
Companies Advise Tighter Security After Honan Hack

samzenpus posted more than 2 years ago | from the add-another-security-question dept.

Security 99

In the wake of the hacking of Mat Honan's accounts, Google, Facebook, Amazon, and Apple are just a few of the companies making their security policies tougher, and they are advising people to do the same. From the article: "Even as those companies’ teams moved to patch the holes, others moved to offer security tips. Matt Cutts, head of Google’s Webspam team, used his personal Website to urge Gmail users to embrace two-factor authentication. 'Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked,' he wrote in the August 6 posting."


99 comments


Feels like post-911 (5, Insightful)

A beautiful mind (821714) | more than 2 years ago | (#40976937)

In the name of security Google has been pestering me for my phone number for years, while their motives are much less about my security and more about their business reasons.

Re:Feels like post-911 (3, Funny)

Anonymous Coward | more than 2 years ago | (#40977029)

God, this thing annoys the hell out of me.
I need to write a userscript to auto-skip the page.

I AM NEVER GIVING YOU MY CELLPHONE NUMBER, I DON'T AND NEVER WILL HAVE ONE, I DESPISE THEM.
TAKE THE HINT GOOGLE.

I swear if this leads to more messages about this, I am just switching e-mail services.
My password is longer than the brain cells of most people who use Gmail, it ain't getting brute forced any time soon.
And I'm not someone stupid who runs fart.exe for funny fart noises.
They should just have an option in the settings where you can straight-up state "I am not a stupid person" so they won't treat you like a god damn 5 year old.
Every year that passes websites seem to get more insultingly simple. When is it going to be over? When will the web die? Will it be soon? Please tell me it will be soon!

Re:Feels like post-911 (4, Insightful)

ThunderBird89 (1293256) | more than 2 years ago | (#40977065)

Yet it seems you're very happy to use the internet, whose death you so crave, to voice your opinion and grief about the internet you use to give voice to your opinion.
Seeing the contradiction?

[First sentence is deliberately self-referential and obfuscated]

Re:Feels like post-911 (1)

jhoegl (638955) | more than 2 years ago | (#40978315)

Ironically people also use public forums to dispute their government, the very same government that gives them the freedom to do so.
So... this isn't a new thing.

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40979741)

The government doesn't GIVE us our freedom! It's our right by birth as free human beings! Government's mandate is to protect these rights. If it continues to fail in this task, it will be dissolved. Those responsible for its failing will be punished according to their crimes.

Re:Feels like post-911 (1)

ThunderBird89 (1293256) | more than 2 years ago | (#40982621)

Yes, but not disputing the forum itself. In your analogy, I'd equate the internet with the forum, not with the government (after all, the internet is the means for dispute, not the subject), with internet fora being subsets.

Re:Feels like post-911 (1)

Teun (17872) | more than 2 years ago | (#40984073)

Duh, the government is me.

Or at least a small part of it is till the next vote.

Re:Feels like post-911 (1)

Plumpaquatsch (2701653) | more than 2 years ago | (#40981883)

Yet it seems you're very happy to use the internet, whose death you so crave, to voice your opinion and grief about the internet you use to give voice to your opinion. Seeing the contradiction?

Should I be worried that you take a rant against Google as a rant against the Internet?

Re:Feels like post-911 (1)

ThunderBird89 (1293256) | more than 2 years ago | (#40981991)

When will the web die? Will it be soon? Please tell me it will be soon!

QED.

Re:Feels like post-911 (1)

Plumpaquatsch (2701653) | more than 2 years ago | (#40982463)

When will the web die? Will it be soon? Please tell me it will be soon!

QED.

So you take the last couple of words from a long rant against Google, and claim the whole thing to be against the internet, for which you have to equate "the web" with "the internet"? QED indeed.

Re:Feels like post-911 (1)

ThunderBird89 (1293256) | more than 2 years ago | (#40982607)

As he goes on, he goes from anti-Google to griping against "insultingly simple websites", which make up an increasing percentage of the internet in his opinion (reading between the lines). At least that's the impression I get from the rant, hence taking it to be against the internet in general.

Re:Feels like post-911 (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40978035)

Mat, the guy who was "hacked", also had a great password and didn't run attachments. The hackers didn't even need to know his password to gain access to his accounts. He was more a victim of using guessable e-mail addresses to log into Apple, Amazon, Gmail, and Twitter. He also bought stuff on Apple and Amazon. If you've done those things, then you too can be a victim. It was more a hack of the "forgot password" pages, some social engineering of the support staff, and intimate knowledge of the identification procedures of said companies.

Re:Feels like post-911 (1)

filthpickle (1199927) | more than 2 years ago | (#40978623)

forget it, he's rolling.

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40980755)

Guessable emails? They're supposed to be public you know. It's not like you make your clients guess your email to contact you, do you?

"guess my phone number if you want to go on a date!"

Re:Feels like post-911 (1)

Plumpaquatsch (2701653) | more than 2 years ago | (#40982169)

Guessable emails? They're supposed to be public you know. It's not like you make your clients guess your email to contact you, do you?

"guess my phone number if you want to go on a date!"

Let me explain: the hacker wanted his (three letter) Twitter account; to get it he had to get into his Google account. He went to the Google account password recovery page, which obfuscates the alternative address he gave to send the recovery email to. And that happened to be the (despite obfuscation) easily guessable same.name@me.com. Mostly because a) he used the same name part for all email accounts and b) Google does a bad job at obfuscating the @me.com part - the first three letters each of the name and domain part seem to be their standard, so for same.name@me.com they show sam******@me.***.

Re:Feels like post-911 (1)

kqs (1038910) | more than 2 years ago | (#40980551)

I AM NEVER GIVING YOU MY CELLPHONE NUMBER, I DON'T AND NEVER WILL HAVE ONE, I DESPISE THEM.
TAKE THE HINT GOOGLE.

I swear if this leads to more messages about this, I am just switching e-mail services.
My password is longer than the brain cells of most people who use Gmail, it ain't getting brute forced any time soon.

You despise Google but use their email? You seem to be a very confused person...

Why do you think the length of your password matters? Do you seriously think people are brute-forcing gmail passwords?

Google wants phone numbers for exactly one reason: so that when, against all odds, the gmail account of a self-proclaimed genius is hacked, google can restore the account to their control. Otherwise, after posting screeds about the Evil Google trying to steal their phone number, this theoretical mental midget posts rants about how Google let their account be hacked but somehow cannot determine who is the owner and who is the hacker when a password reset is requested. Google is screwed in the media whatever happens, but you should be glad they err on the side of giving people a reasonably secure channel to recover their account even if they determinedly avoid such sanity.

Re:Feels like post-911 (1)

GumphMaster (772693) | more than 2 years ago | (#40981731)

No, the poster despises cellphones and will never have one. Google's insistence on repeatedly asking for a cellphone number when none is forthcoming is the source of the rant. It annoyed me too but I haven't been prompted for a while now.

Re:Feels like post-911 (1)

HybridST (894157) | more than 2 years ago | (#40983053)

It annoys me every time I need to log in, especially on my iDevice where I have to click no, reload, hit back and refuse again before it loads properly.

I should set up a VoIP number similar to a certain luggage combo and enter that to click yes, but I bet it would violate the TOS...

Re:Feels like post-911 (5, Insightful)

patchmaster (463431) | more than 2 years ago | (#40977031)

Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40977157)

Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

You think google want your number to give you a call?

Think they want your number so they can call you with targeted ads?

Re:Feels like post-911 (1)

citizenr (871508) | more than 2 years ago | (#40977393)

Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

Haha, phone call from Google. You won't get one. You will receive one from a three-letter agency reminding you about that anonymous post you made 15 years ago on some obscure board.

Re:Feels like post-911 (1)

c++0xFF (1758032) | more than 2 years ago | (#40978909)

What part of ...

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

didn't you understand?

Re:Feels like post-911 (1)

Hatta (162192) | more than 2 years ago | (#40977427)

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

The fact that a single "no" is not enough to get them to stop asking is evidence enough.

Re:Feels like post-911 (4, Insightful)

tlhIngan (30335) | more than 2 years ago | (#40977875)

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

The fact that a single "no" is not enough to get them to stop asking is evidence enough.

Not to mention Google really tries to hide the "No" button. It just pops up as a box that says you need to enter your phone number. If you look down, the link to skip it is very tiny, enough to miss it. I'm willing to bet most people don't even know there's an option to skip it.

It also pops up randomly on you, and each time it seems the "No" link gets tinier and moved somewhere else.

For Do No Evil, they certainly are applying all the usual marketing tricks to hide stuff like free downloads and such. If they really cared, it would be in normal font with text saying it's completely optional and you can bypass it by clicking the nice big link.

Re:Feels like post-911 (1)

Teun (17872) | more than 2 years ago | (#40984149)

Those that don't have a cell phone will find the button, those that prefer privacy don't use a google account.

Re:Feels like post-911 (4, Insightful)

c++0xFF (1758032) | more than 2 years ago | (#40979021)

It's in Google's and your own best interest to make your accounts as secure as possible. They get a black eye in the media every time there's a high-profile hacking of a Google account ... which in turn hits at their reputation for providing solid, secure services.

Given that most users don't know what's best for them, I think it's completely reasonable for them to pester a little bit about a way to improve security.

Now, that said ... there should be a way to turn the reminder off completely. Some people (me) simply can't use it.

Re:Feels like post-911 (2)

rtfa-troll (1340807) | more than 2 years ago | (#40977539)

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

The key thing to know is that phone based password recovery on Gmail has been used to hack accounts [cloudflare.com] and that that has been widely publicised. In other words, giving your phone number over is less secure than not giving it over. In this case, Google is either stupid for continuing something they should know doesn't work or is evil for lying about why they want your phone number.

P.S. They have no intention of using the phone number to call you; phone calls are much more expensive than the various other ways that Google has to contact you. What your phone number could potentially do is link together different accounts with different names and link you to friends who have that phone number in their uploaded phone directories.

Re:Feels like post-911 (2)

metrometro (1092237) | more than 2 years ago | (#40978047)

+1 to evidence based paranoia. Google IS my phone number, and whatever their faults, they don't call me and don't appear to share that number.

Re:Feels like post-911 (1)

Xest (935314) | more than 2 years ago | (#40982069)

This is the fundamental problem with anti-Google FUD, despite all the claims of "Google collects this", and "Google collects that", the claims that it's a privacy nightmare have yet to materialise. Google has a lot of information on me and has for over 10 years, but I've never ever seen it end up in the hands of other companies I'm not happy with or used in ways I was not expecting.

Compare this to Facebook, Microsoft, Monster.com, who have all also had data on me and have managed to pass it to companies I did not give them permission to leak it to, which is a breach of the Data Protection Act in the UK. I know for a fact it was these companies as only these companies held such data. For example, I had a friend who my only connection to was via MS Messenger and who none of my other friends knew. This friend was later recommended to me as a contact on both LinkedIn and Facebook, so it's pretty clear Microsoft sold/leaked my contact information to these companies. Similarly I've had spam to e-mail addresses uniquely used for each of these companies. Google? Never had any such thing.

But it's all part of this sort of thing:

http://falkvinge.net/2012/03/02/how-microsoft-pays-big-money-to-smear-google-audaciously/ [falkvinge.net]

This is why Google is constantly being probed over privacy, which is no bad thing - companies should be held accountable to privacy laws - but there is a gross disparity between what Google gets investigated for and what Microsoft, Facebook et al. do not. It doesn't take much to put two and two together and see why when Microsoft is pouring so much into trolling Google with lobbyists in various governments and parliaments across the globe.

Personally I prefer to stick to the facts. Maybe one day the fanboys will be proven right and Google will spread every single bit of data they hold on me far and wide across the internet and use my information to steal all my money and fit me up for a murder I did not commit or whatever the fanboys and trolls predict will happen to anyone that uses Google's services, but right now there's no sign of any such thing with Google and again, in contrast, there is with companies like Microsoft and Facebook. Hell, even Amazon managed to fuck up one of my orders once and ended up sending my book, the packing receipt with my name, address, e-mail and so forth on to some random person, whilst sending me someone else's details and their order in a box with my address on, which is still worse than anything Google has done.

I give my consent for some companies to hold some of my data, and whilst Slashdot has more than its fair share of "off-the-grid" fantasists I'd wager none of them actually genuinely practice that ideology and that pretty much everyone here hands some private data over to private companies - possibly even against their will as government mandated data collection is passed to 3rd parties to store/process. The companies I respect are the ones who keep that data safe and do not abuse that data. Google is one of those who, for over a decade now, has not let me down in this respect, which is more than can be said for 90% of other tech companies I've dealt with. There's a massive divide between what it's claimed Google could do with your data, and what it has ever actually done with it in practice. I'm under no illusion that it uses it to improve its ad service and so forth, but that's the price I pay for using their services; what it doesn't do is sell or pass my data on to others, at which point it is much more out of my control as to what it's used for, and that's what matters to me.

Re:Feels like post-911 (1)

pnutjam (523990) | more than 2 years ago | (#40996499)

I think facebook and linkedin somehow scrape information if you have your email authenticated in a different browser tab. I don't know how to test this, but I am suspicious.

Re:Feels like post-911 (1)

Nyder (754090) | more than 2 years ago | (#40983841)

Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

What I find funny is I have a Google Voice account, and I have a Gmail account and oddly enough, they are both the same account, yet I still get Google asking for my phone number. Seriously Google, you have all my phone numbers already. Not sure why you are so stupid about it though...

Re:Feels like post-911 (-1)

Anonymous Coward | more than 2 years ago | (#40977033)

9/11 was an inside jew!

Re:Feels like post-911 (1)

vlm (69642) | more than 2 years ago | (#40977041)

I know for a fact you can use a GOOG Voice number for two-factor. That's what I used. They technically advise against it, but allow it.
It's just a backup for my authenticator app anyway. If I lose my phone, my paper password printout, access to my regular email, and everything else, then finally also lose or screw up my GOOG Voice, then yes I'll be screwed.

Re:Feels like post-911 (4, Informative)

Daas (620469) | more than 2 years ago | (#40977045)

You're OK with them storing every single one of your emails but not your phone number? I hope tinfoil hats are on sale these days.

If you're too scared of using the phone number auth, just use the Android or iPhone authenticator app. Setup is quick, it's not too invasive and it just works.

Re:Feels like post-911 (1)

6ULDV8 (226100) | more than 2 years ago | (#40977987)

If I'm spammed, opening another Gmail account is free. Changing my phone number costs $36.

Re:Feels like post-911 (1)

codegen (103601) | more than 2 years ago | (#40978239)

If you're too scared of using the phone number auth, just use the Android or iPhone authenticator app. Setup is quick, it's not too invasive and it just works.

Myth #7 - The Google Authenticator app does not require your phone number and SMS messages.

Fact - You cannot set up the authenticator app unless you have given your phone number to Google and first authenticated using SMS.

My cell phone number is known only to 10 of my friends and 2 companies (one of which is the provider). I have no intention of giving it to Google. Also, I only use gmail for personal non-financial/business mail. I have an email account that is protected by stronger privacy laws than exist in the US for my regular business.

I have a close friend who is a retired reporter and does not own a cell phone. But she does own a 4th Gen iPod Touch. Surely she should be able to use google authenticator? The short answer is no she can't.

Re:Feels like post-911 (1)

Anonymous Coward | more than 2 years ago | (#40979365)

And how have you prevented your 10 friends from syncing their address books through any 3rd party software?

On a more personal note, why do you have a cell phone to call only 10 people?

Re:Feels like post-911 (1)

Plumpaquatsch (2701653) | more than 2 years ago | (#40982237)

And how have you prevented your 10 friends from syncing their address books through any 3rd party software?

He can't - that's why he doesn't want to give Google his phone number, so Google can't link his identifying phone number with the same phone number in his friends' synced phone directories.

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40980877)

Who said anything about "every single one of your emails"?

I only use Gmail as a general purpose public email. Forum sign-ups, occasional contacts with gov and corp departments. It's not my personal email. Just a mail-box to check once a day, leaving my personal, direct, addy free from interruption. Same way I'm careful about who I give my cell number to.

It's not unusual at all to have multiple email addresses.

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40977095)

Mod up. From TFA that's all Google is offering -- more pressure to grab your phone number.

And it's worth noting that Bruce Schneider has pointed out the problems of two-factor authentication for years.

http://www.schneier.com/blog/archives/2012/02/the_failure_of_2.html [schneier.com]

http://www.google.com/search?domains=www.schneier.com&sitesearch=www.schneier.com&q=Two-Factor+Authentication&hq=inurl%3Awww.schneier.com%2Fblog [google.com]

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40977155)

And it's worth noting that Bruce Schneider has pointed out the problems of two-factor authentication for years.

Who the fuck is "Bruce Schneider"?

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40977743)

Bruce, is that you?

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40981367)

They already have your phone number.

At least one of your friends has it in their address book, either on google voice, or gmail, or whatever else, with your name and email also associated with that identity.

Just like facebook already knows what you look like, even if you don't have a facebook account. Your friends have tagged you in their pictures.

Like all security: weakest link. In this case, it's all the people we know that care nothing of their security and privacy.

Re:Feels like post-911 (0)

Anonymous Coward | more than 2 years ago | (#40985795)

while their motives are much less about my security and more about their business reasons.

I gave in and gave Google my number (Skype number, nonetheless) before leaving for a trip to Europe. After I logged into my Gmail account - my account was blocked due to "suspicious activity" (damn Europeans and your suspiciousness).

The recovery process was Google calling the number I gave them and me choosing options from the voice menu. I have to say, it felt more secure than a second email address they send a recovery email to - but maybe that's just me.

two-factor security (1)

jellybear (96058) | more than 2 years ago | (#40977019)

One major problem with Google's two-factor authentication is that it requires mobile phone reception. There are many settings where mobile reception is not available. It would make more sense to SMS or print a one-time pad with enough numbers to last until the user decides to generate a new pad.

Re:two-factor security (1)

zrbyte (1666979) | more than 2 years ago | (#40977055)

No it doesn't. You can use the Google authenticator app. [google.com]

Re:two-factor security (1)

cvtan (752695) | more than 2 years ago | (#40977111)

You need a smart phone for that. You can print out a bunch of verification codes and stick them in your wallet. Cell reception is not reliable.

Re:two-factor security (2)

kaiser423 (828989) | more than 2 years ago | (#40977279)

But the app doesn't require cell phone service to be usable. You just need the smartphone or tablet. (in reference to your last sentence).

I do have a printout of one-time codes, but I find that I never use them anymore because I always just use the phone app, because it works as long as the phone has juice. Which you should have some available if you're using a computer to check your gmail...

Re:two-factor security (3, Informative)

robmv (855035) | more than 2 years ago | (#40977523)

Adding more info about the application: the client is OSS [google.com], so anyone can port it to Windows/Linux/Mac/browser extension/you name it. There is nothing in Google's solution that requires a smartphone or a data connection.

Re:two-factor security (1)

ThunderBird89 (1293256) | more than 2 years ago | (#40977075)

It has an OTP you're required to save before completing the process (ten keys), and the mobile app doesn't require a data connection to my knowledge, after the initial pairing.

Re:two-factor security (0)

Anonymous Coward | more than 2 years ago | (#40977181)

> One major problem with Google's two-factor authentication is that it requires mobile phone reception.

Google Auth is very happy with no network access at all (mine is turned off).

I'm moving to secure all my servers with it. Setting it up with apache is really easy.

http://www.reddit.com/r/sysadmin/comments/xl45i/easy_secure_otp_auth_for_your_site_with_google/

Re:two-factor security (5, Informative)

kaiser423 (828989) | more than 2 years ago | (#40977237)

Uh, they do have a one-time pad of pre-authenticated numbers, and an app that doesn't require an internet connection. I've authenticated from a 9200bps modem from the middle of the Pacific using my list of one-time security access codes.

In other words, it's glorious. Google does security right, and everyone else needs to take notice. Including corporate IT departments. I've used it for years, and every now and then when I need a new account, I go and get an outlook.com account or similar, because all the regular names are taken in gmail, but I always feel so naked using them. No security at all.

Re:two-factor security (1)

jellybear (96058) | more than 2 years ago | (#40977585)

Oh, hey, you're right. Nice.

Re:two-factor security (2)

robmv (855035) | more than 2 years ago | (#40977615)

As others have said, there is no need for a data connection. The common user experience problem with the Google application (which implements the OATH standard) is that it requires a little time synchronization: if your phone date and time are too far from the real ones, the generated code will not work. The Google application requests the Internet connection permission in order to query the time from Google servers and store the offset from your phone time, in case your phone time is wrong. It connects sometimes to update that offset when connectivity is available. If you have the correct date and time (and timezone), data connectivity is not needed ever.
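An added example (not Google's code nor any commenter's) of the OATH TOTP scheme the authenticator app implements, showing why a phone clock that is a few seconds off still yields an accepted code while one that is minutes off does not. The +/-1 step acceptance window and the stored clock offset are assumptions modelling typical verifier and app behaviour; the key is the RFC 6238 test vector, written the way a pairing screen would display it.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step, also what the authenticator app uses
DIGITS = 6          # length of the code shown in the app


def decode_base32_secret(shown_secret: str) -> bytes:
    """Turn the base32 secret shown during pairing (spaces allowed) into raw key bytes."""
    cleaned = shown_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)       # restore any padding the display dropped
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time // step))


def verify_totp(secret: bytes, code: str, server_time: float,
                step: int = STEP_SECONDS, skew_steps: int = 1):
    """Server-side check. Returns the step offset at which the code matched
    (0 = current step, -1 = previous, +1 = next) or None if rejected.
    The +/-1 step window is an assumption; it is what most verifiers allow."""
    current = int(server_time // step)
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return delta
    return None


def code_accepted(secret: bytes, phone_time: float, server_time: float,
                  stored_offset: float = 0.0) -> bool:
    """Would the code the app shows on a phone whose clock reads phone_time be
    accepted by a server whose clock reads server_time?  stored_offset models the
    correction the app keeps after asking the time server how wrong the phone is."""
    code = totp(secret, phone_time + stored_offset)
    return verify_totp(secret, code, server_time) is not None


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test key, as it would appear during pairing.
    key = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    server_now = 1111111111
    for drift in (0, -20, -45, -120):
        ok = code_accepted(key, server_now + drift, server_now)
        print(f"phone clock off by {drift:5d}s: {'accepted' if ok else 'rejected'}")
    # A 120 s clock error is rejected until the app's stored offset cancels it out.
    print("with stored offset:",
          code_accepted(key, server_now - 120, server_now, stored_offset=120))
```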

Big brother (1)

Anonymous Coward | more than 2 years ago | (#40977025)

Strong long password is all I need for a free email service.

Why would I want to give my mobile number to google with their track record on privacy etc...

This smells the same as the 'iPhone is uncrackable' story.

Thank you Mat (1)

wiedzmin (1269816) | more than 2 years ago | (#40977229)

You took one for the team.

And 2 factor will do what? (2)

the_B0fh (208483) | more than 2 years ago | (#40977289)

Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me? Any computer I use to check gmail is fully under my control.

1) no man-in-the-middle sniffing
2) no key logger sniffing
3) assuming no one steals the password file from Google
4) my gmail password is not used elsewhere.

Re:And 2 factor will do what? (3, Insightful)

kaiser423 (828989) | more than 2 years ago | (#40977343)

Any computer I use to check gmail is fully under my control.

Lucky you. That's not the case for most of us.

Re:And 2 factor will do what? (1)

the_B0fh (208483) | more than 2 years ago | (#40977461)

I do realize that :) Not too many people can have a computer or phone that is fully under their control, especially if it's work provided. But all mine are installed from media (openbsd, debian, osx, and even windows).

I would be screwed if something like On Trusting Trust happens, but then they could just man-in-the-middle the transactions anyway.

Re:And 2 factor will do what? (2)

KhabaLox (1906148) | more than 2 years ago | (#40977481)

Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me?

You are perhaps not the best target for 2-factor as your secondary (or tertiary) security measures given the fact that you already use 3 different security practices when accessing email: SSL, own computer, un-shared password. You probably also have a robust password. A lot of, if not most, people use only one, weak level: a six to eight character password shared across multiple sites. Two-factor will help them. (Of course, they should also use a unique, harder to crack password, but turning on 2-factor auth is probably easier).

Also, if you only access from trusted computers, 2-factor auth only needs to be set up once. Unless you are really paranoid about giving out a phone number, what's the bother?

Re:And 2 factor will do what? (1)

the_B0fh (208483) | more than 2 years ago | (#40979595)

#1 - not willing to give out my phone number to google.
#2 - if you only set it up once, that may not be the 2 factor you think you have...

Re:And 2 factor will do what? (1)

KhabaLox (1906148) | more than 2 years ago | (#40980153)

#2 true, but then that goes for your "trusted computer" scenario. If you assume your computer is under your full control (the assumption I make for my desktop and laptop) then you don't "need" 2-factor. What the 2-factor prevents is someone stealing your password and logging in from their computer. If they steal your laptop or desktop (i.e. you lose the physical security layer), then you're in trouble anyway.

Re:And 2 factor will do what? (1)

the_B0fh (208483) | more than 2 years ago | (#40980665)

I'm referring to your previous comment that 2 factor authentication only needs to be set up once. If that's the case, it is *NOT* 2 factor authentication.

Someone stealing my laptop won't get my info because I have full disk encryption, so unless they can break my password...

Re:And 2 factor will do what? (1)

KhabaLox (1906148) | more than 2 years ago | (#40981091)

I'm referring to your previous comment that 2 factor authentication only needs to be set up once. If that's the case, it is *NOT* 2 factor authentication.

Well, you are semantically correct. When Google's 2-factor is turned on, anytime you log on to the account from an untrusted* computer, you must enter the 2nd factor authentication code. To be 100% 2 factor authentication you would want to force the entry of the second factor for *every* single login, but you also want to balance security and convenience based on your personal risk management algorithm. Just as it makes sense for you to not use 2-factor authentication because you always log in from a computer you control, it makes sense for a Google user to use 2-factor only when they log in from a computer that they don't control.

Someone stealing my laptop won't get my info because I have full disk encryption, so unless they can break my password...

Question on that: I'm guessing you run Linux, and thus your login password is probably harder to crack, but if you were running Windows, and thus had a relatively easy way to crack the login password, would full disk encryption still protect you?

*I'm not sure, but it may ask for the 2nd factor every X logins from a trusted computer.

Re:And 2 factor will do what? (1)

Straker Skunk (16970) | more than 2 years ago | (#40977483)

Assuming no one can hack SSL

The bad guys don't have to hack SSL. They only have to hack a certificate authority.

(IIRC, this is how the Chinese government broke into the Gmail accounts of various dissidents/activists.)

Re:And 2 factor will do what? (1)

the_B0fh (208483) | more than 2 years ago | (#40978371)

And I only use Chrome, which pins the certs, for gmail :)

Well, I do use mail.app on the iphone... hmm... must go find out more about that.

Re:And 2 factor will do what? (1)

metrometro (1092237) | more than 2 years ago | (#40978085)

"Any computer I use to check gmail is fully under my control."

That's not really webmail then, is it? Most products are more secure when you don't use them.

Re:And 2 factor will do what? (1)

the_B0fh (208483) | more than 2 years ago | (#40979615)

What in the world are you talking about? I understand the individual words, but there appears not to be any sense to the way you're putting them together.

Re:And 2 factor will do what? (1)

metrometro (1092237) | more than 2 years ago | (#40980231)

My point is that the obvious advantages of "web-based" email aren't really being delivered if you have to limit it to specific hardware in order to securely use it. Two factor lets you use webmail to its potential (i.e. hardware agnostic) with some of the security assurances that hardware-specific solutions (like yours) can achieve.

In general, I think security systems that require users to act against the implied promises of the UI are crappy systems, so I'm glad to see two factor auth - a partial solution to keyloggers and whatnot - being promoted.

Re:And 2 factor will do what? (1)

the_B0fh (208483) | more than 2 years ago | (#40980677)

I do not authenticate to any services on anything I don't control.

If you do, more power to you, but the same malware that can keylog your session can also insert itself into your data stream, whether there's SSL or not. So I don't understand what the advantages are of logging in on any computer you do not control.

Re:And 2 factor will do what? (1)

dkf (304284) | more than 2 years ago | (#40983413)

"Any computer I use to check gmail is fully under my control."

That's not really webmail then, is it? Most products are more secure when you don't use them.

You're claiming it's only webmail if you access it from a dodgy webcafe in Vietnam? That's... a strange position to take.

OK, I've done a slight exaggeration of your position there, but really there's nothing about webmail that says you have to authenticate to it with a non-crypto identity (though particular services might not be so cautious) and from a device that you don't control utterly. Client devices are pretty cheap now, and common too, so you won't look strange for carrying yours around with you. You can even throw those who question it off by claiming that you're doing it because you only feel comfortable using a device with the right background wallpaper; they'll think you're a strange OCD type, but won't probe more deeply. Meanwhile, you get the benefit of knowing that you've not got physical keyloggers installed (and you know you've not installed malware on it, yes?)

Re:And 2 factor will do what? (0)

Anonymous Coward | more than 2 years ago | (#40978107)

But do you buy things online? Do you use the same, or similar e-mail addresses to log into several services? That is enough.

This was more a hack of the "forgot password" pages: some social engineering of the support staff, and intimate knowledge of the identification procedures of Amazon, Gmail, Apple, Twitter. For example, Amazon lets you add a credit card to an account using only e-mail, a name, and an address. Then you can use that credit card number to get the last 4 digits of another credit card on file. These digits are used by Apple as part of their identification process in order to reset your password.

Breaking SSL, keylogging (or even knowledge of your password), or other equally improbable scenarios are just not needed.

Re:And 2 factor will do what? (1)

the_B0fh (208483) | more than 2 years ago | (#40978397)

And how does 2 factor protect you from any of the scenarios you mentioned?

You do realize anyone with the power to reset your password/unlock your account, has that power whether you have 2 factor or not?

Lost Mobile Phone (1)

RajivSLK (398494) | more than 2 years ago | (#40977365)

The only problem I have with two factor authentication for Gmail is if I lose my phone, how do I access my email? I don't want to be locked out of my email, ever.

Re:Lost Mobile Phone (0)

Anonymous Coward | more than 2 years ago | (#40977801)

You print out a set of one-use codes and keep them in your wallet.

If you ever print out a new set it will invalidate the old set. It's a neat system.

Re:Lost Mobile Phone (0)

Anonymous Coward | more than 2 years ago | (#40982009)

Let's play make believe! OK, I setup this 2fa thing. A year later, I've moved country (changing my phone number in the process, but keeping my laptop). I printed out a set of one-use codes, but for the life of me I don't know where they are. They could have been left in the old place, or could be in one of three or four different boxes, or somewhere else. Someone steals my laptop.

Now what?

Or, there are many many other scenarios where this is not perfect. See, for one. (Also, fancy Firefox tip (works in at least 14, maybe earlier as well): you can highlight a URL and click open in new tab, even if it isn't a link. Isn't that sweet! Also, Chrome sucks because it doesn't have built in RSS support, and for many other reasons.)

Re:Lost Mobile Phone (0)

Anonymous Coward | about 2 years ago | (#41018367)

Well, you could just have a copy of the original text file containing all of your one-time-use codes stashed away somewhere in a directory on one of your hard drives (encrypted if you'd like). That way, if you manage to lose your physical copy, you have a backup--the original file. It's what I do and it's not rocket science. You could optionally encrypt it if you'd like, though I'd prefer not to take the chance of forgetting my encryption password in a year when I finally need it and then be completely locked out of my account, so I don't do it myself, but that's up to you. The files remain on my computer and never leave the house. Of course, nothing is stopping you from using a USB thumb drive--but those things are so small, often carried around all over the place and easy to lose that I would never suggest anyone put anything important on one of those unless it's encrypted.

Honestly, I think this whole "10 backup codes" thing is both a pain in the ass and a security vulnerability, just like the method Google uses of providing endless disposable application-specific passwords. It's just a non-moving target of up to ten keys someone could use to gain access to your account and they don't change until you generate a new set... and every time you do, you need to update your own records, print out a new list, etc. I'd prefer it if Google would reduce the number of codes handed out at any given time to five or even eight to reduce the potential attack surface area, or find some way other than using those codes completely. Still though, the ten backup codes is not the real problem, because my actual password must be known when logging on to the main Google site; it's really the application-specific passwords (but more on those later).

Once I finally got Google Authenticator set up on my phone, I never cared to have a new code sent through SMS again; it's just so much faster, more convenient, and I've got new codes being generated constantly for three accounts at a time so I can quickly log into each one of them back to back (remembering three separate strong passwords is the hardest part). No more waiting for a text message. The fact that you don't need phone service or even Internet access to get the codes sealed the deal. It took a while to figure out how to get it set up though, because I could find nowhere on the Internet any info as to where on Google's web site that bar code is that you have to scan. I'm going to be getting a cheap new emergency/backup phone soon and plan on adding it as the second number for two-step authentication. Once this is done, the list of ten permanent backup codes will become even less important; I will have two phones/numbers that can be used to authenticate.

And now... those damn application-specific passwords. Google seems to intend the application-specific passwords to be used as one-time-use disposable passwords for every little device and for every little application. If you use them that way, you could easily end up with a half-dozen or more shitty, weak passwords (they're all letters, four sets of four characters, spaces optional) that all grant access to your account. Right now, I think this is the main weak point of the service, and I try to limit their use as much as possible. Now not only do you have one (strong) password that is further protected by an extra authentication step, you have potentially dozens of weak ones, all capable of granting access to your account without two-step authentication. Fair enough, the general population probably has even weaker passwords than the ones Google provides, but my "actual" passwords are longer and far more complex, containing more than just lowercase letters, and having those things attached to my account really doesn't make me feel comfortable.

If Google wants me to have a bunch of gibberish, all-lower-case-letters, 16-character passwords that I only use once per application, then god damn it--let me come up with my own gibberish, 20- to 25-character single-use passwords that contain both capital and lowercase letters, numbers, periods, commas, dashes, underscores, and every other character you could think of! Hey, after all--if they're only intended to be used for one thing and are easily revoked, then clearly there is no point in making them easy for you, let alone anyone else, to guess or remember. As it is now though, you get multiple seemingly-weak passwords that all grant access to read or send e-mail, delete e-mail messages, read/write privileges to your Google contacts, chat on Google Talk, etc. It just doesn't seem safe that all of this is locked by a 16-letter password, and the letters generated don't even seem very random sometimes.

I actually try to minimize the problem by copying and pasting my application-specific passwords into a text file and re-use certain application-specific passwords for certain things. For example: one exclusively for my phone (completely untrusted; I take it wherever I go, it can be lost/stolen easily), one for instant messaging on trusted machines (those that don't leave the house, or those that I only take to trusted places), one for instant messaging on other untrusted devices (systems that I am likely to take different places, though probably not as often as my phone), etc. So I only have two or three application-specific passwords, but I still don't like it--even one weak link is too much for me. The only thing I like about them is that they can be revoked individually, making it easy to completely disable a stolen device from easily being logged in to Google while leaving everything else unaffected (but if it's already logged in and cookies are set, then you might still be screwed).

I refuse to post this under my username, because I'd rather my accounts not be linked Mat Honan-style in an actual attack... although with two-step authentication turned on all of my accounts, I hope I'm at least somewhat more safe. But you never know with those sixteen-letter passwords. Still, I described my setup in quite a bit of detail, so better safe than sorry.
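The backup-code lifecycle the two comments above describe (a fixed set of single-use codes, each one burned on use, the whole set invalidated when a new one is printed) as an added example of how a service can implement it server-side. This is illustrative code written for this page, not Google's implementation; the 8-digit numeric format, the set size of ten and the salted-HMAC storage are assumptions. The point worth seeing is that the server never needs to keep the plaintext codes: it stores only keyed hashes, compares in constant time, and a code that was redeemed once cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Assumed format: 8 decimal digits per code, ten codes per set (as in the thread).
CODE_LENGTH = 8
CODES_PER_SET = 10


def _hash_code(salt: bytes, code: str) -> bytes:
    # Codes are short and fixed-length, so a per-set salt keeps a leaked table
    # from being attacked against every user with one precomputed dictionary.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class BackupCodeSet:
    """Hypothetical server-side record of one user's backup codes."""

    def __init__(self):
        self.salt = b""
        self.unused = set()  # keyed hashes of codes not yet consumed

    def generate(self):
        """Issue a fresh set and show it to the user once; the old set is gone."""
        self.salt = secrets.token_bytes(16)
        codes = [
            "".join(str(secrets.randbelow(10)) for _ in range(CODE_LENGTH))
            for _ in range(CODES_PER_SET)
        ]
        self.unused = {_hash_code(self.salt, c) for c in codes}
        return codes

    def redeem(self, code):
        """True if the code is valid and unused; it is consumed on success."""
        if not self.unused:
            return False
        candidate = _hash_code(self.salt, code.replace(" ", ""))
        match = None
        for stored in self.unused:
            # Constant-time compare against every stored hash so timing does not
            # reveal how far into the set a partial match got.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)
        return True

    def remaining(self):
        return len(self.unused)


if __name__ == "__main__":
    s = BackupCodeSet()
    first = s.generate()
    print("issued:", first)
    print("redeem once:", s.redeem(first[0]))      # True
    print("redeem again:", s.redeem(first[0]))     # False, already burned
    second = s.generate()
    print("old code after regenerate:", s.redeem(first[1]))  # False
    print("remaining in new set:", s.remaining())            # 10
```

Regenerating replaces the salt as well as the hash set, so nothing from the previous printout remains redeemable, which is the behaviour the earlier reply described.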

Re:Lost Mobile Phone (1)

lpq (583377) | more than 2 years ago | (#40986695)

The only problem I have with this is -- what if you don't have a mobile phone?

He could have (maybe still can) un-wipe his Mac (0)

Anonymous Coward | more than 2 years ago | (#40977473)

All he needs is the un-wipe PIN for his Mac and it will be back to normal. I'm sure with this kind of publicity someone at Apple could give him the PIN that was used to wipe it.

No 2 factor please (2)

Chemisor (97276) | more than 2 years ago | (#40977569)

2 factor authentication is unacceptable for anything that's frequently used. If you log in to your online banking account once a month, it's ok to jump through a few extra hoops for security. But for something you do every day, or several times a day like email, any extra barriers are unacceptable. I don't even want to enter my password more than once a day, why would I go through the incredible hassle of 2 factor authentication?

Re:No 2 factor please (1)

Ant2 (252143) | more than 2 years ago | (#40977681)

I am guessing you have not tried Google's 2-factor authentication?
I enabled it last week. I had to create a few application-specific pass codes and add a couple of machines as trusted. Done. Not bothered since.

Re:No 2 factor please (1)

dgatwood (11270) | more than 2 years ago | (#40977841)

I am guessing you have not tried Google's 2-factor authentication? I enabled it last week. I had to create a few application-specific pass codes and add a couple machine as trusted. Done. Not bothered since.

That's because most of the time, Google's two-factor authentication isn't real two-factor authentication. It requires something you know, plus something you know. A stored cookie in a browser is just a shared secret (something you know), as is a password. Therefore, it is not true two-factor authentication any more than asking for two passwords is two-factor authentication. True two-factor authentication requires two different factors, not two instances of the same factor.

And even to the extent that it tries to require a second factor (requiring you to confirm using your cell phone when you add a new machine), it isn't a very good second factor. If your password got cracked, odds are pretty good that they stole your password by cracking into your mobile phone, at which point your second factor is no better than the first.

When you experience real two-factor authentication, you'll know it. It is cumbersome. It has to be. Any factor that isn't cumbersome (read "not networked") is likely to be a terrible second factor, if it qualifies as a second factor at all.

Re:No 2 factor please (1)

alcourt (198386) | more than 2 years ago | (#40978585)

I've used real multi-factor auth in the form of SecurID. It isn't cumbersome. Doing it right doesn't have to be a PITA. If Google wanted to make it easy, they'd distribute a SecurID like local app to disgorge one time passwords when poked with your local passphrase.

Currently, I use the mobile SecurID app because my work phone I can treat like my physical factor. The fact that I can't copy that to another phone and have it "just work" suggests that it was done right here. (I'm not on the SecurID support team).

We aren't trying to protect national secrets here. Always keep in mind your threat model when designing your security. The real failure of Google's design is it presumes everyone has a mobile phone supporting SMS that they are willing to use regularly.

Re:No 2 factor please (1)

dgatwood (11270) | more than 2 years ago | (#40980355)

Cumbersome is relative. Hardware tokens cumbersome so long as you only have one of them on your keychain. If every site used it, you'd need a chiropractor pretty quickly, not to mention stronger pants pockets. And if you switch to a model of central authentication, now you have one site that can be compromised and trivially turn hundreds or thousands of sites' security into a four-digit PIN, while simultaneously rendering hundreds of millions of dollars worth of hardware tokens useless until the users mailed in the tokens to get them rekeyed (or for devices that cannot be rekeyed, permanently useless).

In other words, if it isn't cumbersome for the user, it probably isn't particularly secure. In theory, there are ways of doing something that isn't too cumbersome and is still secure, but they would require smarter CryptoCard-like devices that let you generate new site-specific keys on the fly that you can type in (over a secure channel) as part of setting up an account with a website.

The fact that I can't copy that to another phone and have it "just work" suggests that it was done right here. (I'm not on the SecurID support team).

AFAIK, you can prevent migration just by storing the data in the keychain and setting a couple of flags so that it won't get backed up or migrated. However, I'm pretty sure none of those protections will help you in the slightest if the device actually gets compromised. It's a bit like trying to hide your files from root.

Re:No 2 factor please (1)

dgatwood (11270) | more than 2 years ago | (#40980367)

Ouch. Somehow, I lost a word from that second sentence. I meant to say "Hardware tokens aren't cumbersome...".

Re:No 2 factor please (1)

alcourt (198386) | more than 2 years ago | (#40980743)

The point of such software is the software alone is worthless. You still need that second factor of the "something you know" to make any use of it. For example, you must compromise both the device and the PIN in the SecurID case. As I understand, the software somehow binds itself to some kind of machine identifier on installation, and that is used in device setup, making migration difficult if not impossible. Maybe it is using a hostID to modify the generated number. Not necessarily impossible to fake, but raising the difficulty level.

We as security geeks are a bit two faced about authentication. We want good authentication services, we don't want a central authentication repository that can invade our privacy by knowing everywhere we authenticate. We want google to authenticate us with more than a simple password, we don't want to give google too much data about ourselves. We don't want to give a dedicated authentication service information about who we are authenticating to.

The solution that most comes to mind is a kerberos style approach where you create a ticket that anyone can validate readily, but they don't need to talk to the central repository to do so. You do need to talk to the central repository to create said ticket though, which would make availability crucial. Of course there are problems with this approach, but one has to start somewhere with tossing ideas out.

The old "security must be cumbersome" theory is one I'm constantly fighting in my job. My standard counterexamples are centralized security logs vs managing per system local logs, SSH keys vs local passwords. Even how we do SecurID is a lot simpler than local passwords for me.

Re:No 2 factor please (1)

dgatwood (11270) | more than 2 years ago | (#40981309)

The point of such software is the software alone is worthless. You still need that second factor of the "something you know" to make any use of it. For example, you must compromise both the device and the PIN in the SecurID case.

Not really. Typically, systems based on those sorts of devices use a four-digit PIN. Wanna guess how many seconds it takes to crack a four-digit PIN? Besides, chances are, the user will end up logging in to some of those systems from the phone, at which point you have the PIN, too. :-)

As I understand, the software somehow binds itself to some kind of machine identifier on installation, and that is used in device setup, making migration difficult if not impossible.

I'm guessing that's referring to using data protection APIs. That protects against someone physically messing with the device who doesn't know the passcode. As far as I know, it isn't useful against a remote attack (wherein the attacker is able to continue running code on the device over a period of time) because eventually the user is going to unlock the device, at which point those files become readable.

The old "security must be cumbersome" theory is one I'm constantly fighting in my job. My standard counterexamples are centralized security logs vs managing per system local logs, SSH keys vs local passwords. Even how we do SecurID is a lot simpler than local passwords for me.

Don't misunderstand me. I'm not saying that security has to be cumbersome, so much as that good security usually is, and that if it looks too easy to be robust, it usually is. More often than not, when someone makes security easier, they do it by adding shortcuts that weaken security. Being able to permanently authorize a particular computer so that it requires fewer (or no) credentials is a great example of such a shortcut. Being able to reset passwords by answering security questions is a shortcut. And so on. These make security less cumbersome at a significant cost to actual security.

When security seems convenient, I immediately start looking for the flaws. Usually it doesn't take very long to find at least one.

We want good authentication services, we don't want a central authentication repository that can invade our privacy by knowing everywhere we authenticate.

Eh. That's a pretty low concern for me. I mean ostensibly yes, but in practice, I'm more concerned about it from the opposite perspective—that compromising a single site would give someone near unlimited ability to screw with my digital life. :-) There are no companies out there that I would trust with that kind of power—not even my employer or any of my former employers.

Re:No 2 factor please (1)

alcourt (198386) | more than 2 years ago | (#40983071)

Even RSA admits no one should use a 4 digit PIN. The reason the PIN is acceptable in length is the only way to test a PIN is valid or not is to use it with the code to enter a passcode on an authentication site. If you are allowing over a thousand bad guesses, you're doing something else wrong. The PIN is used to modify the 8 digit token displayed on the screen and then that result is what is entered. Hardware tokens still have you enter PIN and token manually in some cases (not all hardware tokens work this way), but the packet is in theory encrypted. You do make them authenticate over an encrypted channel, right?

Yes, someone might compromise the device with the software token, but that in theory should be hard. That's why people tell you to keep that bit better protected than most. Is it perfect? Of course not. We're breaking all six (5+1) rules of computer security (first being, don't have a computer). The point of this stronger authentication is never perfect security. Of course, no matter what authentication you use, if you actively compromise their source device completely, you'll get through it. It is to complicate the attack significantly.

In my job, whenever people say security must be cumbersome, I'm asked to go in and teach them that for the level of security appropriate to where I work, we can almost always find a clean solution. Good security, properly done, is done by professionals in a manner to hide most of it from the user so the user thinks it invisible.

Always keep your threat model in mind. Are you trying to protect against selected 3-6 letter government agencies with datacenters full of true supercomputers? Or are you trying to protect against a lesser threat?
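The "if you are allowing over a thousand bad guesses, you're doing something else wrong" point above, as an added example that is not from the thread or from RSA: a per-account guess limiter in front of a 4-digit PIN check, plus a brute-force loop that shows how many of the 10,000 candidates an attacker actually gets to test before the limiter cuts them off. The failure budget (5 per 15-minute sliding window), the keying by account rather than by source IP, and the sample PINs are all assumptions chosen for the illustration; a sliding window rather than a permanent lock is used so a mistyped PIN does not lock the legitimate owner out for good.

```python
import hmac
import time
from collections import defaultdict

# Assumed policy: at most 5 failed guesses per account in any 15-minute window.
MAX_FAILURES = 5
WINDOW_SECONDS = 900


class PinGuard:
    """Hypothetical verifier keyed by account, so a botnet spread over many
    source addresses gains nothing from varying the IP."""

    def __init__(self, pins):
        self._pins = dict(pins)             # account -> PIN (constructed sample data)
        self._failures = defaultdict(list)  # account -> timestamps of failed tries

    def _prune(self, account, now):
        cutoff = now - WINDOW_SECONDS
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def check(self, account, pin, now=None):
        """Returns 'ok', 'bad' or 'throttled'. Throttling is decided before the
        PIN is looked at, so a throttled caller learns nothing about the guess."""
        now = time.time() if now is None else now
        self._prune(account, now)
        if len(self._failures[account]) >= MAX_FAILURES:
            return "throttled"
        if hmac.compare_digest(self._pins.get(account, ""), pin):
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(now)
        return "bad"


def brute_force(guard, account, now):
    """Walk the whole 4-digit space in order; report how many guesses were
    actually evaluated and whether the PIN was found."""
    evaluated = 0
    for n in range(10_000):
        result = guard.check(account, f"{n:04d}", now)
        if result == "throttled":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    guard = PinGuard({"alice": "7231"})   # constructed sample account
    t0 = 1_000_000.0
    print(brute_force(guard, "alice", t0))                  # (5, False)
    print(guard.check("alice", "7231", t0 + 1))             # 'throttled'
    print(guard.check("alice", "7231", t0 + WINDOW_SECONDS + 1))  # 'ok'
```

With this budget an online attacker's chance per window is 5 in 10,000, which is the arithmetic behind accepting a short PIN as the "something you know" half of a token scheme; the budget only means anything if the comparison sits behind it on every path, including password-reset and API endpoints.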

Re:No 2 factor please (1)

dgatwood (11270) | more than 2 years ago | (#40986517)

Always keep your threat model in mind. Are you trying to protect against selected 3-6 letter government agencies with datacenters full of true supercomputers? Or are you trying to protect against a lesser threat?

These days, the non-government attacker isn't a lesser threat. They have armies of captured Winzombies in a botnet at their disposal.

You do make them authenticate over an encrypted channel, right? Yes, someone might compromise the device with the software token, but that in theory should be hard.

You know the difference between theory and practice, right? Sites like JailbreakMe [wikipedia.org] and all the Windows drive-by download attacks demonstrate with incredible clarity why putting complete trust in any internet-connected device is a dubious proposition. Sure, right now, attackers aren't attacking sites that generate one-time passwords, but that's because they aren't used for much other than corporate VPNs. Get even one major bank using them, and you'll have people exploiting them within a week.

If you are allowing over a thousand bad guesses, you're doing something else wrong.

Not really. The only alternative is to lock people out of their accounts if they happen to be unlucky enough to have a common account name that people regularly mistake for their own, and that is seriously cumbersome. You can limit it to a few requests per IP, but again, the attacker has armies of....

Re:No 2 factor please (1)

kqs (1038910) | more than 2 years ago | (#40980599)

If Google wanted to make it easy, they'd distribute a SecurID like local app to disgorge one time passwords when poked with your local passphrase.

Yeah, they could call it something like Google Authenticator. Like any local app or hardware token it's really something you know (the seed in the app), but it is hard enough to get the seed that it is effectively something you have.

Re:No 2 factor please (1)

alcourt (198386) | more than 2 years ago | (#40980679)

Every factor could theoretically be reduced to something you "know", except it isn't something you know, because you can't key it in manually. Even a hardware token is really "something you know" in the strictest sense, the seed. But that's not what is generally meant by security folks when they speak of multi-factor.

The Google authenticator app last I saw only worked on android devices. Not everyone has a fancy cell phone. Some of us make do with a regular computer or laptop.

I think Google is trying to do mostly the right thing, but is falling down in implementation. Personally, I'm a fan of public key authentication of the client rather than just the server. Sometimes, older ideas really are good. We don't need brand new ones, just realizing how to reapply the old ones.

Re:No 2 factor please (1)

dgatwood (11270) | more than 2 years ago | (#40977711)

What you're really pointing out here is the need for different tiers of authorization. Without any unlock, I would like to be able to:

  • Call numbers from my preferred phone number list (including hands-free use)
  • Run the music player app
  • Use the maps application
  • Use the web browser.

I would like to be prompted for my unlock password when:

  • I try to access notes, my calendar, or my mail.
  • I try to change any settings.
  • I try to do anything that could potentially cost me money.
  • I navigate to a web page for which a password or other autofill information exists.

Similarly, for online banking, I would like an easy-to-remember password for:

  • Checking account balances
  • Viewing my transaction history

I would like to be prompted for additional authentication when I:

  • Send a message to the bank.
  • Attempt to pay a bill to a new recipient or to a different account at an existing recipient.
  • Transfer money into or out of my account.

Amazon is a good example of this sort of distinction in action. With a single password, I can place orders and have them sent to me. However, if I add a new destination address, they make me type in the CVV code from my credit card.
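The tiered model in the comment above, as an added example of how a service can express it as policy rather than as scattered checks: every action names the weakest proof that may perform it, a session tracks the strongest proof it currently holds, and a second-factor proof decays after a short time back to password level instead of logging the user out. This is illustrative code for this page, not Amazon's or any bank's implementation; the action names, the three-level ladder, the 5-minute lifetime of the step-up and the default-deny for unknown actions are all assumptions.

```python
from enum import IntEnum


class AuthLevel(IntEnum):
    NONE = 0      # device unlocked, nothing proved to the service
    PASSWORD = 1  # password entered this session
    STRONG = 2    # password plus a fresh second proof (OTP, CVV, etc.)


# Assumed policy table: action -> weakest level allowed to perform it.
POLICY = {
    "view_balance": AuthLevel.PASSWORD,
    "view_history": AuthLevel.PASSWORD,
    "message_bank": AuthLevel.STRONG,
    "pay_new_payee": AuthLevel.STRONG,
    "transfer": AuthLevel.STRONG,
    "order_to_known_address": AuthLevel.PASSWORD,
    "add_shipping_address": AuthLevel.STRONG,
}

STEP_UP_TTL = 300  # assumed: a second-factor proof is good for 5 minutes


class Session:
    """Hypothetical session that records the strongest proof it has seen."""

    def __init__(self):
        self.level = AuthLevel.NONE
        self.strong_until = 0.0

    def login_password(self):
        self.level = AuthLevel.PASSWORD

    def step_up(self, now: float, ttl: float = STEP_UP_TTL):
        """Called only after the second proof (OTP, CVV, ...) has been verified."""
        self.level = AuthLevel.STRONG
        self.strong_until = now + ttl

    def effective_level(self, now: float) -> AuthLevel:
        # An expired step-up falls back to password level; the session survives.
        if self.level == AuthLevel.STRONG and now >= self.strong_until:
            return AuthLevel.PASSWORD
        return self.level


def authorize(session: Session, action: str, now: float):
    """Returns (allowed, required_level). Unknown actions are denied and
    reported as needing the strongest proof, so forgetting to register an
    action fails closed rather than open."""
    required = POLICY.get(action)
    if required is None:
        return False, AuthLevel.STRONG
    return session.effective_level(now) >= required, required


if __name__ == "__main__":
    s = Session()
    s.login_password()
    print(authorize(s, "view_balance", 0))   # (True, PASSWORD)
    print(authorize(s, "transfer", 0))       # (False, STRONG) -> prompt for step-up
    s.step_up(now=100)
    print(authorize(s, "transfer", 100))     # (True, STRONG)
    print(authorize(s, "transfer", 500))     # (False, STRONG) -> expired, prompt again
    print(authorize(s, "view_balance", 500)) # (True, PASSWORD) -> still logged in
```

The caller that receives `(False, required)` is the one that decides which proof to ask for; keeping that decision out of the policy table is what lets the same table serve a phone unlock, a web session and an API token.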

This story should be re-named... (0)

Anonymous Coward | more than 2 years ago | (#40977893)

Companies Ride The Tide Of Paranoia After Well Publicised Hack To Grab Yet More Personal Information And Invade Your Privacy...

The funny thing will be when all the scared sheep giving their phone numbers away get owned even more epically in the next security breach.

Lets make it real (0)

Anonymous Coward | more than 2 years ago | (#40978543)

Let's get real. What has to happen is the following:

1) Laws enacted which will fine companies for every piece of personal information that they lose/leak. Without a penalty hanging over their heads, companies will continue to decide that fiscally it does not make sense to put more effort into preventing these losses. Losing personal information has to hit them in the wallet or they will continue to not open their wallets to prevent the losses. Penalties for not disclosing that losses occurred need to be assessed at, oh, 10 times the normal rate to make companies hesitant to not report breaches.

2) The PCI requirements around encrypting 'sensitive' information (such as credit cards) need to be extended to cover *all* personal information (including email addresses, postal mail addresses, answers to 'personal questions', etc). Why? Because all that information which is sitting on their servers in an unencrypted form can be used to engineer subsequent attacks. Leaking things like email addresses often gives an attacker the ability to compromise other systems because generally the same email address is used everywhere. Leaking answers to personal security questions is highly dangerous because many sites use the same or at least similar questions.

Strange how this is just now being sensationalized (1)

ravenswood1000 (543817) | more than 2 years ago | (#40979803)

Many more people have gone through what Mat Honan has or even worse, yet nothing was done before. I find that strange.

Re:Strange how this is just now being sensationali (0)

Anonymous Coward | more than 2 years ago | (#40980801)

Mat Honan has a bully pulpit.

Finding accounts linked to recovery email (1)

w00tz (1943770) | more than 2 years ago | (#40982895)

It seems that one can find out all google accounts associated to a recovery address by simply selecting "I don't know my username" in the google recovery menu. If the hacker would have known/used this, he could have had access to even more of Mr. Honan's stuff, provided he had more than one gmail accounts which used the same recovery address (and by the looks of it, I'm sure he would have daisy-chained that too). Google is happy to deliver the associated accounts to the recovery address, with no obfuscation. There's not much hassle to reset those accounts and compromise them as well afterwards. Although I understand its usefulness, using it for the wrong purpose can turn it against you. I'm beginning to think recovery emails are bad too..

Re:Finding accounts linked to recovery email (1)

lpq (583377) | more than 2 years ago | (#40986829)

How would you suggest recovering an email registered account without sending an email with a new tmp password?

You can't presume the user has anything other than the computer (or a computer) and email that they originally registered with...

Isn't google's idea of two factor authentication sending SMS messages to a phone?

AFAIK, landline phones don't have SMS and I certainly wouldn't want to pay extra for it -- HOWEVER, I know that gvoice will call your number and ask you to key in a number when you sign up, so offering that as an alternative 2nd factor for pw recovery (only -- not login) would seem acceptable to me -- but there are others that may possess no phone and only a computer...

You can't design 2-factor authentication unless you are certain it's something that every user has, and that says nothing of the convenience issue.

I almost always access my accounts from a few home computers -- (usually just 1), yet the bastards still forced me to change my password because that same computer tried to login several times to my gmail account due to thunderbird's settings being reset to defaults (normally it doesn't poll my gmail account nor access it unless I manually pull it)....but after a bad attempt at a Tbird upgrade, I reverted -- but google still forced a password change on me -- and now won't EVER let me use the old password again.

Apparently every password you ever use with google becomes part of its statistical profile of you. This is especially useful if they force you to change it once in a while and are able to detect a pattern in your password usage. They could likely use it to predict passwords to other sites some percentage of the time.

So much for "do no evil"...storing people's old passwords and forcing them to change periodically... AND being a data mining company that could use such info ... definitely falls into the evil category!
