Customer Security Tips

There are several important security steps that you can take to better secure your Evernote data:

Passwords

Use a different password on Evernote than any other site you log into. That way, if someone learns your password on another site, you won’t have to worry about them also being able to access your Evernote account.

Avoid using simple passwords that could be looked up in a dictionary. Instead, choose a complex password that is at least 8 characters long and contains a mix of uppercase and lowercase letters, numbers, and special characters. Equally good is picking a phrase that is at least 20 characters long.

A password manager can make both of these easy to do. We suggest using one.

Set Up Two-Step Verification (2SV)

Enable two-step verification on your Evernote account to better secure it in the event that someone learns your password.

Two-step verification, also known as multi-factor authentication, adds an additional layer of security to the login process, requiring you to enter a special code from your phone, in addition to your regular username and password. The goal of this extra step is to combine something you know (your password) with something only you would have access to (your phone).

Setting up two-step verification is straightforward. Just follow the steps in the Security section of Evernote Web. Free users will be required to install an authenticator app on their phones. We recommend Google Authenticator. Premium users can choose to have the code delivered as a text message via Telesign.

One very important thing to note: as part of the setup process, you will be given several one-time codes to use in the event that you are unable to access your phone. Don’t store these codes in Evernote since you’ll need them when you don’t have access to your Evernote account.

Authorized Applications and Access History

You can review, and optionally revoke, Evernote applications and other services that have access to your account in the Applications section of Evernote Web, which is located in the Account Settings. Alternatively, when you reset your Evernote password in Evernote Web, you can choose “Revoke all applications” as part of the password reset workflow. If you revoke all applications, any attackers with access to your account will lose their access.

You can review the IP addresses and the names of devices and applications that have recently accessed your account in the Access History section of Evernote Web. The locations listed for devices and applications are not 100% exact (we use Maxmind GeoIP for this feature). Mobile devices and VPN tunnels, in particular, may route through private networks and reach the internet from IP addresses that are nowhere near the device's actual location.

Lost or Stolen Devices

If a thief steals a device you have Evernote installed on, they will be able to access your Evernote data as easily as your email, photos, and other applications on that device. To protect yourself against this situation, you should enable the security controls available to you in your device's operating system. These include setting a screen or passcode lock, screensaver or auto-lock timeout, and encrypting your device’s storage.

In most cases, you only log into Evernote on your phone, tablet and desktop computer once. If you lose one of these devices, you should revoke its access to your account. Follow these instructions.

Phishing

Hackers might try to lure you to log into a site that looks like Evernote, but isn’t really Evernote. We call this password-stealing attack “phishing.” Before entering your Evernote username and password into a site, be sure to verify that the URL in your browser starts with https://www.evernote.com/ or https://evernote.com

Every email that Evernote sends is cryptographically signed and sent from an IP address we publish. We will only send you emails from one of two domains: @evernote.com and @email.evernote.com. If you receive an email that looks like it is from Evernote, but the sender address is not one of those domains, we did not send it and you should delete it.
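
The URL and sender checks described above, as an added example that is not Evernote's code: it parses the address instead of matching a text prefix, because a prefix such as https://evernote.com also matches longer host names. The function names and sample addresses are constructed for illustration.

```javascript
// Added example (not Evernote code). Trusted values are the ones the page lists.
const TRUSTED_HOSTS = new Set(["www.evernote.com", "evernote.com"]);
const TRUSTED_MAIL_DOMAINS = new Set(["evernote.com", "email.evernote.com"]);

// Naive check: raw string prefix, shown only to contrast with the parsed check.
function prefixLooksLikeEvernote(raw) {
  return raw.startsWith("https://www.evernote.com") ||
         raw.startsWith("https://evernote.com");
}

// Stricter check: parse the URL and compare scheme, userinfo, port and host.
function isEvernoteUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return false; // not an absolute URL
  }
  if (url.protocol !== "https:") return false;
  // Anything before "@" in the authority is userinfo, not the site name.
  if (url.username !== "" || url.password !== "") return false;
  if (url.port !== "") return false; // only the default HTTPS port
  return TRUSTED_HOSTS.has(url.hostname); // hostname is already lowercased
}

// Sender check on a bare address (no display name): the domain is
// everything after the last "@".
function isEvernoteSender(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) return false;
  return TRUSTED_MAIL_DOMAINS.has(address.slice(at + 1).trim().toLowerCase());
}

// Constructed samples; example.net is a reserved documentation domain.
const SAMPLE_URLS = [
  "https://www.evernote.com/",
  "https://evernote.com/",
  "http://www.evernote.com/",
  "https://evernote.com.example.net/",
  "https://www.evernote.com@example.net/",
];

function report(urls) {
  return urls.map((u) => ({ url: u, prefix: prefixLooksLikeEvernote(u), parsed: isEvernoteUrl(u) }));
}

console.table(report(SAMPLE_URLS));
```

The last two sample URLs pass the prefix check but fail the parsed check, which is the case to watch for when reading the address bar.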

For more information on spam and malware email claiming to be from Evernote, please see this knowledge base article.

Malware Protection

A common way for you to get malware on your computer is by visiting a site that tries to exploit a security vulnerability in your browser or the browser plugins you have installed. This is called a “drive-by download.” A great way to protect yourself is to prevent web browser plugins from automatically running. Follow the steps for your browser:

  • Firefox: you are already protected since Click to play is enabled by default
  • Chrome: set up Click to play under the “Plug-ins” section of your browser settings
  • Safari: install the ClickToPlugin extension

You should also keep your software up to date. When an application alerts you that an update is available, install it right away.