evernote applications and other services that have access to your account in the Applications section of Evernote Web, which is located in the Account Settings. Alternatively, when you reset your Evernote password in Evernote Web, you can Revoke all applications as part of the password reset workflow. If you revoke all applications, any attackers with access to your account will lose their access.
You can review the IP addresses and the names of devices and applications that have recently accessed your account, in the Access History section of Evernote Web. The locations of devices or applications listed are not 100% exact (we use Maxmind GeoIP for this feature). Mobile devices and VPN tunnels, in particular, may route through private networks to internet IP addresses located in different geographic locations not anywhere near the original location of the originating device.
If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note using a passphrase to add an extra level of protection to private information. This end-to-end encryption feature only lets someone that knows the passphrase decrypt the text. We never receive a copy of your passphrase or the encryption key we derive from it. If you forget your passphrase, we cannot recover your data.
When you use this feature, we encrypt your text using AES (Advanced Encryption Standard) with a 128 bit key. We derive this key from your passphrase using a unique salt and PBKDF2 with 50,000 rounds of SHA-256. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.
If a thief steals a device you have Evernote installed on, they will be able to access your Evernote data as easily as your email, photos, and other applications on that device. To protect yourself against this situation, you should enable the security controls available to you in your device's operating system. These include setting a screen or passcode lock, screensaver or auto-lock timeout, and encrypting your device’s storage.
In most cases, you only need to log into Evernote on your phone, tablet and desktop computer once. If you lose one of these devices, you should revoke its access to your account. Follow these instructions.
Hackers might try to lure you to log into a site that looks like Evernote, but isn’t really Evernote. We call this password-stealing attack “phishing.” Before entering your Evernote username and password into a site, be sure to verify that the URL in your browser starts with https://www.evernote.com/ or https://evernote.com.
Every email that Evernote sends is cryptographically signed and sent from IP addresses we publish. If you receive an email from one of these domains, you can trust it.
If you receive an email that looks like it is from Evernote, but the sender address is not one of those domains, we did not send it and you should delete it.
For more information on spam and malware email claiming to be from Evernote, please see this help & learning article.
A common way for you to get malware on your computer is by visiting a site that tries to exploit a security vulnerability in your browser or the browser plugins you have installed. This is called a “drive-by download.” A great way to protect yourself is to prevent web browser plugins from automatically running. Follow the steps for your browser:
Firefox: configure your plugins to “Ask to Activate”. See this page for details on how to do this for Adobe Flash.
Chrome: make sure you are running the latest version and you will be prompted when a site wants to run a plugin.
You should only run plugins when necessary, for example downloading a financial statement, and only if you trust the website.
You should also keep your software up to date. When an application alerts you that an update is available, install it right away. Be cautious of updates that appear in a web browser as many of these are fake and will try to trick you into installing malware.