My GMail password scares me with its power - pospischil
http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/

======
raganwald
Forget Google's other properties, my gmail account password is my password for
_everything_ for the simple reason that an attacker with access to my gmail
account can reset my password on almost every other web system by requesting
that a password update email be sent to me.

This is one of the reasons I caved and got an iPhone with push mail
notification. I want to know the moment I get a password reset email. Alas, a
really clever attacker would probably read and delete the mail before I could
see it.

~~~
barsae
That seems backwards. The problem isn't your gmail password getting leaked,
but some other site leaking your password. If that site also has a clue about
your email address, now they have access to your email, since you made them
the same password.

~~~
tudorachim
Although you're right that websites might have access if you use the same
password for everything, in this case even if you use all different passwords,
you're completely blown if somebody gets the gmail password, because they can
just reset all the other ones.

~~~
raganwald
That was the point I was trying to make, thank you for finding a way to use
one word where I used two :-)

~~~
nopassrecover
Seems a lot of people missed the point. This wasn't about using the same
password everywhere (obviously insecure) but rather, if someone _did_ get your
email password it immediately defeats the security of every other service you
use.

------
catch23
I think it would be nice if Google provided an RSA key fob for those of us who
do keep a crap ton of stuff in their gmail.

~~~
staunch
I'd pay $20-$50 a year for it. I trust Google server-side security more than my
own ability not to compromise my own account.

~~~
LogicHoleFlaw
I have a key fob for my _MMORPG_ character account. It seems ridiculous to me
that my video game has greater security than my email or even my bank.

It was a $10 one-time fee to have the fob shipped to me.

~~~
Timothee
I would love having a key fob for my bank accounts, if anything just not to
have to make stuff up for the "security" questions…

~~~
whatusername
Banks here are offering SMS confirmations as two-factor auth. So I can
transfer money to existing accounts fine - but any new account or bill
requires a code that is SMSed to a pre-set number (and resetting the #
requires an SMS as well).

A key fob for Google would be nice though. I'd be pretty tempted to pay.

------
NathanKP
I definitely support the author's suggestion that Google offer a premium
RSA-style key fob for extra security.

It would be much more secure and still have the ease of a single
authentication process for all Google services.

------
palehose
I don't understand why someone wouldn't be able to create more than one GMail
account and use separate accounts for separate Google-related purposes? (Use
one GMail account for RSS and a separate GMail account for App Engine, etc.)

There is still the possibility that everyone you give information to is tied
to a single GMail account (for your own convenience), but that is still your
own fault, not Google's.

~~~
ruchi
Both Firefox and Safari boot you off one account when you login to another.

~~~
kirubakaran
I use <http://cookieswap.mozdev.org/screenshots.html>

------
akernander
I don't think we'll see Google splitting off their gmail/gtalk logins from
everything else, and I don't necessarily agree that they should. One of the
major benefits to using Google services is the sheer amount of services you
get without having to login to multiple sites, or keep multiple bookmarks;
Google takes care of it all for you. We're slowly seeing this same idea take
over the rest of the web with Facebook Connect and OpenID. People want
convenience and don't like remembering a ton of passwords, or even having to
retype a login/password on every site they go to. Ideally, for most internet
users I'm sure, FB Connect or OpenID or Google would take over the "login
market" and include a key fob, so you just log your computer onto the internet
and you're good to go. But I agree with most here, a key fob is, well, key.

------
varaon
Not that these solve the problem, but here are some tips to help mitigate
negative effects:

1. Audit your Gmail access history. In the footer, there is a message "Last
account activity...Details". Click the "Details" link to view recent access
history (web and mobile), and for the option to deauth all other sessions.

2. Under your Google account settings, go to Security > Password recovery
options. Add your cell phone number under SMS.
(<https://www.google.com/accounts/ManageAccount>)

3. Use a separate e-mail address for password resets, and just for that.

I only follow 2 out of 3 of my suggestions. I was pleased to discover the
auditing and SMS recovery features, and thought I'd share them.

------
fjabre
+1 Where is OAuth integration for Gmail IMAP?

This kind of thing weighs down innovation. Take Threadsy.com for example. I'm
sure people aren't thrilled about having to give out gmail passwords to make
full use of their service. It's a shame that Google hasn't addressed this
yet.

------
yalurker
The article seems trivial compared to what I see as the real security risk -
unrelated sites that have an "I forgot my password" option which relies on
e-mail to reset the password.

If an attacker has your gmail, they can go to your bank, your stock brokerage,
your retirement accounts, your credit cards, etc and say "I forgot my
password" and use the e-mail access to reset those.

I hate that my bank wants me to put in "Your mother's maiden name" as a
"security question" when that information is painfully easy to get (relative
to password). I always enter fake information, but I really wish there was
just an opt-out for the password reset feature.

------
cduan
Why not create separate accounts for each service? If you are really security
conscious, you could even have a separate password for each one.

For that matter, you might simply solve the gmail/blackberry problem by making
a second account for your email, setting your primary account to forward to
the second account, and setting the phone to check the second account rather
than the first.

------
selven
The blackberry argument is exactly the place where open source is the answer.
I have a python script that I fully understand (and wrote much of it myself)
grabbing email data off the internet, and only it knows my password - I
wouldn't dare trust proprietary software with something that sensitive.

------
b-man
I don't even know my Gmail password. I do know my KeePassX password though. It
knows my 25 char passwords.

~~~
alexmat
I don't think it matters how secure your password is if it gets sniffed or
keylogged. I have been at more than one internet cafe where I absolutely needed
to login over an untrusted terminal to my mail account.

~~~
BrandonM
I read an interesting paper a while back (sorry, I don't remember where or
what it was called) that attempted to thwart keyloggers. Their study showed
that keyloggers pretty much never paid attention to the mouse. Thus their
security method was to click in the password field, type a character or two,
click outside the field and type a bunch of random stuff. Rinse and repeat
until your password is entered. It seems pretty hackish but according to the
authors it was quite effective.

~~~
ahpeeyem
I've used this method a few times at public internet terminals hoping it would
work, but in the absence of evidence that it really would work I got lazy and
haven't bothered most times. Good to know it's an effective extra preventative
measure.

------
grandalf
I agree about sharing the password, but if you want to avoid cleartext
sending, just go into your settings and choose "use HTTPS for everything"...

------
abecedarius
This is why I don't use Google apps much.

