April 17, 2012
It's only a matter of time until your email gets hacked. Don't believe me? Just read this harrowing cautionary tale.
When [my wife] came back to her desk, half an hour later, she couldn’t log into Gmail at all. By that time, I was up and looking at e‑mail, and we both quickly saw what the real problem was. In my inbox I found a message purporting to be from her, followed by a quickly proliferating stream of concerned responses from friends and acquaintances, all about the fact that she had been “mugged in Madrid.” The account had seemed sluggish earlier that morning because my wife had tried to use it at just the moment a hacker was taking it over and changing its settings—including the password, so that she couldn’t log in again.
The greatest practical fear for my wife and me was that, even if she eventually managed to retrieve her records, so much of our personal and financial data would be in someone else’s presumably hostile hands that we would spend our remaining years looking over our shoulders, wondering how and when something would be put to damaging use. At some point over the past six years, our [email] correspondence would certainly have included every number or code that was important to us – credit card numbers, bank-account information, medical info, and any other sensitive data you can imagine.
Now get everyone you know to read it, too. Please. It's for their own good.
Your email is the skeleton key to your online identity. When you lose control of your email to a hacker – not if, but when you lose control of your email to a hacker – the situation is dire. Email is a one stop shop for online identity theft. You should start thinking of security for your email as roughly equivalent to the sort of security you'd want on your bank account. It's exceedingly close to that in practice.
The good news, at least if you use GMail, is that you can make your email virtually hacker-proof today, provided you own a cell phone. The fancy geek technical term for this is two factor authentication, but that doesn't matter right now. What matters is that until you turn this on, your email is vulnerable. So let's get started. Not tomorrow. Not next week. Right. Freaking. Now.
Go to your Google Account Settings
Make sure you're logged in. Expand the little drop-down user info panel at the top right of most Google pages. From here, click "Account" to view your account settings.
On the account settings page, click "edit" next to 2-step verification and turn it on.
Have Your Cell Phone Ready
GMail will walk you through the next few steps. You just need a telephone that can receive SMS text messages. Enter the numeric code sent through the text message to proceed.
Now Log In With Your Password and a PIN
Now your password alone is no longer enough to access your email.
Once this is enabled, accessing your email always requires the password, and a code delivered via your cell phone. (You can check the "remember me for 30 days on this device" checkbox so you don't have to do this every time.) With this in place, even if they discover your super sekrit email password, would-be hackers can't do anything useful with it! To access your email, they'd need to somehow gain control of your cell phone, too. I can't see that happening unless you're in some sort of hostage situation, and at that point I think email security is the least of your problems.
What If I Lose My Cell Phone?
Your cell phone isn't the only way to get the secondary PIN you need to access your email. On the account page there are multiple ways to generate verification codes, including adding a secondary backup phone number, and downloading mobile applications that can generate verification codes without a text message (but that requires a smart phone, naturally).
This also includes the never-fails-always-works option: printing out the single-use backup verification codes on a piece of paper
. Go do this now. Right now!
And keep those backup codes with you at all times. Put them in your wallet, purse, man-purse, or whatever it is that travels with you most often when you get out of bed.
What About Apps That Access Email?
Applications or websites that access your email, and thus necessarily store your email address and password, are also affected. They have no idea that they now need to enter a PIN, too, so they'll all be broken. You'll need to generate app-specific passwords for your email. To do that, visit the accounts page.
Click on authorizing applications & sites, then enter a name for the application and click the Generate Password button.
Let me be clear about this, because it can be confusing: enter that specially generated password in the application, not your master email password.
This effectively creates a list of passwords specific to each application. So you can see the date each one was last used, and revoke each app's permission to touch your email individually as necessary without ever revealing your primary email password to any application, ever. See, I told you, there is a method to the apparent madness.
But I Don't Use Gmail
Either nag your email provider to provide two-factor authentication, or switch over. Email security is critically important these days, and switching is easy(ish). GMail has had fully secure connections for quite a while now, and once you add two-factor authentication to the mix, that's about as much online email safety as you can reasonably hope to achieve short of going back to snail mail.
Hey, This Sounds Like a Pain!
I know what you're thinking. Yes, this is a pain in the ass. I'll fully acknowledge that. But you know what's an even bigger pain in the ass? Having your entire online identity stolen and trashed by a hacker who happens to obtain your email password one day. Remember that article I exhorted you to read at the beginning? Oh, you didn't read it? Go freaking read it now!
Permit me to channel Jamie Zawinski one last time: "OMG, entering these email codes on every device I access email would be a lot of work! That sounds like a hassle!" Shut up. I know things. You will listen to me. Do it anyway.
