Ironical as it may be and as the author mentioned briefly in the article, "there is an app for that". Google provides an authentication app for at least Android and iOS.
I personally put my phone in "airplane mode" for the trip (still waiting for that market changing deal where you can travel easily across the globe and call/use data without being robbed by your provider) then use the authentication app. I also carry my authentication codes during the trip and they should be enough for even a longer trip, if not, I can generate new security codes during the trip using the security codes I already have with me.
What J2ME app are you using? I ended up porting (really just copying one Java class) part of Google Authenticator to J2ME. It works, but isn't great. What're you using?
That's exactly what I've been wondering about enabling two factor authentication for something I use as often as email.
Apparently you can print a series of one-time use verification codes that work any time to sign into your two-factor account. Stick a few on a card in your wallet and don't forget to generate more before you're out!
When you do run out of verification codes, but you do have a working phone the 6 digit codes can also be sent to you through text messages or even a phone call from Gmail.
When I'm travelling and expect to be using dodgy internet connections & cafes -- I set up a separate email account and forward my email to it. If that account gets hacked, I just turn off the forward.
It would be nice to choose the level of security you think you can afford on the security-inconvenience tradeoff curve. Especially since it is likely to increase the takeup rate.
I have three accounts and five computers and I don't find the once-a-month 6-digit number to be a big deal. PayPal does annoy me with their policy of requring an OTP seemingly every time you visit a page, but it's worth it because I know that I don't have to have a super-amazing password to stay safe. Ultimately, the work required to recover from a compromised account is much higher than it is to type a 6-digit number every month, so I consider it a good trade-off.
In my case, the number always seems to expire when my token is far away. So another way of alleviating this would be to have a three day grace period where you're prompted with the option of refreshing your credentials, but you don't have to.
I'm thinking more like, I wake up and want to check my mail from bed, but -- surprise! -- it's expiration day, and my OTP token is downstairs. And using a single recovery code immeditalely invalidates your electronic token, logging you out everywhere and forcing you to go through the activation process all over again before you can log back in.
Typing a six digit number once adds a significant layer of security to a very important account.
Having to type it every 31 days (per browser, per device, per account) adds very little marginal security. In fact, in my case it actively hampers security, because it keeps me from using two-factor altogether.
Increase security/authentication as the risk factor increases based on context awareness. A number of vendors (notably CA), have been working hard to get this right. Essentially it requires a classification service that can derive context out of the content, and rate the level of risk and present the user with an additional authentication prompt (e.g.: 2-factor for exactly the scenarios you describe).
The sucky part is that nothing enforces their app-specificness. It would be neat if I could generate a password that only works from my home connection. Or only works for GChat, but not other services.
How would it? If the app were built to send some sort of an identifier with it... well, it might as well use oAuth and then it could use the two-factor sign in anyway.
Uh what? Google uses oAuth all over the place and in fact that is the correct solution to this problem. (I assume NIH is never-in-hell or something, can't say I've seen that before)
you can't use an app specific password to login to the gmail web interface and change your password.
so while you could use a compromised application specific password to do horrible things (download all your email and send e-mail as you), you could not use that app specific password to immediately log in to the administration page for your account and lock the legitimate user out...
Really? I could have sworn I tried and it worked just like a full login. I signed up for two-factor very early so perhaps that was fixed along the way. Neat!
So the app-specific passwords are single-factor authentication keys. Why not just skip the two-factor authentication altogether and use a longer password/phrase?
I put a copy of the single-use backup verification codes into an alternate dropbox account I have (that isn't linked to my primary email address). Figured if I'm somewhere with enough internet access to get to gmail, I'll be able to get to dropbox.com and get the codes.
This worry seems a bit overblown to me. If your email is that important to you, you should follow these steps:
1. Use a unique, long, random, secure password.
2. Don't tell it to anyone.
3. Use an email service that stores passwords hashed with a salt and a secure hash algorithm.
And you will have nothing to worry about. If you are very paranoid or traveling a lot, you can add:
4. Don't log in from insecure devices.
5. Make sure nobody's filming your fingers when you type your password.
If you're actually concerned with these two, you probably have bigger issues and are already taking more precautions like 2-factor authorization or so on anyway.
