Back to previous post: The Official Olympics Watching-and-Kibbitzing Thread

Go to Making Light's front page.

Forward to next post: Reference: athletic body diversity

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

August 1, 2012

Do you use Dropbox?
Posted by Jim Macdonald at 04:32 PM *

Time for a password change.

  • Use strong passwords.
  • Treat your passwords like you treat your toothbrushes. Never share them with anyone and change them every three months.
  • One site per password. That way losing a password/username combination at a site with poor securitywon’t compromise your password/username combination at a site with high security.
  • It’s okay to write down your passwords/usernames in a notebook at home. If the bad guys have physical access to your room you’re in a whole different ballgame than just on-line security.

[UPDATE TO ADD] Daniel Martin posts below:
Jim, this is irresponsible.

Granted, not very irresponsible because even the megaphone of Making Light pales in comparison to Business Insider, but still the natural inference from the post is that DropBox’s password database was compromised.

And that’s not true. Not at all true.

What event triggered the Business Insider story, and therefore this ML post? DropBox informed some of its users that they, the users, had apparently been careless and re-used their DropBox password on other sites. (which had been hacked)

You know what? DropBox didn’t have to tell its users that - everyone knows that the way a service with login and password knows that you are who you claim to be is with the login and password, and DropBox is going above and beyond by detecting activity that seems suspicious despite the use of the correct login and password.

In other words, the reward for DropBox implementing better-than-average security practices is the implication that they’ve been hacked.

People who implement poor security practices should be called out for doing so. Actual hacks should be publicized, and an article that advised one to change the email address one uses with DropBox - or being aware that that email could soon be hit with lots of spam - that was written based on the DropBox employee’s account compromise would be fair game.

But the remainder of the underlying facts show DropBox being good and upfront about security, and getting attacked for it. It’s as though a reporter wrote about a police district’s horrible crime wave when the facts on the ground were that the new police chief had stopped the earlier practice of fudging the official stats. (Except it’s even a more clear-cut case of reporter malpractice here)

I expect Business Insider to commit this kind of error; more precisely, I don’t respect them enough to care when they do.

Making Light, though, I respect, so this kind of carelessness cuts deep.

Comments on Do you use Dropbox?:
#1 ::: Rick Keir ::: (view all by) ::: August 01, 2012, 04:44 PM:

Business Insider is such a trashy site. Given the choice between facts and sensationalism, they go for sensation every time. Not surprising, given that its co-founder is the infamous Henry "banned from the securities industry for dishonesty" Blodgett.

You need to change your passwords if you are using the same password on Dropbox as you use on a site that has been hacked. Their own new story says that Dropbox did not lose passwords, but their headline makes it a Dropbox problem

If you re-use passwords you will get burned someday, which is why people need to get and use a password manager. This isn't a Dropbox issue.

#2 ::: Chris Adams ::: (view all by) ::: August 01, 2012, 06:00 PM:

Based on the source (http://blog.dropbox.com/index.php/security-update-new-features/) it appears this only affects people who reused their dropbox password on other sites and that the users have already been contacted.

Much, much better advice is to stop reusing important passwords - it avoids so many problems with unreliable site operators and there are some great options (1Password, LastPass, etc.) for making it easy to use unique hard for each site.

#3 ::: Chaomancer ::: (view all by) ::: August 01, 2012, 06:18 PM:

That's pretty terrible reporting - how does

"The company says that hackers got user names and passwords when they broke into other websites. They used them to sign into "a small number of Dropbox accounts." Dropbox didn't say how many accounts were affected. It has already contacted the users it knows were compromised."

become a Dropbox problem? the problem is that some users used the same password for Dropbox and other sites, and one of the other sites was compromised.

#4 ::: Jim Macdonald ::: (view all by) ::: August 01, 2012, 06:43 PM:

This becomes a Dropbox problem when

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.

We have a Dropbox employee using poor security technique, and a compromised internal document. We don't know if other employees also have poor security habits, or if other internal documents have been compromised.

