
Make Your Email Hacker Proof - superchink
http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html
======
jellicle
While you're thinking about the security of your email in the cloud, remember
this: ANY of your email older than six months can be legally obtained by any
U.S. law enforcement agency without any warrant or judicial oversight of any
sort, even if you enable Google's new 46-factor authentication and use
passwords that take minutes to type in.

[http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-f...](http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-five/)

Do you have any passwords in your email older than six months? Any account
numbers? Anything... incriminating or embarrassing?

~~~
andyouthink
And you think that Google actually deletes email when you tell it to? More
likely they just mark it as deleted and retain it, in which case every email
you ever received regardless of whether you think it has been deleted may be
available. If you want better privacy, install and manage your own mail server
and encrypt everything.

~~~
jrockway
Do you really think your shared host drops blocks when you delete them from
your virtual disk, and do you really think that requests to mlock memory with
crypto keys are really honored? Maybe if you have a dedicated box, but not if
you are using a virtual host. (Have you ever physically seen "your own" mail
server? If not, why do you trust it?)

Also consider what happens to unencrypted email you send or receive: any
upstream servers can be subpoenaed, as can the person on the other end.
Encrypted mail only works when it's encrypted end-to-end and your adversary
cannot seize the sending or receiving computer. I imagine that people who
encrypt their received email end up in court because their sender was not so
careful. Do you trust every person that will ever mail you to keep your
secrets safe? Why?

Ultimately, if the government is your enemy, you need to take a lot more
precautions than "don't use Gmail".

~~~
a3_nm
Yow! The ONLY secure server for TOTAL EMAIL SAFETY is an obsolete LAPTOP
running in your mother's LIVING ROOM!

(Not kidding, I really do that.)

~~~
vacri
My mother spills too much wine for that to be totally safe...

------
raldi
What I really want is for the second factor to kick on only in suspicious
situations, e.g.:

* I'm logging in from a computer that I've never logged in from before

* I'm searching my mail history for terms like "password"

* I'm opening an email that appears to contain a password-reset link

* I'm messing with my mail-forwarding options

* I'm accessing messages in bulk

But I do _not_ want to have to do second factor just because it's been 31 days
since the last time I've done it.

~~~
drivebyacct2
Typing a six digit number every 31 days is too much work to add a significant
layer of security to a very important account?

~~~
raldi
Times two accounts, times four devices, multiple browsers... pretty soon it's
a once-a-week frustration.

~~~
jrockway
I have three accounts and five computers and I don't find the once-a-month
6-digit number to be a big deal. PayPal does annoy me with their policy of
requiring an OTP seemingly every time you visit a page, but it's worth it
because I know that I don't have to have a super-amazing password to stay
safe. Ultimately, the work required to recover from a compromised account is
much higher than it is to type a 6-digit number every month, so I consider it
a good trade-off.

~~~
raldi
In my case, the number always seems to expire when my token is far away. So
another way of alleviating this would be to have a three day grace period
where you're prompted with the option of refreshing your credentials, but you
don't _have to_.

~~~
jrockway
Theoretically, the printed numbers you keep in your wallet can be used until
you get your phone back.

~~~
raldi
I'm thinking more like, I wake up and want to check my mail from bed, but --
surprise! -- it's expiration day, and my OTP token is downstairs. And using a
single recovery code immediately invalidates your electronic token, logging
you out everywhere and forcing you to go through the activation process all
over again before you can log back in.

------
velshin
Is it really that easy to hack someones gmail account?

I realize phishing and key loggers are easy ways to grab a password, but if
you avoid typing your gmail password at public internet kiosks and the like,
is it really that easy for someone to get at? Assuming you use a reasonably
long and impossible to guess password, the captchas would prevent brute
forcing.

An attack targeted specifically at you will inevitably succeed but most of us
are not that special.

The article's advice seems far too easy to lock yourself out (losing my wallet
with my magic paper codes and my phone could do it). The additional
inconvenience does not seem worth it.

Most of us have used physical 2 factor authentication (like RSA SecurID) for
banking and work related VPN access. This works well because the provider
(your office, your bank) has a vested interest in getting you back into your
account if you get locked out. Google, Yahoo, MS, etc. have no such
obligation.

~~~
bigiain
A _startlingly_ large number of people are (still) re-using passwords across
multiple sites. The Gawker/Sony(/PerlMonks for me) compromises revealed a
_lot_ of email addresses and passwords, some significant portion of which
almost certainly allowed attackers access not only to the specific website
that was attacked, but also to the email service of the exposed user.

I'm pretty sure none of Jeff's advice helps you against a government-agency
level attack against you specifically, but following it _will_ protect your
email even if some other random website you once registered for exposes the
login details you used there. I _hope_ that's not a problem for any HN readers
(any more), but what about your partner/children/parents/coworkers? I'd bet
good money that _someone_ you know and care about is reusing their email
account password on random website signup forms.

~~~
alanbyrne
My name is Alan Byrne, I work in IT and I'm a password re-user :(

On that note, does anyone know of a secure keysafe app that will sync across
my various PCs, iPad and Android phone? This is what is stopping me from going
the single use password route.

~~~
andrewaylett
I use Keepass (or KeepassX, or KeepassDroid, and there's an iOS app too) and
Dropbox.

~~~
mseebach
Me too. Just remember to set the load-factor quite high. I've got it set to
about 8 million rounds which is about one second on my beefy work computer,
two on my private laptop and ~eight on my Android phone. The last bit is a bit
annoying but at this point my key database is a pretty high value target - and
I _can't_ revoke access to it remotely if I lose my phone.

------
zobzu
"print the recovery codes and keep them with you at all times"

Wrong. Terribly wrong. Do not do that.

You'll have your phone with you AND the codes.

So, imagine that day, you get your stuff stolen from your person. Laptop,
phone, codes, gone. Bad.

That day you were on a boat and you fall in the water. Phone, codes, gone.
Bad.

Instead store the codes in your own safe, a secret location, or a safe deposit
box.

~~~
modeless
No, it's exactly right. Having the codes with you is not a security risk
because they're useless without your password. You can keep a second copy of
the codes at home if you're worried about losing them.

------
dubfan
"You should start thinking of security for your email as roughly equivalent to
the sort of security you'd want on your bank account. It's exceedingly close
to that in practice."

Actually, I want (and arguably already have) better than that. In the last 4
months I have had two unauthorized debits from my bank accounts: one a result
of a mail thief stealing my rent check from my mailbox, the other an error
made by a bank employee. In the 15 years I've been using email I've never
knowingly had any of my email accounts hacked.

~~~
icebraining
Notice he said the sort of security you'd _want_ on your bank. I assume you'd
want something better than you have right now ;)

Mine does offer two-factor, using either SMS or a physical token. And now that
I think of it, I think it's mandatory if you want to access it online.

------
mikepmalai
For now I have a really long email password, but I'm considering moving my
sensitive data/email out of my general email account and into a new email
address that requires 2 factor authentication.

The thing I really want is a "lockbox" folder in my general email that:

1. Requires 2 factor authentication to access the folder but not my general
inbox

2. I can move messages I consider sensitive from my general inbox to the
lockbox folder

3. Will automatically send emails from my banks, etc. into the folder with
an email showing just the subject line in my general inbox

~~~
dlib
Wow, this would be an excellent feature. Although I've got 2 factor
authentication set up for my whole account and it doesn't really bother me, I
would like to see something like this. An extra measure to protect certain
emails would be really helpful.

------
brazzy
That cell phone you use for receiving the verification codes? It better not be
a smartphone you also use to access GMail, or your 2-factor just became
1-factor, at least to any malware on that phone...

~~~
jrockway
Your phone should never know your password; you log into Gmail from your phone
using an application-specific password. If your phone is infected with malware
and you don't trust it anymore, you deauthorize it and your account is safe.

2 factor authentication is an amazingly simple solution to a large number of
complex problems.

~~~
pyre

> If your phone is infected with malware
> and
> you don't trust it anymore

Those don't necessarily go hand-in-hand.

------
bo1024
This worry seems a bit overblown to me. If your email is that important to
you, you should follow these steps:

1. Use a _unique_, long, random, secure password.

2. Don't tell it to anyone.

3. Use an email service that stores passwords hashed with a salt and a secure
hash algorithm.

And you will have nothing to worry about. If you are very paranoid or
traveling a lot, you can add:

4. Don't log in from insecure devices.

5. Make sure nobody's filming your fingers when you type your password.

If you're actually concerned with these two, you probably have bigger issues
and are already taking more precautions like 2-factor authorization or so on
anyway.
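
Point 3 above, and mseebach's note earlier in the thread about setting the key-database "load factor" to millions of rounds, both come down to the same thing: a per-user random salt plus a deliberately slow, iterated hash so that a leaked database cannot be cracked cheaply. The following is an added example (not code from the article, from Google, or from KeePass, whose key-transformation scheme differs from PBKDF2 even though the rounds idea is the same). It uses only the Python standard library; the target time and iteration floor are assumptions chosen for illustration.

```python
"""Salted, iterated password storage with PBKDF2-HMAC-SHA256.

Added example: calibrates the iteration count to this machine, stores
salt + cost alongside the derived key, and verifies in constant time.
"""
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
SALT_BYTES = 16
KEY_BYTES = 32
ITERATION_FLOOR = 100_000  # assumed minimum; never go below this even on slow hosts


def calibrate_iterations(target_seconds=0.25, floor=ITERATION_FLOOR, probe=50_000):
    """Pick an iteration count so one derivation takes ~target_seconds here.

    This is what "set the load factor quite high" means in practice: the
    cost is tuned per machine, and the chosen count is stored with each
    record so it can be raised later without breaking old entries.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"calibration", b"\x00" * SALT_BYTES, probe, KEY_BYTES)
    elapsed = time.perf_counter() - start
    estimate = int(probe * target_seconds / max(elapsed, 1e-9))
    return max(floor, estimate)


def hash_password(password: str, iterations: int, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations, KEY_BYTES)
    return "$".join(["pbkdf2_" + HASH_NAME, str(iterations), salt.hex(), key.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_" + HASH_NAME:
        return False
    _, iterations, salt_hex, key_hex = parts
    key = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode(), bytes.fromhex(salt_hex), int(iterations), KEY_BYTES
    )
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    rounds = calibrate_iterations()
    record = hash_password("correct horse battery staple", rounds)  # constructed sample
    print(rounds, record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
```

Two points a practitioner would check: the same password hashed twice yields different records (different salts), and the iteration count lives inside the record, so raising the cost later only requires re-hashing on the user's next login.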

~~~
DanI-S
6. Cross your fingers and hope that you'll never use a machine afflicted with
a keylogging trojan.

~~~
sciurus
See #4.

~~~
ohashi
If only it were that easy.

------
rdl
The thing I hate about Google Authenticator is when you use a google
authenticator protected gmail account for other google services. Google has a
bunch of things where they don't yet support 2fa, so sometimes you enter the
wrong password.

It would be good if you had a dedicated-to-email google account, definitely.
As it is, I use it for a gmail account I use with all my google services, and
it's a real pain -- especially because the gmail password itself is a long
random string, and sometimes I need to enter that on a mobile or other device.

I'd really like better user credential management using something like OneID
(public keys, challenge-response auth), but people have tried that in the past
and haven't been terribly successful getting it adopted. It might work better
on a mobile OS, so maybe next-gen Apple iOS keystore could do something like
this.

~~~
badcrcerror
Facebook handles apps that don't support 2factor pretty well. Your first login
will be rejected but you'll be messaged the 6 digit code to login with as your
"password".

------
my8bird
While I like 2 step authentication I wish Google would get rid of SMS password
reset. With this enabled all a person needs is your phone to gain access to
your account. Given that police can grab you phone whenever you are stopped
this means they can "hack" your account at the same time. Another example
could be a cleaning person at a hotel finding your phone. Just two examples
off the top of my head. Basically, SMS password reset makes your phone the
golden key.

[http://support.google.com/accounts/bin/answer.py?hl=en&a...](http://support.google.com/accounts/bin/answer.py?hl=en&answer=152124)

~~~
smiler
As long as you have a pin lock on your phone, neither the cleaning person nor
the police will be able to do anything with your phone.

~~~
sp332
It's not that hard for law enforcement to get your PIN. e.g.
[http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-...](http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-simple-passcodes/)

------
trout
I've made a few changes to securing mine with 2 factor.

1. Altered the digits in my wallet so only I know how to recover the real
numbers.

2. Created a junk email with a secure password with a security-through-obscurity
email with the numbers (again modified)

The use case - losing both your cellphone and wallet. There's basically not an
easy way to get back to your data.

I have to remember a few things:

-- Normal password to email

-- Modification I used to numbers in wallet

-- Modification for numbers in junk email

-- Junk email username

-- Junk email password

It's definitely a burden. But it's worth the security of my email. At this
point it reduces the burden of regularly changing my email password or adding
complexity to the password.

~~~
abraham
The good thing about the recovery numbers is they are still no good without
your password. So someone would have to both get your password and steal your
wallet to gain access.

------
munin
so now it is only a matter of time until the keylogging software that everyone
is so terrified of is modified to also take the session cookie from your
browser that authenticates you to gmail. you know, the thing that makes it
okay for you to click "remember this computer for 30 days" ...

~~~
gibybo
The session cookies are often tied to IP address.

~~~
munin
are they? have you ever logged in at home, suspended, and then gone to work?
or the coffee shop?

~~~
abraham
Google might compare browser/OS entropy as well as IPs.

[https://www.eff.org/deeplinks/2010/01/primer-information-the...](https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy)

------
andyouthink
Great article on 2-factor auth. I didn't understand how easy it was, so I'm
switching to it now. However, if you use a mail client and generate app-
specific passwords that last forever, can't the hackers just hack via IMAP
login instead which won't be 2-factor?

It seems like it would be better to use private keys on the client with 2
factor auth for authentication recovery. That way as long as you have the
right private key locally that your mail client uses, you are set- otherwise
you have to both provide a password and an SMS delivered code in order to use
a different private key on the client.

------
gabaix
What happens when you travel abroad and your phone does not work?

I am wondering if Gmail could implement security questions to avoid cases
where the 2-step verification works against the user

~~~
evanwillms
That's exactly what I've been wondering about enabling two factor
authentication for something I use as often as email.

Apparently you can print a series of one-time use verification codes that work
any time to sign into your two-factor account. Stick a few on a card in your
wallet and don't forget to generate more before you're out!

[https://support.google.com/accounts/bin/answer.py?hl=en&...](https://support.google.com/accounts/bin/answer.py?hl=en&answer=1187538)

~~~
dlib
When you do run out of verification codes, but you do have a working phone the
6 digit codes can also be sent to you through text messages or even a phone
call from Gmail.

------
pepijndevos
I access my email from _one_ app over SMTP, using a unique password. For me,
this 2-factor auth would just mean having a different and slightly longer
password for SMTP.

~~~
andreasvc
SMTP is only for sending mail to and between mail servers. Did you mean
something else?

And no, 2-factor is not the same as a long password, because it is less likely
that both factors will get compromised at the same time. However long your
password is, a single software flaw could expose it.

------
mrcharles
I've been using 2-step verification and app specific passwords for a long time
now, and it's just trivial once you get used to it. Highly recommended.

------
molsongolden
It's interesting that the "hacker" sent out a mugged in Madrid email. A friend
in Nepal had his Yahoo account hacked last week with the same email sent out.
I wonder how they targeted people or gained access since his wife was using
Gmail and is (most likely?) in a western country and my friend is from Nepal.
It doesn't seem like they would be using any of the same websites.

~~~
uxp
Just like a lot of lead generation/spam email campaigns I've seen, I'd assume
a lot of phishing and scam email "campaigns" are strictly copy and pasted from
a single source (ie, a forum post somewhere), with very few scammers actually
putting any effort into changing it to be somewhat unique in favor of trying
to get the message to as many people as quick as possible.

------
romaniv
The article sounds like this requires you to submit a cell number to Gmail.
(In fact, I think merely registering an account nowadays requires a number,
but I'm not sure about that.)

If you think that's the only way to get 2-factor authentication working,
you're wrong. If you think there is nothing wrong with your email provider
demanding info like cell phone numbers, you're wrong again.

~~~
Atrus6
I don't think there is anything wrong with an email provider asking me for my
cell number to send me text messages, how else would they send them?

In addition, a cell phone number is NOT required to create a Google account.
Sure they ask (and gender is apparently required, I just made an account), but
if you leave it blank, they won't complain.

~~~
romaniv
There is nothing wrong with providers giving you _an option_ to use your
number for notifications. However, if we are required to provide phone number
for security features that can be implemented without using phones, there are
a few things wrong with it.

How can this be implemented without using a phone number? Well, the article
actually contains one way - pre-shared secret codes that you print out
beforehand. There are many others.

------
robin_reala
I’ve enabled and stayed with 2-factor auth on my Google account, but it broke
my Google Talk login on Adium and I’ve never found anyone to talk to about it
(bug report on Adium went unnoticed and Google got rid of bug reporting for
Google Talk). Hopefully a burst of attention will throw up some other people
with the same problem.

~~~
grk
Did you use an application specific password for Adium login? When you enable
2 factor auth, you need to generate those passwords for every app you use.

~~~
robin_reala
Yep, done that. This approach works with my 3 copies of Reeder (work, home,
phone) and Calendar on my phone, but for some reason Adium refuses to log in.
Bug report (along with network trace) is:

<http://trac.adium.im/ticket/15310>

I’m guessing it’s because my Google account doesn’t have a Gmail account
associated with it, but Google Talk still works fine from the widget on
iGoogle.

_Edit: opened a superuser.com question: [http://superuser.com/questions/413859/google-talk-and-2-fact...](http://superuser.com/questions/413859/google-talk-and-2-factor-authentication)_

~~~
jarito
I think you are right about the gmail issue. I use adium on an iMac and
Macbook for work and Digsby on my Windows box at home and the application
specific passwords work fine for me.

~~~
robin_reala
Google Talk will be tested by Google employees, and how many of them don’t
have a Gmail account? :) I still feel that this should work though.

------
bckelly
Shameless plug for <http://duosecurity.com>

We offer a two-factor cloud service to protect any kind of service that may be
remotely accessed: web, ssh, rdp, vpn, ...

Biggest difference from Google Authenticator is the smart phone user
experience: one tap to approve a login instead of transcribing a six digit
OTP.

------
Wiesenwegler
Would using this not solve the problem without the hassle
[http://security.stackexchange.com/questions/13226/how-can-pr...](http://security.stackexchange.com/questions/13226/how-can-privatesky-not-see-your-data/13289#13289)
? Seems robust enough ito safety and easy enough to use incl 2-Factor...

------
gaelian
Not that anyone should need further convincing, but just in case here's
another data point drawn from my own experience:

[http://blog.binarybalance.com.au/2012/03/11/a-wakeup-call-fr...](http://blog.binarybalance.com.au/2012/03/11/a-wakeup-call-from-online-security-will-you-accept-the-charges)

------
pbz
I have two-way enabled, but when logging in via Google Talk (windows app) it
seems to bypass it. If I go straight to gmail.com and login I'm asked for the
second auth, but clicking via Google Talk (already signed in) it logs me in
to GMail directly. Anybody know if this is normal / expected?

~~~
eigenvector
It's because Google Talk is permanently authorized via its application-specific
password.

------
digitalsushi
I think this is great, but it doesn't appear to be enabled for the freebie
google apps for domains service.

~~~
digitalsushi
I was wrong - the domain administrator can enable this feature in the
settings. I apologize for the noise.

~~~
drewcrawford
Not noise at all. It took me ten minutes to find this option. Turns out it's
buried under "Advanced Tools" -> Authentication

------
jbredeche
I put a copy of the single-use backup verification codes into an alternate
dropbox account I have (that isn't linked to my primary email address).
Figured if I'm somewhere with enough internet access to get to gmail, I'll be
able to get to dropbox.com and get the codes.

~~~
alanbyrne
I've done a similar thing but put them on my colo server. Hopefully getting
SSH access in an internet cafe doesn't work out to be too hard.

------
drx
I really, really wish I could use per-site password authorization without
using two factor auth.

------
zobzu
There's a very "simple" way to steal stuff via email.

Find the relevant service. Spoof DNS. Get emails.

Alternative. MITM the SMTP (thanks anonymous SSL, no certificate errors!).

And that's scary, since neither 2 factor auth nor anything else can really save
you from that.

------
kghose
What happens for IMAP accounts? e.g through Mail.app or Thunderbird?

~~~
JangoSteve
It's in the article, but basically you just generate app-specific passwords
for each one, which you can revoke at any time.

~~~
eli
The sucky part is that nothing enforces their app-specificness. It would be
neat if I could generate a password that only works from my home connection.
Or only works for GChat, but not other services.

~~~
munin
you can't use an app specific password to login to the gmail web interface and
change your password.

so while you could use a compromised application specific password to do
horrible things (download all your email and send e-mail as you), you could
not use that app specific password to immediately log in to the administration
page for your account and lock the legitimate user out...
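
eli wishes an app-specific password could be limited to one service or one network, and munin points out that one property already holds: an app password cannot reach the account-settings page. The following is an added example, a hypothetical model rather than Google's implementation, of what a credential store with those properties looks like: each app password is bound to a fixed set of service scopes, optionally to a source network, and is refused the account-settings scope unconditionally, so a leaked one cannot be used to change the real password and lock the owner out. Scope names, the network restriction, and the sample passwords and addresses are all constructed for the example; only the Python standard library is used.

```python
"""Scoped application-specific passwords (hypothetical model, added example).

Properties demonstrated:
  * an app password only works for the service(s) it was issued for;
  * it may additionally be pinned to a source network;
  * it can never be granted the account-settings scope;
  * it can be revoked individually without touching the main password.
"""
import hashlib
import hmac
import ipaddress
import secrets

ADMIN_SCOPE = "account-settings"  # reachable only by a full password + second-factor login


class AppPasswordStore:
    def __init__(self):
        # sha256(password) -> (label, frozenset(scopes), ip_network or None)
        # App passwords are high-entropy random strings, so a fast hash
        # suffices; the slow, salted treatment is for human-chosen passwords.
        self._records = {}

    def issue(self, label, scopes, network=None):
        """Create a new app password for `label`; returns it once, in clear."""
        if ADMIN_SCOPE in scopes:
            raise ValueError("app passwords cannot carry the %s scope" % ADMIN_SCOPE)
        password = secrets.token_hex(8)  # constructed format, not Google's
        digest = hashlib.sha256(password.encode()).hexdigest()
        net = ipaddress.ip_network(network) if network else None
        self._records[digest] = (label, frozenset(scopes), net)
        return password

    def revoke(self, label):
        """Drop every app password issued under `label` (e.g. a lost phone)."""
        self._records = {d: r for d, r in self._records.items() if r[0] != label}

    def authorize(self, password, scope, source_ip):
        """True only if the password exists, covers `scope`, and the
        source address lies inside any network the password was pinned to."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        record = None
        for stored, rec in self._records.items():
            if hmac.compare_digest(stored, digest):
                record = rec
        if record is None:
            return False
        _label, scopes, net = record
        if scope == ADMIN_SCOPE or scope not in scopes:
            return False
        if net is not None and ipaddress.ip_address(source_ip) not in net:
            return False
        return True


if __name__ == "__main__":
    store = AppPasswordStore()
    home_imap = store.issue("home mail client", {"imap"}, "192.0.2.0/24")
    print(store.authorize(home_imap, "imap", "192.0.2.10"))        # True
    print(store.authorize(home_imap, "imap", "198.51.100.5"))      # False: wrong network
    print(store.authorize(home_imap, "xmpp", "192.0.2.10"))        # False: wrong service
    print(store.authorize(home_imap, ADMIN_SCOPE, "192.0.2.10"))   # False: never allowed
```

The point of the admin-scope rule is exactly munin's observation: a stolen app password is still bad (it can read and send mail within its scope), but the damage is bounded and the legitimate owner keeps control of the account, since changing the password or revoking credentials needs a full login.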

~~~
eli
Really? I could have sworn I tried and it worked just like a full login. I
signed up for two-factor very early so perhaps that was fixed along the way.
Neat!

------
jcfrei
dropbox really needs this too. although my information on that account is not
nearly as sensitive as on gmail, i'm sure it will amount to a similar
sensitivity in the future.

~~~
dlib
Indeed, any time I log in, a mental note pops up saying how insecure this is
considering the files stored on Dropbox. Yesterday I received a phone call from
a friend whose Gmail and Facebook were hacked, after I had advised her to use
2-factor authentication and she ignored it. So glad that I do use it but now
Dropbox remains the weakest link.

------
tbod
I'm surprised that nobody has yet commented on the second website mentioned on
the application specific password section... nice touch to a great article!

------
sliverstorm
fetchmail is very handy for this sort of problem. Regularly pull and remove
your mail from your webmail account. Then you can manage it locally the same
way you would all your other archives.

Not _foolproof_ , of course, but it improves matters. Also note I don't
present this as a solution for John Everyman, but rather the sorts of folks
who might be reading Coding Horror.

------
evoxed
> provided you own a cell phone.

Well, crap. My only "phone" is my Google Voice number...

~~~
RexRollman
Could always use an iPod Touch, if you have one.

~~~
evoxed
That's actually my current setup. It still kind of defeats the purpose though;
I have to be logged in to Google Voice in order to authenticate logging in to
Gmail _with the same account_. I'll wait for them to get a little more
creative before I expect it to be much safer.

------
loverobots
_(You can check the "remember me for 30 days on this device" checkbox so you
don't have to do this every time.)_

No thanks. Google remembers a lot more than "this device," more like
everything I do within that device thanks Search cookies, Adsense, Analytics
on millions of sites and who knows what else

~~~
karterk
I always have my gmail logged-in in a separate browser and I don't use that
for any other browsing.

~~~
ricardobeat
Could just open an incognito/private window.

~~~
abraham
You can also use profiles in Chrome:
[https://support.google.com/chrome/bin/answer.py?hl=en&an...](https://support.google.com/chrome/bin/answer.py?hl=en&answer=2364824)

------
phwd
> Hey, This Sounds Like a Pain!

Yes, because it is a pain. Try going on a vacation, you know the one where you
don't use cell roaming. SMS is out, so then one must find a Wifi hotspot to
use one of the smartphone time based tokens (edit: seems the tokens don't need
a network connection, could have fooled me). And those time based tokens go
out of whack if your phone didn't sync the timezone properly to match Google's
setup, so every token ends up not working.

Use the print out backup verification codes on a piece of paper? No, because
they are single use. So you end up using up all your backup codes depending on
the length of your vacation. I've used 2 step for a long while, I liked it,
but I really could not get used to whipping out my phone every time I needed
to check something related to Google.

I've had other hiccups such as mobile provider down, phone died etc. Maybe my
best option was to keep all the backup codes on hard plastic with checkmarks
next to used backup codes and secure them the same way I do my banking cards,
maybe, I'll just try this one day.

If one is going to jump through all these spy-style codes might as well just
change your password on a regular basis, forcing all previous sessions to
invalidate.
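
The smartphone time based tokens in the comment above are TOTP codes (RFC 6238, which is what Google Authenticator implements): the code is an HMAC over the current 30-second time step, so it needs no network, but a phone whose clock is off produces codes the server will not accept. The following is an added example, not code from the article or from Google, showing how the code is derived, how a server absorbs modest clock drift with a small window of adjacent steps, and why a clock that is minutes out falls outside that window. The secret is the RFC 6238 test-vector key, used here as constructed input; the window size and the replay check are assumptions about how a server would be configured.

```python
"""TOTP (RFC 6238) generation and drift-tolerant verification.

Added example using only the Python standard library.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time step used by Google Authenticator and most apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    This is the only clock dependence: if the phone's idea of Unix time is
    off by more than a step or two, the counter (and so the code) is wrong."""
    return hotp(secret, int(unix_time // STEP_SECONDS), digits)


def verify_totp(secret, code, unix_time=None, window=1, digits=6, last_counter=-1):
    """Return the matching time-step counter, or None if the code is rejected.

    window: how many 30-second steps either side of the server clock are
    accepted (assumed 1 here); drift beyond window*30 seconds is rejected.
    last_counter: highest counter already accepted; codes at or below it are
    refused so a captured code cannot be replayed inside the window.
    """
    if unix_time is None:
        unix_time = time.time()
    current = int(unix_time // STEP_SECONDS)
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key (constructed input)
    print(totp(secret, 59, 8))  # RFC 6238 vector for T=59: 94287082
    now = 1_000_000_000
    code = totp(secret, now)
    # phone clock 30 s behind the server: still inside the +/-1 step window
    print(verify_totp(secret, code, now + 30))
    # phone clock two minutes behind: outside the window, rejected
    print(verify_totp(secret, code, now + 120))
```

The practical consequence for the vacation case is that the phone only needs a correct clock, not a network; the failure described above is a time-sync problem, and a server that widened its window to cover minutes of drift would also be widening the period in which an observed code stays valid, which is why the window is kept small.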

~~~
rickyc091
Assuming you were able to use half the backup codes, since you have internet
access you can always generate a new batch. I've been using 2 pass since it
came out and it's honestly not that bad for the sense of security. Some banks
are already using this system.

~~~
beej71
Can we trust the screen the new codes are being displayed on? :-)

