Anyone savvy enough to hang out on HN probably has a fair amount of valuable info in their Gmail account (domain registration info, passwords/access to shopping sites, etc.) and should activate two-factor authentication: http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu...
Is it a little more hassle? A bit. But when someone else tries to log in from a new IP address in the Ivory Coast, or China, or wherever--they'll be prompted for a PIN and won't be able to log in.
I activated two-factor authentication as soon as I could on my Gmail. I think everyone reading this comment should too.
Q: It's too much of a hassle to generate and write a PIN with every login I do!
A: Not so. Google can 'remember' an authorized device for 30 days, so assuming you mostly use the same few devices all the time, the added hassle is very little compared to what you're construing it to be.
Q: But I use many browsers on many devices! (AKA: "But I'm a webdesigner!")
A: Google lets you create limited access, easily revokable, device-specific passwords. You may consider creating one of these for each device that you actually own, but then you're reducing your security so somewhere between 1 and 2-factors.
When making that choice, keep in mind that on a worst case scenario, access to your email = access to all of your other online accounts.
Q: I don't always have access to my mobile!
A: No worries! When you set up 2-factor auth, Google makes you print a little piece of paper with 25 one-time disposable passwords for just such cases.
For some bizarre reason, none of the one-time use passwords were working at all. This was shocking and I realized in an emergency, this would not do. As soon as I got net access and into the backup email address, I turned off 2-factor auth. I'm sure for others who didn't have this edge case paradox issue brought on by stupid me and actually working backup one-time-use passwords, 2-factor is a great choice. And I wish it were for me as well, but it isn't right now.
Notice the 'Get a verification code with a voice call' link. Hopefully you live in a country where they speak your own language, because here in Brazil, whether you get the call in English or (either) Portuguese is completely unclear.
Here's what happens when you click the 'other ways' link:
The first option works as usual, the second accepts only the latest seems to have had unexpected behaviour with you, and the third will take you to a 2-step—specific last-chance recovery form.
Presumably there's a way to handle that case, but it still bothers me. On the plus side, I'm using a Google Apps account with a domain I control, so I could quickly switch to a backup mail provider, but it's of course a huge hassle, and I keep a lot of email in my GMail account.
How do you deal with these kinds of issues? I really do want to use two-factor auth, but this stuff scares me about as much as the possibility of getting hacked.
TOTP is an open standard and the mobile app is open source:
(Disclaimer: I worked on this.)
Is anyone doing that?
I really like using the authenticator on my phone and would love to see other web applications support it.
But I am curious, why isn't the authenticator itself password protected?
Also, fyi, while I understand how to use application specific passwords, I have no good understanding of what they do, how they work, why they are safe or why I only have to enter them once. So they are confusing to me.
The obvious risk of this model is what happens if an untrusted client steals that password.
Since you haven't given it your actual Google password It can still access your data, but it can't change your password (you have to enter your main Google password to do that) or change other critical settings, and if the application is misbehaving all you have to do is click revoke, and its gone.
You only have to enter them once because most clients nowadays provide a 'Remember my Password' functionality. Google assumes you will use this, so only need to enter your password once. If the password is forgotten you just generate a new one.
You only have to enter them once because most clients nowadays provide a 'Remember my Password' functionality. Google assumes you will use this, so only need to enter your password once
Is this really true? Because the documentation for the one time auth doesn't indicate anything like that.
So I am confused as to what is happening in the background on Google's side.
My pseudo-model is that their password acceptance library looks for a correctly identified two factor authentication OR a one time password out of the user's one time password table.
But then I don't understand why these one time auths are one time! If someone finds my phone, or accesses one of my other net accounts that was authorized by my one time auth, they completely win until I can get back to google's page to revoke them.
And related, I don't understand why the authenticator can't generate these one time passwords -- MANY TIMES THAT WOULD BE A LOT MORE CONVENIENT than having to go to the specific page on the web.
And also related: why is there no pin or password for the authenticator?
These are just questions I have -- I'd love to read a page or two that discusses these issues -- I think having a good model of how and why it works as it does would help me secure my data.
There's no such thing as a "one time password". There are "Application Specific passwords" which work exactly like your regular password except that they limit access to critical account settings and can be created/disabled at will. If someone obtains one of your Application Specific passwords then they can use it to log in and access your data until you revoke that password but they cannot change your real password and deny you access to your own account.
