- Google: https://www.google.com/landing/2step/
- Github: https://github.com/settings/security
- AWS: http://aws.amazon.com/mfa/virtual_mfa_applications
- Facebook: https://www.facebook.com/settings?tab=security
- Twitter: https://twitter.com/settings/security
- Dropbox: https://www.dropbox.com/account/security
- Lastpass: http://helpdesk.lastpass.com/security-options/google-authent...
- More: https://twofactorauth.org/
However, I have 2FA turned on with GMail and I authenticate basically once, then it remembers my PC and I don't have to authenticate again for a long time.
I've done a couple of HTTP auth schemes for my dayjob and am thinking of using something like this for my next.
Let's talk about this when someone makes it possible to have a website instruct the browser to make a call to a crypto library or some such.
Please read up on what "nodejs" is before lambasting it with an oft repeated security trope.
Indeed; more generally, I said CLI. TLDR of the previous link: it's an interesting general-purpose take on using ssh public/private keys (and methods) to sign and authenticate HTTP requests.
"During sign-in, you can tell us not to ask for a code again on that particular computer."
Well, if that's the trick, they don't need your phone number at all, they can do IP and OS checks anyway.
I have a couple of old legacy gmail accounts I don't use any more but still keep active, so I have 2FA on them, but anything important goes to my own mail server.
Do you encrypt your emails? Do you regularly send emails to other people (who probably have Gmail accounts)?
Since nothing important goes to them any more and I mainly keep them active to stop them getting squatted for some highly intermittent email (3+yrs) I might have forgotten, then it doesn't matter much there. As it is, the main attacker where gmail is concerned is google itself, followed by the NSA.
As for other people with gmail accounts, yes, but I'm aware of when that happens and wouldn't email anything sensitive to any gmail(hotmail,yahoo,etc.) account.
Same with 2FA: it's a security measure to make it difficult for an attacker to gain access to your account, and one all of us should use, but it's not there to prevent them from reading your emails.
Maybe the overall solution is "don't use email -- self-hosted or otherwise -- for anything sensitive, ever." This will probably work, but is not feasible for most of us.
The goal of 2FA/MFA is to make you demonstrate that you're in possession of two independent secrets (authentication factors). Once you've shown that, it's considered safe enough to replace the second secret (OTP sent to your phone or generated by your TOTP app like Google Authenticator) with a cookie (the check is not IP-based). Typically the cookie only lasts for 30 or 60 days.
If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.
I'm under the impression that you need to provide Google your phone number before being allowed to enable TOTP.
I guess a phone number is needed for the secure reset. In the case you lose the device, this would render your account inaccessible.
I agree that there are good reasons for asking that, but the comment above apparently raises a good point, namely, that you apparently cannot enable 2FA without giving Google your phone number.
Also, according to the three biggest telcos where I live:
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," ( http://www.itnews.com.au/News/322194,telcos-declare-sms-unsa... )
Although that wouldn't be 2FA, it's worth noting that Facebook, Hotmail and Flickr will ask for some extra verification if you connect from a different country than usual. So that's probably not a bad idea.
Which I also provide to Google because all of my phone numbers are forwarding numbers for my GVoice account, so that's not a big deal.
> They say they need this to send you a verification code when you log into your gmail account.
> Well, if that's the trick, they don't need your phone nr at all, they can do ip and os check anyways..
How can they determine it's valid without the second factor the first time you log on from a particular device? That's a key feature of 2FA (plus, if you ever use a shared computer, you don't want to choose the option to never ask for a code again on that computer!)
Open source fork of the (now closed source) Google Authenticator.
The thing is that this site mentions another site where in the comments section you can find links to a 7zip archive with emails.
The data hasn't been very well edited from whatever dump it came from. For example, there are lines that end in "gmail.com_xtube", "gmail.com7777", "gmail.com|login", etc., which is curious.
EDIT: Not blind, it just doesn't show the initial letters if you search using a wildcard even if there is only 1 match.
I generally don't bother, because it's just more security risks.
If you check a username, then you would probably also be revealing the IP address range and browser referrer that is normally used to access your account.
Google uses IP address and location to help detect illegal access. So giving away this information could make it easier for your account to be stolen.
He might even be able to use the same IP as you, if you happen to be using a gateway with many machines behind it, and one of them is compromised.
Let's do some quick back-of-the-envelope math. 5M addresses, with very few longer than 25 characters. Let's say the average is around 17 characters. 17 * 5 * 10^6 = 35 * 10^7 = 3.5 * 10^8 bytes, or 350MB. Text generally compresses to 1/8 space with zlib, so the amount to transfer would be about 44MB, at most. Serving the list as an xz compressed file could probably cut the size down to below 40MB.
In the age of 100MB youtube videos, that doesn't sound like much to me.
Though back when I had that password my account was hacked. I'd wager this is just Gmail address+password combos collected from other leaks (read: not from Google). Really this just seems to be an attempt at sensationalizing.
Edit: it does the same on a much older account that I rarely use, too. Not the current password but the first two letters of what is likely a much older pw.
And the password was one of my lowest security "trash passwords" I use with this e-mail as login sometimes if it's a service I wouldn't trust or don't care if it's compromised.
So I wouldn't worry about this. Someone had their site hacked most likely and these are logins to the site, not from Google.
That said, it's my throwaway password I use on services I'm not particularly worried about. I fear that this isn't a gmail leak but instead a different service.
For Gmail users, it's a good practice to register to websites using email@example.com (e.g. firstname.lastname@example.org), that way you'll know who leaked your data when it appears in lists like this or when you get spam. Gmail ignores the plus character and anything that follows the plus. You can also add dots at arbitrary positions in the username part.
- Bioware (54)
- Bravenet (19)
- Bryce/daz3d/daz (244)
- Eharmony (64)
- Filedropper/fd/etc. (113)
- Freebie/Freebiejeebies (64)
- Friendster (65)
- Hon (42)
- Policeauctions (28)
- Savage/Savage2 (116)
- Xtube/porn (200ish)
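An added example (not from the thread) that applies the Gmail rules described above: it canonicalises addresses (drop dots in the local part, strip the plus tag, fold googlemail.com to gmail.com), finds every entry in a small constructed dump that would deliver to your own mailbox, and tallies plus tags to attribute which site leaked the address. All addresses, passwords and dump lines are constructed; the trailing junk such as `gmail.com7777` mimics the badly edited lines mentioned in the thread.

```python
import re
from collections import Counter

# Constructed sample of "email:password" lines, including the kind of
# trailing junk ("gmail.com7777") the thread noticed in the real dump.
SAMPLE_DUMP = """\
alice.smith+bioware@gmail.com:hunter2
AliceSmith@googlemail.com:correcthorse
a.lice.smith+xtube@gmail.com:password1
bob@example.org:letmein
alice.smith@gmail.com7777
"""

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
# Local part up to '@', then a domain; backtracking stops the domain at the
# last "label.tld" so stray suffixes like "7777" or "_xtube" are dropped.
ADDR_RE = re.compile(r"^([^@:\s]+)@([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def canonical_gmail(addr):
    """Return (canonical_address, plus_tag) for an address.

    Gmail ignores dots in the local part and everything from '+' onward,
    and googlemail.com is the same mailbox as gmail.com.  Non-Gmail
    addresses are only lowercased and carry no tag.
    """
    local, _, domain = addr.lower().partition("@")
    if domain not in GMAIL_DOMAINS:
        return f"{local}@{domain}", ""
    local, _, tag = local.partition("+")
    return f"{local.replace('.', '')}@gmail.com", tag


def find_my_address(dump, my_addr):
    """List (raw_address, plus_tag) entries in the dump that reach my_addr.

    Matching on the canonical form still catches entries whose plus tag
    was stripped or whose dots were shuffled before the list was sold.
    """
    mine, _ = canonical_gmail(my_addr)
    hits = []
    for line in dump.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        raw = f"{m.group(1)}@{m.group(2)}"
        canon, tag = canonical_gmail(raw)
        if canon == mine:
            hits.append((raw, tag))
    return hits


def leak_sources(dump):
    """Count plus tags across the dump: which registration tag leaked most."""
    tags = Counter()
    for line in dump.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            _, tag = canonical_gmail(f"{m.group(1)}@{m.group(2)}")
            if tag:
                tags[tag] += 1
    return dict(tags)
```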
If I were a badly behaved site and sold my user list (sorry, tired and non-native speaker), I'd probably remove all plus suffixes from the addresses. Same as if I were a blackhat stealing them to be sold.
Honest question, no snark.
It's interesting that I set up a particular password for that service when I noticed it didn't use SSL. Makes me wonder how many databases this comes from. It certainly isn't Google's.
Would be interested to know more about this. I'm @junto on Twitter if you don't mind contacting me. It would be appreciated.
I noticed that they've also implemented a password reset email, instead of their previous practice of just emailing you the password. Hopefully this means that they are no longer keeping unhashed passwords on the system.
It seems that they realised they weren't doing things correctly in the last 6 months (maybe a bit longer, not 100% sure) and have taken steps to rectify this. This may be due to a discovered security breach, but may just be a change in their internal IT policy. Hopefully they're now following best practices!
Of course what I did was bad practice. One should store passwords in a secure password manager, and use a different (preferably 30+ chars) password on each site.
Mailinator will give an alternate address that's a hash of the first, so that the address itself cannot be used to check. See below.
I'll create a set of long passwords (20-30 characters) with pwgen. Those are input as name, email, and password fields (different for each). If I need to verify an email, I can.
I don't record the values, they're throwaway.
If the site rejects 'mailinator.com', there are other domains provided as alternates.
Example: email@example.com is also
The 'm8r' address can't be used to check for mail.
Note, obviously, that anyone with the actual mailbox hash can check it. For example: http://mailinator.com/inbox.jsp?to=facebook
Oh, there's even an RSS mailbox subscription, neat: http://www.mailinator.com/feed?to=
That company went under 4-5 years ago, and I seem to remember a few forum (phpBB afaik) software/database breaches at the time.
1. Found your password with the same email address somewhere and ask if you still use that email address on another site.
2. And get your IP, then log in through a proxy to bypass the security checking.
3. Still, to know which email address is in use.
I now use KeePass2 to manage all my passwords - so the old password has absolutely nothing to do with the new one. This makes me think that they simply tried to use some other hacked site, and checked to see whether the same pwd was recycled for gmail.
Edit: to clarify, I had 2FA on an account which alerted me to the Gmail compromise. I obviously messed up with that email account.
So I don't think this is a hack of google itself, but rather just collecting addresses from elsewhere and collecting the gmail ones.
I use google voice to get notified of calls and voicemails so I can be fairly responsive, but obviously using another service that can be accessed in multiple places defeats the point, especially when owned by the same people.
It does not seem like twitter supports this authenticator.
I had (stupidly) been using the same password on other sites, so after I was hacked I made a new password just for gmail.
Now I also have two factor authentication :)
Not sure which, but it isn't gmail.
I expected my address to be there but it wasn't. Makes me wonder.
EDIT: Not seeing the password list online, and below someone mentioned it showed an old password for them, so thinking someone is making this up.
EDIT: This was good to find out because I did not have 2 factor auth on my older account as I hardly use it anymore.
Luckily, 2FA was already enabled.
That's one more example against password reuse.
Notwithstanding the questionable reliability of this, what is meant by "leaked"? A trove of phished credentials does not really qualify as a "leak".