You should preferably not use a computer you don't have complete control over for sensitive stuff at all. Even with two-factor authentication, a computer you don't control can still store the emails you access, etc. etc.
It's email, people. You won't die if you don't check it for three hours. And if you do... well, then you should probably've brought your own laptop (although that may make system administrators sad).
You should pay attention to how many "non-idiot" users have had their Gmail accounts compromised.
And using two factor auth is easier than remembering a long, truly unique password. (Though if you're not using LastPass, stop what you're doing and go install it. Just freaking do it.)
>5. Make sure nobody's filming your fingers when you type your password.
Many moons ago I read the table of contents of Silence on the Wire.[0] One chapter that particularly caught my eye was "I can hear you type.". (Which for some reason was stored in my memory as "I can hear your keystrokes." Which sounds more stalkerish IMO.) Just because of how creepy it sounded. Later I was talking to someone I knew over the phone when they stopped for a moment to enter a username and password for $WEBSITE.
All of a sudden an amusing side channel attack popped into my head:
"I wonder if it's possible to reproduce someones password by hearing their keystrokes?" I figured it would actually be a useful skill if someone were trained to recognize the sound of keystrokes from the most common keyboard phenotypes.
We're already there: "Three students at UC-Berkley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session."
I (mostly) agree. I think 2-factor is a fine idea, but I have friends who are still using something along the lines of "password1" on all of the online accounts.
A good first step would be reinforcing the idea that you should never use your email password for any other account. Few people will go through the effort of brute-forcing an standard-issue gmail account when they can easily download a bunch of pre-hacked usernames and passwords.
Using a second factor token is much easier than always doing all of those and provides a much larger safety margin. Remember, with 2-factor auth, even someone who knows your password can't access your account. If you also make sure they don't know your password, you're doubly safe. That's why pretty much every safety system invented has some sort of backup safety protection. If you want to go "free solo" on your account because you enjoy thrills, that's fine. But if you're a normal person, why not have a safety rope?
I would disagree that two-factor is easier. I already do all of the above by (1) using gmail, and (2) only logging in on my own devices.
I also check my email so frequently that two-factor authorization would be a significant inefficiency, so there is certainly a cost-benefit tradeoff there.
You only have to authenticate a device every 30 days.
The attack that is prevented here is someone who knows your password getting access to your account. They can't get access unless they know your password and manage to steal your OTP generator or device. That's significantly harder than knowing someone's password. (Knowing your password is probably hard, but I know many peoples' password. It's "password".)
You forgot: make sure you can trust every admin who has access to read your mail, and trust that they won't have weak passwords. And all that still won't help you if someone in the federal government want to read your email, because that's literally a one-page request and they'll have it.
Yes, because it is a pain. Try going on a vacation, you know the one where you don't use cell roaming. SMS is out, so then one must find a Wifi hotspot to use one of the smartphone time based tokens (edit: seems the token don't need a network connection, could have fooled me). And those time based tokens go out of wack if your phone didn't sync the timezone properly to match Google's setup, so every token ends up not working.
Use the print out backup verification codes on a piece of paper? No, because they are single use. So you end up using up all your backup codes depending on the length of your vacation. I've used 2 step for a long while, I liked it, but I really could not get used to whipping out my phone every time I needed to check something related to Google.
I've had other hiccups such as mobile provider down, phone died etc. Maybe my best option was to keep all the backup codes on hard plastic with checkmarks next to used backup codes and secure them the same way I do my banking cards, maybe, I'll just try this one day.
If one is going to jump through all these spy-style codes might as well just change your password on a regular basis, forcing all previous sessions to invalidate.
When you reach a point where you have, say, half of your backup verification codes remaining and for some reason your timezone is that far out of sync that Google Authenticator no longer works (and for some reason you can't just sync your clock), then simply generated new backup verification codes and print those out. It seems like a pretty weird assumption that your clock will go out of sync and you won't be able to even manually sync. If you can get online to reach a Google login page, why can't you get within 30 seconds of the correct time for Google Authenticator to work?
Assuming you were able to use half the backup codes, since you have internet access you can always generate a new batch. I've been using 2 pass since it came out and it's honestly not that bad for the sense of security. Some banks are already using this system.
I recently traveled for 6 months without a data connection on my phone and used the Google Authenticator app without any problems at all. I changed the timezone setting many times too.
"You should start thinking of security for your email as roughly equivalent to the sort of security you'd want on your bank account. It's exceedingly close to that in practice."
Actually, I want (and arguably already have) better than that. In the last 4 months I have had two unauthorized debits from my bank accounts: one a result of a mail thief stealing my rent check from my mailbox, the other an error made by a bank employee. In the 15 years I've been using email I've never knowingly had any of my email accounts hacked.
fetchmail is very handy for this sort of problem. Regularly pull and remove your mail from your webmail account. Then you can manage it locally the same way you would all your other archives.
Not foolproof, of course, but it improves matters. Also note I don't present this as a solution for John Everyman, but rather the sorts of folks who might be reading Coding Horror.
The thing I hate about Google Authenticator is when you use a google authenticator protected gmail account for other google services. Google has a bunch of things where they don't yet support 2fa, so sometimes you enter the wrong password.
It would be good if you had a dedicated-to-email google account, definitely. As it is, I use it for a gmail account I use with all my google services, and it's a real pain -- especially because the gmail password itself is a long random string, and sometimes I need to enter that on a mobile or other device.
I'd really like better user credential management using something like OneID (public keys, challenge-response auth), but people have tried that in the past and haven't been terribly successful getting it adopted. It might work better on a mobile OS, so maybe next-gen Apple iOS keystore could do something like this.
Facebook handles apps that don't support 2factor pretty well. Your first login will be rejected but you'll be messaged the 6 digit code to login with as your "password".
Two factor auth works fine without a cell phone. You can put a land line in as a backup and of course you should store the extra physical codes somewhere safe as well.
Obviously though, this would be a pain to use without a portable device that can generate the appropriate time-based code.
That's actually my current setup. It still kind of defeats the purpose though; I have to be logged in to Google Voice in order to authenticate logging in to Gmail with the same account. I'll wait for them to get a little more creative before I expect it to be much safer.
Is it really that easy to hack someones gmail account?
I realize phishing and key loggers are easy ways to grab a password, but if you avoid typing your gmail password at public internet kiosks and the like, is it really that easy for someone to get at? Assuming you use a reasonably long and impossible to guess password, the captchas would prevent brute forcing.
An attack targeted specifically at you will inevitably succeed but most of us are not that special.
The article's advice seems far too easy to lock yourself out (losing my wallet with my magic paper codes and my phone could do it). The additional inconvenience does not seem worth it.
Most of us have used physical 2 factor authentication (like RSA SecurID) for banking and work related VPN access. This works well because the provider (your office, your bank) has a vested interest in getting you back into your account if you get locked out. Google, Yahoo, MS, etc. have no such obligation.
A _startlingly_ large number of people are (still) re-using passwords across multiple sites. The Gawker/Sony(/PerlMonks for me) compromises revealed a _lot_ of email addresses and passwords, some significant portion of which almost certainly allowed attackers access not only to the specific website that was attacked, but also to the email service of the exposed user.
I'm pretty sure none of Jeff's advice helps you against a government-agency level attack agains you specifically, but following it _will_ protect your email even if some other random website you once registered for exposes the login details you used there. I _hope_ that's not a problem for any HN readers (any more), but what about your partner/children/parents/coworkers? I'd bet good money that _someone_ you know and care about is reusing their email account password on random website signup forms.
My name is Alan Byrne, I work in IT and I'm a password re-user :(
On that note, does anyone know of a secure keysafe app that will sync across my various PCs, iPad and Android phone? This is what is stopping me from going the single use password route.
Me too. Just remember to set the load-factor quite high. I've got it set to about 8 million rounds which is about one second on my beefy work computer, two on my private laptop and ~eight on my Android phone. The last bit is a bit annoying but at this point my key database is a pretty high value target - and I can't revoke access to it remotely if I lose my phone.
so now it is only a matter of time until the keylogging software that everyone is so terrified of is modified to also take the session cookie from your browser that authenticates you to gmail. you know, the thing that makes it okay for you to click "remember this computer for 30 days" ...
(You can check the "remember me for 30 days on this device" checkbox so you don't have to do this every time.)
No thanks. Google remembers a lot more than "this device," more like everything I do within that device thanks Search cookies, Adsense, Analytics on millions of sites and who knows what else
For now I have a really long email password, but I'm considering moving my sensitive data/email out of my general email account and into a new email address that requires 2 factor authentication.
The thing I really want is a "lockbox" folder in my general email that:
1. Requires 2 factor authentication to access the folder but not my general inbox
2. I can move messages I consider sensitive from my general inbox to the lockbox folder
3. Will automatically sends emails from my banks, etc. into the folder with an email showing just the subject line in my general inbox
Wow, this would be an excellent feature. Although I've got 2 factor authentication set up for my whole account and it doesn't really bother me, I would like to see something like this. An extra measure to protect certain emails would be really helpful.
Poor man's lockbox: create a second account, enable two-factor only on that account, set up filters to redirect those emails to that account and delete them from your main account.
I've made a few changes to securing mine with 2 factor.
1. Altered the digits in my wallet so only I know how to recover the real numbers.
2. Created a junk email with a secure password with a security-through-obscurity email with the numbers (again modified)
The use case - losing both your cellphone and wallet. There's basically not an easy way to get back to your data.
I have to remember a few things:
--Normal password to email
--Modification I used to numbers in wallet
--Modification for numbers in junk email
--Junk email username
--Junk email password
It's definitely a burden. But it's worth the security of my email. At this point it reduces the burden of regularly changing my email password or adding complexity to the password.
The good thing about the recovery numbers is they are still no good without your password. So someone would have to both get your password and steal your wallet to gain access.
While you're thinking about the security of your email in the cloud, remember this: ANY of your email older than six months can be legally obtained by any U.S. law enforcement agency without any warrant or judicial oversight of any sort, even if you enable Google's new 46-factor authentication and use passwords that take minutes to type in.
And you think that Google actually deletes email when you tell it to? More likely they just mark it as deleted and retain it, in which case every email you ever received regardless of whether you think it has been deleted may be available. If you want better privacy, install and manage your own mail server and encrypt everything.
Do you really think your shared host drops blocks when you delete them from your virtual disk, and do you really think that requests to mlock memory with crypto keys are really honored? Maybe if you have a dedicated box, but not if you are using a virutal host. (Have you ever physically seen "your own" mail server? If not, why do you trust it?)
Also consider what happens to unencrypted email you send or receive: any upstream servers can be subpoenaed, as can the person on the other end. Encrypted mail only works when it's encrypted end-to-end and your adversary cannot seize the sending or receiving computer. I imagine that people who encrypt their received email end up in court because their sender was not so careful. Do you trust every person that will ever mail you to keep your secrets safe? Why?
Ultimately, if the government is your enemy, you need to take a lot more precautions than "don't use Gmail".
Deleted messages are wiped within ~60 days. The delay is needed to ensure that all copies of the message are deleted, including those that may be on tape.
Seriously? So you reuse all tapes after 60 days? That wouldn't be a smart thing to do if you really care about retention, and I don't mean solely retaining deleted mail, but just retention of data in general. Regardless of stated policies, I don't believe you. Business critical data like that would not only be stored for 60 days- not in Google.
> Seriously? So you reuse all tapes after 60 days?
I didn't say that.
Someone stated that it was well known that g-mail never deletes data. I posted a quote from the privacy policy that contradicts that. I also said (a few threads back) that there is a team of people whose job is to work with product teams to make sure they are following the policy.
I've worked at companies where the publicly posted policies had little-to-nothing to do with how the company really operated.
That has not neen my experience at Google. Handling user-data properly is taken very seriously. A significant amount of effort (and money) is expended making sure of this.
I can't control whether or not you believe me and I can't go into too many details or share too many war stories. I'm an engineer that has worked at both the bottom of the stack (building the hardware that runs in the data centers) and at the top of the stack (a large user-facing product) and I can tell you that I have many first-hand experiences where protecting user-data was prioritized over other concerns - often at non-trivial cost and effort.
See http://support.google.com/mail/bin/answer.py?hl=en&answe..., which is specific to g-mail, but the same rules apply for other products that store user information. There is a whole team that works on this to monitor the process and help product teams implement the policy.