#5 ::: Joe McMahon ::: (view all by) ::: August 01, 2012, 06:50 PM:

Also can recommend (for Mac users) 1Password, which stores all of your passwords, heavily encrypted. If you choose and use a good master password (an xkcd-syle one will work fine), you can be pretty sure that no one's going to steal you passwords - plus you can use the longest-possible, most complicated passwords on every site you use without having to remember them, or reuse them.

I don't have any stake in 1Password other than I love it to pieces, have it on all my machines and all my iOS devices.

#6 ::: Chaomancer ::: (view all by) ::: August 01, 2012, 06:54 PM:

True, but unless they kept password lists, that should only be an annoying source of spam, not a reason to change your password. If anything it would be a reason to change the email address Dropbox has for you, rather than the password.

If I suspected they had held my password in a file in some employee's Dropbox, I wouldn't be changing my password - I'd be closing my account and using one of the other equivalent services instead.

#7 ::: Patrick Nielsen Hayden ::: (view all by) ::: August 01, 2012, 07:48 PM:

I've changed both my and Teresa's Dropbox passwords, just on general principles.

I use 1Password and recommend it like CRAZY. I've been gradually using it to generate new unique passwords, fixing the passwords on the too-many-sites on which I was re-using passwords. I think I've pretty much taken care of all the sites which expose any kind of financial data. Have I mentioned that I love 1Password with the ferocity of a thousand suns?

#8 ::: cgeye ::: (view all by) ::: August 01, 2012, 08:55 PM:

How does 1Password ensure *they* don't get hacked?

#9 ::: Matthew Brown ::: (view all by) ::: August 01, 2012, 09:11 PM:

1password does not have your info on a central system. It's on your computers and your smartphones and wherever you back them up to. In encrypted form.

#10 ::: Matthew Brown ::: (view all by) ::: August 01, 2012, 09:12 PM:

Lastpass *does* store it centrally, but encrypted. It's decrypted locally, not on their server.

#11 ::: Serge Broom ::: (view all by) ::: August 01, 2012, 09:57 PM:

I changed the password, just in case. Mind you, if they're interested in all the film clips that Fade Manley, Abi and I had gathered for ML's own Boom-de-ya-da...

#12 ::: Henry Troup ::: (view all by) ::: August 01, 2012, 10:09 PM:

I may have told this story before. I've used "one site per password" for a long time. Relatively recently, I got a couple emails from sites I rarely use about "too many bad password attempts". They were forum sites, and I have to presume that my password from some site was harvested/leaked and tried against other sites; either for astroturfing or to see if it was reusable for high-value targets.

I've discussed my password algorithm for most sites before. I do want to add that for high-value passwords, I use a different algorithm.

I use a password safe program on my smartphone; it's backed up but double-encrypted in the backups. Should be ok. The phone itself is password protected and remote wipeable (and self-wiping, if too many bad passwords are tried.)

#13 ::: David Goldfarb ::: (view all by) ::: August 01, 2012, 10:15 PM:

I've redone my passwords for a number of important sites using an interesting system called Off The Grid. Essentially it's a method to create passwords that look like random noise but which are fairly easily reproducible -- given a master passphrase which ideally only you know.

#14 ::: KristianB ::: (view all by) ::: August 02, 2012, 04:15 AM:

I used to reuse the same password everywhere, until at some point I decided to switch to using diverse passwords, whereupon I immediately started forgetting which password I had used where. And I'd always learned that writing down what password you use and where you use it is just as bad as using the same password everywhere. Now I've started using an XKCD-style password as linked in #5, but not everywhere permits that kind of password. My university, for instance, which requires me to change passwords every year, demands that the first four characters of the password include at least three of four types of character, lower-case letters, capital letters, numbers, and special characters. Needless to say, this makes it a pain in the a$$ to come up with a password that I'll remember for the four times a year I need to log on to the university website.
For me, the bottom line is, I think passwords are a pitiful security measure on principle, and I desperately hope that someday soon technological advances allow us to simply stop using them altogether in favor of some biological recognition system that doesn't need us to remember anything.

