Comments on: My GMail password scares me with its power! http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/ The Virtual Investor Thu, 04 Mar 2010 17:44:20 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: suziegeill http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473319 suziegeill Tue, 13 Oct 2009 02:26:15 +0000 http://benmetcalfe.com/blog/?p=974#comment-473319 i need to no my gmail adress and pass i need to no my gmail adress and pass

]]> By: nate http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473315 nate Fri, 09 Oct 2009 16:41:39 +0000 http://benmetcalfe.com/blog/?p=974#comment-473315 Best two factor (and simplist) authentication I've seen is here: http://www.phonefactor.com/ Who needs another thing on your keychain or in your pocket or purse. Use what's already there... ;) Best two factor (and simplist) authentication I’ve seen is here:

http://www.phonefactor.com/

Who needs another thing on your keychain or in your pocket or purse. Use what’s already there… ;)

]]> By: Planet http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473308 Planet Thu, 08 Oct 2009 05:46:58 +0000 http://benmetcalfe.com/blog/?p=974#comment-473308 Why not create a second email account for the RIM and forward new mail to in from your primary? Why not create a second email account for the RIM and forward new mail to in from your primary?

]]> By: Chuck http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473307 Chuck Thu, 08 Oct 2009 02:06:32 +0000 http://benmetcalfe.com/blog/?p=974#comment-473307 Totally agree. I wrote a piece a couple days ago about my pet peeve, 3rd party Android apps that ask for your Gmail address and password ( http://www.androidguys.com/2009/10/04/5-nice-apps-i-refuse-to-use/ ) and was surprised that a large segment of the commenters thought I was being too paranoid. I'd love to see the "security through segregation" you describe, as well as Google supporting OAuth for mobile apps. (My understanding is that they only do so for web apps.) Totally agree. I wrote a piece a couple days ago about my pet peeve, 3rd party Android apps that ask for your Gmail address and password ( http://www.androidguys.com/2009/10/04/5-nice-apps-i-refuse-to-use/ ) and was surprised that a large segment of the commenters thought I was being too paranoid.

I’d love to see the “security through segregation” you describe, as well as Google supporting OAuth for mobile apps. (My understanding is that they only do so for web apps.)

]]> By: zmoney http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473305 zmoney Thu, 08 Oct 2009 00:42:07 +0000 http://benmetcalfe.com/blog/?p=974#comment-473305 I'm pretty certain that most people would rather have the simplicity of a single sign-on for their whole online universe and take the security risk. I'm super paranoid and pretty security-savvy and even I get so sick of typing passwords all day long that I can easily justify using my google account for everything. Technology is enough of a pain in the ass without trying to remember a dozen logins and passwords. I’m pretty certain that most people would rather have the simplicity of a single sign-on for their whole online universe and take the security risk. I’m super paranoid and pretty security-savvy and even I get so sick of typing passwords all day long that I can easily justify using my google account for everything. Technology is enough of a pain in the ass without trying to remember a dozen logins and passwords.

]]> By: Ray http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473304 Ray Wed, 07 Oct 2009 23:41:09 +0000 http://benmetcalfe.com/blog/?p=974#comment-473304 I have multiple gmail accounts which reflect different security "zones" and personas. I have one just for App Engine projects, another for family, one for business-oriented interactions, and lastly one for signing up for various untrusted mailing lists. I see this as wearing various hats or sets of clothes. I put on my work clothes for business interactions, kick back with family, and late at night put on my propeller-head costume for hacking App Engine code. I have multiple gmail accounts which reflect different security “zones” and personas. I have one just for App Engine projects, another for family, one for business-oriented interactions, and lastly one for signing up for various untrusted mailing lists. I see this as wearing various hats or sets of clothes. I put on my work clothes for business interactions, kick back with family, and late at night put on my propeller-head costume for hacking App Engine code.

]]> By: Ben Metcalfe http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473303 Ben Metcalfe Wed, 07 Oct 2009 23:26:46 +0000 http://benmetcalfe.com/blog/?p=974#comment-473303 @Ed. The even more scary thing about sites sending you back your password via clear text (rather than creating a new temporary one or offering a reset url) is that they also had your password saved in the clear in their database. The reason sites with best-practice send a reset url or temp password is that they have only stored the salted+hashed output of your original password, and so they don't know what your password is to begin with. @Ed. The even more scary thing about sites sending you back your password via clear text (rather than creating a new temporary one or offering a reset url) is that they also had your password saved in the clear in their database.

The reason sites with best-practice send a reset url or temp password is that they have only stored the salted+hashed output of your original password, and so they don’t know what your password is to begin with.

]]> By: Ed http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473302 Ed Wed, 07 Oct 2009 21:41:12 +0000 http://benmetcalfe.com/blog/?p=974#comment-473302 I use Google Apps as well as several regular Google accounts for the various services. In addition to this I use a variety of email addresses to sign up for other sites. This sucks when it comes to something like having a "global" addressbook that I wish I had across email, calendar, gvoice, etc. But it's a small bit of extra security should my email get compromised. I would definitely shell out some $ to have a software keyfob for constantly changing passwords to avoid the clear-text problem that arises all too often. 1Password has helped me break the habit of using the same password on multiple sites, and this would help protect against the password-exposed-in-clear-text problems. My #1 annoyance with sites is when they send me my password in clear text via email when I've forgotten it. I'd much rather they reset it to something random to allow me to login and then change it to what I want. For many people these clear-text passwords unlock a variety of accounts, or provide someone with malicious intent a hint to your own personal password generating "method" (if you use one that's not software). I use Google Apps as well as several regular Google accounts for the various services. In addition to this I use a variety of email addresses to sign up for other sites. This sucks when it comes to something like having a “global” addressbook that I wish I had across email, calendar, gvoice, etc. But it’s a small bit of extra security should my email get compromised.

I would definitely shell out some $ to have a software keyfob for constantly changing passwords to avoid the clear-text problem that arises all too often. 1Password has helped me break the habit of using the same password on multiple sites, and this would help protect against the password-exposed-in-clear-text problems.

My #1 annoyance with sites is when they send me my password in clear text via email when I’ve forgotten it. I’d much rather they reset it to something random to allow me to login and then change it to what I want. For many people these clear-text passwords unlock a variety of accounts, or provide someone with malicious intent a hint to your own personal password generating “method” (if you use one that’s not software).

]]> By: Paul Stamatiou http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473301 Paul Stamatiou Wed, 07 Oct 2009 21:29:49 +0000 http://benmetcalfe.com/blog/?p=974#comment-473301 I'm a huge advocate of two-factor authentication and wish more systems supported things like keyfobs... perhaps even a library allowing others to build in support for such auth is in order.. I’m a huge advocate of two-factor authentication and wish more systems supported things like keyfobs… perhaps even a library allowing others to build in support for such auth is in order..

]]> By: Jach http://benmetcalfe.com/blog/2009/10/my-gmail-password-scares-me-with-its-power/comment-page-1/#comment-473300 Jach Wed, 07 Oct 2009 21:20:37 +0000 http://benmetcalfe.com/blog/?p=974#comment-473300 It is pretty scary. I use a 34 character password though; Gmail doesn't have a tiny limit like so many other places. It is pretty scary. I use a 34 character password though; Gmail doesn’t have a tiny limit like so many other places.

]]>