gmail security is a joke

Owen DeLong owen at
Tue May 26 15:44:32 UTC 2015

> On May 26, 2015, at 5:22 PM, Saku Ytti <saku at> wrote:
> On (2015-05-26 16:26 +0200), Markus wrote:
> Hey,
>> Did you know that anyone, anywhere in the world can get into a gmail account
>> merely by knowing its creation date (month and year is sufficient) and the
> Without any comment on what gmail is or is not doing, the topic interests me.
> How should recovery be done in scalable manner? Almost invariably when the
> accounts were initially created there is no strong authentication used, how
> would, even in theory, it be possible to reauthenticate strongly after
> password was lost?

I think opt-out of password recovery choices on a line-item basis is not a bad concept.

For example, I’d want to opt out of recovery with account creation date. If anyone knows
the date my gmail account was created, they most certainly aren’t me. 

OTOH, recovery by receiving a token at a previously registered alternate email address
seems relatively secure to me and I wouldn’t want to opt out of that.

Recovery by SMS to a previously registered phone likewise seems reasonably secure
and I wouldn’t want to opt out of that, either.

Recovery by SMS to a phone number provided with the recovery request I would
most certainly want to disable. (yes, some sites do this).

Recovery by having my password plain-text emailed to me at my alternate address
(or worse, an address I supply at the time of recovery request), not so much.
(yes, many sites actually do this)

Really, you don’t need to strongly authenticate a particular person for these accounts.
You need, instead, to authenticate that the person attempting recovery is reasonably
likely to be the person who set up the account originally, whether or not they are who
they claimed to be at that time.

> Perhaps some people would trust, if they could opt-in for reauthentication via
> some legal entity procuring such services. Then during account creation, you'd
> need to go through same authentication phase, perhaps tied to nationalID or
> comparable. This might be reasonable, most people probably already trust one
> of these for much more important authentication than email, but supporting all
> of them globally seems like very expensive proposal.

This also would take away from the benefits of having some level of anonymity
in the account creation process, so I think this isn’t such a great idea on multiple



More information about the NANOG mailing list