#15 ::: Harry Payne ::: (view all by) ::: August 02, 2012, 04:25 AM:

Agreed that this is not (just) a DropBox problem - not only is it people using the same password for multiple sites, it's people using the same crap passwords like aaa and 12345678.

Good to see the 1password love, but my heart belongs to SplashID. I've been using them since the days I had a Palm handheld (which they still support).

#16 ::: Ingvar M ::: (view all by) ::: August 02, 2012, 05:22 AM:

Joe McMahon @ #5, pnh @ #7:

I was just going to write "use a password safe" (no, I do not know what's good and what's bad, if I am in doubt, I will go to Schneier for advice.

KristianB @ #14:

If you have your password written down, your ecurity is now the minimum of "online compromise" and "security of the password storage".

If you keep your work password on a note under your keyboard, your security is almost nil. That is the scenario that lead to the "do not write it down".

When I was actively in security, in the early/mid 90s, we said "if you write your password down, stick that note in your wallet, make sure it has only your password on it".

David Goldfarb @ #13:

I have vague memories of OTG and going "I can feel there is a weakness in there" (but, for the live of me, I do not recall what made me think that). I would like to see a proper cryptanalysis done on it, though.

#17 ::: KristianB ::: (view all by) ::: August 02, 2012, 06:31 AM:

Ingvar M @16: Yeah. I guess if I were to write them down, it would be in my dayplanner, which might not be the wisest place but it would perform its purpose of helping me keep track of things.
I suddenly remembered a peculiar password-incident that I hope isn't very common. One time I was letting my brother try World of Warcraft on my account, for which I had to give him the password. "That's a pretty clever password," he said, and I said "thanks, I kinda like that one."
Fast forward half a year, my brother is at the airport, calls me, and asks me to log into his e-mail and check his flight information. I say "Sure, what's the password?" And he tells me the same password I used on my WoW-acconut.

#18 ::: lorax ::: (view all by) ::: August 02, 2012, 10:39 AM:

I don't write my passwords down, but I will write down hints to myself. I know the scheme that I use to generate them, so an oblique reminder of the seed that I used is sufficient for me.

#19 ::: Victoria ::: (view all by) ::: August 02, 2012, 10:39 AM:

#5 ::: Joe McMahon

The XKCD password format only works if you're not limited to a maximum of 16 characters like some of the places I'm required to log into.

#20 ::: Daniel Martin ::: (view all by) ::: August 02, 2012, 04:51 PM:

Jim, this is irresponsible.

Granted, not very irresponsible because even the megaphone of Making Light pales in comparison to Business Insider, but still the natural inference from the post is that DropBox's password database was compromised.

And that's not true. Not at all true.

What event triggered the Business Insider story, and therefore this ML post? DropBox informed some of its users that they, the users, had apparently been careless and re-used their DropBox password on other sites. (which had been hacked)

You know what? DropBox didn't have to tell its users that - everyone knows that the way a service with login and password knows that you are who you claim to be is with the login and password, and DropBox is going above and beyond by detecting activity that seems suspicious despite the use of the correct login and password.

In other words, the reward for DropBox implementing better-than-average security practices is the implication that they've been hacked.

People who implement poor security practices should be called out for doing so. Actual hacks should be publicized, and an article that advised one to change the email address one uses with DropBox - or being aware that that email could soon be hit with lots of spam - that was written based on the DropBox employee's account compromise would be fair game.

But the remainder of the underlying facts show DropBox being good and upfront about security, and getting attacked for it. It's as though a reporter wrote about a police district's horrible crime wave when the facts on the ground were that the new police chief had stopped the earlier practice of fudging the official stats. (Except it's even a more clear-cut case of reporter malpractice here)

I expect Business Insider to commit this kind of error; more precisely, I don't respect them enough to care when they do.

Making Light, though, I respect, so this kind of carelessness cuts deep.

#21 ::: Jim Macdonald ::: (view all by) ::: August 02, 2012, 11:52 PM:

Daniel, I've promoted thy post to the front door, to provide some balance.