Ah. I think this is the key I hadn't understood till now. Thank you.
Some people call the code generated by the authenticator a one-time password, because it can't be reused.
Good to see it can be implemented outside of Google products.
Edit: of course, this is just another implementation of the TOTP method. It does not use Google's infrastructure to send you SMS / voice calls containing the code.
One is you can set a backup phone to use to get into the account, it can even be the same phone you have the authenticator on, so as long as you have the same number, you can access it. The backup phone option can also work with landlines through voice.
They also allow you to print out a set of numbers you can use in case you lose the authenticator to get back into the account.
 Added voice backup note.
I also don't trust my phone enough. But the bigger reason I don't do this is that I don't trust Google enough.
My phone number is private and none of their business. I don't want to give them yet another way to track me.
That way, even if a users computer gets owned with a trojan, the attacker couldnt change the gmail password or remove the 2 way auth tool without first having access to the phone.
But if the person re-authenticating has a trojan on their computer (as may have been the case here) there is _nothing_ that can be done to prevent a third party from accessing their stuff.
First it gives you a list of 10 codes that you should print and keep save. Looks like a TAN list. You can only move on if you check 'I printed these items and will protect them like my first born' or something like that.
After clicking next you are able to set up a phone number that is used as another fallback. Testing if you entered the number correctly is optional here, but worked like a charm.
If I can't remember a password, my wife might.
Hopefully I can set this up with her phone as a fallback.
If they have a trojan on your computer, they can still access everything in your account. 2-factor auth doesn't help. Very little does help if you have a trojan on your computer.
I admit in the scenario played out here - hacker tries to scam your friends - changing the password might help the hackers a little bit. Presumably they want to mail back and forth with your friends (first a plea for help, then sending a bank account number).
Still, that is only a minor danger compared to major damage of accessing your account, which the trojan does anyway.
For example even without a password the scammers could just claim that they have a new email address.
One of the main reasons I had some piece of mind when my account got hacked at MTGOX is that I had two factor on my Gmail: http://www.rakkhis.com/2011/06/i-was-hacked-mtgox-bitcoin-3-...
After this and another incident with a colleagues wife, I have made a note to set it up for my wife's account also tonight.
I hope they expand the list of allowed countries for backup phone numbers soon, including support for the "less important" countries like mine. Or else allow activation of two-factor auth for people who agree to have only the list of printed one-time codes for entry and no backup phone number. Preferably the former.
I live in the UK, but only own a mobile nowadays. So I used a local Skype number for things like this.
Just never let that number expire. And now your Skype account needs a phonemenally complex password too.
How could the 2 step authentication help me - say I register with my US cell phone and I am out of the country for most part of the year?
Enough people have asked these (very reasonable) questions that maybe I should do a video about two-factor authentication.
won't help you if you have no phone at all but you can generate one-time-use passwords at will, so you could just stock up I guess.
On the page that lists the current ones and lets you regenerate them it says, "Be sure to throw away any previous versions. Only the latest set of backup verification codes will work."
Even if somebody else does get access to my (non gmail) email account, all they're going to see is PGP encrypted emails:
Of course, you have to be running your own mail server to implement this.
Now, if you are checking your account from random PC's at internet cafes all over Europe, and making yourself vulnerable to keylogger attacks, you are pretty much screwed anyway. Even if you use two-factor authentication, and remember to clear out the cookie before you leave, an attacker can still steal the cookie and use it to take over your account (or at least steal all sorts of secrets from your gmail account).
Two-factor authentication will definitely help, but it doesn't protect you against carelessness.
Also, if you got a strong and unique password, and do not login from untrusted devices that may be keylogged, you're quite safe already.
I already use a strong/unique password for Gmail, and I do my best not to login from untrusted devices, but adding two-factor authentication reduces the potential attack surface that much more.
2-factor auth gives you a considerable security advantage over "a strong and unique password" and not logging in from untrusted devices - I'd recommend you try it.
(I work at facebook, and we offer a similar thing called "login approvals" - go to "security" under https://www.facebook.com/editaccount.php to turn it on).
As a 1.5 user there is nothing that hacks me off more than getting my hopes up at an app my phone can actually use (a rare occasion these days) and then having it snatched away. I don't blame Google for supporting 2.x and up, but lies are unacceptable.