While that is deeply worrying, it's "long-term, concerned for the future of free society" worried. "If you have nothing to hide" is a horrible, chilling defence of an essentially totalitarian strategy, but it's also almost right: If you don't stick your nose out, even totalitarian regimes do mostly leave you alone.
Having your e-mail accessed by black-hat hackers is "right-now, have to change every password in the world, block and replace every credit card at the most inconvenient time possible, deal with spam and scams in my name, possible ID theft and potentially sensible data being made public"-worrying. And you can make that attack significantly harder, so you should do that. Right now.
Or, tl;dr: Perfect is the enemy of good, go enable two-factor.
It's worth noting what law enforcement wishes they could do and what they can do is pretty different. The only time this has been tested in court, the Sixth Circuit said it was unconstitutional. Which is because it's blatantly unconstitutional. My money says that any other appeals court will agree, including the Supreme Court if it gets that far.
Now, the government certainly does things that are unconstitutional sometimes, and manages to avoid having any court review them. I'm sure there are abuses here. It's disappointing that the Justice Department tried to oppose a warrant & probable cause standard for electronic searches as if there's room for dispute on that one. But the minute they try to take much advantage of this law it'll be struck down, and they know it.
It's possible that I'm (weirdly) less cynical about this as a defense attorney than most people are. In my line of work the constitution is constantly standing between police and what they wish they could do. I'm thinking of a particular case, not uncommon, where a three-hour confession was basically thrown out because the judge looked carefully at the recording and the police didn't quite handle it right. They didn't beat the guy, but they didn't do what they needed to do to make sure the confession was voluntary. And of course this drives the police nuts -- the executive branch's position is always that any limitation on their power is a threat to public safety. Resisting that position is why we have constitutional standards and separation of powers in the first place.
Incidentally, the DOJ testimony[1] is a little more nuanced than Wired makes out. The testimony makes some legitimate points -- that agencies like the SEC rely on their ability to use subpoenas (as opposed to warrants) to enforce financial laws, and that it's not clear how much evidence you should need that a particular email account contains evidence of criminal activity in order to obtain a warrant to search that account. (If I have 100 gmail accounts, and you know I've used five of them to run drug transactions, do you need independent evidence to search each of the others?) This means any law governing search of emails would have to be written carefully (or vaguely, so the courts could figure it out under the Fourth Amendment). But the DOJ's conclusion that maybe the law should try to exempt electronic records from search and seizure protections is typical executive branch posturing -- both absurd and unenforceable.
(This is not legal advice. It's just a thing I wrote on a forum. I could be totally wrong. Consult your doctor if effects last more than four hours.)
I have two-way enabled, but when logging in via Google Talk (windows app) it seems to bypass it. If I go straight to gmail.com and login I'm asked for the second auth, but clicking via Google Talk (already signed in) it logges me in to GMail directly. Anybody know if this is normal / expected?
Great article on 2-factor auth. I didn't understand how easy it was, so I'm switching to it now. However, if you use a mail client and generate app-specific passwords that last forever, can't the hackers just hack via IMAP login instead which won't be 2-factor?
It seems like it would be better to use private keys on the client with 2 factor auth for authentication recovery. That way as long as you have the right private key locally that your mail client uses, you are set- otherwise you have to both provide a password and an SMS delivered code in order to use a different private key on the client.
159 comments
[ 3.1 ms ] story [ 235 ms ] threadI am wondering if Gmail could implement security questions to avoid cases where the 2-step verification works against the user
If you are planning to be without your phone, you can always disable 2-step verification temporarily: https://support.google.com/accounts/bin/answer.py?hl=en&...
Finally, if you lose your phone, you should always have your single-use backup verification codes to allow you to login.
I personally put my phone in "airplane mode" for the trip (still waiting for that market changing deal where you can travel easily across the globe and call/use data without being robbed by your provider) then use the authentication app. I also carry my authentication codes during the trip and they should be enough for even a longer trip, if not, I can generate new security codes during the trip using the security codes I already have with me.
http://support.google.com/accounts/bin/answer.py?hl=en&a...
I use an app from DS3: http://ds3global.com/index.php/en/news-a-events/news/97-secu...,
It's extremely simple, it just generates OTPs, nothing more.
