How can I change a forgotten password?

I wanted to add a device and have forgotten the password.
I have 3 clients where I can access my notes.

How can I now safely change the password?

Which password?

Password for Encryption.

You can’t recover a forgotten password

I have devices where I can read my notes because the password is saved.
Can’t I export the notes from there?
What happens when I press “Disable encryption”?

If it’s from the desktop you can indeed export from there. For more info: https://joplinapp.org/e2ee/

So I could just disable encryption and set a new password?

Yes, you can disable then enable again.

I have found that the encryption password can be recovered if your client has the password stored. Copy the database.sqlite file from your Joplin .config directory to somewhere where you can tinker with it. Open it in a text editor and search for encryption.passwordCache. Immediately after that you will see a set of curly brackets containing two strings in quotes separated by a colon. The string after the colon is the encryption password. I have only tried this using the Windows client.

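The recovery trick above also doubles as an audit: if the password can be read out of the profile database, so can anyone (or any malware) with access to that folder. The following is an added example, not Joplin's own code or anything posted by the people in this thread. It builds a constructed stand-in for database.sqlite with a settings(key, value) table (the two-column shape the thread describes; the exact schema and the key names other than encryption.passwordCache are assumptions), then reports which sensitive settings sit there in clear text, redacting the values so the report itself is not a second copy of the secret.

```python
"""Audit a Joplin-style profile database for sensitive settings stored in clear text.

Added example; not Joplin project code. Assumes a settings(key, value) table
as described in the thread. Sample rows are constructed for the demo.
"""
import json
import sqlite3

# Fragments that mark a settings key as sensitive. encryption.passwordCache is
# named in the thread; the other fragments are assumptions for a generic audit.
SENSITIVE_KEY_FRAGMENTS = ("passwordCache", "password", "token", "secret")


def build_sample_db():
    """Constructed stand-in for database.sqlite (in memory, nothing touches disk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT)")
    rows = [
        ("locale", "en_GB"),
        ("sync.target", "5"),
        # JSON object {masterKeyId: password}: the "two strings in quotes separated
        # by a colon" the thread describes. Both values are made up.
        ("encryption.passwordCache",
         json.dumps({"1111aaaa2222bbbb": "correct horse battery staple"})),
        # Assumed key name for a sync-target password; value is made up.
        ("sync.5.password", "example-nextcloud-password"),
    ]
    conn.executemany("INSERT INTO settings VALUES (?, ?)", rows)
    conn.commit()
    return conn


def redact(value):
    """Keep only the first and last two characters so a report never leaks the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_plaintext_secrets(conn):
    """Return (key, redacted preview) for every sensitive setting with a clear-text value."""
    findings = []
    for key, value in conn.execute("SELECT key, value FROM settings ORDER BY key"):
        if not any(frag.lower() in key.lower() for frag in SENSITIVE_KEY_FRAGMENTS):
            continue
        if not value:
            continue  # empty or NULL: nothing stored, nothing to report
        if key == "encryption.passwordCache":
            try:
                cache = json.loads(value)
            except json.JSONDecodeError:
                findings.append((key, "present but not valid JSON"))
                continue
            for master_key_id, password in cache.items():
                findings.append((key, f"master key {master_key_id}: {redact(password)}"))
        else:
            findings.append((key, redact(value)))
    return findings


def audit_database(path):
    """Open a real database read-only and run the same check (usage on a live profile)."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_plaintext_secrets(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for key, preview in find_plaintext_secrets(build_sample_db()):
        print(f"{key}: {preview}")
```

To run it against a copy of your own profile, call `audit_database("/path/to/database.sqlite")`; an empty result is what you want to see on a client that has moved its secrets to the system keychain.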

You can also open it with something like SQLite Browser then open the “settings” table and indeed look for passwordCache.

Thank you so much! That saved me tons of recovery work! This time I got lucky; I won't allow this to happen ever again lol. But at the same time I started questioning Joplin security; keeping an unencrypted password in the db is probably not a good idea, even though it helped me :slight_smile:

https://joplinapp.org/faq/#could-there-be-a-password-to-restrict-access-to-joplin

While very useful to know, I find this finding very odd. When I read E2EE (in the general description), I assume that the following statement is true: End-to-end encryption (E2EE) is a system where only the owner of the data (i.e. notes, notebooks, tags or resources) can read it. And I interpret this statement to mean that only Joplin can read the data (on behalf of me) and that Joplin doesn't store this password somewhere in clear text, instead keeping this password somewhere "safe". I don't wanna go into the details of malware, limited data erasures on any SSD, and all the rest, or argue that Joplin is safe enough when data are encrypted between my wifi card and the rest of the world. I simply think a clear text copy of the password which dpoulton can "find" is not what I want for some of my notes.

So what are the alternatives?

  • encrypt the master key's password
  • don't store the password, let the user insert it every time
  • have it sort of auto-typed from within Keepass
  • store it in a location the user defines once
  • ... etc. etc.

Yes I know, each one of these ideas has its own drawbacks. Nevertheless, let me repeat: I think a clear text copy of my password one can "find" is not what I want for some of my notes.

The simple solution which does not require a solution within the app? Store the profile folder on an encrypted drive. I think this has its own drawbacks, but in any case the E2EE description on the Joplin website has to be very clear about these limitations.

Another subject related to this: does E2EE (as explained vs. as implemented) encrypt everything in the profile directory or not? And if not, why? But I will address this in a separate post.

The post you have replied to is over a year old now and this News post from June 2020 updates users with:

Support for system keychain on macOS and Windows

One of the issues mentioned in the security audit was that certain sensitive settings, like Nextcloud or encryption passwords were saved unencrypted in the Joplin profile. This new release will make use of the system keychain when it is available and move the sensitive settings to it. You don’t need to do anything to make use of this feature, it is automatically enabled in this release.

Currently this is supported on macOS and Windows. It is disabled of course for the portable version, and is also not currently enabled for Linux due to a build issue and less consistent support than on macOS and Windows.

(I have not looked to see if the Linux issue has also since been resolved)

With regards to E2EE, it is not a method of encrypting and securing the data on your local disk and never has been. It is there only to ensure that data transferred off your system to a cloud storage provider cannot be read by that storage provider or anyone who gains access to that storage provider's systems. Of course it also provides protection in addition to HTTPS whilst in transit both to and from the storage provider.

From what I have seen, if you enable E2EE you will see two copies of each file in your resources folder; the "plain version", say 004864a886874b57a37cc6234760c448.png and the encrypted version, say, 004864a886874b57a37cc6234760c448.crypted which Joplin uses to send to the sync target. The notes in your local Joplin database are unencrypted and there are unencrypted resource files (attachments) in your local resources folder. However all notes and resources are stored encrypted on the sync target.

Local encryption has been raised many times in the past. This is just one of the many posts.

If you were thinking of requesting local encryption please have a search of this forum first as the pros & cons have been discussed many times. It is also somewhat covered in the FAQ.

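The point about the resources folder can be checked directly: every plain attachment that has a .crypted sibling is readable on the local disk no matter how E2EE is configured. This is an added example, not code from Joplin or from anyone in this thread. It constructs a throwaway stand-in for the resources folder (file names follow the pattern quoted above; contents are made up) and lists each unencrypted resource together with whether an encrypted copy for the sync target exists beside it.

```python
"""List attachments that sit unencrypted on local disk next to their .crypted copy.

Added example; not Joplin project code. Assumes the resources folder layout the
thread describes: <id>.<ext> for the plain file and <id>.crypted for the copy
that goes to the sync target. Sample files are constructed in a temp directory.
"""
import tempfile
from pathlib import Path


def find_plaintext_resources(resources_dir):
    """Return (resource_id, plain_file_name, has_crypted_copy) for every non-.crypted file.

    E2EE protects only the copy sent to the sync target; a plain file here is
    readable by anyone with access to the profile folder.
    """
    resources_dir = Path(resources_dir)
    crypted_ids = {p.stem for p in resources_dir.iterdir() if p.suffix == ".crypted"}
    report = []
    for path in sorted(resources_dir.iterdir()):
        if not path.is_file() or path.suffix == ".crypted":
            continue
        report.append((path.stem, path.name, path.stem in crypted_ids))
    return report


def summarise(report):
    """Count plain files on disk and how many of them also have a .crypted copy."""
    return {
        "plaintext_files": len(report),
        "with_crypted_copy": sum(1 for _, _, has_crypted in report if has_crypted),
    }


def build_sample_resources():
    """Constructed stand-in for a resources folder; ids and contents are made up."""
    folder = Path(tempfile.mkdtemp(prefix="joplin-resources-demo-"))
    # Pair quoted in the thread: plain image plus the encrypted copy for the sync target.
    (folder / "004864a886874b57a37cc6234760c448.png").write_bytes(b"\x89PNG\r\n\x1a\n constructed")
    (folder / "004864a886874b57a37cc6234760c448.crypted").write_bytes(b"constructed ciphertext")
    # A plain resource that has not been encrypted for sync yet (constructed id).
    (folder / "0123456789abcdef0123456789abcdef.pdf").write_bytes(b"%PDF-1.4 constructed")
    return folder


if __name__ == "__main__":
    sample = build_sample_resources()
    report = find_plaintext_resources(sample)
    for resource_id, name, has_crypted in report:
        state = "also has .crypted copy" if has_crypted else "no .crypted copy"
        print(f"{name}: plain on disk ({state})")
    print(summarise(report))
```

Point `find_plaintext_resources` at the real resources folder inside your profile directory to see the same report for your own attachments; the count of plain files is the answer to "is my local data encrypted", and it does not change when E2EE is switched on.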

THANK YOU !!
As you guessed, I did entirely miss the dates of the earlier posts. Well ... no harm done, nothing wasted other than the time I took to write the useless response. Sh... happens :wink:


What about my time responding to your response! :smile:


Fair enough, but I assume you enjoyed it, like I enjoy helping other new users, no?

@ajay

The emoji at the end is supposed to show that whatever precedes it should not be taken seriously. Hope you are not offended.

Absolutely no misunderstanding, nor for a second. This line (in a similar case) would have come right out of my mouth :wink: