Google’s GMail blog has some “handy” advice on how to pick a good password to protect your email account.
Don’t use dictionary words, use mixed case, your eldest kid’s name is a bad choice, and so on. Yeah, that’s great.
But the much bigger security issue, I fear, is that my GMail username and password are also the same username and password for:
- My calendar (Google Calendar)
- My confidential documents (Google Docs)
- My credit card (Google Checkout)
- My website’s analytics (Google Analytics)
- My RSS feed admin (Feedburner)
- My phone number, voicemail, IMs (Google Voice + GTalk)
- Some experimental projects (App Engine)
- My photos and videos (Picasa and YouTube)
- and more (see the list of Google services you use)
Given the number of legitimate places you have to put your username and password just to access your email (i.e. your email client, which might be sending it in the clear each time it fetches mail), is it too much to rely on its security and integrity for all these other ancillary Google services?
I am a strong believer that you shouldn’t give your Google username and password to ANYONE for this reason. It pains me to have to give it to RIM, but it’s the only way they can push email to my Blackberry.
Security through segregation
It’s really about time Google separated GMail, and perhaps GTalk, authentication from the rest of their properties. At the very least I’d like to see the ability to create a separate password for IMAP/POP access that I can enter into my email client and give to RIM, one that doesn’t grant access to the rest of my Google Account.
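As an added illustration of what such segregation would look like (this is example code written for this post, not anything Google ships), here is a small model of an account that holds one primary password plus per-application passwords bound to a fixed set of services. A mail-only app password unlocks IMAP/POP but nothing else, and revoking it leaves the primary password untouched. The service names, labels and the `Account` class are all assumptions for the sake of the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Hypothetical scopes; a real provider would define its own.
ALL_SERVICES = frozenset({"mail", "calendar", "docs", "checkout", "analytics"})
PBKDF2_ITERATIONS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Credential:
    label: str
    salt: bytes
    digest: bytes
    scopes: frozenset   # services this secret is allowed to unlock
    revoked: bool = False


class Account:
    def __init__(self, primary_password: str):
        self.creds = []
        self._store("primary", primary_password, ALL_SERVICES)

    def _store(self, label: str, password: str, scopes) -> None:
        salt = os.urandom(16)
        self.creds.append(Credential(label, salt, _digest(password, salt), frozenset(scopes)))

    def new_app_password(self, label: str, scopes) -> str:
        """Generate a random secret usable only for the given services (e.g. {'mail'})."""
        password = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        self._store(label, password, scopes)
        return password

    def authenticate(self, password: str, service: str) -> bool:
        """True only if some live credential matches AND covers the requested service."""
        for cred in self.creds:
            if cred.revoked:
                continue
            if hmac.compare_digest(_digest(password, cred.salt), cred.digest):
                return service in cred.scopes
        return False

    def revoke(self, label: str) -> None:
        """Kill one app password without affecting any other credential."""
        for cred in self.creds:
            if cred.label == label:
                cred.revoked = True
```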
However, as Google becomes an ever more vital and relied-upon part of our online workflow (see how many services I use, above), I wonder whether there would be value in offering an optional RSA-style keyfob to help protect access – perhaps for a $20-$50/year fee. I know I would pay, and PayPal has been offering a product like this for some time at $5 a fob.