I've been living with this scheme for a few months now, and I've convinced my wife to as well. I won't lie to you; it hasn't all been wine and roses for us either. But it is inconvenient in the same way that bank vaults and door locks are. The upside is that once you enable this, your email becomes extremely secure, to the point that you can (and I regularly do) email yourself highly sensitive data like passwords and logins to other sites you visit so you can easily retrieve them later.
If you choose not to do this, well, at least you've educated yourself about the risks. And I hope you're extremely careful with your email password and change it regularly to something complex. You're making life all too easy for the hackers who make a fabulous living from stealing and permanently defacing online identities just like yours.
Posted by Jeff Atwood
I did this last year and I haven't looked back. Logging in on a school computer is a bit of a hassle, but the increased security is definitely worth it.
It seems like a pain but it is easy as pie. Unless my daughters are playing Angry Birds on my phone when I get prompted for the code...
I did this a while back and it is not that big a hassle. Though when Gmail for iPhone was released, it was a little bit of a pain. Everytime it asked for the verification code, I opened the Google Authenticator app to copy the code. When I switched back to Gmail app, it would reset and I had to enter the email id and password again, by that time though the code would expire. But I guess Google fixed it and I haven't switched back.
Has anyone got this working with iCal on OSX? Even with a generated app password, authentication fails.
The upside is that once you enable this, your email becomes extremely secure, to the point that you can (and I regularly do) email yourself highly sensitive data like passwords and logins to other sites you visit so you can easily retrieve them later.
Please don't say this.
Email itself isn't secure. Unless you're encrypting the contents or it's going over https all the time, emailing passwords is a really bad idea.
What if you don't have a cell phone?
Funny, I never noticed this option before. I just enabled it, thanks for the tip!
There's also an app (for Android, at least) that provides authenticator codes. That way you don't need cell reception to get a text message.
I have used it since it became available and it has worked great!
And I try to market it as much as I can to friends and family and
everyone I meet in anyway I can! Like sending this post to anyone
I know with a GMail account.
GMail is https always by default and has been since Jan 2010.
Doesn't the https only protect the connection to the website from WiFi hackers (so they can't get your password)?
Unless I'm mistaken, this won't protect the contents of your emails are this is still sent unencrypted, right? So you shouldn't be sending confidential information over email, even if it's to yourself.
You should also consider using google authenticator (if you can) and get a lastpass.com account, and use it to multifactor both, then no more mailing yourself passwords, and you secure both.
Sorry, but I'm not going to pay T-Mobile fifteen cents every time I want to check my email.
@Jeremy Young, all traffic is encrypted over https.
Note in gmail, opening this panel is a bit different. click on the gear, then settings -> "Accounts and Import" -> "Other Google Account Settings" https://s3.amazonaws.com/beta/settings.png
I like your blog in general, but this post was disappointing.
First of all, people who actually give a **** about their security will not give their cell phone number to google, and would have nuked their gmail account years ago. Nor will they have a cell phone with a GPS that's constantly broadcasting their location like a little tracking device.
Secondly, they'll probably run their own mail server, and have a nice long 20 char password, and some nice strict logging / banning policies.
Thirdly, anything they send over the wire that's important will be encrypted.
Any of the above would have been boring boilerplate we already knew, but it still would have been better advice to your readers than to hand your cell phone and/or personal details over to Google. Seriously, if having your gmail account compromised would cause you to lose control of your bank account, then your problems are not going to be solved by two-factor authentication. You need to rethink your approach to personal security entirely.
So 2-factor auth is nice and all, and not particularly hard to use.
However, can you explain to me why it's better than using a strong password?
- My password for my email is $p+p9Dv5"L][&Y#Oq>$E (hint: it's not, but it's _like_ that)
- Each password I use is different and I store them in a secure password manager (it sounds like in your anecdote the person used the same insecure password everywhere, and hackers got it through some random forum hack or something)
- I don't use password hints (one way to disable them would be to put massive random strings)
- I don't give out my password over the net, or install malware etc
Where is the danger?
In terms of insecurity, I think the weakest link is that my email is permanently connected on my phone, so if I lost my phone and someone bypassed my pin they could access all of my email.
And 2 factor authentication does nothing to solve that.
@Axlotl, Jeremy Young refers to the transfer of email through SMTP from mail server to mail server, not the actual retrieval of messages from the Google web interface to your browser.
Everything is usually sent unencrypted, unless you are using S/MIME, or PGP-encrypt the body of your message.
