gmail security is a joke

Owen DeLong owen at
Wed May 27 12:19:13 UTC 2015

> On May 26, 2015, at 6:11 PM, Saku Ytti <saku at> wrote:
> On (2015-05-26 17:44 +0200), Owen DeLong wrote:
> Hey,
>> I think opt-out of password recovery choices on a line-item basis is not a bad concept.
> This sounds reasonable. At least then you could decide which balance of
> risk/convenience fits their use-case for given service.
>> OTOH, recovery by receiving a token at a previously registered alternate email address
>> seems relatively secure to me and I wouldn???t want to opt out of that.
> It's probably machine sent in seconds or minute after request, so doing
> short-lived BGP hijack of MX might be reasonably easy way to get the email.

If someone has the ability to hijack your BGP, then you’ve got bigger problems than
having them take over your Gmail account.

>> Recovery by SMS to a previously registered phone likewise seems reasonably secure
>> and I wouldn???t want to opt out of that, either.
> I have tens of coworkers who could read my SMS.

That’s interesting… Why do you choose to give access to your personal SMS messages
to so many of your coworkers?

>> Really, you don???t need to strongly authenticate a particular person for these accounts.
>> You need, instead, to authenticate that the person attempting recovery is reasonably
>> likely to be the person who set up the account originally, whether or not they are who
>> they claimed to be at that time.
> As long as user has the power to choose which risks are worth carrying, I
> think it's fine.
> For my examples, I wouldn't care about email/SMS risk if it's
> linkedin/twitter/facebook account. But if it's my domain hoster, I probably
> wouldn't want to carry either risk, as the whole deck of cards collapses if
> you control my domains (all email recoveries compromised)

We agree that different risks are appropriate for different levels of sensitivity.


More information about the NANOG mailing list