gmail security is a joke

Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try "today")? What a joke.

Try it yourself, it's "fun".

Even worse, once the attacker has had control of your account once, and you reset the password and then enable two-factor authentication, he will always come back, because it is sufficient for him to know one of the last passwords to reset it again. This totally works around two-factor authentication and allows him to remove/change the recovery e-mail and phone and turn off 2FA. There's no way to get rid of him.

What a mess!

I have a gmail account that mostly sends mail and barely receives any. This is probably why it works so damn easily. Otherwise the password recovery process will ask you for the e-mail addresses of people that you have received mail from in the past. But even this can be easily guessed/researched.

Hey,

Did you know that anyone, anywhere in the world can get into a gmail account
merely by knowing its creation date (month and year is sufficient) and the

Without any comment on what gmail is or is not doing, the topic interests me.

How should recovery be done in a scalable manner? Almost invariably, when the
accounts were initially created there was no strong authentication used; how
would it, even in theory, be possible to reauthenticate strongly after the
password was lost?

One solution is that you can opt out of any password recovery process,
which also would mean opting in to deletion of dormant accounts (no login for 2
years, candidate for deletion?). I personally would opt in to this in every
service I have.
I recall gandi allows you to disable password recovery.

Perhaps some people would trust it if they could opt in to reauthentication via
some legal entity procuring such services. Then during account creation you'd
need to go through the same authentication phase, perhaps tied to a national ID or
comparable. This might be reasonable; most people probably already trust one
of these for much more important authentication than email, but supporting all
of them globally seems like a very expensive proposal.

Hi,

Perhaps this is still a void in the market? A business which operates small offices at which you can verify your identity in the real world using the most solid evidence available (perhaps in cooperation with governments) for that location/country, and which works together with the sorts of big-@random-webservice to help recover information?

That would remove the need for weak ideas. Either you set up and use a very solid recovery method or you present yourself (or perhaps a family member in case of emergency/decease/etc.).

With kind regards,

Thijs Stuurman
Infrastructure & Solutions

IS (internedservices) Group
Wielingenstraat 8 | 1441 ZR Purmerend | The Netherlands
T: +31(0)299476185 | M: +31(0)624366778
W: http://www.is.nl | L: http://nl.linkedin.com/in/thijsstuurman

-----Original message-----

Hey,

Did you know that anyone, anywhere in the world can get into a gmail account
merely by knowing its creation date (month and year is sufficient) and the

Without any comment on what gmail is or is not doing, the topic interests me.

How should recovery be done in a scalable manner? Almost invariably, when the
accounts were initially created there was no strong authentication used; how
would it, even in theory, be possible to reauthenticate strongly after the
password was lost?

I think opt-out of password recovery choices on a line-item basis is not a bad concept.

For example, I’d want to opt out of recovery with account creation date. If anyone knows
the date my gmail account was created, they most certainly aren’t me.

OTOH, recovery by receiving a token at a previously registered alternate email address
seems relatively secure to me and I wouldn’t want to opt out of that.

Recovery by SMS to a previously registered phone likewise seems reasonably secure
and I wouldn’t want to opt out of that, either.

Recovery by SMS to a phone number provided with the recovery request I would
most certainly want to disable. (yes, some sites do this).

Recovery by having my password plain-text emailed to me at my alternate address
(or worse, an address I supply at the time of recovery request), not so much.
(yes, many sites actually do this)

Really, you don’t need to strongly authenticate a particular person for these accounts.
You need, instead, to authenticate that the person attempting recovery is reasonably
likely to be the person who set up the account originally, whether or not they are who
they claimed to be at that time.

Perhaps some people would trust it if they could opt in to reauthentication via
some legal entity procuring such services. Then during account creation you'd
need to go through the same authentication phase, perhaps tied to a national ID or
comparable. This might be reasonable; most people probably already trust one
of these for much more important authentication than email, but supporting all
of them globally seems like a very expensive proposal.

This also would take away from the benefits of having some level of anonymity
in the account creation process, so I think this isn’t such a great idea on multiple
levels.

YMMV.

Owen
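Owen's line-item opt-out, as it could be evaluated at a recovery endpoint. This is example code written for this thread, not Google's or any other site's recovery logic; the method names, the Account layout and the rule that even an enabled "creation date" method can only unlock delivery of a token to a pre-registered channel are assumptions made here. The two methods Owen wants gone (SMS to a requester-supplied number, plaintext password by mail) are refused outright no matter what the user toggled, and the requester's own "please send it here" field is never used as a delivery channel.

```python
"""Per-method account-recovery policy (example code for this thread)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Recovery methods named in the thread (assumed identifiers).
CREATION_DATE = "creation_date"
TOKEN_TO_REGISTERED_EMAIL = "token_to_registered_email"
SMS_TO_REGISTERED_PHONE = "sms_to_registered_phone"
SMS_TO_SUPPLIED_PHONE = "sms_to_supplied_phone"            # channel chosen by requester
PLAINTEXT_PASSWORD_BY_EMAIL = "plaintext_password_by_email"  # needs reversible storage

# Refused regardless of user toggles: they prove nothing about the requester.
NEVER_OFFER = {SMS_TO_SUPPLIED_PHONE, PLAINTEXT_PASSWORD_BY_EMAIL}

TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    name: str
    created: str                                  # "YYYY-MM", what the OP's attacker knew
    recovery_email: Optional[str] = None          # registered before any request
    recovery_phone: Optional[str] = None
    enabled_methods: Set[str] = field(default_factory=set)   # absent == disabled
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (channel, expiry)


@dataclass
class RecoveryRequest:
    method: str
    supplied_channel: Optional[str] = None        # typed by the requester; never trusted
    claimed_creation_month: Optional[str] = None


def start_recovery(acct: Account, req: RecoveryRequest, now: float) -> Tuple[str, Optional[str]]:
    """Return ("refused", None) or ("token_sent", channel).

    A one-time token is only ever delivered to a channel registered before the
    request; no method resets anything directly."""
    if req.method in NEVER_OFFER or req.method not in acct.enabled_methods:
        return ("refused", None)
    if req.method == CREATION_DATE:
        # Assumed rule: a public-ish fact may unlock delivery to a registered
        # channel, never a reset on its own.
        if req.claimed_creation_month != acct.created:
            return ("refused", None)
        channel = acct.recovery_email
    elif req.method == TOKEN_TO_REGISTERED_EMAIL:
        channel = acct.recovery_email
    elif req.method == SMS_TO_REGISTERED_PHONE:
        channel = acct.recovery_phone
    else:
        return ("refused", None)
    if channel is None:
        return ("refused", None)
    # req.supplied_channel is deliberately ignored: the site picks the channel.
    token = secrets.token_urlsafe(32)
    acct.pending[token] = (channel, now + TOKEN_TTL_SECONDS)
    return ("token_sent", channel)


def redeem_token(acct: Account, presented: str, now: float) -> bool:
    """Single use and time-limited; an expired token is consumed, not kept."""
    for token, (_channel, expiry) in list(acct.pending.items()):
        if hmac.compare_digest(token, presented):
            del acct.pending[token]
            return now <= expiry
    return False


if __name__ == "__main__":
    acct = Account("owen", "2009-03", "alt@example.net", "+15550100",
                   {TOKEN_TO_REGISTERED_EMAIL, SMS_TO_REGISTERED_PHONE})
    print(start_recovery(acct, RecoveryRequest(CREATION_DATE, claimed_creation_month="2009-03"), 0.0))
    print(start_recovery(acct, RecoveryRequest(SMS_TO_SUPPLIED_PHONE, supplied_channel="+15550199"), 0.0))
    print(start_recovery(acct, RecoveryRequest(SMS_TO_REGISTERED_PHONE, supplied_channel="+15550199"), 0.0))
```

The point of the `NEVER_OFFER` set is John's later objection: toggles are fine for the methods whose risk is a matter of taste, but a method that can never be safe should not be a toggle at all.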

Haha, I cringe when I do a password recovery at a site and they either email
the current password to me in plain text or, just as bad, reset it then email it in
plain text. It's really sad that stuff this bad is still so common.

In article <CAKnNFz_apy8KHBXj0umGoq6UfCD640Jtxe9A+2TqU-d761-eug@mail.gmail.com> you write:

Haha, I cringe when I do a password recovery at a site and they either email
the current password to me in plain text or, just as bad, reset it then email it in
plain text. It's really sad that stuff this bad is still so common.

If they do a reset, what difference does it make whether they send the
password in plain text or as a one-time link? Either way, if a bad
guy can read the mail, he can steal the account.

Given the enormous scale of Gmail, I think they do a reasonable job of
account security. If you want to make your account secure with an
external account or an external token (a physical one like a yubikey
or a software one like the authenticator app), you can.

Or if you consider your account to be low value, you can treat it that
way, too.

R's,
John

I get what you are saying, but my point was more about the lack of crypto or
reversible crypto than stealing the account. I like what Owen is
describing: they should present all account recovery options and let the
user toggle on/off which ones they want to be usable. This way the user can
make their own decisions and live with their own choices.

Hey,

I think opt-out of password recovery choices on a line-item basis is not a bad concept.

This sounds reasonable. At least then you could decide which balance of
risk/convenience fits your use-case for a given service.

OTOH, recovery by receiving a token at a previously registered alternate email address
seems relatively secure to me and I wouldn't want to opt out of that.

It's probably machine-sent seconds or a minute after the request, so doing a
short-lived BGP hijack of the MX might be a reasonably easy way to get the email.

Recovery by SMS to a previously registered phone likewise seems reasonably secure
and I wouldn't want to opt out of that, either.

I have tens of coworkers who could read my SMS.

Really, you don't need to strongly authenticate a particular person for these accounts.
You need, instead, to authenticate that the person attempting recovery is reasonably
likely to be the person who set up the account originally, whether or not they are who
they claimed to be at that time.

As long as the user has the power to choose which risks are worth carrying, I
think it's fine.
For my examples, I wouldn't care about the email/SMS risk if it's a
linkedin/twitter/facebook account. But if it's my domain hoster, I probably
wouldn't want to carry either risk, as the whole deck of cards collapses if
you control my domains (all email recoveries compromised).

I get what you are saying but my point was more about lack of crypto or
reversible crypto than stealing the account.

I am all in favor of using crypto when it improves security. But I am also in favor of not obsessing about it in places where it makes no difference.

I like what Owen is describing: they should present all account recovery options and let the user toggle on/off which ones they want to be usable. This way the user can make their own decisions and live with their own choices.

Unfortunately, we have learned over and over again that the nerd instinct to push the security policy decisions onto civilians never ends well. Some people will check every box because more security is better, right? And then they're locked out and make expensive phone calls to your support desk. Others will uncheck every box because they just want to be able to log into the fripping account and it's your fault when their account is stolen.

R's,
John

We don't even know if this email originated by Markus himself. :slight_smile:

As for security, the default access for mobile devices (which require
no further credentials for Mail, Web, SMS) is a swipe.

I too wish the world was bulletproof from birth, but it's not.

-Jim P.

To be fair, if your e-mail address is high enough value that somebody is
willing to risk getting caught doing a BGP hijack, maybe you have bigger
problems to worry about.

I suppose the meta of this whole conversation is for the OP:
"Sure, there are issues with just about every account-recovery setup
out there. Where you have X-hundreds of millions of 'not nanog' level
users interacting and needing passwd recovery to work reliably and
somewhat securely, how would you accomplish this?"

Tossing grenades in the crowded room is cool and all, but ... you
clearly have some thoughts about options/improvements/etc you might
get more useful traction by proposing them.

If they can e-mail you your existing password (*cough*Netgear*cough*),
it means they are storing your credentials in the database
un-encrypted.

-A

If they can e-mail you your existing password (*cough*Netgear*cough*),
it means they are storing your credentials in the database
un-encrypted.

What I had in mind was creating a new password and mailing you that.

R's,
John

*facepalm*

Right. Sorry.
Forgot which group I was addressing. :wink:

I swear half of the United States forgot their passwords over the
three-day weekend.

-A

No, it doesn't mean that at all. It means they are storing it unhashed
which is probably what you mean.

It may well be that they are storing it unencrypted, but you can't outright
say that without extra knowledge.

  Scott

Which is easily prevented by authenticating the MX when connecting.
Something which has been recommended practice for as long as SMTP
has existed. HELO provided weak authentication. We now know and have
documented how to do this securely on a global scale; we just need
to do it. See draft-ietf-dane-smtp-with-dane.

You have added the TLSA records for your MTA and signed your zones?
You have updated your MTA to support DANE?

[ Need to nag ops to add TLSA records for the MX's. We have them
for www.isc.org. ]

Mark
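Mark's recipe worked through in code: derive the TLSA record to publish for an MX from its certificate, and do the matching a DANE-aware sending MTA performs when the receiving MX presents a certificate during STARTTLS. A short-lived hijack of the MX's prefix (Saku's scenario) then fails, because the hijacker cannot present a certificate whose SPKI digest matches the signed TLSA record. This is example code added for this thread, not Postfix's or Exim's DANE implementation; the usage/selector/matching-type numbers are from RFC 6698, the owner name `mx.example.org` is made up, and the sample certificate is a constructed, unsigned DER skeleton so the block runs offline (feed it the DER of a real MX certificate in practice).

```python
"""TLSA record generation and DANE-EE matching (example code for this thread)."""
import hashlib
from typing import Iterable, Tuple


def _tlv(der: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse one DER TLV at pos; return (tag, value_start, value_len)."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    n = first & 0x7F                                # long-form length
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")


def _children(der: bytes, start: int, end: int):
    """Yield (tag, tlv_start, tlv_end) for consecutive TLVs in [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vlen = _tlv(der, pos)
        yield tag, pos, vstart + vlen
        pos = vstart + vlen


def spki_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate (selector 1)."""
    tag, vs, _ = _tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tvs, tvl = _tlv(cert_der, vs)              # tbsCertificate ::= SEQUENCE
    fields = list(_children(cert_der, tvs, tvs + tvl))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, s, e = fields[5]
    return cert_der[s:e]


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """RFC 6698: selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    blob = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown matching type")


def tlsa_record(owner: str, cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format record for port 25; 3 1 1 (DANE-EE, SPKI, SHA-256) is the usual choice."""
    return f"_25._tcp.{owner}. IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"


def parse_tlsa_rdata(rdata: str) -> Tuple[int, int, int, bytes]:
    u, s, m, hexdata = rdata.split(None, 3)
    return int(u), int(s), int(m), bytes.fromhex(hexdata.replace(" ", ""))


def dane_ee_matches(cert_der: bytes, records: Iterable[Tuple[int, int, int, bytes]]) -> bool:
    """Sender-side check: accept the presented cert if any usage-3 record matches it.
    Usage 2 (DANE-TA) needs chain building and is not handled here."""
    return any(usage == 3 and tlsa_data(cert_der, selector, mtype) == data
               for usage, selector, mtype, data in records)


def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))
_SHA256RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d01010b"))
# Constructed, unsigned certificate skeleton with a dummy 40-byte key (offline demo only).
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\x01" * 40))
SAMPLE_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                  + _der(0x30, _SHA256RSA_OID + _der(0x05, b"")) + _der(0x30, b"")
                  + _der(0x30, _der(0x17, b"140101000000Z") + _der(0x17, b"240101000000Z"))
                  + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, SAMPLE_TBS + _der(0x30, _SHA256RSA_OID + _der(0x05, b""))
                   + _der(0x03, b"\x00" * 33))

if __name__ == "__main__":
    rec = tlsa_record("mx.example.org", SAMPLE_CERT)
    print(rec)
    print("matches:", dane_ee_matches(SAMPLE_CERT, [parse_tlsa_rdata(rec.split("TLSA ", 1)[1])]))
```

The record only helps if the zone is DNSSEC-signed and the sender validates it (in Postfix that is `smtp_tls_security_level = dane` with `smtp_dns_support_level = dnssec`); an unsigned TLSA record is just a hint a hijacker can also spoof.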

Unfortunately, setting these options does not disable the separate "account
recovery form" listed at the bottom of the page, and it is this form that
allows you to login with any previous password and to bypass 2-factor auth.

I must admit I was surprised by this when I tried it just now. I guess it's
time to rethink using Google as a primary account...

According to this page, the 2-factor authentication does kick in when you
finally try to reset the password.

http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature

“… I was presented with an emailed link to a reset page. When I clicked
that link, since I have two-step verification set up, I was presented
with a demand for a number provided by the Google Authenticator
app on my phone. I provided that number and only then was I allowed
to reset the password.”

AK
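The two recovery-form behaviours this thread describes, side by side: the one the OP and the previous poster ran into, where any previous password is accepted as proof and the form then lets the requester replace the recovery phone and switch two-step verification off, and the one in the StackExchange answer AK quotes, where the second factor is demanded before the password can be reset. This is example code written for this thread, not Google's; the Account layout is an assumption, TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, six digits, which is what the Authenticator app uses), and the hardened path is assumed to be reached only after a one-time token delivered to a registered channel has already been redeemed (that step is not shown here).

```python
"""Weak versus hardened account-recovery form (example code for this thread)."""
import hashlib
import hmac
import os
import struct
import time
from typing import List, Optional

PBKDF2_ROUNDS = 50_000


def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: stored this way, a site cannot mail the password back."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def check_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS), digest)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Account:
    def __init__(self, password: str, totp_secret: bytes, phone: str):
        self.current = hash_password(password)
        self.history: List[bytes] = []          # hashes of every earlier password
        self.totp_secret = totp_secret
        self.two_step = True
        self.recovery_phone = phone

    def change_password(self, new: str) -> None:
        self.history.append(self.current)
        self.current = hash_password(new)


def weak_recover(acct: Account, known_password: str, new_password: str, new_phone: str) -> bool:
    """The form the OP describes: knowing *any* earlier password counts as proof
    of ownership, and the same form rewrites recovery data and turns 2-step off."""
    if not any(check_password(known_password, h) for h in acct.history + [acct.current]):
        return False
    acct.current = hash_password(new_password)
    acct.recovery_phone = new_phone      # intruder now owns the recovery channel
    acct.two_step = False                # and the second factor is gone
    return True


def hardened_recover(acct: Account, otp: str, new_password: str, now: float, drift_steps: int = 1) -> bool:
    """Earlier passwords are not proof (they are exactly what a past intruder has).
    With 2-step on, a current TOTP code is required before anything changes; the
    reset cannot reuse an earlier password; recovery data and the 2-step setting
    are not touchable from the recovery path at all."""
    if acct.two_step:
        window = [totp(acct.totp_secret, now + k * 30) for k in range(-drift_steps, drift_steps + 1)]
        if not any(hmac.compare_digest(otp, c) for c in window):
            return False
    if any(check_password(new_password, h) for h in acct.history + [acct.current]):
        return False
    acct.change_password(new_password)
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"               # RFC 6238 test-vector secret
    victim = Account("hunter2", secret, "+15550100")
    victim.change_password("correct horse")       # owner's reset after the first intrusion
    print("weak form, old password only:", weak_recover(victim, "hunter2", "pwned", "+15550199"),
          "| 2-step still on:", victim.two_step)
    victim = Account("hunter2", secret, "+15550100")
    victim.change_password("correct horse")
    now = time.time()
    print("hardened, wrong code:", hardened_recover(victim, "000000", "pwned", now))
    print("hardened, real code:", hardened_recover(victim, totp(secret, now), "new one", now))
```

The difference the quoted answer reports is the placement of the second-factor check: after the reset link is clicked but before the new password is accepted. Whether the separate account recovery form the previous poster found still sits outside that check is exactly what he is describing, and is not something this example can settle.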