gmail security is a joke

Barry Shein bzs at
Wed May 27 19:07:22 UTC 2015

One weakness with sending a new cleartext password rather than a link
is that a cleartext password (probably) has to be engineered to be
easy to type in and maybe even remembered.

Typically one uses some concatenation of CVC
(consonant-vowel-consonant) with common punctuations and/or digits
otherwise chosen randomly so something like pom%mur or kiv_ler for 7
chars anyhow, maybe add a digit or two, pom%mur87.

A link can be much more random, just some long (64 char or more)
string of hexified nonsense for example since the user presumably just
clicks it and doesn't have to read it or type it in or worse remember
it. attacker could study your cleartext password generation
algorithm which for a shorter, simpler, already structured cleartext
password will be more likely to be predictable all else being
equal. Perhaps the algorithm itself is is even available if you use
some identifiable software package such as an e-commerce suite, I
can't imagine every person selling paisley socks writes their own
password generation algorithm. Or by studying the passwords it
generates (create an acct, send yourself a few hundred or thousand.)

I'm not just a-whistlin' dixie (I never a-whistle dixie! :-), I'd
consider that a serious potential weakness adding more concern to
choice of algorithms.

        -Barry Shein

The World              | bzs at           |
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*

More information about the NANOG mailing list