Oh, additionally, when you use something like gmail bruteforcing isn't really an option, since it will do things like lock you out after a few tries, correct?
Which means, while we're being overly silly, your email password could be "lolcats", and as long as you don't use it anywhere else (so hackers can't find it by analysing a stolen user passwords DB) and your email service allows only a few tries before locking the account*, and you don't give it out or post it on comments to a popular blog, you could be fine.
*We're ignoring hackers playing the slow game, trying a few passwords every 24hrs so they don't trigger the lockout.
I turned on 2 factor authentication about 6 months back. I had received 2 alerts upon logging into my Google Apps account that my account had been accessed from a geographically unrelated IP ( Texas I live in Wisconsin). Upon turning on 2 factor auth no more alerts. Now these alerted may have been cause by one of my mobile devices, Ai didn't want to take the chance.
Its also a good item to check your forwarding rules to make sure your account wasn't t breached before these controls were put in place. A attacker could be siliently forwarding your messages to another account.
I don't believe you can do this on a custom domain. At least, I don't see the 2-step verification option.
@Derek, you need to enable it in your google apps config. If you don't admin your own google apps you'll need to talk to whoever does.
It's really easy, it's just a checkbox somewhere.
@~ Sure, but gmail to gmail would be [encrypted from gmail user to google] (google does whatever the fuck they want) [encrypted from google to other gmail user]
<< However, can you explain to me why it's better than using a strong password? >>
It's not necessarily better or not better, or more secure or less secure; it's a different approach. I usually hesitate to compare approaches because like religious arguments no one wins. I use your same approach - long, unique, hopefully impossible-to-break passwords stored in a password manager which in turn is protected by a good password. But the vast majority of users either won't have the savvy to set this up or more likely don't even know it's an option.
<< Where is the danger? >>
The danger is in human behavior. That's the weak link in all these scenarios.
@Jeremy Young: Correct on several counts, but I'll point out that sending an email to yourself is never sent anywhere, and never touches the internet. It's already at its destination when it's penned. :D
That said, I agree with you. I never write my passwords down or email them to myself. They are *long* and complex, but they are also memorable, usually nonsense phrases with mixed case and numbers. (my email password is 20 characters right now, and when I change it on my birthday (a habit I'm getting myself into) I'll probably make it significantly longer.)
@Lucky: If you're truly paranoid, yes you should absolutely do this. That's assuming you can afford an SSL certificate to be able to access your email over https of course. It also assumes you have the know how to set all of that up.
For the rest of us? I trust Google with my cell phone number long before I'd trust most other sites. They have some privacy issues with their social site, but they're not completely mental. For people who don't know how to set up their own servers and don't want to hire someone else to do it, I think Jeff's advice is quite sound.
I do agree on some of your other points, especially about GPS. I turn my GPS on my phone on when I want navigation directions, and promptly turn it off while I'm done. Happily Android shows me an indicator when the GPS is being accessed, which tells me that Facebook *is* accessing my location even though I've asked it not to. There's a complete lack of trust there. :D I don't really have anything to hide, but I still don't want my physical location in the hands of a potential hacker; that's extraordinarily dangerous.
I'm shocked by the number of acquaintances that have had their e-mail compromised in the last couple of years. However, none of the victims were computer savvy people.
I think the audience that most needs two-factor authentication is the least likely to use it, and encouraging friends and family to use strong passwords would be a better, and more readily accepted, first step. A little education regarding safe computing would also go further and be less burdensome.
I've always wondered how these exploits are happening on such a mass scale. Weak passwords? Brute force attacks? Keystroke logging malware? Phishing? The similarity of the hacks I've seen leads me to believe they're all using the same automated tools to do them. Why isn't this being covered more by the tech press? Understanding the attack vector would help us better defend against these hijackings.
Thanks for this advice Jeff! I agree that it is very important to lock down a gmail account as much as possible.
Securing your GMail email account from other people,
while GMail themselves are scanning our emails and giving Amazon sales leads
I don't use my gmail account for anything confidential/secure as it's not a private facility.
Sadly, what can I do if I simply don't own a cell phone? I don't need one in my day-to-day, so it's an extravagance that I don't bother with. My land line is much cheaper.
You're right, of course. Email is the key password, and I tend to change that one on a regular basis and use strong passwords and pass phrases.
Cool. Now we're getting something instead of having nightmare of password.
This is all very well in principle, but are you aware of the Gmail's support for international cellphone networks(Hint:It's abysmal). It renders a large populace with no way to use 2 factor authentication, even if they wanted to!
but a bit basic as many have pointed out you actually need to check what can access your google account and thats a LOT of things you didn't expect...
on top of that it would be good to recommend a utility that could wipe a phone if you lost it...