The software might make it easier than receiving an sms which needs typing in, but all your mobile applications can still use the system - you just generate a new pasword for each application (as you would for a Google Talk client on your desktop).
My laptop has encrypted hard disks so is set to remember Google passwords for 30 days. I can login from other devices using my pasword and an sms validation code which expires as soon as I log out.
* Log in from a computer that's never used this account before
* Set up a forward
* Make a mass mailing
* Change the password
* Do extensive searching or searching for suspicious terms ("password", "credit card", etc)
* Export a large amount of mail
...and other such things. That way, I don't have to be inconvenienced by constantly having to use the second factor, but would still survive a stolen laptop, keylogged passord, or sniffed cookie with a contained amount of damage.
I lost my phone skiing, used an application to find it, and realized someone else had the phone already. Without two factor authentication I would have had to change my gmail password, update it everywhere, and type the wrong password in for the next 2 weeks. Revoking the application was simple and made me feel better about the situation. This was huge for me.
I would recommend everyone who keeps a fancy phone with them nearly 24/7 to enable 2 factor authentication.
What it's like to use:
-Once every 30 days I have to put the code in.
-I keep a paper copy of the 10 backup codes on me. I've had to use 2 of these for when my phone was dead or lost and I was logging on to a new browser.
-I've also emailed these codes to an account that is totally unaffiliated and has no link to my google account.
-I have about 3 other applications I had to set up the application passwords for. This was less painful than I expected.
The real risk is when you're in a worst case scenario - without your wallet, without your phone, and every online email you have is compromised.
Even if someone does manage to get through the 2 factor authentication, there's a pretty good chance they won't disable it or clear out the emergency codes.
I've had Two-Factor on for about a week now and it works very, very well. Most annoying part is setting up the one-off auto-generated passwords for the applications that can't use two-factor.
I am really, really happy to have 2factor auth for my gmail account. In retrospect, I think it's crazy I hadn't set it up before.
Although, I still think it's worth the added effort.
The downside, like I pointed out in another comment , is that even with (hypothetical) read-only access to your email account, a malicious party could arguably steal your accounts elsewhere on the net — that being the main reason why you'd want to have 2-factor authentication whenever possible.
But the trading the 2-factor auth for Google's disposable, device-specific passwords is not at all unreasonable.
Plus, the two-factor authentication may sound like a hassle but it really isn't. You get used to it really fast, and you have to use it surprisingly less than you'd expect because of the option to automatically remember devices (for a month).
Then just use the web interface for managing your settings.
Of course, this isn't a real solution and only will work for people who already are not using the gmail web interface.
I would like Google to give me an option to disable the "last chance form" for my account. Or, if they inisist, I'd like the "last chance" to be to fly to Mountain View and show Google my passport or a court order.
EDIT: and for extra bogusness, it seems that the information needed for the "last chance form" can't be changed if it's compromised. I mean, I can change my passphrase if I suspect it leaked, but how do I change the date when I started using Gmail? Sounds like the best thing to do the moment a Google account is compromised is to close it.
- He used the 'last chance form' to get into my gmail by entering the password I'd given him a year before this (I'd changed the password twice after giving him that password)
- He ran a dictionary attack on my college email which didn't have captcha's, then hacked gmail using the password that worked for my college email
- We were using shared vnc in college, he found his way to my firefox through a mutual friend, installed a plugin that sent him all POST data and got into my gmail again
I created a new gmail account after each incident. I had to abandon each gmail account once it was cracked because of the 'last chance form'. Back then, you only had to give it one or two correct past passwords, and it gave you access. On hindsight, I've been remarkably dense, but it was a good, early lesson.
However, I don't use Gmail for 'everything,' it's just too dangerous and I feel doing that way Google knows more about me than they should. I think everyone should be hosting the main email address under something that they can sure control (your work/edu account, or a paid email service). My main account is hosted on fastmail (I paid something like 12 bucks for three years) and is cloaked under a dozen of other email addresses.
Plus, for fastmail you get a free smtp account, and a standard IMAP account (gmail's IMAP is weird). And they will respond if you're in troubles.
Naturally, you have to like the Gmail conventions to like the Gmail implementations.
I personally trust Google more than I trust some random E-mail hosting company. I KNOW that Google enforce very strict user control, I have no idea how Fastmail or any other enforce.