My own opinion is that every site is vulnerable, and the higher profile/higher value that site is, the more resources will be spent on compromising it.

That's why I advise using one password per site, and changing all passwords four times a year -- because any site can be attacked, and some attack will, sooner or later, win. It's safer to assume that any site you visit has been compromised, and thus to limit the damage.

We do know that some Dropbox information was lost -- including that which belonged to people who were using excellent security practices themselves (e.g. having an e-mail address used only for Dropbox). And that's how this particular event was caught -- not by Dropbox's superior security, but by being informed of a breech by users who themselves were using superior security practices.

Moving on to other issues: The xkcd password approach works if and only if you only have one password. Can you remember four random words for each site you visit, including those you visit only once every year or so?

The problem with Off the Grid is that it requires you carry a particular sheet of paper on your person at all times. Plus a copy at home, and another copy in your desk drawer at work. If you ever lose the piece of paper you're screwed.

A simple Vigenere, perhaps superenciphered with a transposition, will give you the same level of security, using keywords that you can memorize to create the grid from scratch any time you need it. Why the same level of security when the general solution to the Vigenere has been known since the 1840s? Because given the very small amount of cipher text that compromising one, or two, or even a dozen, of your passwords will yield, its unlikely that someone will collect enough text to even attempt the general solution.

#22 ::: David Goldfarb ::: (view all by) ::: August 03, 2012, 12:02 AM:
If you ever lose the piece of paper you're screwed.
Wrong. If you remember the passphrase you used to create the grid initially, you can go to the Off The Grid website, re-enter it, and get a new copy of the same grid. I have in fact done this, one time when I was traveling and forgot to make sure my laptop was logged in to GMail. It worked.
#23 ::: David Goldfarb ::: (view all by) ::: August 03, 2012, 12:06 AM:

I mean, certainly anyone may have reasons why Off The Grid isn't right for them. But let them at least be valid ones.

#24 ::: Malcolm Cohen ::: (view all by) ::: August 03, 2012, 12:17 AM:

Daniel Martin writes:

In other words, the reward for DropBox implementing better-than-average security practices is the implication that they've been hacked.

I do not agree. Holding personal information about customers (their email addresses at least) in an employee's DropBox, and a poorly-protected one at that, is in no sense "better-than-average". If they are trying to sell secure storage, that is definitely inadequate.

And they were hacked. That is precisely the verb for breaking into a company's system and getting customer information out of it.

Furthermore, to quote Brian Krebs,


Two weeks ago, many Dropbox users began suspecting a data breach at the online file-sharing service after they started receiving spam at email addresses they’d created specifically for use at Dropbox. Today, the company confirmed that suspicion...

These facts do not "show DropBox being good and upfront about security"! This is at best, an adequate response. They had to say something because people were already talking about it.

I would hope that it is just that list of email addresses, but while that is likely it is not certain.

It might also be pointed out that DropBox has "form" in poor security practices. Some people are less willing to give them the benefit of any doubt. They are reaping the reward of their previous poor security practices along with that for their latest example of a poor security practice.

(Based on their previous behaviour, some already take the view that one should not put anything unencrypted on DropBox that would be embarrassing if it were disclosed. Since one of their previous breaches was to make everyone's DropBox accessible to everyone else, I have to agree with that view.)

Moving on to password management, I second the recommendation of using some kind of password manager. I personally use "Password Safe". The practice of using the same password on multiple sites simply has to stop. There are way too many sites with poor security, you have to assume that eventually someone will get the password hashes (if they are even hashed!) and given the advances in computing technology, that means that even with a high-entropy password (which I also highly recommend), it is very likely to be cracked at some point. In which case it had better just be a blog password and not the keys to your finances!

#25 ::: Jim Macdonald ::: (view all by) ::: August 03, 2012, 12:18 AM:

Which gets us to one of the objections that GRC has for other password managers: It assumes that a particular site (in this case GRC.com) will be up, running, and accessible forever.

#26 ::: Jim Macdonald ::: (view all by) ::: August 03, 2012, 12:22 AM:

(My last was in response to David Goldfarb #23.)

#27 ::: David Goldfarb ::: (view all by) ::: August 03, 2012, 12:42 AM:

Okay, yeah, if you lose the piece of paper and the GRC website goes down or changes, then you're screwed. But that's a rather stronger claim.

#28 ::: Teemu Kalvas ::: (view all by) ::: August 03, 2012, 03:24 AM:

Jim @ 25: I can see that GRC don't make it obvious, but that's not in fact true: all that is needed for transforming the passphrase to the grid is within the web page, and if you make a copy of the web page, it is self-contained and will work as well. I just tested this on Safari: Save as.../Web archive, then Open File/go to the web archive just created, then enter a passphrase and click on the button, then check that the grid is the same.

I guess advertising this feature (which really must be intentional) better would help spread the use of OTG.

If the only way to generate the grid from the passphrase really was to have GRC's website up and running, that would be pretty dire, I agree.

#29 ::: Charlie Stross ::: (view all by) ::: August 03, 2012, 09:04 AM:

On password management apps: 1Password is an option; I use SplashID, which has OSX and Windows computer versions and apps for iOS and Android. (Also for Blackberry, PalmOS, WebOS, and old Windows Phone - about the only platforms they don't seem to support are Linux desktops and Symbian.) Encrypted database, device-to-device sync, easily customized for odd variants, makes it convenient to use a different password for every website and carry them along on your phone (password required for access). Note that I would not recommend the Android app just yet; it lags behind the Mac/iOS versions and is somewhat flaky. (I don't have any way to test the Windows version.)

This month's poster child for utterly crap password management is gigantic British supermarket chain Tesco, who insist passwords must consist of letters A-Z and digits 0-9 only (no lowercase, no punctuation, no odd characters) and may be 6-10 characters only. And who apparently store the passwords as plaintext and email them to customers who ask for a password reminder. For accounts with attached credit card/bank account information. I am not making this up!

#30 ::: Cassy B. ::: (view all by) ::: August 03, 2012, 09:20 AM:

Charlie Stross @29: I believe you. I banked with Chase Bank; I had a reasonably-secure password which included non-alpha-numeric characters. A few years back my password stopped working for no apparent reason. I called the bank. They asked me what my password was; I told them. "Oh, that's not a valid password; it's got SYMBOLS in it." BUT IT WORKED YESTERDAY!

Apparently, without telling their customers, they changed their password policy to exclude non-alpha-numeric characters like * and % and @. As best as I can figure out from the timing of it all, this was when they absorbed Washington Mutual; I'm guessing that the password software was incompatible.

So my password went from reasonably strong to considerably weaker, by bank policy. (It's been some time, and I'm still pissed off about this. Can you tell?)

Cassy

#31 ::: Jack V ::: (view all by) ::: August 03, 2012, 09:35 AM:

Looking at the article, it seems like DropBox did one good thing: responding promptly and openly to a problem.

And one bad thing: letting an employee keep a record of email addresses in a dropbox account with a nonsecure password.

So buisiness insider was right to report it, but "change your password now" was hysterical and incoherant.

If they think it's likely that dropbox passwords were compromised via dropbox, they should SAY that, because that's a big deal. If the ONLY things that were compromised were the things mentioned in the article, that's still a fuck-up, but changing your password wouldn't do anything particular. (Although it may be a good idea, just in case the breach WAS more severe and no-one realised, and especially if your password is not very strong or shared on another site.)

#32 ::: MaryL ::: (view all by) ::: August 03, 2012, 11:20 AM:

Yeah, my bank also requires a password no longer than 8 characters, letters and numerals only.

OTG looks interesting, as does 1Password, but the system I'm using now involves a paper notebook (and a plain text file) that lists cryptic references to friends, dates (no birthdates) and places I've lived. For example, I remember one old address as "dead rat" and it's been given the numeric value 2.

I then write down all the sites where I have passwords as 3 + 7, or 2 + 4 to generate unique, reasonably long passwords and make new combos a couple of times a year. It's not very elegant, but it works.

#33 ::: janetl ::: (view all by) ::: August 04, 2012, 11:57 AM:

Charlie Stross @ 29: I've been using Splash ID for years -- started using it on Windows with a Palm Pilot, and migrated to Mac and an iPhone. During the past year, I haven't been entirely happy with it on the Mac. One of their Mac installers died running on my Mac and left things in a confused state (I was running the current version of OS X). You can imagine how panicked I felt when I couldn't open my password manager! Only the knowledge that my phone had the same database on it and that I could still open it there kept me from marching on their office with a flaming torch .

I've also had the database get corrupted -- twice. A record appears that is gibberish. You can't synch until you find it and delete it.

If you upgrade on your phone, and not on the desktop, when you synch you get a message that the database is corrupted rather than a message saying that the two versions are different and you should upgrade.

I decided to switch to 1Password. The export from SplashID imported just fine into 1Password, but the account types I was using in SplashID didn't line up neatly in 1Password, and you can't change account type in 1Password, so I'm back to SplashID, and keeping my fingers crossed. (Account type, as in web login, bank, etc).

One thing I didn't like in 1Password is that you have two passwords to see an account. That is, there's one to open the app, and then a second one for an account. The one to open the app is limited to 4 digits. I prefer having a stronger password to open the app, and then not having individual account PWs after that.


#34 ::: Fran Wilde ::: (view all by) ::: August 04, 2012, 01:44 PM:

I've used both 1Password and splashID. I continue to use 1Password, in part because of two dbase corruptions on splashID during updates.

With respect to the original post, that was a news item forward through Twitter, from me.

I use and love dropbox, and also change my passwords regularly there and everywhere else.

#35 ::: Lin D ::: (view all by) ::: August 06, 2012, 04:59 PM:

I use PaswordSafe also, in part because I can carry the executable and the encrypted password file around on a USB thumb drive. I have a full set of passwords in a file called Archive, a daily set called Lins, and each computer has its own file name, so I don't EVER EVER EVER copy one file over another. Yeah, I did that. Fortunately, I have backups. PasswordSafe allows for a username/password record to be dragged/drug/clicked and slid sideways from one PWS file to another. It will also run compares of files.

#36 ::: Larry ::: (view all by) ::: August 06, 2012, 05:32 PM:

One thing I always recommend with dropbox is to encrypt what you store on there. It is what I do for sensitive files or files that actually matter to me. This will at least protect the data.

On a mac you can use something like Knox to create and encrypted disk image within dropbox. Now this doesn't mean you have a weak password.

Cassy@30: The strongest passwords don't need special characters in them. The best passwords have been found to be a series of passphrases with a separator. These cannot be brute forced in the standard way and can be very hard to guess.

I recommend checking out https://www.grc.com/haystack.htm this will determine how long it could take to crack your password and goes into why. It's a very good read.

#37 ::: Jim Macdonald ::: (view all by) ::: August 07, 2012, 11:18 AM:

Where passwords (whatever strength) don't help: When someone does a run around the side of them.

How Apple and Amazon Security Flaws Led to My Epic Hacking

#38 ::: Caroline ::: (view all by) ::: August 07, 2012, 11:49 AM:

Jim Macdonald @ 37:

That article shows that passwords aren't the only issue. The security of password reset protocols is just as important. If the only security questions are billing address, associated e-mail address, and the last four digits of an associated credit card -- then the process is not secure. Those first two pieces of information are trivially easy to get. And I was surprised by that article's explanation of how easy it is to exploit Amazon phone support to get a hold of the last four digits of someone's credit card.

My takeaway lessons from that article are the following:

  1. If you have Gmail, turn on two-factor authentication. (I did that a while back.)
  2. If you have a Mac and use iCloud, do not turn on Find My Mac unless you have a very good reason to do so. (Find My Mac is not turned on by default. You can make sure you haven't turned it on by going to Apple menu - System Preferences - iCloud and making sure Find My Mac is unchecked.)
  3. Do frequent backups of everything. Just in case.

Also, you don't have to use iCloud. If you don't feel the benefits are worth the risks, you can choose not to sign up for it when your Mac or iDevice asks you.

I also just went and removed the stored credit cards from my Amazon account. I've never been totally happy about websites storing my credit card information. And now that my password manager will store it locally (encrypted) and let me fill it in with one click, it's not even an inconvenience to re-enter it every time.

#40 ::: Andrew Plotkin ::: (view all by) ::: August 07, 2012, 06:10 PM:

My bias is that giving Google my phone number *is* a security risk. I don't want them to have it.

(I don't have a specific failure case in mind, beyond "more people might phone me." But isn't the point to spread as little personal information around as possible? Will "Google has my phone number" be the next "Amazon has my credit card number"?)

I once got a cheap pay-as-you-go phone, to use specifically as a verification contact. I'd have to put more money into it to resurrect it for that purpose, though; even more so to keep it live permanently for emergencies.

#41 ::: Caroline ::: (view all by) ::: August 07, 2012, 06:50 PM:

Andrew Plotkin @ 40: I understand the worry. I can say that in the year or so I've had 2-factor authentication turned on, I haven't gotten more telemarketing calls or junk texts. So far, anyway, Google is keeping their word to only use the phone number for account authentication.

You raise an interesting point, though. Is there a way to do an end-run around two-factor authentication on Google, thereby getting access not only to someone's e-mail, but also to their phone number?

The first thing I'd think of would be to check what happens if someone loses access to the phone they have on file for two-factor authentication. It looks like your only options are to sign in with emergency backup codes you've previously printed out, use a computer you've previously marked "trusted," or fill out the full Account Recovery form. The full Account Recovery form is notoriously obnoxious, asking things that I'm not sure I could answer about my own account (exactly when I created it, for example). Also, it takes days to get account access that way.

AFAIK Gmail doesn't have phone support, so there's no "call them up and pretend to be clueless until they give you a temporary password with ridiculously easy security questions" option, which is what worked on both Amazon and Apple.

I'm not an expert, but it seems like the easiest thing to exploit would probably be the "trusted computer" option. Not sure how that's implemented or how one might go about faking it.

#42 ::: Jeremy Leader ::: (view all by) ::: August 07, 2012, 07:05 PM:

One avenue for an attacker to compromise phone-based authentication would be via call forwarding. The attacker just has to convince The Phone Company (in whichever of its many incarnations) to forward your number to their phone. I've known people who had forwarding configured on their phone line, so they can dial an appropriate number, enter a password, and forward their number to whatever number they expect to be at. Now, that phone-forwarding password controls access to their Google account, too.

#43 ::: Jim Macdonald ::: (view all by) ::: August 07, 2012, 09:10 PM:

I am certain of two things: There is a vulnerability, and someone will find it.

#45 ::: P J Evans ::: (view all by) ::: August 07, 2012, 10:39 PM:

40
I don't want them to have my phone number, either.

#46 ::: dcb ::: (view all by) ::: August 08, 2012, 03:38 AM:

I particularly dislike the sites which ask you to choose a password, wait for you to enter the password you have chosen, and then tell you that it doesn't meet their requirements. Great! So now, probably in a hurry, you have to think of a new password, probably less safe/strong then the one you had preprepared and/or less easy for you to remember. Grr!

Re. Google wanting a telephone number: no way!

Caroline @ 38: Thank you for reminding me. I'd been meaning to delete mine - I hate that there is no option for it NOT being stored by default when you give the number.

#47 ::: Jim Macdonald ::: (view all by) ::: August 08, 2012, 11:50 AM:

The big problem that I see with giving Google your phone number is co-locating and correlating too much data in one place.

Not that Google couldn't pretty easily find your phone number if it wanted to, but there are real advantages to having your data fragmented and scattered.

Choose:
Smaller type (our default)
Larger type
Even larger type, with serifs

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 by Patrick & Teresa Nielsen Hayden. All rights reserved.