Apparently you can print a series of one-time use verification codes that work any time to sign into your two-factor account. Stick a few on a card in your wallet and don't forget to generate more before you're out!
https://support.google.com/accounts/bin/answer.py?hl=en&...
* I'm logging in from a computer that I've never logged in from before
* I'm searching my mail history for terms like "password"
* I'm opening an email that appears to contain a password-reset link
* I'm messing with my mail-forwarding options
* I'm accessing messages in bulk
But I do not want to have to do second factor just because it's been 31 days since the last time I've done it.
If one of your devices is stolen, you go reset the pass. As simple as that.
Plus, 31 days is a long time for the hacker, so it's not adding all that much security.
No, but it might well be for the guy who fishes your old harddrive out of a bin.
Does this expiration after 31 days add any extra protection?
Having to type it every 31 days (per browser, per device, per account) adds very little marginal security. In fact, in my case it actively hampers security, because it keeps me from using two-factor altogether.
For example, https://developers.google.com/google-apps/gmail/oauth_overvi...
so while you could use a compromised application specific password to do horrible things (download all your email and send e-mail as you), you could not use that app specific password to immediately log in to the administration page for your account and lock the legitimate user out...
1. Use a unique, long, random, secure password.
2. Don't tell it to anyone.
3. Use an email service that stores passwords hashed with a salt and a secure hash algorithm.
And you will have nothing to worry about. If you are very paranoid or traveling a lot, you can add:
4. Don't log in from insecure devices.
5. Make sure nobody's filming your fingers when you type your password.
If you're actually concerned with these two, you probably have bigger issues and are already taking more precautions like 2-factor authorization or so on anyway.
Again, these aren't for the most extremely cautious/savvy users out there, just the 99.9%.
It's email, people. You won't die if you don't check it for three hours. And if you do... well, then you should probably've brought your own laptop (although that may make system administrators sad).
And using two factor auth is easier than remembering a long, truly unique password. (Though if you're not using LastPass, stop what you're doing and go install it. Just freaking do it.)
If they limit them to a few failed logins a day or hour and show you the failed logins it's hard to guess even if you have it jeff(3-4numbers)
Many moons ago I read the table of contents of Silence on the Wire.[0] One chapter that particularly caught my eye was "I can hear you type.". (Which for some reason was stored in my memory as "I can hear your keystrokes." Which sounds more stalkerish IMO.) Just because of how creepy it sounded. Later I was talking to someone I knew over the phone when they stopped for a moment to enter a username and password for $WEBSITE.
All of a sudden an amusing side channel attack popped into my head:
"I wonder if it's possible to reproduce someones password by hearing their keystrokes?" I figured it would actually be a useful skill if someone were trained to recognize the sound of keystrokes from the most common keyboard phenotypes.
[0] http://nostarch.com/silence.htm (
I haven't actually read it so I don't know if that is or isn't in the book. All I know about it is the Table of Contents.)
https://freedom-to-tinker.com/blog/felten/acoustic-snooping-...
http://www.berkeley.edu/news/media/releases/2005/09/14_key.s...
A good first step would be reinforcing the idea that you should never use your email password for any other account. Few people will go through the effort of brute-forcing an standard-issue gmail account when they can easily download a bunch of pre-hacked usernames and passwords.
I also check my email so frequently that two-factor authorization would be a significant inefficiency, so there is certainly a cost-benefit tradeoff there.
The attack that is prevented here is someone who knows your password getting access to your account. They can't get access unless they know your password and manage to steal your OTP generator or device. That's significantly harder than knowing someone's password. (Knowing your password is probably hard, but I know many peoples' password. It's "password".)
Yes, because it is a pain. Try going on a vacation, you know the one where you don't use cell roaming. SMS is out, so then one must find a Wifi hotspot to use one of the smartphone time based tokens (edit: seems the token don't need a network connection, could have fooled me). And those time based tokens go out of wack if your phone didn't sync the timezone properly to match Google's setup, so every token ends up not working.
Use the print out backup verification codes on a piece of paper? No, because they are single use. So you end up using up all your backup codes depending on the length of your vacation. I've used 2 step for a long while, I liked it, but I really could not get used to whipping out my phone every time I needed to check something related to Google.
