My GMail password scares me with its power!

Google’s GMail blog has some “handy” advice on how to pick a good password to protect your email account.

Don’t use dictionary words, use mixed case, your eldest kid’s name is a bad choice, etc etc. Yeah that’s great.

But the much bigger security issue I fear is that my GMail username & password are also the same username & password for:

  • My calendar (Google Calendar)
  • My confidential documents (Google Docs)
  • My credit card (Google Checkout)
  • My website’s analytics (Google Analytics)
  • My RSS feed admin (Feedburner)
  • My phone number, voicemail, IMs (Google Voice + GTalk)
  • Some experimental projects (App Engine)
  • My photos and videos (Picasa and YouTube)
  • + more (see your list of Google services you use)

Given the legitimate places you need to put your username and password in order to access your email (i.e. your email client, which might be sending it in the clear each time it fetches mail), is it really sensible to rely on that one credential’s security and integrity for all these other ancillary Google services as well?

I am a strong believer that you shouldn’t give your Google username and password to ANYONE for this reason. It pains me to have to give it to RIM but it’s the only way they can push email to my Blackberry.

Security through segregation

It’s really about time Google separated GMail, and perhaps GTalk, authentication from the rest of their properties. At the very least I’d like to see the ability to create a separate password for IMAP/POP access that I can enter into my email client and give to RIM that doesn’t give access to the rest of my Google Account.
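
What such a per-application password would look like on the account side, as an added example (this is illustrative code written for this page, not anything Google ships or the post’s own code; the scope names, the PBKDF2 work factor and the sample credentials are assumptions). The account password unlocks every scope; each app password is random, stored only as a salted hash, and bound to a single scope such as “mail”, so the credential you paste into a mail client or hand to a push-mail service cannot reach Docs or Checkout, and can be revoked on its own:

```python
"""Scoped application passwords: a model of the segregation the post asks for.

Added example, not Google's implementation. Assumed: the scope names below,
PBKDF2-SHA256 with 100k rounds as the work factor, and the demo credentials.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example
ALL_SCOPES = frozenset({"mail", "calendar", "docs", "checkout", "analytics"})


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self._salt = os.urandom(16)
        self._pw_hash = _hash(password, self._salt)
        # app_id -> (salt, hash, scope); the plaintext app password is never kept
        self._app_passwords: Dict[str, Tuple[bytes, bytes, str]] = {}

    def create_app_password(self, app_id: str, scope: str) -> str:
        """Mint a random per-application password limited to one scope.

        The plaintext is shown to the user once (to paste into a mail client
        or give to a push-mail service) and only its salted hash is stored.
        """
        if scope not in ALL_SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        plaintext = secrets.token_urlsafe(18)  # ~144 bits of entropy
        salt = os.urandom(16)
        self._app_passwords[app_id] = (salt, _hash(plaintext, salt), scope)
        return plaintext

    def revoke_app_password(self, app_id: str) -> None:
        """Cut off one client without touching the account password."""
        self._app_passwords.pop(app_id, None)

    def authorize(self, presented: str, scope: str) -> bool:
        """True if `presented` grants `scope`.

        The account password grants every known scope; an app password grants
        only the scope it was minted for. Digest comparisons are constant-time.
        """
        if hmac.compare_digest(_hash(presented, self._salt), self._pw_hash):
            return scope in ALL_SCOPES
        for salt, digest, app_scope in self._app_passwords.values():
            if hmac.compare_digest(_hash(presented, salt), digest):
                return app_scope == scope
        return False


def demo() -> Dict[str, bool]:
    """Exercise the model with constructed credentials; returns each outcome."""
    master = "correct horse battery staple"  # constructed, not a real password
    acct = Account("ben", master)
    imap_pw = acct.create_app_password("mail-client", "mail")
    results = {
        "master_opens_checkout": acct.authorize(master, "checkout"),
        "app_pw_opens_mail": acct.authorize(imap_pw, "mail"),
        "app_pw_blocked_from_checkout": acct.authorize(imap_pw, "checkout"),
        "wrong_pw_blocked": acct.authorize("not the password", "mail"),
    }
    acct.revoke_app_password("mail-client")
    results["revoked_app_pw_blocked"] = acct.authorize(imap_pw, "mail")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the model is the last two checks: a mail-client credential that leaks (or that a third party stores) is useless against any other scope, and revoking it does not force a password change everywhere else.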

However, as Google becomes an ever more vital and relied-upon part of our online workflow (see how many services I use, above), I wonder whether there would be value in offering an optional RSA-style keyfob to help protect access – perhaps for a $20-$50/year fee. I know I would pay, and that PayPal have been offering a product like this for some time at $5 a fob.

25 thoughts on “My GMail password scares me with its power!”

  1. “…it’s security and integrity..” should be “…its security and integrity…”.
    Good point. I’ve only just started using other Google services, and hadn’t considered that. I agree email is “different”, and maybe deserves a separate password.

  2. It’s worse. Go to your bank and tell them you forgot your password. Where does the reset mail go?

  3. Yes this has scared me for a while. All password resets for your other online services send the password to gmail. I would recommend using a different domain (which you control) which forwards to gmail etc. At least you can leave if your account is compromised.

  4. We thought about implementing the RSA keyfobs at Yahoo, but when we did the market research, there wasn’t enough demand for it. The real problem is that for the mass audience, it’s too hard. I don’t have the answer, but we need something simpler or people just won’t use it.

  5. I don’t understand why someone wouldn’t be able to create more than one GMail account and use separate accounts for separate Google related purposes? (Use one GMail account for RSS and a separate GMail account for App Engine, etc)

    There is still the possibility that everyone you give information to is tied to a single GMail account (for your own convenience), but that is still your own fault, not the fault of Google.

  6. @Grammar Queen: thanks for the typo tip, I’ll correct that now. I’m dyslexic and it was late when I ranted this out, but that’s no excuse. Consider wrists slapped!

    @Zahid Malik: yes, I actually never give out my gmail.com address – I have everything from benmetcalfe.com and dotben.co.uk forward through for this reason. And it ultimately gives me portability should GMail no longer be the best option for me.

    @Matt Cutts: (Thanks, especially, for dropping by!) I looked at the Google Apps option but I don’t think that helps me if I want to use a mail client (a reasonable request) nor if I need to delegate access to someone like RIM.

    @Eric Boyd: Google has the unique opportunity to essentially give everyone their own keyfob (and/or perhaps via an app on Android) and become the ubiquitous security control mechanism for the internet – not just its own properties. If it invented its own technology it would avoid licensing fees to someone like RSA.

    Only google can really do it, as a start up wouldn’t have the resources to give out the keys nor really be able to immediately push for mass adoption. If Google were to offer something like this, many sites would immediately work to be compatible with it.

  7. You are wrong about “sending username and password in the clear”. Both GTalk and GMail do not transfer password in plain text. POP, SMTP and even XMPP servers must be connected using SSL, therefore communication is sufficiently encrypted.

  8. I’m a huge advocate of two-factor authentication and wish more systems supported things like keyfobs… perhaps even a library allowing others to build in support for such auth is in order..

  9. I use Google Apps as well as several regular Google accounts for the various services. In addition to this I use a variety of email addresses to sign up for other sites. This sucks when it comes to something like having a “global” addressbook that I wish I had across email, calendar, gvoice, etc. But it’s a small bit of extra security should my email get compromised.

    I would definitely shell out some $ to have a software keyfob for constantly changing passwords to avoid the clear-text problem that arises all too often. 1Password has helped me break the habit of using the same password on multiple sites, and this would help protect against the password-exposed-in-clear-text problems.

    My #1 annoyance with sites is when they send me my password in clear text via email when I’ve forgotten it. I’d much rather they reset it to something random to allow me to login and then change it to what I want. For many people these clear-text passwords unlock a variety of accounts, or provide someone with malicious intent a hint to your own personal password generating “method” (if you use one that’s not software).

  10. @Ed. The even more scary thing about sites sending you back your password via clear text (rather than creating a new temporary one or offering a reset url) is that they also had your password saved in the clear in their database.

    The reason sites with best-practice send a reset url or temp password is that they have only stored the salted+hashed output of your original password, and so they don’t know what your password is to begin with.
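
The reset flow described in the comment above, as an added example (illustrative code written for this page, not any particular site’s implementation; the token lifetime and PBKDF2 parameters are assumptions). The store keeps only a salted PBKDF2 hash of each password, so there is no plaintext to mail back. A reset instead issues a random, single-use, short-lived token; the token itself is stored only as a SHA-256 digest, so a leaked database does not hand out live reset links either:

```python
"""Why a well-run site cannot email you your password, and what it sends instead.

Added example, not any site's code. Assumed: a 15-minute token lifetime,
PBKDF2-SHA256 with 100k rounds, and an injected clock so the expiry is testable.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_token_digest: Optional[bytes] = None  # only the digest of the token
    reset_expires_at: int = 0


class UserStore:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = User(email, salt, hash_password(password, salt))

    def check_login(self, email: str, password: str) -> bool:
        u = self._users.get(email)
        return u is not None and hmac.compare_digest(
            hash_password(password, u.salt), u.pw_hash)

    def recover_password(self, email: str) -> str:
        """What 'email me my password' would need: it cannot be done here."""
        raise LookupError("plaintext password is not stored, only its salted hash")

    def begin_reset(self, email: str, now: int) -> Optional[str]:
        """Mint a reset token. The caller emails it; only its digest is kept."""
        u = self._users.get(email)
        if u is None:
            return None  # respond to the user identically either way
        token = secrets.token_urlsafe(32)
        u.reset_token_digest = hashlib.sha256(token.encode()).digest()
        u.reset_expires_at = now + RESET_TTL_SECONDS
        return token

    def complete_reset(self, email: str, token: str, new_password: str, now: int) -> bool:
        """Consume the token once, if unexpired, and set a fresh salted hash."""
        u = self._users.get(email)
        if u is None or u.reset_token_digest is None or now > u.reset_expires_at:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, u.reset_token_digest):
            return False
        u.reset_token_digest = None  # single use
        u.salt = os.urandom(16)
        u.pw_hash = hash_password(new_password, u.salt)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("user@example.com", "old-pass")  # constructed account
    link_token = store.begin_reset("user@example.com", now=1_000)
    print("reset link carries:", link_token)
    print("reset accepted:", store.complete_reset(
        "user@example.com", link_token, "new-pass", now=1_030))
```

Two properties are worth checking against any real site: the reset link stops working after first use and after its lifetime, and a failed or expired reset leaves the old password exactly as it was.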

  11. I have multiple gmail accounts which reflect different security “zones” and personas. I have one just for App Engine projects, another for family, one for business-oriented interactions, and lastly one for signing up for various untrusted mailing lists. I see this as wearing various hats or sets of clothes. I put on my work clothes for business interactions, kick back with family, and late at night put on my propeller-head costume for hacking App Engine code.

  12. I’m pretty certain that most people would rather have the simplicity of a single sign-on for their whole online universe and take the security risk. I’m super paranoid and pretty security-savvy and even I get so sick of typing passwords all day long that I can easily justify using my google account for everything. Technology is enough of a pain in the ass without trying to remember a dozen logins and passwords.

  13. Totally agree. I wrote a piece a couple days ago about my pet peeve, 3rd party Android apps that ask for your Gmail address and password ( http://www.androidguys.com/2009/10/04/5-nice-apps-i-refuse-to-use/ ) and was surprised that a large segment of the commenters thought I was being too paranoid.

    I’d love to see the “security through segregation” you describe, as well as Google supporting OAuth for mobile apps. (My understanding is that they only do so for web apps.)

  14. Last time I forgot my password and tried everything I could do but failed, until I found this great tool Windows Password Software. It works great, and you can google it.
