What If I Forget My Password? The Truth About Encrypted Notes

· · Daniel A

What If I Forget My Password? The Truth About Encrypted Notes

Zero-knowledge encryption means nobody can reset your password for you. Here is what to do about it.

This is the question that scares people away from encrypted notes apps. What if I lose access? The honest answer is uncomfortable, but it is the same answer that makes the encryption meaningful in the first place.

The brutal honest version

In a properly built zero-knowledge app, if you forget your password, your notes are gone. Not gone from the server. Just gone in any meaningful sense, because nobody on Earth can read the encrypted bytes without the key your password derives.

Not the company. Not their engineers. Not a court order. Not a clever support trick. The data exists, but it is mathematically locked, and the lock has no spare key.

Why this is by design, not negligence

  • A reset link implies the server can decrypt your data
  • Any company-held recovery key can be stolen or subpoenaed
  • Recovery questions and SMS resets break true privacy
  • The strongest guarantee is "we literally cannot help"

Why this is the trade you are actually making

Every "Forgot Password" link in a normal notes app means the company has a way to give you access without your old password. That implies they hold a key, somewhere, that can unlock your account.

If they hold it, somebody else can hold it too: a malicious employee, an attacker who gets in, a government with a warrant, a future owner of the company. Convenience and protection sit on opposite sides of a seesaw, and zero-knowledge apps sit fully on the protection side.

The good news is that real-world password loss is almost entirely a solved problem, as long as you set it up once.

How to never end up locked out

Treat your notes app password like the master password of a vault, because that is exactly what it is. There are three reliable approaches, and you only need one of them.

1. Use a password manager

This is the cleanest option. 1Password, Bitwarden, Proton Pass, iCloud Keychain, and similar tools are built for exactly this job. Generate a strong password, save it, and stop worrying. Your password manager itself becomes the single point you have to remember, and those tools usually offer recovery codes for that one master.

2. Use a passphrase you cannot forget

Pick four or five unrelated words that mean something only to you. velvet · harbor · trumpet · cinnamon is far stronger than Sunshine2024! and far easier to remember. Practice typing it for a week. After that, your fingers will remember it even when your brain does not.

3. Write it down and store it physically

It is 2026 and "write it on paper" still works. A sealed envelope in a fireproof box, a sheet inside a safe, or an entry in a notebook locked in a drawer is a legitimate backup. The threat model for paper at home is very different from the threat model for cloud servers.

Bonus: belt and suspenders

  • Store the password in your manager and on paper
  • Periodically export critical notes you would mourn most
  • Keep the export file itself encrypted, with the same care

When zero knowledge is not for you

If your notes are mostly grocery lists and birthday reminders, and the idea of safekeeping a password feels like a hassle that outweighs the privacy upside, a normal notes app is a perfectly reasonable choice. Encryption is a tradeoff, not a moral position.

If your notes contain anything you would not be comfortable seeing on a screenshot in someone else's hand, the small ritual of safeguarding a password is the cheapest insurance policy you will ever buy.

The SimplyBoard position

We cannot recover your password. We cannot decrypt your notes. We will not pretend otherwise.

What we can do is keep the setup as simple as possible: one password, derived into a key with Argon2id (a memory-hard key derivation function), used to encrypt everything with AES-256-GCM. Save it once, in a password manager or on paper, and you never have to think about this again.

And we added a fourth option to the list above: a recovery kit. In Settings, SimplyBoard can generate a one-time recovery code · 160 bits of randomness that wraps the same encryption key your password does. We show it to you exactly once and never store it; our servers keep only an encrypted copy of your key that the code can open. Forget your password, and the recovery code gets you back in and lets you set a new one. Lose both, and the brutal honest version above still applies · which is exactly how zero-knowledge should work.

· The SimplyBoard Team