I've had other hiccups such as mobile provider down, phone died etc. Maybe my best option was to keep all the backup codes on hard plastic with checkmarks next to used backup codes and secure them the same way I do my banking cards, maybe, I'll just try this one day.
If one is going to jump through all these spy-style codes might as well just change your password on a regular basis, forcing all previous sessions to invalidate.
Actually, I want (and arguably already have) better than that. In the last 4 months I have had two unauthorized debits from my bank accounts: one a result of a mail thief stealing my rent check from my mailbox, the other an error made by a bank employee. In the 15 years I've been using email I've never knowingly had any of my email accounts hacked.
Mine does offer two-factor, using either SMS or a physical token. And now that I think of it, I think it's mandatory if you want to access it online.
Not foolproof, of course, but it improves matters. Also note I don't present this as a solution for John Everyman, but rather the sorts of folks who might be reading Coding Horror.
It would be good if you had a dedicated-to-email google account, definitely. As it is, I use it for a gmail account I use with all my google services, and it's a real pain -- especially because the gmail password itself is a long random string, and sometimes I need to enter that on a mobile or other device.
I'd really like better user credential management using something like OneID (public keys, challenge-response auth), but people have tried that in the past and haven't been terribly successful getting it adopted. It might work better on a mobile OS, so maybe next-gen Apple iOS keystore could do something like this.
Well, crap. My only "phone" is my Google Voice number...
Obviously though, this would be a pain to use without a portable device that can generate the appropriate time-based code.
I realize phishing and key loggers are easy ways to grab a password, but if you avoid typing your gmail password at public internet kiosks and the like, is it really that easy for someone to get at? Assuming you use a reasonably long and impossible to guess password, the captchas would prevent brute forcing.
An attack targeted specifically at you will inevitably succeed but most of us are not that special.
The article's advice seems far too easy to lock yourself out (losing my wallet with my magic paper codes and my phone could do it). The additional inconvenience does not seem worth it.
Most of us have used physical 2 factor authentication (like RSA SecurID) for banking and work related VPN access. This works well because the provider (your office, your bank) has a vested interest in getting you back into your account if you get locked out. Google, Yahoo, MS, etc. have no such obligation.
I'm pretty sure none of Jeff's advice helps you against a government-agency level attack agains you specifically, but following it _will_ protect your email even if some other random website you once registered for exposes the login details you used there. I _hope_ that's not a problem for any HN readers (any more), but what about your partner/children/parents/coworkers? I'd bet good money that _someone_ you know and care about is reusing their email account password on random website signup forms.
On that note, does anyone know of a secure keysafe app that will sync across my various PCs, iPad and Android phone? This is what is stopping me from going the single use password route.
https://www.eff.org/deeplinks/2010/01/primer-information-the...
No thanks. Google remembers a lot more than "this device," more like everything I do within that device thanks Search cookies, Adsense, Analytics on millions of sites and who knows what else
The thing I really want is a "lockbox" folder in my general email that:
1. Requires 2 factor authentication to access the folder but not my general inbox
2. I can move messages I consider sensitive from my general inbox to the lockbox folder
3. Will automatically sends emails from my banks, etc. into the folder with an email showing just the subject line in my general inbox
Find the relevant service. Spoof DNS. Get emails.
Alternative. MITM the SMTP (thanks anonymous SSL, no certificate errors!).
And that's scary, since 2 factor auth, nor anything, can really save you from that.
1. Altered the digits in my wallet so only I know how to recover the real numbers.
2. Created a junk email with a secure password with a security-through-obscurity email with the numbers (again modified)
The use case - losing both your cellphone and wallet. There's basically not an easy way to get back to your data.
I have to remember a few things:
--Normal password to email
--Modification I used to numbers in wallet
--Modification for numbers in junk email
--Junk email username
--Junk email password
It's definitely a burden. But it's worth the security of my email. At this point it reduces the burden of regularly changing my email password or adding complexity to the password.
http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-f...
Do you have any passwords in your email older than six months? Any account numbers? Anything... incriminating or embarrassing?
