gmail security is a joke
morrowc.lists at gmail.com
Tue May 26 18:23:05 UTC 2015
On Tue, May 26, 2015 at 2:15 PM, <Valdis.Kletnieks at vt.edu> wrote:
> On Tue, 26 May 2015 19:11:51 +0300, Saku Ytti said:
>> > OTOH, recovery by receiving a token at a previously registered alternate email address
>> > seems relatively secure to me and I wouldn???t want to opt out of that.
>> It's probably machine sent in seconds or minute after request, so doing
>> short-lived BGP hijack of MX might be reasonably easy way to get the email.
> To be fair, if your e-mail address is high enough value that somebody is
> willing to risk getting caught doing a BGP hijack, maybe you have bigger
> problems to worry about.
I suppose the meta of this whole conversation is for the OP:
"Sure, there are issues with just about every account-recovery setup
out there. Where you have X-hundreds of millions of 'not nanog' level
users interacting and needing passwd recovery to work reliably and
somewhat securely, how would you accomplish this?"
Tossing grenades in the crowded room is cool and all, but ... you
clearly have some thoughts about options/improvements/etc you might
get more useful traction by proposing them.
More information about the NANOG