While you're thinking about the security of your email in the cloud, remember this: ANY of your email older than six months can be legally obtained by any U.S. law enforcement agency without any warrant or judicial oversight of any sort, even if you enable Google's new 46-factor authentication and use passwords that take minutes to type in.
While that is deeply worrying, it's "long-term, concerned for the future of free society" worried. "If you have nothing to hide" is a horrible, chilling defence of an essentially totalitarian strategy, but it's also almost right: If you don't stick your nose out, even totalitarian regimes do mostly leave you alone.
Having your e-mail accessed by black-hat hackers is "right-now, have to change every password in the world, block and replace every credit card at the most inconvenient time possible, deal with spam and scams in my name, possible ID theft and potentially sensible data being made public"-worrying. And you can make that attack significantly harder, so you should do that. Right now.
Or, tl;dr: Perfect is the enemy of good, go enable two-factor.
And you think that Google actually deletes email when you tell it to? More likely they just mark it as deleted and retain it, in which case every email you ever received regardless of whether you think it has been deleted may be available. If you want better privacy, install and manage your own mail server and encrypt everything.
Do you really think your shared host drops blocks when you delete them from your virtual disk, and do you really think that requests to mlock memory with crypto keys are really honored? Maybe if you have a dedicated box, but not if you are using a virutal host. (Have you ever physically seen "your own" mail server? If not, why do you trust it?)
Also consider what happens to unencrypted email you send or receive: any upstream servers can be subpoenaed, as can the person on the other end. Encrypted mail only works when it's encrypted end-to-end and your adversary cannot seize the sending or receiving computer. I imagine that people who encrypt their received email end up in court because their sender was not so careful. Do you trust every person that will ever mail you to keep your secrets safe? Why?
Ultimately, if the government is your enemy, you need to take a lot more precautions than "don't use Gmail".
See http://support.google.com/mail/bin/answer.py?hl=en&answe..., which is specific to g-mail, but the same rules apply for other products that store user information. There is a whole team that works on this to monitor the process and help product teams implement the policy.
Deleted messages are wiped within ~60 days. The delay is needed to ensure that all copies of the message are deleted, including those that may be on tape.
Seriously? So you reuse all tapes after 60 days? That wouldn't be a smart thing to do if you really care about retention, and I don't mean solely retaining deleted mail, but just retention of data in general. Regardless of stated policies, I don't believe you. Business critical data like that would not only be stored for 60 days- not in Google.
> Seriously? So you reuse all tapes after 60 days?
I didn't say that.
Someone stated that it was well known that g-mail never deletes data. I posted a quote from the privacy policy that contradicts that. I also said (a few threads back) that there is a team of people whose job is to work with product teams to make sure they are following the policy.
I've worked at companies where the publicly posted policies had little-to-nothing to do with how the company really operated.
That has not neen my experience at Google. Handling user-data properly is taken very seriously. A significant amount of effort (and money) is expended making sure of this.
I can't control whether or not you believe me and I can't go into too many details or share too many war stories. I'm an engineer that has worked at both the bottom of the stack (building the hardware that runs in the data centers) and at the top of the stack (a large user-facing product) and I can tell you that I have many first-hand experiences where protecting user-data was prioritized over other concerns - often at non-trivial cost and effort.
It's worth noting what law enforcement wishes they could do and what they can do is pretty different. The only time this has been tested in court, the Sixth Circuit said it was unconstitutional. Which is because it's blatantly unconstitutional. My money says that any other appeals court will agree, including the Supreme Court if it gets that far.
Now, the government certainly does things that are unconstitutional sometimes, and manages to avoid having any court review them. I'm sure there are abuses here. It's disappointing that the Justice Department tried to oppose a warrant & probable cause standard for electronic searches as if there's room for dispute on that one. But the minute they try to take much advantage of this law it'll be struck down, and they know it.