Also consider what happens to unencrypted email you send or receive: any upstream servers can be subpoenaed, as can the person on the other end. Encrypted mail only works when it's encrypted end-to-end and your adversary cannot seize the sending or receiving computer. I imagine that people who encrypt their received email end up in court because their sender was not so careful. Do you trust every person that will ever mail you to keep your secrets safe? Why?
Ultimately, if the government is your enemy, you need to take a lot more precautions than "don't use Gmail".
(Not kidding, I really do that.)
Deleted messages are wiped within ~60 days. The delay is needed to ensure that all copies of the message are deleted, including those that may be on tape.
Seriously? So you reuse all tapes after 60 days? That wouldn't be a smart thing to do if you really care about retention, and I don't mean solely retaining deleted mail, but just retention of data in general. Regardless of stated policies, I don't believe you. Business critical data like that would not only be stored for 60 days- not in Google.
I didn't say that.
Someone stated that it was well known that g-mail never deletes data. I posted a quote from the privacy policy that contradicts that. I also said (a few threads back) that there is a team of people whose job is to work with product teams to make sure they are following the policy.
I've worked at companies where the publicly posted policies had little-to-nothing to do with how the company really operated.
That has not neen my experience at Google. Handling user-data properly is taken very seriously. A significant amount of effort (and money) is expended making sure of this.
I can't control whether or not you believe me and I can't go into too many details or share too many war stories. I'm an engineer that has worked at both the bottom of the stack (building the hardware that runs in the data centers) and at the top of the stack (a large user-facing product) and I can tell you that I have many first-hand experiences where protecting user-data was prioritized over other concerns - often at non-trivial cost and effort.
See http://support.google.com/mail/bin/answer.py?hl=en&answe..., which is specific to g-mail, but the same rules apply for other products that store user information. There is a whole team that works on this to monitor the process and help product teams implement the policy.
Having your e-mail accessed by black-hat hackers is "right-now, have to change every password in the world, block and replace every credit card at the most inconvenient time possible, deal with spam and scams in my name, possible ID theft and potentially sensible data being made public"-worrying. And you can make that attack significantly harder, so you should do that. Right now.
Or, tl;dr: Perfect is the enemy of good, go enable two-factor.
Now, the government certainly does things that are unconstitutional sometimes, and manages to avoid having any court review them. I'm sure there are abuses here. It's disappointing that the Justice Department tried to oppose a warrant & probable cause standard for electronic searches as if there's room for dispute on that one. But the minute they try to take much advantage of this law it'll be struck down, and they know it.
It's possible that I'm (weirdly) less cynical about this as a defense attorney than most people are. In my line of work the constitution is constantly standing between police and what they wish they could do. I'm thinking of a particular case, not uncommon, where a three-hour confession was basically thrown out because the judge looked carefully at the recording and the police didn't quite handle it right. They didn't beat the guy, but they didn't do what they needed to do to make sure the confession was voluntary. And of course this drives the police nuts -- the executive branch's position is always that any limitation on their power is a threat to public safety. Resisting that position is why we have constitutional standards and separation of powers in the first place.
Incidentally, the DOJ testimony[1] is a little more nuanced than Wired makes out. The testimony makes some legitimate points -- that agencies like the SEC rely on their ability to use subpoenas (as opposed to warrants) to enforce financial laws, and that it's not clear how much evidence you should need that a particular email account contains evidence of criminal activity in order to obtain a warrant to search that account. (If I have 100 gmail accounts, and you know I've used five of them to run drug transactions, do you need independent evidence to search each of the others?) This means any law governing search of emails would have to be written carefully (or vaguely, so the courts could figure it out under the Fourth Amendment). But the DOJ's conclusion that maybe the law should try to exempt electronic records from search and seizure protections is typical executive branch posturing -- both absurd and unenforceable.
(This is not legal advice. It's just a thing I wrote on a forum. I could be totally wrong. Consult your doctor if effects last more than four hours.)
[1] http://www.wired.com/images_blogs/threatlevel/2011/04/bakere..., page 11.
It seems like it would be better to use private keys on the client with 2 factor auth for authentication recovery. That way as long as you have the right private key locally that your mail client uses, you are set- otherwise you have to both provide a password and an SMS delivered code in order to use a different private key on the client.
http://blog.binarybalance.com.au/2012/03/11/a-wakeup-call-fr...