Re: gmail security is a joke

[chris <tknchris () gmail com>]

Haha I cringe when I do a password recovery at a site and they either email
the current pw to me in plain text or just as bad reset it then email it in
plain text. Its really sad that stuff this bad is still so common.

On Tue, May 26, 2015 at 11:44 AM, Owen DeLong <owen () delong com> wrote:

> > On May 26, 2015, at 5:22 PM, Saku Ytti <saku () ytti fi> wrote:
> >
> > On (2015-05-26 16:26 +0200), Markus wrote:
> >
> > Hey,
> >
> > > Did you know that anyone, anywhere in the world can get into a gmail
> account
> > > merely by knowing its creation date (month and year is sufficient) and
> the
> > Without any comment on what gmail is or is not doing, the topic
> interests me.
> > How should recovery be done in scalable manner? Almost invariably when
> the
> > accounts were initially created there is no strong authentication used,
> how
> > would, even in theory, it be possible to reauthenticate strongly after
> > password was lost?
>
> I think opt-out of password recovery choices on a line-item basis is not a
> bad concept.
>
> For example, I’d want to opt out of recovery with account creation date.
> If anyone knows
> the date my gmail account was created, they most certainly aren’t me.
>
> OTOH, recovery by receiving a token at a previously registered alternate
> email address
> seems relatively secure to me and I wouldn’t want to opt out of that.
>
> Recovery by SMS to a previously registered phone likewise seems reasonably
> secure
> and I wouldn’t want to opt out of that, either.
>
> Recovery by SMS to a phone number provided with the recovery request I
> would
> most certainly want to disable. (yes, some sites do this).
>
> Recovery by having my password plain-text emailed to me at my alternate
> address
> (or worse, an address I supply at the time of recovery request), not so
> much.
> (yes, many sites actually do this)
>
> Really, you don’t need to strongly authenticate a particular person for
> these accounts.
> You need, instead, to authenticate that the person attempting recovery is
> reasonably
> likely to be the person who set up the account originally, whether or not
> they are who
> they claimed to be at that time.
>
> > Perhaps some people would trust, if they could opt-in for
> reauthentication via
> > some legal entity procuring such services. Then during account creation,
> you'd
> > need to go through same authentication phase, perhaps tied to nationalID
> or
> > comparable. This might be reasonable, most people probably already trust
> one
> > of these for much more important authentication than email, but
> supporting all
> > of them globally seems like very expensive proposal.
>
> This also would take away from the benefits of having some level of
> anonymity
> in the account creation process, so I think this isn’t such a great idea
> on multiple
> levels.
>
> YMMV.
>
> Owen