[180133] in North American Network Operators' Group
Re: gmail security is a joke
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue May 26 11:47:01 2015
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20150526152246.GA12876@pob.ytti.fi>
Date: Tue, 26 May 2015 17:44:32 +0200
To: Saku Ytti <saku@ytti.fi>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> On May 26, 2015, at 5:22 PM, Saku Ytti <saku@ytti.fi> wrote:
>
> On (2015-05-26 16:26 +0200), Markus wrote:
>
> Hey,
>
>> Did you know that anyone, anywhere in the world can get into a gmail account
>> merely by knowing its creation date (month and year is sufficient) and the
>
> Without any comment on what gmail is or is not doing, the topic interests me.
>
> How should recovery be done in scalable manner? Almost invariably when the
> accounts were initially created there is no strong authentication used, how
> would, even in theory, it be possible to reauthenticate strongly after
> password was lost?
I think opt-out of password recovery choices on a line-item basis is not a bad concept.
For example, I'd want to opt out of recovery with account creation date. If anyone knows
the date my gmail account was created, they most certainly aren't me.

OTOH, recovery by receiving a token at a previously registered alternate email address
seems relatively secure to me and I wouldn't want to opt out of that.

Recovery by SMS to a previously registered phone likewise seems reasonably secure
and I wouldn't want to opt out of that, either.

Recovery by SMS to a phone number provided with the recovery request I would
most certainly want to disable. (yes, some sites do this).

Recovery by having my password plain-text emailed to me at my alternate address
(or worse, an address I supply at the time of recovery request), not so much.
(yes, many sites actually do this)

Really, you don't need to strongly authenticate a particular person for these accounts.
You need, instead, to authenticate that the person attempting recovery is reasonably
likely to be the person who set up the account originally, whether or not they are who
they claimed to be at that time.
> Perhaps some people would trust, if they could opt-in for reauthentication via
> some legal entity procuring such services. Then during account creation, you'd
> need to go through same authentication phase, perhaps tied to nationalID or
> comparable. This might be reasonable, most people probably already trust one
> of these for much more important authentication than email, but supporting all
> of them globally seems like very expensive proposal.

This also would take away from the benefits of having some level of anonymity
in the account creation process, so I think this isn't such a great idea on multiple
levels.
YMMV.
Owen
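As an added example (not code from the original post, and not Gmail's or any provider's implementation), here is a small Python model of the recovery policy Owen sketches: per-method opt-out, one-time tokens delivered only to channels registered before the request, outright rejection of a destination supplied with the request, and a short-lived reset grant instead of a mailed password. The account names, channels, creation dates and the 15-minute token lifetime are assumptions made up for the demo.

```python
# Added example (hypothetical, not any provider's code): a minimal
# account-recovery policy engine. Sample accounts below are constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Method(Enum):
    ALT_EMAIL_TOKEN = "token to registered alternate email"
    SMS_TOKEN = "token to registered phone"
    CREATION_DATE = "knowledge of account creation month/year"


@dataclass
class Account:
    username: str
    alt_email: Optional[str] = None   # registered before any recovery request
    phone: Optional[str] = None       # registered before any recovery request
    creation_month: str = ""          # e.g. "2004-06": widely knowable, weak
    disabled: Set[Method] = field(default_factory=set)  # per-method opt-outs


@dataclass
class Pending:
    method: Method
    token_hash: bytes
    expires_at: float


def _digest(token: str) -> bytes:
    # Store only a hash so a leaked table of pending tokens is not usable.
    return hashlib.sha256(token.encode()).digest()


class RecoveryService:
    TOKEN_TTL = 15 * 60  # seconds; an assumed value

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock for testing
        self.pending: Dict[str, Pending] = {}

    def request(self, acct: Account, method: Method,
                answer: Optional[str] = None,
                destination: Optional[str] = None) -> Tuple[bool, str, Optional[str]]:
        """Start recovery. Returns (accepted, reason, token). The token is
        returned only so the demo can stand in for the email/SMS delivery
        hook; a real service delivers it and never shows it to the requester."""
        if method in acct.disabled:
            return False, "method opted out by account owner", None
        if destination is not None:
            # A destination chosen by the requester proves nothing about them;
            # only channels registered before the request are eligible.
            return False, "destination must be pre-registered, not supplied now", None
        if method is Method.CREATION_DATE:
            if answer is None or not hmac.compare_digest(
                    answer.encode(), acct.creation_month.encode()):
                return False, "wrong creation date", None
            return True, "knowledge check passed", self._issue(acct, method)
        channel = acct.alt_email if method is Method.ALT_EMAIL_TOKEN else acct.phone
        if not channel:
            return False, "no registered channel for this method", None
        return True, "token sent to " + channel, self._issue(acct, method)

    def _issue(self, acct: Account, method: Method) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits, unguessable
        self.pending[acct.username] = Pending(
            method, _digest(token), self.now() + self.TOKEN_TTL)
        return token

    def redeem(self, username: str, token: str) -> bool:
        """Exchange a delivered token for a one-time right to set a new
        password. The old password is never transmitted anywhere."""
        p = self.pending.get(username)
        if p is None or self.now() > p.expires_at:
            self.pending.pop(username, None)
            return False
        if not hmac.compare_digest(p.token_hash, _digest(token)):
            return False
        del self.pending[username]             # single use: no replay
        return True


def demo() -> Dict[str, bool]:
    """Walk two constructed accounts through the cases discussed in the post."""
    svc = RecoveryService()
    # Channels registered up front, creation-date path opted out.
    opted_out = Account("owen", alt_email="owen@example.net", phone="+15550100",
                        creation_month="2004-06", disabled={Method.CREATION_DATE})
    # Never opted out: here the creation date alone is enough to get in.
    default = Account("markus", creation_month="2005-03")
    r: Dict[str, bool] = {}
    r["creation_date_opted_out"] = svc.request(opted_out, Method.CREATION_DATE,
                                               answer="2004-06")[0]
    r["creation_date_default"] = svc.request(default, Method.CREATION_DATE,
                                             answer="2005-03")[0]
    r["sms_to_request_supplied_number"] = svc.request(
        opted_out, Method.SMS_TOKEN, destination="+15550199")[0]
    ok, _, tok = svc.request(opted_out, Method.ALT_EMAIL_TOKEN)
    r["alt_email"] = ok
    r["redeem_wrong_token"] = svc.redeem("owen", "not-the-token")
    r["redeem_right_token"] = svc.redeem("owen", tok)
    r["redeem_replay"] = svc.redeem("owen", tok)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the model is the split Owen draws: the only recovery channels are ones the account holder registered before anyone asked, knowledge-based paths can be switched off per account, and what the token buys is the right to set a new password rather than a copy of the old one. Swap the injectable clock to check expiry behaviour without sleeping.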