It's possible that I'm (weirdly) less cynical about this as a defense attorney than most people are. In my line of work the constitution is constantly standing between police and what they wish they could do. I'm thinking of a particular case, not uncommon, where a three-hour confession was basically thrown out because the judge looked carefully at the recording and the police didn't quite handle it right. They didn't beat the guy, but they didn't do what they needed to do to make sure the confession was voluntary. And of course this drives the police nuts -- the executive branch's position is always that any limitation on their power is a threat to public safety. Resisting that position is why we have constitutional standards and separation of powers in the first place.
Incidentally, the DOJ testimony[1] is a little more nuanced than Wired makes out. The testimony makes some legitimate points -- that agencies like the SEC rely on their ability to use subpoenas (as opposed to warrants) to enforce financial laws, and that it's not clear how much evidence you should need that a particular email account contains evidence of criminal activity in order to obtain a warrant to search that account. (If I have 100 gmail accounts, and you know I've used five of them to run drug transactions, do you need independent evidence to search each of the others?) This means any law governing search of emails would have to be written carefully (or vaguely, so the courts could figure it out under the Fourth Amendment). But the DOJ's conclusion that maybe the law should try to exempt electronic records from search and seizure protections is typical executive branch posturing -- both absurd and unenforceable.
(This is not legal advice. It's just a thing I wrote on a forum. I could be totally wrong. Consult your doctor if effects last more than four hours.)
Increase security/authentication as the risk factor increases based on context awareness. A number of vendors (notably CA), have been working hard to get this right. Essentially it requires a classification service that can derive context out of the content, and rate the level of risk and present the user with an additional authentication prompt (e.g.: 2-factor for exactly the scenarios you describe).
I have three accounts and five computers and I don't find the once-a-month 6-digit number to be a big deal. PayPal does annoy me with their policy of requring an OTP seemingly every time you visit a page, but it's worth it because I know that I don't have to have a super-amazing password to stay safe. Ultimately, the work required to recover from a compromised account is much higher than it is to type a 6-digit number every month, so I consider it a good trade-off.
In my case, the number always seems to expire when my token is far away. So another way of alleviating this would be to have a three day grace period where you're prompted with the option of refreshing your credentials, but you don't have to.
I'm thinking more like, I wake up and want to check my mail from bed, but -- surprise! -- it's expiration day, and my OTP token is downstairs. And using a single recovery code immeditalely invalidates your electronic token, logging you out everywhere and forcing you to go through the activation process all over again before you can log back in.
It would be nice to choose the level of security you think you can afford on the security-inconvenience tradeoff curve. Especially since it is likely to increase the takeup rate.
Typing a six digit number once adds a significant layer of security to a very important account.
Having to type it every 31 days (per browser, per device, per account) adds very little marginal security. In fact, in my case it actively hampers security, because it keeps me from using two-factor altogether.
Is it really that easy to hack someones gmail account?
I realize phishing and key loggers are easy ways to grab a password, but if you avoid typing your gmail password at public internet kiosks and the like, is it really that easy for someone to get at? Assuming you use a reasonably long and impossible to guess password, the captchas would prevent brute forcing.
An attack targeted specifically at you will inevitably succeed but most of us are not that special.
The article's advice seems far too easy to lock yourself out (losing my wallet with my magic paper codes and my phone could do it). The additional inconvenience does not seem worth it.
Most of us have used physical 2 factor authentication (like RSA SecurID) for banking and work related VPN access. This works well because the provider (your office, your bank) has a vested interest in getting you back into your account if you get locked out. Google, Yahoo, MS, etc. have no such obligation.
A _startlingly_ large number of people are (still) re-using passwords across multiple sites. The Gawker/Sony(/PerlMonks for me) compromises revealed a _lot_ of email addresses and passwords, some significant portion of which almost certainly allowed attackers access not only to the specific website that was attacked, but also to the email service of the exposed user.
I'm pretty sure none of Jeff's advice helps you against a government-agency level attack agains you specifically, but following it _will_ protect your email even if some other random website you once registered for exposes the login details you used there. I _hope_ that's not a problem for any HN readers (any more), but what about your partner/children/parents/coworkers? I'd bet good money that _someone_ you know and care about is reusing their email account password on random website signup forms.