@~ - thanks for the clarification of my comment. That's exactly what I meant @Axlotl -- once the email is out in the wild, anyone can get hold of it in an unencrypted format unless you go to lengths to encrypt its contents.
@Nicholas Flynt - Your point is valid about sending emails to yourself :-)
I like this a lot. I don't have to bother logging in to GMAIL on another computer (I need the lastpass lookup-sheet to get my gmail password though).
The TXT service to the Netherlands is most of the times OK (within seconds) sometimes it takes time to get the TXT from the UK to the Netherlands, I've used the 'call' function once when the TXT took more than 10 minutes. Superb solution.
Thanks for the article Jeff. Cool stuff.
On a related note, if you are ever sending anything remotely sensitive through email (to a work colleague, etc), I highly recommend OneTimeSecret.com. It makes it trivially easy to give someone else an expiring link to a password.
Gmail uses STARTTLS where available to deliver email inside SMTP, so even that traffic is encrypted. Certainly Gmail-to-Gmail email is encrypted on the wire.
"The account had seemed sluggish earlier that morning because my wife had tried to use it at just the moment a hacker was taking it over and changing its settings—including the password, so that she couldn’t log in again. "
Sigh...... why would an email service slow down because someone was changing the password?
FUD like this is almost as bad as Microsoft.
However - The 2 factor authenication is a GREAT thing to enable. I use it, and while its annoying sometimes to have my regular systems sign me out after 30 days, and maybe I don't have my phone with me at the time (very rare) I does give me a happy safer feeling :)
This is why I host my own email server. And not trusting google with my private mail is also important
If a hacker gets access to my gmail only thing he'll see is notifications about Ray William Johnson videos :)
Isn't this pretty useless as you can use IMAP/SMTP to receive and send messages in GMail (at least when I enable it, and I do)?
>In terms of insecurity, I think the weakest link is that my email is permanently connected on my phone, so if I lost my phone and someone bypassed my pin they could access all of my email. And 2 factor authentication does nothing to solve that.
2 factor authentication does solve that. In order for your phone to access gmail, you create an application-specific password in your Google account. And you can then revoke access for that application with one click (which you could not do without the 2 factor setup).
Keep in mind that application specific password are not really specific for that single application and if an attacker gains access to one of them they will be able to access your email with it (for example by an imap client)
@Yaakov Ellis: "In order for your phone to access gmail, you create an application-specific password in your Google account."
Which solves a *part* of the problem: the attacker won't see any *new* e-mails. However, most mail clients will keep a local cache of the e-mails, so your e-mail history is compromised one way or another.
Firstly, to SCdF. The two factor auth sorts out keyloggers or insecure wire transfers. Both are *way* more common than you'd believe. I've seen compromised accounts with passwords so complex, that is the only way they could have been hit.
As others have pointed out, the best thing about this is that it is simple. You can explain this sort of two factor auth to your grandmother, same reason the banks use it. Its even quicker with the app and means it is actually ok to login to your account on an untrusted pc these days. Just remember to terminate all the logins, not just logout when finishing.
As for gmail blocking accounts, they do indeed shut down access for failed attempts. Even if you connect too many times using the "correct" password, it will get blocked. The blocks appear to be timelimited and IP based, so I'm not sure how that works for something like tor but I'm guessing they have a system to protect against those attacks.
I have a Yahoo account and they do the same thing. I get people trying to hack my account about twice a month. I get a notification on my cell phone that someone from an unknown device is trying to log into my account and they send me a code on my cell phone to verify that it is me. If I simply do not reply they cannot log in. Same thing with Facebook. But Facebook will lock the account sometimes. I had a problem with this 3 months ago. It happens more frequently with Facebook though.
FYI, I use google apps for domains and I do not have this option in my account settings.
Heh, this security system can be very valuable if you are signing up on different computers, but at least me..I am using email just trough my own computer, and that security system is really annoying for me. I know it's for my own protection, but I guess I haven't burned there yet..
A bit scary about insecure wireless connections.
You don't need two-factor authentication if your password is (1) unique to the site, (3) stored nowhere, and (3) strongish.
Really it's not that complicated. Use a secret hash to convert site names into non-dictionary passwords, and don't write anything down anywhere. Problem solved.
@Marc Reside: are there still countries where land lines are cheaper than mobile?!
