

Google and Password Security - wesleyac
http://wesleyac.x64.me/blog/?p=25

======
skj
They would not have to store your password to know that you typed an old one
by accident, just a hash.
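As an added illustration of the point in this comment (example code, not from the article or any commenter): a service can tell a user "that is an old password" by keeping only salted hashes of retired passwords, never the plaintext. The `Account` class and its method names are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for the example
HISTORY_LIMIT = 5     # how many retired passwords to remember


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.current = hash_password(password, self.salt)
        # list of (salt, hash) for retired passwords; each entry has its own salt
        self.retired: list[tuple[bytes, bytes]] = []

    def change_password(self, new_password: str) -> None:
        """Retire the current hash, then install the new one with a fresh salt."""
        self.retired.append((self.salt, self.current))
        self.retired = self.retired[-HISTORY_LIMIT:]  # bound the history
        self.salt = os.urandom(16)
        self.current = hash_password(new_password, self.salt)

    def check_login(self, attempt: str) -> str:
        """Return 'ok', 'old_password', or 'wrong' without revealing any password."""
        if hmac.compare_digest(hash_password(attempt, self.salt), self.current):
            return "ok"
        # Check every retired entry rather than returning early, so the time
        # taken does not reveal which (if any) old password was typed.
        matched = False
        for old_salt, old_hash in self.retired:
            matched |= hmac.compare_digest(hash_password(attempt, old_salt), old_hash)
        return "old_password" if matched else "wrong"
```

The "old password" hint only tells a user what they already know; the stored material is the same kind of hash the current password needs anyway.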

~~~
wesleyac
That is true, but all of the things in that post are still true. All of the
password recovery steps will work, no matter how the backend is done.

------
enscr
Recently I lost access to an old google account that I hadn't used in a long
time. Google asked me a couple of questions like when was the account created,
I purposely entered the month incorrectly. This was followed by some other
vague questions like which other google services do I use etc. Finally I was
surprised at how easily I was able to reset my password. An evil mind can
easily compromise tonnes of accounts because there are ways to guess a lot of
the data Google asks. I'll skip the details here.

Bottom line, Google & its users need to step up account security, at least for
their primary account that's tied to banking etc. 2FA is definitely a temporary
peace of mind until someone finds a loophole.

~~~
wesleyac
Currently, the "loophole" in 2FA is that almost no one enables it. Although
it's great that Google offers it, it doesn't help when >95% (Just a guess off
the top of my head, but seems reasonable) of people don't enable it.

I only know one person who uses 2FA, besides myself, yet almost everyone that
I know uses GMail.

------
jmcphers
If you're this concerned about your password security, you should be using
Google's two-factor authentication.

[http://www.google.com/landing/2step/](http://www.google.com/landing/2step/)

~~~
wesleyac
It's not that I am concerned about my security, as I use text message
verification to recover my password. My issue with this is that people who
don't give their phone number to Google can be affected by this.

EDIT: Just set up 2 factor auth. Looks cool, until my phone dies and I don't
have the backup codes with me.

------
pronoiac
The server's overwhelmed. Try the Coral Cache:
[http://wesleyac.x64.me.nyud.net/blog/?p=25](http://wesleyac.x64.me.nyud.net/blog/?p=25)

~~~
wesleyac
Thanks for letting me know. Just installed a cache plugin for WP, so hopefully
it'll be working again soon.

Strange though, I only see the load at 0.75.

~~~
pronoiac
The HTML is loading _very_ slowly - it took 30 seconds in one attempt. And the
images aren't working at all. Oh, you're hosting it from your home DSL line?
Bandwidth is the problem. Maybe you should save everything into a Dropbox
public folder and link it here.

~~~
wesleyac
> Oh, you're hosting it from your home DSL line? Bandwidth is the problem.
> Maybe you should save everything into a Dropbox public folder and link it
> here.

Here you are.
[https://dl.dropboxusercontent.com/u/92312532/Google%20and%20...](https://dl.dropboxusercontent.com/u/92312532/Google%20and%20Password%20Security%20%7C%20_var_log_brain.htm)

------
BIair
The article makes a good point. It appears Google storing old passwords
indefinitely makes your account potentially less secure. So why do they do it?

------
andrewbellay
shhhhh...