My name is Alan Byrne, I work in IT and I'm a password re-user :(
On that note, does anyone know of a secure keysafe app that will sync across my various PCs, iPad and Android phone? This is what is stopping me from going the single use password route.
Me too. Just remember to set the load-factor quite high. I've got it set to about 8 million rounds which is about one second on my beefy work computer, two on my private laptop and ~eight on my Android phone. The last bit is a bit annoying but at this point my key database is a pretty high value target - and I can't revoke access to it remotely if I lose my phone.
No, it's exactly right. Having the codes with you is not a security risk because they're useless without your password. You can keep a second copy of the codes at home if you're worried about losing them.
"You should start thinking of security for your email as roughly equivalent to the sort of security you'd want on your bank account. It's exceedingly close to that in practice."
Actually, I want (and arguably already have) better than that. In the last 4 months I have had two unauthorized debits from my bank accounts: one a result of a mail thief stealing my rent check from my mailbox, the other an error made by a bank employee. In the 15 years I've been using email I've never knowingly had any of my email accounts hacked.
For now I have a really long email password, but I'm considering moving my sensitive data/email out of my general email account and into a new email address that requires 2 factor authentication.
The thing I really want is a "lockbox" folder in my general email that:
1. Requires 2 factor authentication to access the folder but not my general inbox
2. I can move messages I consider sensitive from my general inbox to the lockbox folder
3. Will automatically sends emails from my banks, etc. into the folder with an email showing just the subject line in my general inbox
Wow, this would be an excellent feature. Although I've got 2 factor authentication set up for my whole account and it doesn't really bother me, I would like to see something like this. An extra measure to protect certain emails would be really helpful.
Poor man's lockbox: create a second account, enable two-factor only on that account, set up filters to redirect those emails to that account and delete them from your main account.
That cell phone you use for receiving the verification codes? It better not be a smartphone you also use to access GMail, or your 2-factor just became 1-factor, at least to any malware on that phone...
Your phone should never know your password; you log into Gmail from your phone using an application-specific password. If your phone is infected with malware and you don't trust it anymore, you deauthorize it and your account is safe.
2 factor authentication is an amazingly simple solution to a large number of complex problems.
This worry seems a bit overblown to me. If your email is that important to you, you should follow these steps:
1. Use a unique, long, random, secure password.
2. Don't tell it to anyone.
3. Use an email service that stores passwords hashed with a salt and a secure hash algorithm.
And you will have nothing to worry about. If you are very paranoid or traveling a lot, you can add:
4. Don't log in from insecure devices.
5. Make sure nobody's filming your fingers when you type your password.
If you're actually concerned with these two, you probably have bigger issues and are already taking more precautions like 2-factor authorization or so on anyway.
Using a second factor token is much easier than always doing all of those and provides a much larger safety margin. Remember, with 2-factor auth, even someone who knows your password can't access your account. If you also make sure they don't know your password, you're doubly safe. That's why pretty much every safety system invented has some sort of backup safety protection. If you want to go "free solo" on your account because you enjoy thrills, that's fine. But if you're a normal person, why not have a safety rope?
I would disagree that two-factor is easier. I already do all of the above by (1) using gmail, and (2) only logging in on my own devices.
I also check my email so frequently that two-factor authorization would be a significant inefficiency, so there is certainly a cost-benefit tradeoff there.
You only have to authenticate a device every 30 days.
The attack that is prevented here is someone who knows your password getting access to your account. They can't get access unless they know your password and manage to steal your OTP generator or device. That's significantly harder than knowing someone's password. (Knowing your password is probably hard, but I know many peoples' password. It's "password".)
You should preferably not use a computer you don't have complete control over for sensitive stuff at all. Even with two-factor authentication, a computer you don't control can still store the emails you access, etc. etc.
It's email, people. You won't die if you don't check it for three hours. And if you do... well, then you should probably've brought your own laptop (although that may make system administrators sad).
>5. Make sure nobody's filming your fingers when you type your password.
Many moons ago I read the table of contents of Silence on the Wire.[0] One chapter that particularly caught my eye was "I can hear you type.". (Which for some reason was stored in my memory as "I can hear your keystrokes." Which sounds more stalkerish IMO.) Just because of how creepy it sounded. Later I was talking to someone I knew over the phone when they stopped for a moment to enter a username and password for $WEBSITE.
All of a sudden an amusing side channel attack popped into my head:
"I wonder if it's possible to reproduce someones password by hearing their keystrokes?" I figured it would actually be a useful skill if someone were trained to recognize the sound of keystrokes from the most common keyboard phenotypes.
We're already there: "Three students at UC-Berkley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session."
I (mostly) agree. I think 2-factor is a fine idea, but I have friends who are still using something along the lines of "password1" on all of the online accounts.
A good first step would be reinforcing the idea that you should never use your email password for any other account. Few people will go through the effort of brute-forcing an standard-issue gmail account when they can easily download a bunch of pre-hacked usernames and passwords.
You forgot: make sure you can trust every admin who has access to read your mail, and trust that they won't have weak passwords. And all that still won't help you if someone in the federal government want to read your email, because that's literally a one-page request and they'll have it.
You should pay attention to how many "non-idiot" users have had their Gmail accounts compromised.
And using two factor auth is easier than remembering a long, truly unique password. (Though if you're not using LastPass, stop what you're doing and go install it. Just freaking do it.)
The thing I hate about Google Authenticator is when you use a google authenticator protected gmail account for other google services. Google has a bunch of things where they don't yet support 2fa, so sometimes you enter the wrong password.
It would be good if you had a dedicated-to-email google account, definitely. As it is, I use it for a gmail account I use with all my google services, and it's a real pain -- especially because the gmail password itself is a long random string, and sometimes I need to enter that on a mobile or other device.
I'd really like better user credential management using something like OneID (public keys, challenge-response auth), but people have tried that in the past and haven't been terribly successful getting it adopted. It might work better on a mobile OS, so maybe next-gen Apple iOS keystore could do something like this.
Facebook handles apps that don't support 2factor pretty well. Your first login will be rejected but you'll be messaged the 6 digit code to login with as your "password".
While I like 2 step authentication I wish Google would get rid of SMS password reset. With this enabled all a person needs is your phone to gain access to your account. Given that police can grab you phone whenever you are stopped this means they can "hack" your account at the same time. Another example could be a cleaning person at a hotel finding your phone. Just two examples off the top of my head. Basically, SMS password reset makes your phone the golden key.
I've made a few changes to securing mine with 2 factor.
1. Altered the digits in my wallet so only I know how to recover the real numbers.
2. Created a junk email with a secure password with a security-through-obscurity email with the numbers (again modified)
The use case - losing both your cellphone and wallet. There's basically not an easy way to get back to your data.
I have to remember a few things:
--Normal password to email
--Modification I used to numbers in wallet
--Modification for numbers in junk email
--Junk email username
--Junk email password
It's definitely a burden. But it's worth the security of my email. At this point it reduces the burden of regularly changing my email password or adding complexity to the password.
The good thing about the recovery numbers is they are still no good without your password. So someone would have to both get your password and steal your wallet to gain access.
so now it is only a matter of time until the keylogging software that everyone is so terrified of is modified to also take the session cookie from your browser that authenticates you to gmail. you know, the thing that makes it okay for you to click "remember this computer for 30 days" ...
Great article on 2-factor auth. I didn't understand how easy it was, so I'm switching to it now. However, if you use a mail client and generate app-specific passwords that last forever, can't the hackers just hack via IMAP login instead which won't be 2-factor?
It seems like it would be better to use private keys on the client with 2 factor auth for authentication recovery. That way as long as you have the right private key locally that your mail client uses, you are set- otherwise you have to both provide a password and an SMS delivered code in order to use a different private key on the client.
Ironical as it may be and as the author mentioned briefly in the article, "there is an app for that". Google provides an authentication app for at least Android and iOS.
I personally put my phone in "airplane mode" for the trip (still waiting for that market changing deal where you can travel easily across the globe and call/use data without being robbed by your provider) then use the authentication app. I also carry my authentication codes during the trip and they should be enough for even a longer trip, if not, I can generate new security codes during the trip using the security codes I already have with me.