In Norway the cheapest land lines cost about 35 USD per month (and that's just for the privilegue of having a telephone, not including actually calling anyone), while several mobile plans have no base cost and some have a free use for 17 USD.
Almost nobody below the age of 40 have land lines here, since it's ridiculously expensive...
Great article (as all your articles about e-mail tend to be). Backup verification codes are the bit I needed to enable two-way verification.
(Now, I wish Gmail worried about e-mail itself as much as they care about security.)
If you want to be 'hacker-proof' you've left out a vital step.
Disable imap and pop as Google have not stopped these from acting as a gateway for brute force attacks. (They are 'rate-limited' but given enough gmail accounts and enough IP addresses, this is not a deterrent)
I don't know if two factor auth closes that gap. Better to be safe.
@Hayden Muhl (or anyone else who thinks you get a text every time you check your email) : You only have to do the text message once every 30 days per computer you access it from. So if you visit the library daily to check your email, then yes, you do need to get a text every time, but if you use your personal computer it's only once every 30 days.
I've used this setup for a year now and you couldn't pay me to go back.
It may not be as secure, but much easier to implement. Here is my system:
An email for spam and sign ups for sites that still require it and that also block mailinator. I never check this email unless I need a verification code or something to sign up.
An email for high security accounts, like banks and social networking. It is password protected with an extremely complex password, and I never share that email with any apps or outside vendors for auto-connect.
Last is my personal email that I use for communication. This is the one that I share with apps for my smartphone. I never store any potentially devastating information on this email, so if it was compromised, they wouldn't gain any sensitive data.
Unfortunately, 2-set verification is not available for free Google Apps accounts.
In previous comment, s/2-set/2-step/
Diego Mijelshon - yes it is. I use 2 step verification on my free Google Apps account that I use for my domain (which I primarily just use for personal email).
I've had 2 step verification turned on for a good 6 months now, and it has never really been a huge pain at all. But I forgot to print out my backup codes when I first did it, so thank you for reminding me to do so.
This is essentially using your smartphone as a SecurID dongle, right? That seems well accepted as good security, so it's surprising so many people are down on it when Google gets involved. (Or not really surprising at all.)
Damn, I hoped this post is about making email spammerproof...
Again, boring 2-step verification article.
One thing I'm always curious about this. If security is so important, why many web sites ( even banking web sites ) only let you to put short passwords ? I know a bank who only let you to type 8 characters, and tell you not to include certain set of characters.
Isn't this an awful fail in security ? Why they do that, then ?
Jeff - would you mind changing the title to Make Your Gmail Hacker Proof? It's not really relevant to other email providers.
Thanks for the notification and explanation. Now using 2-step verifcation.
fwiw - *merely* adding two-factor is not a panacea
Recently a good friend of mine had his account snagged even with the two-factor option enabled: the attacker had set his email as the backup/recovery address, and therefore was able to bypass the authentication field (by doing a reset).
Timing on that attack was carefully coordinated, but it's still a cautionary concern.
The only thing that bothers me about lastpass.com is that it is sort of the same problem as E-mail, except instead of all your accounts registered with one E-mail address, now you have all your passwords stored in one database (at lastpass). According to Jeff's previous posts, if you're using a very strong password at lastpass, then perhaps you don't have much to worry about (since if their DB was stolen, it would supposedly take years to hack a strong password). Unless someone's installed a keystroke sniffer on your PC. Or someone discovers a vulnerability in lastpass.com's encryption.
The most common attack vectors are fishing and man in the middle ones. Strong passwords will not help, this is why the two step auth is the only real protection. the only true protection from fishing is personal awareness and intelligence, but some fishing attacks are so good even professionals get hooked sometimes.
Thanks for raising the visibility on this, Jeff. If you'd like to protect the rest of your remote access points check out Duo Security. http://www.duosecurity.com
Disclaimer: I work for Duo.
We provide two-factor authentication as a service. It's free for personal use. The user experience is substantially better than typing a six digit code: one tap to login using our smartphone app (iOS, Android, BlackBerry).
We have integrations for all sorts of VPNs, SSH/PAM, Windows RDP, etc. For everything else we have both a Web SDK and REST API. You can sign up and having it running in a few minutes.
Clearly Google cares about this stuff. Google Ventures backed Duo a few months ago by leading our Series A.
@qvasi Interesting. With a little research, I can find 15 CAD plans for cell phones. None of these plans include data, so it would be pay-per-SMS (not a big deal if we're talking about using it as a land line).
So, yes, I could get a no-data phone for cheaper than my land line (though only barely ... I pay 20 CAD for my land line). Comparing those low-end plans with my land line, I still prefer the land line.
