gmail security is a joke
tknchris at gmail.com
Tue May 26 16:10:57 UTC 2015
I get what you are saying, but my point was more about lack of crypto or
reversible crypto than stealing the account. I like what Owen is
describing: they should present all account recovery options and let the
user toggle on/off which ones they want to be usable. This way the user can
make their own decisions and live with their own choices.

On Tue, May 26, 2015 at 12:06 PM, John Levine <johnl at iecc.com> wrote:
> In article <
> CAKnNFz_apy8KHBXj0umGoq6UfCD640Jtxe9A+2TqU-d761-eug at mail.gmail.com> you
> >Haha I cringe when I do a password recovery at a site and they either
> >the current pw to me in plain text or just as bad reset it then email it
> >plain text. It's really sad that stuff this bad is still so common.
>
> If they do a reset, what difference does it make whether they send the
> password in plain text or as a one-time link? Either way, if a bad
> guy can read the mail, he can steal the account.
>
> Given the enormous scale of Gmail, I think they do a reasonable job of
> account security. If you want to make your account secure with an
> external account or an external token (a physical one like a yubikey
> or a software one like the authenticator app), you can.
>
> Or if you consider your account to be low value, you can treat it that
> way, too.