Question: What is really happening with data access/decryption

[mmitchellmoss]

On the main Standard Notes website there is a lot of talk around encryption algorithms, account keys, secret keys, etc. Indeed, when accessing my data on my personal machine I have a lengthy passphrase that I must enter to gain un-encrypted access. This makes me feel warm and fuzzy.

However, when accessing from my work computer I choose the do not stay logged in option so as not to leave the data on my work computer. When accessing it this way all I have to do is enter my email address and simple password.

My background is in using gpg where you need to have physical control of your private key and the passphrase to decrypt data. I am curious what is really happening here if all I need is email/pw. I'm struggling to understand how that is any more secure than other systems, such as Evernote, which require the same.

Please forgive me if this is a dumb question, but I am genuinely ignorant on what is happening with this, thus the question.

Any insight is appreciated. Thank you.

[effieeee]

No worries about your question! Actually, technically a lot of the info on our help page already covers much of what makes the app more secure than other apps like Evernote, though were you looking to ask about something more specific? Or is there something about the end-to-end encryption on the app which you'd like more information about?

Our knowledge base page also has some very helpful and simple explanations to certain topics about security and privacy 🙏

[mmitchellmoss]

Yes, I have read the help pages. Thank you.

Let me rephrase what I am getting at.

In the help pages there are statements such as this, " It also not possible to "brute-force" this data, as attempting to guess the key behind the encryption would take many thousand (or even million) years, even with a network of supercomputers."

That is great that the data is so well encrypted to protect it against a brute for attack. However, if I am able to possibly hack into Standard Notes with an 8 or 10 character password and see the plaintext data then it would seem to negate all of that millions of supercomputer years of processing. I am attempting to understand what I see as a disparity between the two methods of data access.

[mmitchellmoss]

Thank you Effie. That makes sense.

[Julian-Dumitrascu]

@effieeee You are yet to address this issue.
It is useful to understand one another.
You can also discuss this with a colleague who understands this better.
A communicator's role is not to fight requests for service.
It is useful to complement your efforts to encrypt our data with an effort to log us in securely.
8-character passwords are not secure.
One can use software to generate 100-character passwords or GPG to create access keys.
Which such methods can we use with what software made by your team?
We can talk about how to design the log-in experience to bring data security to the desired level.

[effieeee]

Hi @Julian-Dumitrascu, I do apologize if I came off rather defensive when I sent an answer to the concern above. Of course we're very much open to discuss this more if I missed something out, or if I misunderstood the root of the concerns here 🙏 If you'd prefer to discuss things with one of the developers on the team, I'm afraid I can't always guarantee a response from them, but please do elaborate more on your concerns about the current log in process here. They're also able to see these updates on the discussion page of course, but I can also help raise it with them directly 👍

[Julian-Dumitrascu]

You indicate e.g. here that you allow us to use more than one means of authentication (e.g. biometric means), so I'm fine for now.
Why are you yet to provide the information for which I asked? You can look for the question mark in my previous message. It seems to me you sell more than one program; do you? That question gives you the opportunity to increase the probability that I'm going to use your services.

[effieeee]

@Julian-Dumitrascu I'm not sure what you mean? All the features included with each subscription are indicated on our pricing page. In terms of generating secure passwords, there are a good number of free services online that can help you with this. The Super note type has this feature, though it only generates 16 character passwords by default. This feature can be accessed by typing a forward slash (/) on any Super note, and scrolling down to find the password generator option: