nanog mailing list archives
Re: gmail security is a joke
From: Saku Ytti <saku () ytti fi>
Date: Tue, 26 May 2015 18:22:46 +0300
On (2015-05-26 16:26 +0200), Markus wrote:

Hey,

> Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the

Without any comment on what gmail is or is not doing, the topic interests me. How should recovery be done in a scalable manner? Almost invariably when the accounts were initially created there is no strong authentication used, how would, even in theory, it be possible to reauthenticate strongly after the password was lost?

One solution is that you can opt-out from any password recovery process, which also would mean opt-in for deletion of dormant accounts (no login for 2 years, candidate for deletion?). I personally would opt-in for this in every service I have. I recall gandi allows you to disable password recovery.

Perhaps some people would trust, if they could opt-in for reauthentication via some legal entity procuring such services. Then during account creation, you'd need to go through the same authentication phase, perhaps tied to national ID or comparable. This might be reasonable, most people probably already trust one of these for much more important authentication than email, but supporting all of them globally seems like a very expensive proposal.

--
++ytti