Re: gmail security is a joke

[chris <tknchris () gmail com>]

I get what you are saying but my point was more about lack of crypto or
reversible crypto than stealing the account. I like what Owen is
describing, they should present all account recovery options and let the
user toggle on/off which ones they want to be usable this way the user can
make their own decisions and live with their own choices.

On Tue, May 26, 2015 at 12:06 PM, John Levine <johnl () iecc com> wrote:

> In article <
> CAKnNFz_apy8KHBXj0umGoq6UfCD640Jtxe9A+2TqU-d761-eug () mail gmail com> you
> write:
> > Haha I cringe when I do a password recovery at a site and they either
> email
> > the current pw to me in plain text or just as bad reset it then email it
> in
> > plain text. Its really sad that stuff this bad is still so common.
>
> If they do a reset, what difference does it make whether they send the
> password in plain text or as a one-time link?  Either way, if a bad
> guy can read the mail, he can steal the account.
>
> Given the enormous scale of Gmail, I think they do a reasonable job of
> account security.  If you want to make your account secure with an
> external account or an external token (a physical one like a yubikey
> or a software one like the authenticator app), you can.
>
> Or if you consider your account to be low value, you can treat it that
> way, too.
>
> R's,
> John