I am under 40 by a decade. It's true that most of my peers have dropped the land line in favor of their cell phones. There are still a good number of us, though, that have a land line. Usually we are also the ones who own a house instead of either renting or owning a condo. Perhaps we are a dying breed.
I'm the only one of my peers who does not own a cell phone, though. Even my land-line owning friends have a cell (if only one in some cases). I just ... don't find that I need a cell, so I don't bother.
I've been using two factor authentication(TFA) with application specific password(ASP) for awhile now but I'm actually not too convinced it's more secure.. at least for me. I do think using TFA is more secure and wish more websites (like my banks) would implement it. However it's the ASP that I believe make this less secure.
My 'master' google password consist of 20+ alphanumeric characters, symbols, and spaces whereas the google ASPs are consist of 16 alphabets. I would say with certainty that my password is way more secure than the ASPs. So instead of having one really secure password, now I have many weaker password that still has access to my account. I'm not sure how that's more secure than just using my master password.
Now for the people who has simple (i.e. weak) password that they also use on some other places that has even weaker security, using 2 factor can improve their security. Their weak password would be protected by TFA and their apps would use stronger ASPs. But is that really the best thing they can do? According to www.passwordmeter.com, the ASP in this article (kxgjiikgdwqaavfj) scored 17%. But if you cut the length in half and inject a space in the middle (kxgji ikg), you get score of 13%. Now add a number, you get 32%. Add a symbol, you get 55%. At the end of the day, "d0g c@t" socred higher than "kxgjiikgdwqaavfj" so you really don't need 16+ character password to make your account secure. You just need a secure password, and you don't have to worry about getting a text message when you want to log on to your account.
I think TFA is great and all financial websites should implement it but I think ASP just kills it.
My wife wasn't sold on this when I signed her up but I accidentally tried to log in as her and it pinged her when she wasn't expecting it. I didn't think anything of it but when I got home she gave me a huge hug because it kept the hackers (me) out on that day.
I don't, but I'm often tempted to try to login every once in a while to remind her why I made her do it.
@Diego Mijelshon yes it is, I have free Google Apps account and I use it.
Android? There's an app for that. Google Authenticator. No network access required, just tap on the icon and you get the password. Drawbacks? You need to decide: Authenticator or text messages.
Why doesn't GMail do the 2-step authentication for password changes? That way you wouldn't get locked out of your account (unless the "hacker" stole your phone). Then when you log in, you'd see the GMail warning that some weird IP address accessed your account and you could change your password. Of course, your private emails may have been compromised, but at least you haven't lost control of your account.
The setup process is telling me that since I use an iPhone, an iPad, and outlook, I'll need to setup application specific passwords that bypass the two step process...
...doesn't that render the whole thing moot? Hacker could brute force that password as easily as he could the current one. Or are there additional checks that would prevent him from using that specific password on any device other than my iPhone or my iPad, etc.
Of course, a court order/subpoena/secret FBI request still trumps all of this.
A Facebook User: Note that the app-specific passwords generated by Google are 16 lowercase characters long. That means 26 possibilities for each of the 16 positions. Assuming they're random-ish (and why wouldn't they be?), that means an attacker would have to try on the order of 26^16 different passwords, which is approximately 4 x 10^22.
Let's say they can try one password per nanosecond, or a billion passwords per second. (In actuality, that's an overestimate, as Google rate-limits IMAP connections.) That's (4 x 10^22 passwords) / (10^9 passwords per second), or about 4 x 10^13 seconds, or about 1.2 million years.
Really the expected time to crack a password is about half that, since the odds are good you'll find the password by the time you've gotten halfway through all the possible passwords. And, every app you enable essentially reduces the expected time to discover a working password. Still, with a cluster of 1,000 computers checking a billion passwords a second to find one of 10 app-specific passwords, it would still take about a century.
"Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet. "
The Failure of Two-Factor Authentication
Just another attempt to link my telephone number with my gmail account.
Nope. Not gonna do it. I will use a good strong password instead.
I've done it straight after reading your article in the middle of the night.
Thanks to make me remember about the real world.
I use the same procedure as @churchskiz. I'm surprised this basic hygiene isn't more widely practised. It certainly deserves including in any follow-up post, Jeff, given the interest this seems to have generated.
@churchskiz's tip: use separate email addresses for (i) general account signups, (ii) banking & confidential app signups and (iii) correspondence with friends and family.