Fastmail is not really some random company (one of the companies that I feel they know what they're doing) and is very decent in providing user access control. They have Wubikey integration and a dozen more methods to make sure your account is safe. Also, they implemented who sign on what IP years before Google. Btw -- I have 7 days of sign-on history.
Fastmail was recently acquired by Opera. I don't know if that changes anything.
I'm not saying that wonderful things are never free, Free software is an example. However, keep in mind that Google is a business and they'll have to make money. They are not idealistic Richard Stallman who can squat from one house to another.
It sounds very much like the hackers were also using the "last chance form." Consider that all of the information it requests is available through Gmail - account registration data, names of tags, most emailed people, and verification code (which was apparently emailed to him, and therefor present in the compromised email account) (Note: I haven't used the form myself, I'm going on the information in the article).
Also, the title is a bit link-baitish.
It seems more plausible that the recovery form has been gamed. The initial hack was programmed to extract the information in advance and possibly even perform the account recovery if necessary. They know exactly what and how much information is needed for Gmail to accept the recovery, whereas the author had to call his s.o. to fill out all the fields.
Either way, it sounds like the Gmail recovery form should be revised. The author argues recovery is already difficult for the true owner to perform. Google could, while keeping the automated process, make it harder for an algorithm to recover the account than the real owner.
What I would love is if instead it asked for both factors under these circumstances:
- option A - on every login like it is now.
- option B - at least once every X days, with a warning that "within the next three logins you'll need to use your second auth" so I will know when it's coming without being locked out because my phone is dead.
- in both of the above cases ALWAYS require two factor auth every time I change the account settings (like password, recovery addresses, etc.) Possibly even require it when I try to do things like purge a mailbox entirely or bulk email all my contacts.
Having this blended option would make it a no brainer for me
Edit: Thanks all for the clarifications below. I am going to give it a try.
Also, I'm pretty sure there's some option where it only does the 2nd factor once a month if it's on a computer it recognizes.
I turn it off everytime, because I want to be asked for my second factor regardless of the situation.
In the event I don't have my phone with me, I carry the printout of backup codes in my wallet.
Just thought I'd throw it out there. I know it's frustrating to have to unlock, quit app, (wait for the home screen on the slower phones), switch to the App Drawer, scroll, click.
Very strange - he thought he'd been targetted specifically.
gmail's two-factor auth is nice and easy with the handy iPhone app. of course nobody wants to complicate something like sign-in, but email integrity is very important. facebook also has a similar two-factor auth process (though not as nice; they text you, vs a nice app).
two-factor is a no-brainer at this point for managing your identity, especially given the huge volume of leaked passwords we've seen in the past month. it only takes a few minutes to set up and almost completely eliminates problems like the one in this article. if you haven't set it up yet, do it now! much easier than learning the hard way.
Also, by providing it via text messages compared to an application they reach out to a much broader audience. Not just tech-savvy people like you and me, who probably already had a proper password policy.
I'm also very concerned about the no 'restore' option from gmail. What good are google backups if you can't initiate them?
It had been hacked, but the recovery questions hadn't been changed (mainly, I think, because Hotmail makes it incredibly difficult to even find the option to do this). We reset her password, changed everything, and the account got re-hacked within 30 minutes.
This happened three more times until, eventually, the recovery questions were changed and we couldn't get access. I posted on the support forums, regained access, changed EVERYTHING (this included checking for email forwarding rules, and so on).
Now, through all this, I told my friend to not sign in to the account (or use MSN) from any computer except mine, to ensure that it wasn't a keylogger or Trojan that was causing this. My machine was running an up-to-date version of Ubuntu, on my home network, using HTTPS. So I'm pretty sure it wasn't a trojan.
Unlike Google, Hotmail requires a human to look over your problem, so after the third time we had to wait for a day to get the account accessed, we just gave up. I signed in, copied down as many contacts as I could, then deleted all the incoming emails. We ended up having to abandon her Facebook account too, as the hacker accessed that and was spamming her friends. Her Tumblr, and a couple of other accounts were toast also. We almost her Facebook back, but the hacker deactivated the account.
It was very frustrating trying to solve this, because I didn't know how the account was being accessed! I opened a ticket asking the Hotmail support staff to tell me how the password was being reset - not any more information, just the method - and they came back with the standard "we won't reveal information unless you have a search warrant or court order".
