nanog mailing list archives
Re: gmail security is a joke
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 26 May 2015 14:23:05 -0400
On Tue, May 26, 2015 at 2:15 PM, <Valdis.Kletnieks () vt edu> wrote:
On Tue, 26 May 2015 19:11:51 +0300, Saku Ytti said:OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn???t want to opt out of that.It's probably machine sent in seconds or minute after request, so doing short-lived BGP hijack of MX might be reasonably easy way to get the email.To be fair, if your e-mail address is high enough value that somebody is willing to risk getting caught doing a BGP hijack, maybe you have bigger problems to worry about.
I suppose the meta of this whole conversation is for the OP: "Sure, there are issues with just about every account-recovery setup out there. Where you have X-hundreds of millions of 'not nanog' level users interacting and needing passwd recovery to work reliably and somewhat securely, how would you accomplish this?" Tossing grenades in the crowded room is cool and all, but ... you clearly have some thoughts about options/improvements/etc you might get more useful traction by proposing them.
Current thread:
- Re: gmail security is a joke, (continued)
- Re: gmail security is a joke Barry Shein (May 27)
- Re: gmail security is a joke Peter Beckman (May 27)
- RE: gmail security is a joke John Souvestre (May 27)
- Re: gmail security is a joke Jimmy Hess (May 27)
- Password storage (was Re: gmail security is a joke) Robert Kisteleki (May 28)
- Re: Password storage (was Re: gmail security is a joke) Christopher Morrow (May 28)
- Re: Password storage (was Re: gmail security is a joke) shawn wilson (May 28)
- Re: Password storage (was Re: gmail security is a joke) Michael Thomas (May 28)
- Re: gmail security is a joke Saku Ytti (May 26)
- Re: gmail security is a joke Valdis . Kletnieks (May 26)
- Re: gmail security is a joke Christopher Morrow (May 26)
- Re: gmail security is a joke Mark Andrews (May 26)
- Re: gmail security is a joke Owen DeLong (May 27)
- Re: gmail security is a joke Joe Abley (May 27)
- Re: gmail security is a joke Saku Ytti (May 27)
- Re: gmail security is a joke Joel Maslak (May 27)
- Re: gmail security is a joke Rafael Possamai (May 27)
- Re: gmail security is a joke Jimmy Hess (May 29)
- Re: gmail security is a joke Valdis . Kletnieks (May 27)
- Re: gmail security is a joke Octavio Alvarez (May 28)
- Re: gmail security is a joke Blair Trosper (May 28)