My additional tip: don't make your (ii) and (iii) guessable from (i). In other words, don't use email@example.com for (i) if your (ii) and (iii) are firstname.lastname@example.org and email@example.com
I forgot to get the backup verfication codes. Any way to retrive them?
This is a great 1st step but it's pretty infuriating that you use "hacker proof" to describe it. This does nothing to prevent 2 of the major methods of getting compromised: man in the middle attacks and malware.
Man in the middle: I fall for a phishing scam and I enter my user+pw. Google SMS.s me a code which I also give to the MitM. No protection.
Malware: instead of prompting me for action like MitM, it waits for me to get around to logging in and piggy-backs off of my legit session. No protection.
I'm not calling 2-factor authentication useless, but it is NOT "hacker proof."
Don't take my word for it. Security god Bruce Schneier wrote about this 7 years ago and has brought it up often ever since:
Fair warning: if you do this and have an Android phone, you're going to be entering quite a few of those one off passwords. (And while yes, you can revoke access on each and yadda yadda yadda - it's still a pain in the ass.)
For my Sensation I've had to enter a one off auth for the HTC email client (which I can't uninstall, unfortunately - the native GMail is much better), Google Market, the native GMail application... and that's just one device out of four I have to configure.
For those who are saying it's not secure: nothing in the cloud is secure. Like all things you must balance convenience with security and having access to my email from anywhere is a convenience I enjoy.
Also, for those who are saying "why not just use a strong password"? Why not use a strong password and 2 factor authentication?
I didn't know they had this feature or I'd have turned it on long ago - and I use randomly generated passwords for every individual site.
Anecdotal, certainly, but valid.
There's one thing I don't understand. As you mentioned, the main worry with having email compromised just once is that the person can see everything you've ever sent/received. The purpose of the application passwords is that they allow applications to access your Gmail with a revokable password in case those applications are compromised. However, correct me if I'm wrong, but if one of those passwords is compromised, it bypasses the 2-factor validation, right? So if one is compromised, the hacker has already accessed all your email, right? Doesn't that defeat the purpose of revoking since they're already in your email?
The upside is that once you enable this, your email becomes extremely secure, to the point that you can (and I regularly do) email yourself highly sensitive data like passwords and logins to other sites you visit so you can easily retrieve them later.
Jeff, emailing yourself sensitive data like this can eventually come back to bite you. I know someone who was using a purely in-house email arraingment, PGP and everything. His account info was still compromised because... someone looked over his shoulder and watched him type his password.
Bottom line, any electronic communication can be compromised without encryption.
And I second secretGeek's recommendation to disable IMAP and POP since a bot can easily spend days on end trying to brute force a login.
BTW... You can remember passwords better by using a mnemonic instead of the password itself.
I.E. Some obscure nusery rhyme (I use Sri Lankan ones unheard in the West) or some memorable phrase a family member said can be turned into a great password if you take the first letter of each word and tack on its position in the alphabet
A = 1
B = 2... and so on.
You can turn This little piggy went to market into :
Add some punctuation here and there and you're set.
Has anyone got this working with iCal on OSX? Even with a generated app password, authentication fails.
Dclegg on April 17, 2012 5:18 PM
Does anyone have a suggestion for this problem? I appear to be having the same problem. Not sure why. I generate different passwords and each one fails....
This worked with my iPhone.
Chrome seemed to 'automatically' transfer -- as it's not giving me any problems and I haven't changed the password..... Ditto for the native mac Mail client.
Yet another reason to switch from Hotmail to Gmail (as if there weren't enough already)! Great post, Jeff!
Some rudimentary testing showed that application passwords aren't specific to whatever you use them for the first time. Sure, they are 16 characters, but they are all lower case characters and each one provides a new unchecked avenue of complete access to your account... So, should you really create more than one?
Thank you for sharing this! I've known 3 people whose email or server got hacked this week alone, and sure scared the heck out of me! I'm now 2-step verified thanks to you. :)
Hope your twins are doing well. I'd love to see some updates on them!
Ironically, I tried installing the WP7 Authenticator from the address http://www.windowsphone.com/en-US/apps/82c12390-0176-43de-916e-5613d17f61a0, but have forgotten my Windows Live password. The Windows Live password reset page gives a 404. It will allow me to use a one-time password, but I haven't added my WP7 phone number to my Windows Live account, so it won't SMS/text me a one-time password. However, since I told my phone to remember the Windows Live password, I was able to go to the marketplace, search for, download, and install the Authenticator without any trouble. Now if only I can remember or reset my Windows Live password...
The problem with 2-factor authentication is that if I lose my phone or its battery is dead or I'm outside of the country, then I can't get my email.
