Tuesday, March 12, 2013

Another reason to get rid of passwords

This morning I had a very unpleasant experience regarding passwords. A couple of years ago I set up an Evernote account for my wife (I had recently given her an iPad). With the recent Evernote hack and exposure, I wanted to help her reset her password and get her iPad and laptop apps back in working order. This should be a very simple and straightforward process... except for one minor problem that has effectively locked my wife out of her account.

The problem? I accidentally registered her account with the wrong email address. My wife uses an email provider that supports multiple email domains and without thinking I used the wrong domain. Now it appears that Evernote has chosen to only support resetting passwords via an email message and that, using an email address that was never verified. So my wife can ask for as many "reset emails" as she wants, but she will never receive them and Evernote does not appear to provide any other mechanism to reset a password.

While I'm very frustrated with my own mistake in setting up the account, I can't believe that Evernote would allow password reset flows with unverified email addresses.

8 comments:

Anonymous said...

Use LinkedIn to facilitate resetting the account. Search for people that work at Evernote and find a contact that knows someone there that can get you in contact with someone that can be an advocate.

Praveen said...

But George, the problem is that's probably the only reliable information they can trust after getting hacked.

Federated account verification could've helped but not all users understand what that means (it's 2013 and we are still talking about the same thing). :-/

Jim Hopkins said...

Tweet with @evernote hashtag. I bet they respond quickly. I've had 2 companies who ignore emails respond in seconds to a tweet. Stupid but true.

- Jim

George Fletcher said...

Praveen, I agree that the email address on the account is the easiest to use, but Evernote should have tracked which email addresses were verified and which weren't. I'm guessing that email verification wasn't required when I created the account.

Evernote could have used a system asking the user to specify contents of notes stored, which in aggregate would pretty uniquely identify the user. This is much harder to implement.

I agree with your frustration over identity federation. It would make my life a lot simpler in a lot of ways :)

George Fletcher said...

Thanks Jim. I've got a couple network inquiries going right now but may resort to Twitter :)

Alexei said...

George, the Evernote support team can help you work through this:

https://support.evernote.com/ics/support/default.asp?deptID=16058

They have a number of ways of ensuring you are the account owner and will get you squared away.

George Fletcher said...

This comment has been removed by the author.

George Fletcher said...

Thanks Alexei! We've got a ticket filed... #16051-270036 :)