gmail security is a joke

Anil Kumar akumar at
Wed May 27 03:43:47 UTC 2015

> On May 27, 2015, at 8:09 AM, Harald Koch <chk at> wrote:
> On 26 May 2015 at 11:32, Alex Brooks <askoorb+nanog at> wrote:
>> Can you not set account recory options which change the way password
>> reset requests are handled.
>> Gives some guidance?
>> Alex
> Unfortunately, setting these options does not disable the separate "account
> recovery form" listed at the bottom of the page, and it is this form that
> allows you to login with any previous password and to bypass 2-factor auth.
> I must admit I was surprised by this when I tried it just now. I guess it's
> time to rethink using Google as a primary account...

According to this page, the 2-factor authentication does kick in when you 
finally try to reset the password. <>

“… I was presented with an emailed link to a reset page. When I clicked 
that link, since I have two-step verification set up, I was presented 
with a demand for a number provided by the Google Authenticator 
app on my phone. I provided that number and only then was I allowed 
to reset the password.”

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3575 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list