The only danger I see if I have a strong password is keyboard loggers if I use an untrusted computer to get my email.
Good to know this thing exists, but there is absolutely no way I would ever use this. I will keep relying on strong passwords. God forbid it comes the day that to use basic services on the internet, strong passwords aren't enough and we have to start using ever more complex methods to safeguard our privacy or property. It will just mean the whole internet as failed.
Now, for those who don't use strong passwords this may be useful. But if that's the case, this just seems to be an upside down solution, where the least knowledgeable have to go through the biggest loops to secure their email account. That's no way to provide a security service. It's begging not to be used.
The only people I see having a real interest in this feature are those for whom gmail is a mission-critical service through which they pass on sensitive information. But then one must question the wisdom of using gmail for mission-critical sensitive data. And on top of that having to disclose to the service company a phone number.
Technically I think this is an interesting concept. Something an academic might smile at. It's however practically useless.
reach me on firstname.lastname@example.org for :
penetration testing of your website sceurity audit(s) DATABASE RETRIEVAL, HACKING OF WEBSITES & Hacking Accounts which include FACEBOOK,TWITTER this is pretty easy,MYSPACE,SKYPE, OVO .and email accounts such YAHOO,AOL ,HOTMAIL ,GMX,GMAIL AND OTHER EMAIL SERVICES BOTH PRIVATE AND GENERAL i send you a SCREENSHOT.I require either a Name, Friend ID, or E-mail address of the targets account(s)i can also get into BLACKBERRY AND APPLE SMARTPHONES AND OTHER SMART PHONES AND GET VALUABLE DATA. I ALSO SELL SMTP ,LEADS ,PHONE VERIFIED ACCOUNTS (CRAIGLIST,FACEBOOK,EMAILS,) ICAN POST ON CRIAGLIST) I ALSO SELL PAYPALL ACCOUNT, WESTERN UNION PAYOUT INFORMATION I have the help of a current 0-Day Exploit that allows me to gain remote access to the website servers and from there I find the password which is usually in an MD5 hash, from that I must decrypt to get the real password. The entire process takes about 10 minutes-15 hourS to complete. All passwords are tested out 3 times before they get issued to any clients.I also rip Standards from websites.I accept payment through LR (Liberty Reserve) Only.I hardly ever USE WESTERN UNION!
YOU CAN REACH ME ON :JONHACC@yahoo.com (SEND ME AN IM THROUGH Y! MESSENGER OR MAIL)
@Ed Falk: Did you miss the section "what if I lose my cell phone?"
@JoynerCN: I was wondering the same thing. If we use application-specific passwords, doesn't this effectively revert back to single-factor authentification with a strong password? Sure, we're still using 2-factor at most places, but there still is a way to get in with a single password. The system is only as good as its weakest link, right?
...and you made me activate two factor authenticating.
@Neil Neyman: The point is that you can control the access right for every single device. So if your cell phone gets stolen, you can revoke its access rights.
"But, the thief can use and access my Gmail on the phone right away!" That's why you've set a code for unlocking your phone. You have done so, haven't you? :) An access code might not stop an expert hacker, but it will deter them long enough so you can buy time to revoke your phone's access rights before they can get around to wrecking havoc with your Google account.
Wow, the USA cell phone market must suck majorly.
I'm on $15 (Australian dollars) per month plan, which includes more than enough "credit" for me (not a 1:1 relationship to "minutes" due to flagfalls, off-peak, SMS, etc; all incoming calls and SMS are free) and even includes 1GB of mobile data. My landline costs me $22/month and has higher call rates than my mobile and no included credit: I really only have it for DSL. These days landlines can receive SMS messages anyway, via a special phone or text-to-speech.
My wife is on a pre-paid plan and barely uses the minimum $10 every three months. So we have two mobiles for less than the landline base cost! With calls mobiles are at least an order of magnitude better value, for us at least.
Thanks for a great post! Finally got around to activate 2-step verification.
interesting typo you made there: "expert-sex-change" ;)
Thanks for the push, I needed that...I've just activated two factor authentication :-)
I'm not a security expert, but I doubt this adds that much security.
Correct me if I'm mistaken:
I think most attacks occur due to vulnerabilities that allows hackers to hijack an open session in some site and it does not require the hacker to guess/discover the password.
If the hacker hijacks the account, then he can change the phone number and password or get back to the 1-step authentication (login and password only) and access all information he wants.
This 2-step authentication may be giving a false sense of security.
I really love what you do, congratulations! Thank you very much for sharing with us this article.
Voyance par telephone