[180182] in North American Network Operators' Group
Re: gmail security is a joke
daemon@ATHENA.MIT.EDU (James Downs)
Wed May 27 14:34:14 2015
X-Original-To: nanog@nanog.org
From: James Downs <egon@egon.cc>
In-Reply-To: <alpine.OSX.2.11.1505271420140.1564@ary.lan>
Date: Wed, 27 May 2015 11:33:29 -0700
To: "John R. Levine" <johnl@iecc.com>
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On May 27, 2015, at 11:22, John R. Levine <johnl@iecc.com> wrote:
> As I've said a couple of times already, but perhaps without the capital letters, from a security point of view, generating a NEW PASSWORD and sending it in cleartext is no worse than sending you a one time reset link. Either way, if a bad guy can intercept your mail, you lose.

Well, no… a one time reset link is infinitely better than sending a cleartext password, assuming you don’t have to immediately change the password.

A reset link, being usable once, means that you can detect if an attacker has already used it. If you use it first, the attacker has a useless link. If an attacker gets a cleartext password, you probably can’t detect interception.

Cheers,
-j
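
The single-use property described in the message above, sketched as an added example that is not part of the original post or any provider's code: a reset token store that accepts a link once and records an alert when a spent link is presented again. The class, method and field names are hypothetical, the in-memory dict stands in for a real database, and the address is constructed sample data.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Single-use password reset tokens (hypothetical design, in-memory only)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.tokens = {}  # sha256(token) -> {"user", "expires", "used_at"}
        self.alerts = []  # (user, reason) events to surface to the account owner

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked table does not contain usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable value placed in the mailed link
        self.tokens[self._digest(token)] = {
            "user": user, "expires": now + self.ttl, "used_at": None}
        return token

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        rec = self.tokens.get(self._digest(token))
        if rec is None:
            return "invalid"
        if rec["used_at"] is not None:
            # A spent link was presented again: two parties had the mail.
            # This is the detectable event a cleartext password does not give.
            self.alerts.append((rec["user"], "reset link presented after use"))
            return "already-used"
        if now > rec["expires"]:
            return "expired"
        rec["used_at"] = now
        return "ok"


def demo():
    # Constructed scenario: the same mailed link is presented twice.
    store = ResetTokenStore()
    link = store.issue("alice@example.org", now=1000.0)
    first = store.redeem(link, now=1010.0)   # whoever clicks first wins
    second = store.redeem(link, now=1020.0)  # the other party is refused
    return first, second, store.alerts
```

Whichever party loses the race gets `already-used`, so the legitimate owner either completes the reset or learns that someone else already did.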