What J2ME app are you using? I ended up porting (really just copying one Java class) part of Google Authenticator to J2ME. It works, but isn't great. What're you using?
When I'm travelling and expect to be using dodgy internet connections & cafes -- I set up a separate email account and forward my email to it. If that account gets hacked, I just turn off the forward.
That's exactly what I've been wondering about enabling two factor authentication for something I use as often as email.
Apparently you can print a series of one-time use verification codes that work any time to sign into your two-factor account. Stick a few on a card in your wallet and don't forget to generate more before you're out!
When you do run out of verification codes, but you do have a working phone the 6 digit codes can also be sent to you through text messages or even a phone call from Gmail.
I access my email from _one_ app over SMPT, using a unique password. For me, this 2-factor auth would just mean having a different and slightly longer password for SMPT.
SMTP is only for sending mail to and between mail servers. Did you mean something else?
And no, 2-factor is not the same as a long password, because it is less likely that both factors will get compromised at the same time. However long your password is, a single software flaw could expose it.
It's interesting that the "hacker" send out a mugged in Madrid email. A friend in Nepal had his Yahoo account hacked last week with the same email sent out. I wonder how they targeted people or gained access since his wife was using Gmail and is (most likely?) in a western country and my friend is from Nepal. It doesn't seem like they would be using any of the same websites.
Just like a lot of lead generation/spam email campaigns I've seen, I'd assume a lot of phishing and scam email "campaigns" are strictly copy and pasted from a single source (ie, a forum post somewhere), with very few scammers actually putting any effort into changing it to be somewhat unique in favor of trying to get the message to as many people as quick as possible.
The article sounds like this requires you to sumbmit a cell number to Gmail. (In fact, I think merely registering an account nowadays requires a number, but I'm not sure about that.)
If you think that's the only way to get 2-factor authentication working, you're wrong. If you think there is nothing wrong with your email provider demanding info like cell phone numbers, you're wrong again.
I don't think there is anything wrong with an email provider asking me for my cell number to send me text messages, how else would they send them?
In addition, a cell phone number is NOT required to create a Google account. Sure they ask (and gender is apparently required, I just made an account), but if you leave it blank, they won't complain.
There is nothing wrong with providers giving you an option to use your number for notifications. However, if we are required to provide phone number for security features that can be implemented without using phones, there are a few things wrong with it.
How can this be implemented without using a phone number? Well, the article actually contains one way - pre-shared secret codes that you print out beforehand. There are many others.
I’ve enabled and stayed with 2-factor auth on my Google account, but it broke my Google Talk login on Adium and I’ve never found anyone to talk to about it (bug report on Adium went unnoticed and Google got rid of bug reporting for Google Talk). Hopefully a burst of attention will throw up some other people with the same problem.
Did you use an application specific password for Adium login? When you enable 2 factor auth, you need to generate those password for every app you use.
Yep, done that. This approach works with my 3 copies of Reeder (work, home, phone) and Calender on my phone, but for some reason Adium refuses to log in. Bug report (along with network trace) is:
I’m guessing it’s because my Google account doesn’t have a Gmail account associated with it, but Google Talk still works fine from the widget on iGoogle.
I think you are right about the gmail issue. I use adium on an iMac and Macbook for work and Digsby on my Windows box at home and the application specific passwords work fine for me.
Create an "Application Specific" password on Google (as the article mentions). This will let you bypass 2-factor in the case of a client application like Adium as Adium does not know how to accept the 2-factor OTP.
I have two-way enabled, but when logging in via Google Talk (windows app) it seems to bypass it. If I go straight to gmail.com and login I'm asked for the second auth, but clicking via Google Talk (already signed in) it logges me in to GMail directly. Anybody know if this is normal / expected?
I put a copy of the single-use backup verification codes into an alternate dropbox account I have (that isn't linked to my primary email address). Figured if I'm somewhere with enough internet access to get to gmail, I'll be able to get to dropbox.com and get the codes.
