Do you have any passwords in your email older than six months? Any account numbers? Anything... incriminating or embarrassing?
Having your e-mail accessed by black-hat hackers is "right-now, have to change every password in the world, block and replace every credit card at the most inconvenient time possible, deal with spam and scams in my name, possible ID theft and potentially sensitive data being made public"-worrying. And you can make that attack significantly harder, so you should do that. Right now.
Or, tl;dr: Perfect is the enemy of good, go enable two-factor.
Also consider what happens to unencrypted email you send or receive: any upstream servers can be subpoenaed, as can the person on the other end. Encrypted mail only works when it's encrypted end-to-end and your adversary cannot seize the sending or receiving computer. I imagine that people who encrypt their received email end up in court because their sender was not so careful. Do you trust every person that will ever mail you to keep your secrets safe? Why?
Ultimately, if the government is your enemy, you need to take a lot more precautions than "don't use Gmail".
(Not kidding, I really do that.)
See http://support.google.com/mail/bin/answer.py?hl=en&answe..., which is specific to Gmail, but the same rules apply for other products that store user information. There is a whole team that works on this to monitor the process and help product teams implement the policy.
Deleted messages are wiped within ~60 days. The delay is needed to ensure that all copies of the message are deleted, including those that may be on tape.
Seriously? So you reuse all tapes after 60 days? That wouldn't be a smart thing to do if you really care about retention, and I don't mean solely retaining deleted mail, but just retention of data in general. Regardless of stated policies, I don't believe you. Business critical data like that would not only be stored for 60 days - not in Google.
I didn't say that.
I've worked at companies where the publicly posted policies had little-to-nothing to do with how the company really operated.
That has not been my experience at Google. Handling user-data properly is taken very seriously. A significant amount of effort (and money) is expended making sure of this.
I can't control whether or not you believe me and I can't go into too many details or share too many war stories. I'm an engineer that has worked at both the bottom of the stack (building the hardware that runs in the data centers) and at the top of the stack (a large user-facing product) and I can tell you that I have many first-hand experiences where protecting user-data was prioritized over other concerns - often at non-trivial cost and effort.
Now, the government certainly does things that are unconstitutional sometimes, and manages to avoid having any court review them. I'm sure there are abuses here. It's disappointing that the Justice Department tried to oppose a warrant & probable cause standard for electronic searches as if there's room for dispute on that one. But the minute they try to take much advantage of this law it'll be struck down, and they know it.
It's possible that I'm (weirdly) less cynical about this as a defense attorney than most people are. In my line of work the constitution is constantly standing between police and what they wish they could do. I'm thinking of a particular case, not uncommon, where a three-hour confession was basically thrown out because the judge looked carefully at the recording and the police didn't quite handle it right. They didn't beat the guy, but they didn't do what they needed to do to make sure the confession was voluntary. And of course this drives the police nuts -- the executive branch's position is always that any limitation on their power is a threat to public safety. Resisting that position is why we have constitutional standards and separation of powers in the first place.
Incidentally, the DOJ testimony is a little more nuanced than Wired makes out. The testimony makes some legitimate points -- that agencies like the SEC rely on their ability to use subpoenas (as opposed to warrants) to enforce financial laws, and that it's not clear how much evidence you should need that a particular email account contains evidence of criminal activity in order to obtain a warrant to search that account. (If I have 100 gmail accounts, and you know I've used five of them to run drug transactions, do you need independent evidence to search each of the others?) This means any law governing search of emails would have to be written carefully (or vaguely, so the courts could figure it out under the Fourth Amendment). But the DOJ's conclusion that maybe the law should try to exempt electronic records from search and seizure protections is typical executive branch posturing -- both absurd and unenforceable.
(This is not legal advice. It's just a thing I wrote on a forum. I could be totally wrong. Consult your doctor if effects last more than four hours.)
http://www.wired.com/images_blogs/threatlevel/2011/04/bakere..., page 11.
* I'm logging in from a computer that I've never logged in from before
* I'm searching my mail history for terms like "password"
* I'm opening an email that appears to contain a password-reset link
* I'm messing with my mail-forwarding options
* I'm accessing messages in bulk
But I do not want to have to do second factor just because it's been 31 days since the last time I've done it.
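The list above is a risk-based step-up policy: challenge for the second factor on specific signals rather than on a calendar. Below is an added example (not code from the thread or from any mail provider) that encodes those triggers as a small policy engine and runs a constructed session through it. The event names, the bulk-access threshold and the sample sessions are assumptions; a real provider would have its own signals and thresholds.

```python
"""Risk-based step-up: demand the second factor on suspicious signals, once per session.

Added example, not from the original thread or from any provider. The event
vocabulary, the BULK_THRESHOLD and the sample sessions are assumptions.
"""
from dataclasses import dataclass, field

SENSITIVE_SEARCH_TERMS = {"password", "passwd", "ssn", "account number"}
BULK_THRESHOLD = 200  # messages touched in one request (assumed value)


@dataclass
class Session:
    user: str
    device_id: str
    known_devices: set = field(default_factory=set)
    step_up_done: bool = False  # second factor already presented in this session


def needs_step_up(session, event):
    """Return (required, reason) for one event dict with an 'action' key."""
    if session.step_up_done:
        return False, "already verified this session"
    if session.device_id not in session.known_devices:
        return True, "unrecognised device"            # new computer
    action = event.get("action")
    if action == "search_mail":
        q = event.get("query", "").lower()
        if any(term in q for term in SENSITIVE_SEARCH_TERMS):
            return True, f"sensitive search: {q!r}"  # hunting for credentials
        return False, "ordinary search"
    if action == "open_message" and event.get("has_reset_link"):
        return True, "message contains a password-reset link"
    if action == "change_forwarding":
        return True, "forwarding rule change"       # classic persistence trick
    if action == "fetch_messages" and event.get("count", 0) >= BULK_THRESHOLD:
        return True, f"bulk access of {event['count']} messages"
    return False, "routine action"


def evaluate(session, events):
    """Run events through the policy. An event carrying otp_ok=True means the
    user answered the challenge, which clears step-up for the rest of the
    session and enrols the device, so nothing is asked again on a timer."""
    decisions = []
    for ev in events:
        required, reason = needs_step_up(session, ev)
        decisions.append((ev["action"], required, reason))
        if required and ev.get("otp_ok"):
            session.step_up_done = True
            session.known_devices.add(session.device_id)
    return decisions
```

The point the example makes is that the challenge is tied to the risky action, not to elapsed time: once the user has proved possession of the second factor on a device, routine reading on that device is not interrupted again.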
If one of your devices is stolen, you go reset the pass. As simple as that.
Plus, 31 days is a long time for the hacker, so it's not adding all that much security.
No, but it might well be for the guy who fishes your old harddrive out of a bin.
Having to type it every 31 days (per browser, per device, per account) adds very little marginal security. In fact, in my case it actively hampers security, because it keeps me from using two-factor altogether.
Does this expiration after 31 days add any extra protection?
I realize phishing and key loggers are easy ways to grab a password, but if you avoid typing your gmail password at public internet kiosks and the like, is it really that easy for someone to get at? Assuming you use a reasonably long and impossible to guess password, the captchas would prevent brute forcing.
An attack targeted specifically at you will inevitably succeed but most of us are not that special.
The article's advice seems far too easy to lock yourself out (losing my wallet with my magic paper codes and my phone could do it). The additional inconvenience does not seem worth it.
Most of us have used physical 2 factor authentication (like RSA SecurID) for banking and work related VPN access. This works well because the provider (your office, your bank) has a vested interest in getting you back into your account if you get locked out. Google, Yahoo, MS, etc. have no such obligation.
I'm pretty sure none of Jeff's advice helps you against a government-agency level attack against you specifically, but following it _will_ protect your email even if some other random website you once registered for exposes the login details you used there. I _hope_ that's not a problem for any HN readers (any more), but what about your partner/children/parents/coworkers? I'd bet good money that _someone_ you know and care about is reusing their email account password on random website signup forms.
On that note, does anyone know of a secure keysafe app that will sync across my various PCs, iPad and Android phone? This is what is stopping me from going the single use password route.
Wrong. Terribly wrong. Do not do that.
You'll have your phone with you AND the codes.
So, imagine that day, you get your stuff stolen from your person. Laptop, phone, codes, gone. Bad.
That day you were on a boat and you fall in the water. Phone, codes, gone. Bad.
Instead store the codes in your own safe, a secret location, or a safe deposit box.
Actually, I want (and arguably already have) better than that. In the last 4 months I have had two unauthorized debits from my bank accounts: one a result of a mail thief stealing my rent check from my mailbox, the other an error made by a bank employee. In the 15 years I've been using email I've never knowingly had any of my email accounts hacked.
Mine does offer two-factor, using either SMS or a physical token. And now that I think of it, I think it's mandatory if you want to access it online.
The thing I really want is a "lockbox" folder in my general email that:
1. Requires 2 factor authentication to access the folder but not my general inbox
2. I can move messages I consider sensitive from my general inbox to the lockbox folder
3. Will automatically send emails from my banks, etc. into the folder with an email showing just the subject line in my general inbox
2 factor authentication is an amazingly simple solution to a large number of complex problems.
> If your phone is infected with malware
> you don't trust it anymore
1. Use a unique, long, random, secure password.
2. Don't tell it to anyone.
3. Use an email service that stores passwords hashed with a salt and a secure hash algorithm.
And you will have nothing to worry about. If you are very paranoid or traveling a lot, you can add:
4. Don't log in from insecure devices.
5. Make sure nobody's filming your fingers when you type your password.
If you're actually concerned with these two, you probably have bigger issues and are already taking more precautions like 2-factor authorization or so on anyway.
I also check my email so frequently that two-factor authorization would be a significant inefficiency, so there is certainly a cost-benefit tradeoff there.
The attack that is prevented here is someone who knows your password getting access to your account. They can't get access unless they know your password and manage to steal your OTP generator or device. That's significantly harder than knowing someone's password. (Knowing your password is probably hard, but I know many peoples' password. It's "password".)
It's email, people. You won't die if you don't check it for three hours. And if you do... well, then you should probably've brought your own laptop (although that may make system administrators sad).
Again, these aren't for the most extremely cautious/savvy users out there, just the 99.9%.
Many moons ago I read the table of contents of Silence on the Wire. One chapter that particularly caught my eye was "I can hear you type.". (Which for some reason was stored in my memory as "I can hear your keystrokes." Which sounds more stalkerish IMO.) Just because of how creepy it sounded. Later I was talking to someone I knew over the phone when they stopped for a moment to enter a username and password for $WEBSITE.
All of a sudden an amusing side channel attack popped into my head:
"I wonder if it's possible to reproduce someones password by hearing their keystrokes?" I figured it would actually be a useful skill if someone were trained to recognize the sound of keystrokes from the most common keyboard phenotypes.
http://nostarch.com/silence.htm (I haven't actually read it so I don't know if that is or isn't in the book. All I know about it is the Table of Contents.)
A good first step would be reinforcing the idea that you should never use your email password for any other account. Few people will go through the effort of brute-forcing a standard-issue gmail account when they can easily download a bunch of pre-hacked usernames and passwords.
And using two factor auth is easier than remembering a long, truly unique password. (Though if you're not using LastPass, stop what you're doing and go install it. Just freaking do it.)
If they limit them to a few failed logins a day or hour and show you the failed logins, it's hard to guess even if you have it jeff(3-4 numbers)
It would be good if you had a dedicated-to-email google account, definitely. As it is, I use it for a gmail account I use with all my google services, and it's a real pain -- especially because the gmail password itself is a long random string, and sometimes I need to enter that on a mobile or other device.
I'd really like better user credential management using something like OneID (public keys, challenge-response auth), but people have tried that in the past and haven't been terribly successful getting it adopted. It might work better on a mobile OS, so maybe next-gen Apple iOS keystore could do something like this.
1. Altered the digits in my wallet so only I know how to recover the real numbers.
2. Created a junk email with a secure password with a security-through-obscurity email with the numbers (again modified)
The use case - losing both your cellphone and wallet. There's basically not an easy way to get back to your data.
I have to remember a few things:
--Normal password to email
--Modification I used to numbers in wallet
--Modification for numbers in junk email
--Junk email username
--Junk email password
It's definitely a burden. But it's worth the security of my email. At this point it reduces the burden of regularly changing my email password or adding complexity to the password.
It seems like it would be better to use private keys on the client with 2 factor auth for authentication recovery. That way as long as you have the right private key locally that your mail client uses, you are set- otherwise you have to both provide a password and an SMS delivered code in order to use a different private key on the client.
I am wondering if Gmail could implement security questions to avoid cases where the 2-step verification works against the user
If you are planning to be without your phone, you can always disable 2-step verification temporarily: https://support.google.com/accounts/bin/answer.py?hl=en&...
Finally, if you lose your phone, you should always have your single-use backup verification codes to allow you to login.
I personally put my phone in "airplane mode" for the trip (still waiting for that market changing deal where you can travel easily across the globe and call/use data without being robbed by your provider) then use the authentication app. I also carry my authentication codes during the trip and they should be enough for even a longer trip, if not, I can generate new security codes during the trip using the security codes I already have with me.
I use an app from DS3: http://ds3global.com/index.php/en/news-a-events/news/97-secu...,
It's extremely simple, it just generates OTPs, nothing more.
Apparently you can print a series of one-time use verification codes that work any time to sign into your two-factor account. Stick a few on a card in your wallet and don't forget to generate more before you're out!
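To make the "single-use" property concrete, here is an added example (not from the thread and not Google's implementation) of how a service can issue printable backup codes and burn each one on first use. Code length, count, the storage layout and the server-side key are assumptions.

```python
"""Printable single-use backup codes for a two-step account.

Added example, not from the original thread or from Google's implementation.
CODE_DIGITS, CODE_COUNT, the storage format and SERVER_KEY are assumptions.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8
CODE_COUNT = 10
# Assumed server-side secret kept outside the user database. An 8-digit code has
# only ~26 bits of entropy, so a plain hash of it could be brute-forced offline
# from a leaked table; keying the hash with a secret the attacker lacks removes
# that shortcut. Online guessing is handled by rate limiting (not shown).
SERVER_KEY = secrets.token_bytes(32)


def _fingerprint(user: str, code: str) -> str:
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_backup_codes(user: str, store: dict, count: int = CODE_COUNT):
    """Return plaintext codes for the user to print; persist only their
    fingerprints. Re-issuing replaces the whole set (old codes stop working)."""
    codes = set()
    while len(codes) < count:
        codes.add(f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")
    codes = sorted(codes)
    store[user] = {_fingerprint(user, c) for c in codes}
    return codes


def format_for_print(codes):
    """Group digits the way a printed card would, e.g. '1234 5678'."""
    return [f"{c[:4]} {c[4:]}" for c in codes]


def redeem_backup_code(user: str, code: str, store: dict) -> bool:
    """Accept a code exactly once: succeed only if its fingerprint is stored,
    then remove it so a replay (or a photocopy of the card) fails."""
    code = code.replace(" ", "").replace("-", "")  # tolerate printed grouping
    fp = _fingerprint(user, code)
    remaining = store.get(user, set())
    match = None
    for stored in remaining:              # constant-time compare per entry
        if hmac.compare_digest(stored, fp):
            match = stored
    if match is None:
        return False
    remaining.discard(match)
    return True


def codes_remaining(user: str, store: dict) -> int:
    """How many unused codes are left; the user should re-issue before zero."""
    return len(store.get(user, ()))
```

Because the server keeps only fingerprints, the printed card is the only copy of the codes, which is exactly why it needs to be kept somewhere other than next to the phone.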
And no, 2-factor is not the same as a long password, because it is less likely that both factors will get compromised at the same time. However long your password is, a single software flaw could expose it.
If you think that's the only way to get 2-factor authentication working, you're wrong. If you think there is nothing wrong with your email provider demanding info like cell phone numbers, you're wrong again.
In addition, a cell phone number is NOT required to create a Google account. Sure they ask (and gender is apparently required, I just made an account), but if you leave it blank, they won't complain.
How can this be implemented without using a phone number? Well, the article actually contains one way - pre-shared secret codes that you print out beforehand. There are many others.
I’m guessing it’s because my Google account doesn’t have a Gmail account associated with it, but Google Talk still works fine from the widget on iGoogle.
Edit: opened a superuser.com question: http://superuser.com/questions/413859/google-talk-and-2-fact...
We offer a two-factor cloud service to protect any kind of service that may be remotely accessed: web, ssh, rdp, vpn, ...
Biggest difference from Google Authenticator is the smart phone user experience: one tap to approve a login instead of transcribing a six digit OTP.
Find the relevant service. Spoof DNS. Get emails.
Alternative. MITM the SMTP (thanks anonymous SSL, no certificate errors!).
And that's scary, since neither 2 factor auth nor anything else can really save you from that.
so while you could use a compromised application specific password to do horrible things (download all your email and send e-mail as you), you could not use that app specific password to immediately log in to the administration page for your account and lock the legitimate user out...
For example, https://developers.google.com/google-apps/gmail/oauth_overvi...
Not foolproof, of course, but it improves matters. Also note I don't present this as a solution for John Everyman, but rather the sorts of folks who might be reading Coding Horror.
Well, crap. My only "phone" is my Google Voice number...
Obviously though, this would be a pain to use without a portable device that can generate the appropriate time-based code.
No thanks. Google remembers a lot more than "this device," more like everything I do within that device thanks to Search cookies, Adsense, Analytics on millions of sites and who knows what else
Yes, because it is a pain. Try going on a vacation, you know the one where you don't use cell roaming. SMS is out, so then one must find a Wifi hotspot to use one of the smartphone time based tokens (edit: seems the tokens don't need a network connection, could have fooled me). And those time based tokens go out of whack if your phone didn't sync the timezone properly to match Google's setup, so every token ends up not working.
Use the print out backup verification codes on a piece of paper? No, because they are single use. So you end up using up all your backup codes depending on the length of your vacation. I've used 2 step for a long while, I liked it, but I really could not get used to whipping out my phone every time I needed to check something related to Google.
I've had other hiccups such as mobile provider down, phone died etc. Maybe my best option was to keep all the backup codes on hard plastic with checkmarks next to used backup codes and secure them the same way I do my banking cards, maybe, I'll just try this one day.
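The time-based tokens discussed in this thread (Google Authenticator, the DS3 app, and the "out of whack" clock problem) are TOTP, RFC 6238. Below is an added example, not code from the thread or from any of those apps, that implements the generator and a verifier with a skew window. It shows two things a practitioner wants to know: the algorithm works offline from a shared secret and Unix time (UTC-based, so a wrong timezone setting by itself is not the problem, a drifted clock is), and a verifier normally tolerates a step or so of drift. The skew window and the base32 secret handling are assumptions; the expected values in the test are the RFC 6238 SHA-1 vectors.

```python
"""TOTP (RFC 6238) generation and verification with a clock-skew window.

Added example, not from the original thread, Google Authenticator or the DS3
app. The window size and the base32 helper are assumptions; the numeric
checks are the published RFC 6238 SHA-1 test vectors.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP = HOTP(K, floor(unix_time / step)). No network is needed: both
    sides only need the same secret and roughly the same clock. Unix time
    is timezone-independent, so only clock offset matters, not the zone."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1,
                step: int = STEP, digits: int = DIGITS) -> bool:
    """Accept the current step and up to `window` steps either side, so a
    phone that is a few tens of seconds fast or slow still works, while a
    clock that is minutes off does not. Compare in constant time."""
    current = int(now // step)
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + offset, digits), code):
            return True
    return False


def decode_base32_secret(s: str) -> bytes:
    """Authenticator apps are provisioned with the secret as (often unpadded)
    base32; restore padding before decoding."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def seconds_until_next_code(now: float, step: int = STEP) -> int:
    """How long the currently displayed code remains the 'current' step."""
    return step - int(now % step)
```

If a phone's codes are consistently rejected, the fix is to correct its clock (or use the app's time-sync option), not to regenerate the secret; the verifier above would accept the code as soon as the offset is back inside the window.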
If one is going to jump through all these spy-style codes might as well just change your password on a regular basis, forcing all previous sessions to invalidate.