I love modern technology and all, but sometimes it's REALLY frustrating.
This indeed increases security, but tends to be a bit cumbersome (I often have a depleted battery, for example, which could prevent access to my emails from a computer) and does not solve other case (like somebody stealing my laptop and using an already opened session).
1) You can print a list of one-time passwords and store it inside your wallet. If your phone's battery is depleted, you can use them to log in. You should store another copy of this list in a safe place, just in case.
2) If somebody steals his laptop, he could always log from another computer and disable his session and/or change his password. He should use a password-protected login on his laptop anyway, with an encrypted drive.
Thanks to my backup email account and 1password's ability to search accounts by password, I was able to restore access and change every account password I had gotten lazy about, before any damage was done. Turn on 2-factor authentication for my Gmail and Google Apps accounts, and now I can finally feel secure with only 2 passwords I have to memorize (Gmail and 1Password).
A friend of mine's Gmail account was compromised (say her email was email@example.com) and they had subtly changed it (perhaps to firstname.lastname@example.org). Her oblivious contacts (including me) replied to her "cry for help," but the messages went straight to the hacker's address. This kept her contacts in conversation with the hacker even after she regained control of her account.
This would add a small measure of protection, though is not ideal as compromised machines (or proxies) in the U.S. could still access the account.
I found several older passwords with my login up on a file-sharing website not so long ago. Luckily I didn't suffer the same fate as the writer's wife.
Also, I believe that google should have 'paid support' in place for this type of situation. No doubt it would be profitable for them, and would save many people quite a lot of pain.
And there it was, in cleartext, on the second page of the search results, along with the username that I used on battlefield heroes beta.
It was on a pastebin with another 60k combinations of usernames and passwords.
The password was only 6 characters in size though (along with every other on that pastebin), so I guess that made it a certainty that it would get cracked.
The problem with this is that your password could end up in your web history and autocomplete. The other option would be an incognito session, but I think that could still lead to it ending up on Google Suggest if you do it often enough.
By regularly, I mean about once a month.
LulzSec has proven why this might be very bad.
And I just suggested gmail this:
Gmail runs my life, as it does yours! Yes, I have an alternate email but whoever has my password can change it and then I'm LOST! You need to make this hackproof (yes yes, i know. but please, atleast TRY)
-Have a backdoor password. There MUST be a 24-48 hour window between changing the backdoor password and the main password.
-Must be a 24 to 48 hour window between a password change and alternate email change.
There's pretty much a one-click restore process now: http://i.imgur.com/1EYZ5.png
You can find more info about restoring contacts at https://mail.google.com/support/bin/answer.py?answer=1069522... or read the blog post from a few months ago at http://gmailblog.blogspot.com/2010/12/restore-your-contacts....
If your weak link, was, as usual, the human link... I would be inclined to trust a system more catering to (forgive me) ignorant users.
I just worry that the mindset is, "I got hacked because I use Gmail, if I used something else I'd be safer." and I find that logical to be pretty flawed.
1. Your self-hosted system will be unique, which means it won't be attractive to phishers (by definition).
2. Because your system isn't a major email service like Gmail, your address won't have the same cachet with other mail services (i.e. auto-whitelisting). Therefore it will be even less of an attractive target to someone attempting to spam. (For the case of criminals attempting social engineering of a contact list, see point 1.)
3. Because Gmail must run mostly without human intervention, you get bad security such as the "last chance" form, in which everything you need to recover the account can be determined by hacking into the account. Self-hosted email won't have this problem, because it will have a human devoted to correcting problems (i.e. you).
There are of course obvious problems with self-hosted email that Gmail doesn't have, but it's not exactly one-sided.
Remember that Gmail had a sysadmin reading the mail of users:
Your points are valid, but why wouldn't these things exist? Doesn't code exist to do this? And if not, is it truly difficult to write?
I'm not saying it's a trivial task, but someone who decides to host their own e-mail would probably be willing to work at it.
Every site you visit in a browser can attack every site you're logged into, but they have to know the URL scheme of those logged in sites.
That's assuming nobody uses anti-CSRF measures, right? If I've got an anti-CSRF token on a form, how are you going to attack it? Or what about pages (e.g., change password pages) that require you to enter your password? Certainly you'd need to know more than the URL scheme.
> That's when I lost the connection again...