The sucky part is that nothing enforces their app-specificness. It would be neat if I could generate a password that only works from my home connection. Or only works for GChat, but not other services.
you can't use an app specific password to login to the gmail web interface and change your password.
so while you could use a compromised application specific password to do horrible things (download all your email and send e-mail as you), you could not use that app specific password to immediately log in to the administration page for your account and lock the legitimate user out...
Really? I could have sworn I tried and it worked just like a full login. I signed up for two-factor very early so perhaps that was fixed along the way. Neat!
How would it? If the app were built to send some sort of an identifier with it... well, it might as well use oAuth and then it could use the two-factor sign in anyway.
Uh what? Google uses oAuth all over the place and in fact that is the correct solution to this problem. (I assume NIH is never-in-hell or something, can't say I've seen that before)
So the app-specific passwords are single-factor authentication keys. Why not just skip the two-factor authentication altogether and use a longer password/phrase?
dropbox really needs this too. although my information on that account is not nearly as sensitive as on gmail, i'm sure it will amount to a similar sensitivity in the future.
Indeed, anytime I login a a mental note pops up saying how insecure this is considering the files stored on Dropbox. Yesterday I received a phonecall from a friend whose Gmail and Facebook were hacked, after I had advised her to use 2-factor authentication and she ignored it. So glad that I do use it but now Dropbox remains the weakest link.
I'm surprised that nobody has yet commented on the second website mentioned on the application specific password section... nice touch to a great article!
fetchmail is very handy for this sort of problem. Regularly pull and remove your mail from your webmail account. Then you can manage it locally the same way you would all your other archives.
Not foolproof, of course, but it improves matters. Also note I don't present this as a solution for John Everyman, but rather the sorts of folks who might be reading Coding Horror.
That's actually my current setup. It still kind of defeats the purpose though; I have to be logged in to Google Voice in order to authenticate logging in to Gmail with the same account. I'll wait for them to get a little more creative before I expect it to be much safer.
Two factor auth works fine without a cell phone. You can put a land line in as a backup and of course you should store the extra physical codes somewhere safe as well.
Obviously though, this would be a pain to use without a portable device that can generate the appropriate time-based code.
(You can check the "remember me for 30 days on this device" checkbox so you don't have to do this every time.)
No thanks. Google remembers a lot more than "this device," more like everything I do within that device thanks Search cookies, Adsense, Analytics on millions of sites and who knows what else
Yes, because it is a pain. Try going on a vacation, you know the one where you don't use cell roaming. SMS is out, so then one must find a Wifi hotspot to use one of the smartphone time based tokens (edit: seems the token don't need a network connection, could have fooled me). And those time based tokens go out of wack if your phone didn't sync the timezone properly to match Google's setup, so every token ends up not working.
Use the print out backup verification codes on a piece of paper? No, because they are single use. So you end up using up all your backup codes depending on the length of your vacation. I've used 2 step for a long while, I liked it, but I really could not get used to whipping out my phone every time I needed to check something related to Google.
I've had other hiccups such as mobile provider down, phone died etc. Maybe my best option was to keep all the backup codes on hard plastic with checkmarks next to used backup codes and secure them the same way I do my banking cards, maybe, I'll just try this one day.
If one is going to jump through all these spy-style codes might as well just change your password on a regular basis, forcing all previous sessions to invalidate.
When you reach a point where you have, say, half of your backup verification codes remaining and for some reason your timezone is that far out of sync that Google Authenticator no longer works (and for some reason you can't just sync your clock), then simply generated new backup verification codes and print those out. It seems like a pretty weird assumption that your clock will go out of sync and you won't be able to even manually sync. If you can get online to reach a Google login page, why can't you get within 30 seconds of the correct time for Google Authenticator to work?
Assuming you were able to use half the backup codes, since you have internet access you can always generate a new batch. I've been using 2 pass since it came out and it's honestly not that bad for the sense of security. Some banks are already using this system.
I recently traveled for 6 months without a data connection on my phone and used the Google Authenticator app without any problems at all. I changed the timezone setting many times too.
http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-f...
Do you have any passwords in your email older than six months? Any account numbers? Anything... incriminating or embarrassing?