Hacked (theatlantic.com)
217 points by grellas on Oct 17, 2011 | 111 comments



I'd be curious to read what people on HN think of one particular aspect of the story: she's not planning on using her old Gmail address anymore, which made me think of the longevity of one's email address and what one can do to keep control of it.

In particular, I'm thinking that backups of all your "cloud" data mostly take care of the fear of losing it, as described in the OP. However, to not lose your email address itself, you have to have your own domain, but is that really sufficient? In the end, you mostly lease it rather than owning it, so can it just be assumed that a .com address won't be messed with (as long as there aren't any trademark issues)? (as opposed to, say, a .ly)

Do you use your own domain for email? Do you think that email addresses have some inherent risks that make them potentially disposable after 5-10 years?

A bigger question is how could anyone (that is: people who have currently no idea what a domain really is and how to get one) take control of their addresses in a similar way?

As far as I'm concerned, I haven't used my own domain yet for emails but my alumni association gives me a lifelong forwarding address. I haven't been super strict with using it everywhere though, so it's a bit all over the place. The truth is too that my Gmail address is much easier to type and give away than either my alumni one or my own domain…


I think it's dangerous to rely on some corporate owned address as your long term identity. Even a company as big as Google or Microsoft could disappear in 20 years. It is much better to own your domain and be able to switch out the underlying service provider as needed. Though DNS wasn't really designed for that and it is probably beyond the capability of the average user, I do recommend it for the technically inclined.


Namecheap will let you set up forwarding email addresses for free if you register the domain there. No need to screw with DNS. I'm sure others do too.


I have my own domain for email which is iain@workingsoftware.com.au but I also have iaindooley.com (although I haven't used that for email for some time).

I run a DTC server (like open source CPanel) on which I manage email addresses for my workingsoftware.com.au domains, but I just forward all mail from there (for multiple accounts) to a single gmail account, iaindooley@gmail.com.

I have set up that account to allow me to send email as multiple different accounts, and send using my own, external SMTP server so that it looks "real".

I then have fetchmail running on one of my servers which downloads everything from gmail (except the spam) and I mostly read my email with alpine although using gmail as a waypoint has the advantage of lots and lots of free storage, excellent search and very easy accessibility from the web and multiple devices.

I periodically archive this when it gets too big onto the same server that holds my nightly backups (a 5.3TB RAID-Z NAS in the same rack as my primary development machine).

If my gmail account got hacked and all my messages were deleted, I'd still have them (because I POP them off) and the email address that I use publicly is not associated with my gmail address, so I would just be able to open a different gmail account and forward my mail there. I'd lose the ability to search a crapload of messages, though, without un-archiving all my old tarballs that I'd popped off of gmail but that's more of an inconvenience than a catastrophe.


I think that at some point in the future (after DNSSEC takes hold), FQDNs will be used both for identity and messaging (both realtime like IM/voice and non, like email). We're already seeing some of this in the form of *@personaldomain.com addresses.

I wrote about this a while ago: http://sneak.datavibe.net/20100227/the-future-of-the-interne...

I think that most people's FQDNs will be third-level or deeper, granted by some identity provider, though once the whole user@host format is abandoned I'm guessing that there will be lots of identity/email providers that allow one to one-stop register a domain and integrate it with the service (something that's beyond most casual users of email today).


I thought one of the big lessons of OpenID is that the non-technical world thinks FQDNs are for web sites (or something you type into Google!) and user@host is for identity? I still have trouble explaining that jay@jay.fm is my entire e-mail address, and that there is no .com at the end of it.

I think there was a point where everybody wanted to blog, and thus might have an URL that they considered "me", but that's gone away with Twitter and Facebook. Come to think of it, many people have a Facebook claimed URL, but I've never typed or clicked one, and I don't even know my own.


Painful. Great they got their stuff back but apparently it takes knowing people at google to get stuff done beyond the 'sorry we cannot answer further emails about this'.

I understand that there are limits to what technical support you can offer your end users but the fact that someone is a reporter with 'access' should not be the determining factor in who does and does not get back their email after a hack (which is a large word, account compromised would be a better description) like this.


I think it's incredible anyone would think a free service should be expected to recover six years of email. I would rather Google delete my email permanently when I empty my trash and do my own backups.


I agree with you, but I think that this was within the 30-day permanent-delete-from-trash window. If you are saying that the 30-day window is too long, that's a reasonable opinion. Maybe Gmail could offer a user-settable window length, with the default at 30, while more savvy users who trust their own email management could set it to zero.

Update: I would even be willing to pay Google for extra features such as the above, and more importantly, for guaranteed/quicker support from them if anything goes wrong.


But the problem with a user-settable window is that a supposed hacker could set it to zero, then delete, which is exactly one of the use cases the "undelete project" desires to handle.


Don't allow the new window to take effect until the length of the old window has lapsed. I.e., make the window apply not just to deletion, but also to the window setting itself.


Err, I wouldn't.

If you don't trust Google with your old messages, then why do you have a gmail account at all?


So they must either be the Fort Knox/Iron Mountain of email, or else there is no reason whatsoever to use them?


No, but I can't think of any additional threat that Google keeping backups of your mail exposes you to that just using Google as your email provider doesn't also expose you to.

If you don't trust them to keep your email backups safe, you shouldn't be using them.


good article on how to fix insecure passwords -

http://www.slate.com/articles/technology/technology/2009/07/...

take a phrase - ask not what you can do for your country -> Anwycd4yc

for each site mix in some letters from the domain, i.e. 2nd two letters of amazon -> maAnwycd4yc

bingo - easy to remember - strong - unique for each site

password safe like keypass is also good. occasionally you get services with silly password rules where your generator function doesn't return a valid password.

still important to have 2 factor on that one email account that has your banks etc., otherwise one encounter with one of these bad boys and it's all over -

http://www.google.com/search?q=usb+keylogger&tbm=isch


It's really quite amazing that I can use 2 factor authentication on both my google accounts and facebook. When I see people get "hacked" and lose access to their email and facebook I always advise them to turn it on. Ironically, they decide that it's too much work to protect themselves and would rather take the risk. For non-techies I think that mentality is quite common, it's quite scary. I wonder if it's possible to have a user friendly, secure authentication system.


User friendly secure system: a brick with a smiley face painted on it.


They just don't know the merits of two factor authentication. That said, however, as both services allow users to "remember" the sessions for a lengthier period of time, it's still insecure to sign in to those services even with two-factor authentication.


What attack can you make with the "remembered browsers" feature that you couldn't do without it? Stealing someone's computer and password and doing things with that?


This is silly advice. When you do this for lots of websites you most likely won't remember all of them correctly. I think the best solution is using a password manager (KeepassX, Lastpass, etc) which stores the passwords in an encrypted file (only requiring one master password). Put that encrypted file into Dropbox and the passwords are available across all your devices as well as online.


Actually, I do exactly this, and I do remember them all correctly. The key is to be consistent about WHAT you mix in from the site. I also use 1Password, but it's frankly a pain on the iPhone (there's no good way for them to integrate with Mobile Safari), and it's handy to be able to use my passwords on others' computers without having to look them up.


XKCD has an infographic on password security:

http://xkcd.com/936/


This isn't really true. It's four English words, which is four "choice variables" if you're sampling from an English words character set.


Four choice variables each with tens of thousands of possibilities, yes, yielding greater entropy at lower cognitive cost.


Put another way, Oxford lists over 250000 words in English. There are 26 letters. So we have:

250000^4 = 4 x 10^21 combinations

vs

26^(~10 characters) = ~10^14 combinations

Even accounting for capitalization and numbers and symbols, you get something like:

72^(~10) = 4 x 10^18


Except that nobody will use the full range of the Oxford dictionary.


Yeah, well, even if you use 1/8 of the Oxford dictionary you're still around parity with a 10-symbol password using lower case, capitals, symbols and numbers. At which point we fall back to Randall's observation: one is a whole hell of a lot easier to remember than the other.


The comic actually had a mouseover punch line about people like you:

> To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

You are the "someone who does not".

Please do the calculations described in the comic and tell us what your results are.


Why not just make your password 'AskNotWhatYouCanDoForYourCountry'? That seems pretty strong to me.


If someone gets hold of your password from one source, the goal is that they won't be able to use it in other places, hence the "ma" from Amazon in his example.

If I have maAskNotWhatYouCanDoForYourCountry then someone seeing it could possibly guess the relevance of the ma, and try ew or hn, etc. on this site.

With maAnwycd4yc on the other hand, without being told, are you going to guess that maybe it's a generic password with a small site-specific portion?


Well, I would think one should avoid using a famous quotation outright.

My passwords tend to be based off nonsense sentences. Personalized nonsense I can remember, but nonsense nonetheless.


Some websites cut your password off at twelve or even six characters. What this means is that your long password when you enter it into the password form is only 'AskNot'. That's not so hard to brute force.

To avoid confusion some websites let you type in x characters, but only take the first y characters.


That works too.

My main reason is: a pain to type on a mobile device

As others mentioned: may also get truncated or not accepted as a valid password due to length; if you added Amazon in there somewhere it might be easy to reverse engineer for other sites


I personally use a really stupid trick for remembering my passwords - use profanities, vulgarities and "things that you shouldn't say out loud" in your passwords and mix them with something silly. They are infinitely easier to remember then.


That's great until you're on the phone with customer service and you have to tell them your password. Kind of embarrassing.


They should be embarrassed about asking you to give your password over the phone.


I've never had to give a web system password over the phone. In which cases would this happen?


Yeah, I actually had to send one of my passwords to one of my friends in SMS (I know, totally insecure etc, but time was more critical at that time than security). I felt a little.... embarrassed afterwards.


I'm far more used to emails cautioning not to reveal my password to anyone since they will never ask for it than to having my password legitimately asked for.


As it turns out my father-in-law had the same thing happen to him (and the same mugged-in-madrid form letter). It is a tragedy, and soon email will cease to be viable for a large portion of the community.

That being said, I've pushed off and on some development for a network identity device. Not the big 'Identity' problem that most people run away screaming from but a much reduced (and tractable) part of the problem. A device which can prove that the person making a request is in physical possession of the identity device they had when they created the account.

Such a unit prevents people in Lagos from exploiting your password even if they get it as they don't have the device.



No, if they were then you wouldn't have to type extra numbers into your browser.

That seems kind of like a 'nit', I know, but if we learned anything from Steve Jobs it is that there is a difference between providing an answer and providing a solution.

The elements that will be present in a solution include:

1) You won't have to type anything else, a program will have an API which can definitively tell it you are making this request or you are not.

2) The 'key' won't be anything else, it won't be an app on your phone or a plug-in to your browser.

3) It will work with any service you care to use it with and if it has not been implemented there will be no legal/encumbrance/technical barriers to doing so.

4) It will not degrade your privacy options.

Google's two factor authentication fails on a number of these, not the least of which that it requires that you own a 'smart phone' which is something my father in law will never do before he dies.

So no, Google doesn't do this yet.


Are you serious?

As I said elsewhere in this thread, some countries in Europe require you to use a fob that generates another key for your second authorization factor. But you still have to type in extra numbers. How would you get around that? How does the service know that you're in possession of the key unless you give it some kind of input about the key that's unique to the key and to the current time?

Personally, I much prefer having it on my smartphone, and this seems like a good approach considering smartphone adoption rate. But Google's 2-factor will sms your dumb phone, too.


Of course I'm serious.

How does the service know that you're in possession of the key unless you give it some kind of input about the key that's unique to the key and to the current time?

Let's say you've got a 'fob' which is plugged into a USB port. Application sends the fob a challenge, fob responds. Application validates the response and proceeds. Perhaps the key uses 2.4mhz wireless, perhaps it uses bluetooth (a protocoled 2.4mhz wireless solution :-). The benefit is that these things can only occur when your key is present. No key, no transaction.

We don't worry about Nigerians stealing our cars, but we should consider what they might do with our self-driving cars if we don't have some durable way to say we're in the car right now.

I appreciate that you prefer having something like this on your smart phone, but such a solution fails for the larger internet population. And while SMS works for 'dumb' phones you cannot have it validate on every send, every post, every tweet, every page view.

You may not share my urgency on this as a threat but I invite you to start to watch more closely. In the Atlantic article a Google representative said "Thousands per day" this is big business for folks. I was talking with a senior executive at Wells Fargo who mentioned hundreds of millions of dollars 'lost' every year. This is a growing problem, it's getting more expensive, and like some digital herpes my expectation is that it is going to pop out suddenly in boils of financial putritude dripping pain, financial suffering, and expense for everyone involved. With luck we'll fix it before then but most folks who are getting burned are more interested in covering it up rather than addressing it sadly.

I think it would be wonderful to have a possible solution prototyped and demonstrable for people in pain. Your passwords will be compromised, and if you do anything financial online you will have money vanish and you will experience arguing with a bank as to why they should give it back to you and take the loss. This isn't a 1 in 10, or 3 out of 5 type statistic, I'm pretty confident that every single person who has an online account which can transfer funds (whether it's an iTunes account or a checking account) will experience this. 100%.


> Lets say you've got a 'fob' which is plugged into a USB port

I still fail to see how this solves anything. Once you get malware on your computer, that malware can send requests to the USB device, and you're back at square one.

One of the features of RSA security fobs is that only someone physically present can use it. What you've made is an RSA fob that's vulnerable to viruses.


The protocol between the service and the FOB allows for any program sitting on the computer to snoop the entire exchange and be unable to reproduce it. The simplest example of this was the Millicent protocol which used an MD5 running backwards as a one time pad, although that had other issues.

But let's say that at the 'introduction' stage the service set a cookie with the fob by saying 'remember this about me, I'll call myself ecb994af and your magic number is 3551eff' then later on verification passes it sends a message encrypted by its self key to 'tell me your magic number divided by 2 and encrypted with your id.' The attacker can see the whole sequence but if they don't understand what is being asked and returned they can't reproduce it, and they don't have the initial secrets either.

There are lots of ways to do this with smart protocols. Something I tried (and failed) to patent back in the Java days was a scheme where you sent a packet which could be executed. The nice thing about such protocols is they can be dynamically designed between device and service and malware is stuck out in the cold.

There are things it cannot protect against, malware running in the Google servers or Amazon's for that matter which has access to all of their server data. But if it does get compromised it only compromises one relationship, no additional damage is done because other systems can have their own protocols, their own dynamic data.
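A minimal model of the exchange described above, as an added example rather than the commenter's protocol: a per-service shared secret set at the 'introduction' stage, an HMAC over a fresh nonce on each verification, and a physical button on the fob. Service names, fob ids, the button, and the HMAC construction are assumptions; the model also shows the point raised in the reply above, that host malware can drive a fob that has no presence check.

```python
import hashlib
import hmac
import secrets


class Fob:
    """The USB 'key'. Holds one secret per enrolled service, so a breach of one
    service's data never yields material that another service would accept."""

    def __init__(self, fob_id: str, require_presence: bool = True):
        self.fob_id = fob_id
        self.keys = {}                      # service name -> shared secret
        self.require_presence = require_presence
        self.button_pressed = False         # set by the human, cleared after one use

    def respond(self, service: str, nonce: bytes):
        # Host software (including malware) can talk to the fob freely; the only
        # thing it cannot fake is the button press, so a silent request gets nothing.
        if self.require_presence and not self.button_pressed:
            return None
        self.button_pressed = False
        return hmac.new(self.keys[service], service.encode() + nonce, hashlib.sha256).digest()


class Service:
    """The web service. Issues a random challenge per verification and never accepts
    the same challenge twice, so a recording of the exchange is useless for replay."""

    def __init__(self, name: str):
        self.name = name
        self.fob_keys = {}      # fob id -> shared secret (the 'introduction' stage)
        self.used_nonces = set()

    def enroll(self, fob: Fob) -> None:
        key = secrets.token_bytes(32)
        self.fob_keys[fob.fob_id] = key
        fob.keys[self.name] = key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, fob_id: str, nonce: bytes, response) -> bool:
        if response is None or nonce in self.used_nonces:
            return False
        key = self.fob_keys.get(fob_id)
        if key is None:
            return False
        expected = hmac.new(key, self.name.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.used_nonces.add(nonce)
        return True


def genuine_login(service: Service, fob: Fob) -> bool:
    """The user presses the button and the fob answers the fresh challenge."""
    nonce = service.challenge()
    fob.button_pressed = True
    return service.verify(fob.fob_id, nonce, fob.respond(service.name, nonce))


def replay_recorded_exchange(service: Service, fob: Fob) -> bool:
    """An eavesdropper on the host records one full exchange and submits it again."""
    nonce = service.challenge()
    fob.button_pressed = True
    response = fob.respond(service.name, nonce)
    assert service.verify(fob.fob_id, nonce, response)   # the original use succeeds
    return service.verify(fob.fob_id, nonce, response)   # the replay is rejected


def silent_malware_login(service: Service, fob: Fob) -> bool:
    """Malware on the host asks the fob to answer a live challenge with nobody at the
    keyboard. The protocol alone cannot tell malware from the real browser; only the
    presence check (the button) stops this."""
    nonce = service.challenge()
    return service.verify(fob.fob_id, nonce, fob.respond(service.name, nonce))


def cross_service_reuse(victim: Service, other: Service, fob: Fob) -> bool:
    """A breached service uses the secret it holds for this fob against another service."""
    stolen_key = victim.fob_keys[fob.fob_id]
    nonce = other.challenge()
    forged = hmac.new(stolen_key, other.name.encode() + nonce, hashlib.sha256).digest()
    return other.verify(fob.fob_id, nonce, forged)
```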


For this to work, you'd need a trusted connection between the fob and the server. So this reduces down to relying on a CA system, which first of all isn't open, and second we now know works very poorly. Heck, and on the USB device you wouldn't even have a secure way to be able to update the CA store to remove bad actors.


If the fob is issued by the company that runs the server, the company can put keys into the fob before they mail it to you. No CAs needed.


The problem I see with this solution is that it would require a plugin to be installed on your browser in order for the browser to have access to the fob. This alone is enough to discourage a lot of people from using it.

Also, you wouldn't be able to log into a public terminal.


In the ideal world, the spec would be open and anyone could implement it in their service (be it a browser or other). For most operating systems we're talking about something that looks like a device connected over a serial port. The Android service is pretty straightforward and I've played a bit with ideas on an old G1 which had a serial port hidden in the USB port, not sure about iOS. For computers like laptops etc. it's very straightforward (for both wireless and wired solutions).

"Also, you wouldn't be able to log into a public terminal."

Actually depending on capability (no pun intended) I could easily see 'read' access being usable without the key but recognize the issue there. The real 'issue' if you will is universal appeal/buy-in which is to say if anyone can use it then you will get some early adopters who will provide support as a differentiating factor and that can drive adoption into more slowly changing markets. Because it has to be everywhere to be effective it won't be a big money maker (this is where a lot of VCs stop listening :-) basically the barrier to implementing it has to be 0 and the value to the implementor has to be non-zero. Given how thinly marginalized 'security' fixes are, this margin won't leave anything for the manufacturer in terms of ongoing revenue so the key itself has to define the value for the company. (I've actually thought a lot about this :-)

So to your point, for early adopters the experience would be to get a 'key' and to install a plug-in and then enabled sites and services would be secured. Pretty easy sell to an enterprise if their only cost is the 'fob cost' and there isn't some giant consulting revenue stream attached to it. For big companies it has to be completely implementable (once the key infrastructure is set up) in a way that is custom (and probably private) to that enterprise. That gives their IT folks confidence and it makes the risk low.

For more general engagements like PayPal or Facebook it's a bit different. On things that are appifyable (if that makes sense) there is a potential for differentiation (look at how the World of Warcraft Authenticator stuff was worth it for them to implement).

The key for me is that the existing way of doing things is under attack and it will eventually succumb, when it does there is a tremendous opportunity there.


This sounds like a lot of necessary infrastructure. Widespread smartphone adoption seems more likely to me.


He seems to be advocating that the solution is built into all levels of the stack: OS drivers, native browser support (i.e. no plugins), etc.


Using a TPM to ensure that only trusted software is accessing the fob as well. We're still a little ways off from a completely cryptographically secure software stack.


Yubikeys (yubico.com) get part of the way there, with the USB plug part anyway.

ObDisclaimer: not a representative of, etc, just messing around with them at the moment.


I have one of those and it was very inspiring in my thoughts on this. I agree it comes part of the way there.


just a nit, but you only need a mobile phone for Google two factor authentication, not a smart phone - can get code by SMS or voice message -

http://www.google.com/support/a/bin/answer.py?answer=175197

less of a nit - if your browser automatically confirms your identity, whatever token it's based on, the privacy implications may not be completely warm and fuzzy


> there will be no legal/encumbrance/technical barriers to doing so
>
> it won't be [...] a plug-in to your browser

These seem at odds, because you won't have support in older browsers.


Separate them in time. If the protocol is well documented and there are free source code implementations available then that removes the barriers to implementing it in new systems, and plug-ins or some other form would be needed for older systems but the plug-in itself could be implemented by a third party rather than have to come from the key manufacturer because of the open spec.


You can use Google 2 factor with a land line, or cellphone. They call it, and tell you the auth code.

  1) Try to login
  2) Google calls your phone and says the auth code
  3) Type it in

I think that works pretty well...


Yes, and it's a bit of a hassle, but does provide some peace of mind.

I remember that when my wife was in school in the Netherlands, her bank there gave her a fob that created a second factor for sign in, too.


> For reasons too complex to explain here, even some systems, like Gmail's, that don't allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks.

I'm curious as to what the reasons are? How do you bruteforce a gmail account? Surely Google will not allow you millions of tries?


Password reuse by end users puts even a relatively well secured site like gmail at risk of user passwords being brute forced.

Break into a less-well-secured site, steal the password file, which may use something like md5. Brute force offline. Then, try that password and username on a more secure site like gmail.


This. I continue to be saddened at the extent to which "DON'T REUSE PASSWORDS EVER" isn't the first sentence and summary to any discussion of this stuff. Even people who should know better (c.f. posters right here on this site) don't, and those who do get distracted talking about more "interesting" stuff like GPU hashing algorithms instead.

Just don't do it. And tell all your friends.


> "DON'T REUSE PASSWORDS EVER"

You can reuse your password as long as it's for an account that you don't care about. The more secure the account needs to be the more secure that password needs to be. I.e. use the same password for all crap accounts, use a pattern for semi-secure accounts, and use separate, secure passwords for all secure accounts.


I'm kinda shocked that of all the "experts" the reporter talked to, nobody used more than a dozen passwords. I'm no crypto geek, I don't force SSL everywhere, I've never used TOR or anonymous VPNs or anything - but I have a few different password systems that allow me to use and remember semi-unique, word-free passwords on any site I care about. If you were targeting me personally, and you obtained the plaintext of a few dozen passwords, you could probably figure one of them out; if you're running a typical automated attack, you're going to miss me.

I can't possibly be the fastest runner from this bear.


What password systems are you using?


1. Stick non-alpha characters in the middle of words. Not 31337 substitutions; additions. Now your dictionary word isn't a dictionary word anymore.

2. Use the first letter of each word in a phrase. Again, now it's easy to remember but not a dictionary word.

3. Find a way to customize the password for each site in such a way that you can remember the pattern. Use letters from the stock symbol, the dominant color, the domain name, or some other word you associate with that site. Boom - now your password is unique per site.


But it's so hard to. Really. Most people aren't willing to spend the time (I know I'm not). It takes more memorization (unless you use exploitable tricks) and most people think they're mostly safe, so "what's the point?", they think.


Pick one good pass phrase and use it as the encryption key to a gpg-locked file where your auto-generated passwords are stored. This is what I do. There are commercial products that are isomorphic to this process, though I haven't used any of them. Even a web browser will do this for you (sans the auto-generation part), though they're not good at archival or replication of the passwords.


That's not possible. If you use the internet a little bit, you are almost constantly required to choose more and more new passwords. On newspaper sites to comment, on registration forms, to buy tickets to some concert, etc etc. You cannot use a different password for each of them. And password systems are overkill for most people (certainly for me).

Really, what IS sensible is having sensitive sites with different passwords and "who cares" sites with similar ones. As the author actually says at the end of the article.


Sure it's possible. Use a mentally computable one-way "hash" when creating your passwords, such that you (and only you) can generate a unique password based on some attribute of the system you're creating the password for (name, domain name, etc).

Of course that's also too much work for the average user.

I think single sign-on systems with two factor authentication and other advanced security are a step in the right direction.
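One way to turn the "mentally computable hash" idea into an actual one-way function, as an added example that is not the commenter's own scheme: derive each site's password with PBKDF2 from a master phrase, using the site name as the salt, so that a leaked password carries no visible site-specific prefix like the "ma" discussed earlier. The master phrase reuses the thread's example quotation; the site names and the composition rule are assumptions.

```python
import hashlib
import string

# 62-character output alphabet (letters and digits), accepted by nearly every site.
ALPHABET = string.ascii_letters + string.digits
# 248 == 4 * 62: bytes at or above this are discarded so every character is equally
# likely (a plain `byte % 62` would favour the first eight characters of the alphabet).
REJECT_AT = 248

# Constructed master phrase: the quotation used as an illustration in the thread.
MASTER = "ask not what you can do for your country"


def _site_salt(site: str) -> bytes:
    """Normalise the site label so 'Amazon.com' and 'amazon.com' give the same password."""
    return site.strip().lower().encode()


def _candidate(master: str, salt: bytes, length: int, iterations: int, attempt: int) -> str:
    """Derive `length` unbiased characters. `attempt` is mixed into the salt so that a
    candidate rejected by a site's composition rule is re-derived deterministically."""
    chars = []
    block_no = 0
    while len(chars) < length:
        block = hashlib.pbkdf2_hmac(
            "sha256",
            master.encode(),
            salt + attempt.to_bytes(2, "big") + block_no.to_bytes(2, "big"),
            iterations,
            dklen=64,
        )
        for b in block:
            if b < REJECT_AT:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        block_no += 1
    return "".join(chars)


def meets_rules(password: str) -> bool:
    """Assumed site rule: at least one lowercase letter, one uppercase letter and one digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def derive_site_password(master: str, site: str, length: int = 16,
                         iterations: int = 100_000) -> str:
    """Stateless per-site password. Nothing is stored, and a password leaked from one
    site reveals neither the master phrase nor any other site's password, because the
    site name is the salt of a one-way KDF rather than a guessable visible prefix."""
    salt = _site_salt(site)
    attempt = 0
    while True:
        candidate = _candidate(master, salt, length, iterations, attempt)
        if meets_rules(candidate):
            return candidate
        attempt += 1   # deterministic retry: the same site always ends at the same password


if __name__ == "__main__":
    for site in ("amazon.com", "news.ycombinator.com"):
        print(site, derive_site_password(MASTER, site))
```

The price of statelessness is that changing one site's password means changing the attempt counter or the master phrase, which is the trade-off a stored-vault manager avoids.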


I'm glad I switched to 1Password and switched all of my accounts to a different randomly generated password. I'm sure I'm using it in some insecure way but at least all of my passwords are different.


if you use the same password on multiple sites and any one of them gets hacked, hackers can brute force against the stored hash to "recover" your original password, which is probably tied to an email address.


True, but the article makes it sound like the systems themselves are vulnerable to brute forcing, whereas the vulnerability you describe is with the user (plus a vulnerable unrelated system).

I'd like to know what the author really meant.


Not sure what he meant, but it's usually possible to brute force even decent online auth systems.

Since most of these systems are rate-limited per-account, instead of iterating over passwords for a given account, you can iterate over accounts for a given (common) password. This won't work for a targeted attack, but if you have thousands of valid email addresses, trying them all with e.g. "password" as the password will likely yield a few for which it works.
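Detection logic for the account-iteration pattern just described, as an added example that is not from the thread: a per-account lockout sees at most one failure per account, so the usable signal is one source failing against many distinct accounts inside a short window. The log format and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an authentication log (not real traffic).
# Format: "<ISO timestamp> <source ip> <account> <OK|FAIL>"
# 203.0.113.7 tries one password against many accounts; 198.51.100.9 is a shared
# address where two users mistype their own passwords and then succeed.
SAMPLE_LOG = """\
2011-10-17T09:00:01 203.0.113.7 alice FAIL
2011-10-17T09:00:03 203.0.113.7 bob FAIL
2011-10-17T09:00:05 198.51.100.9 carol FAIL
2011-10-17T09:00:06 203.0.113.7 carol FAIL
2011-10-17T09:00:09 198.51.100.9 carol OK
2011-10-17T09:00:10 203.0.113.7 dave FAIL
2011-10-17T09:00:12 203.0.113.7 erin FAIL
2011-10-17T09:00:15 198.51.100.9 frank FAIL
2011-10-17T09:00:17 198.51.100.9 frank FAIL
2011-10-17T09:00:19 198.51.100.9 frank OK
2011-10-17T09:00:20 203.0.113.7 frank FAIL
2011-10-17T09:00:21 203.0.113.7 grace OK
"""


def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def per_account_failures(lines):
    """What a per-account lockout counter sees: the spraying source adds only one
    failure to each account, so no account crosses a typical lockout threshold."""
    counts = defaultdict(int)
    for ts, ip, account, result in map(parse_line, lines):
        if result == "FAIL":
            counts[account] += 1
    return dict(counts)


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source ip that fails against at least `min_accounts` distinct accounts
    within `window`. Counting distinct accounts rather than raw failures keeps a shared
    NAT address, where a few users each retry their own password, below the threshold."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, account) failures in window
    flagged = {}
    for ts, ip, account, result in sorted(map(parse_line, lines)):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= min_accounts:
            flagged[ip] = sorted(distinct)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-account failures:", per_account_failures(lines))
    print("spray sources:", detect_spray(lines))
```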


Rate-limiting by IP address seems like a pretty obvious defense, is that really not common?


This becomes hard when you have many users behind one IP (corporate NATs, schools, entire countries, etc), and when attackers can hop proxies fairly easily.


Botnets are cheap to rent.


It's a seemingly infinite number of tries because after 2-3 failed password attempts, you get a captcha to do.


Just another example of why you should enable 2 step authentication on your Google account. Seriously...do it today!


For real. Unique, strong password and two factor auth. Your email account is the master key to everything you do online. Protect it accordingly.


Unless you don't use the same email account for password recovery, your email address is as important as it seems.

However, many sites won't allow you to have a different email account just for password recovery; that is insecure, as people would then know where to go.


Today's security model is broken. And most people, including readers here at HN, equate safety with a low probability of being hacked. I've signed up for at least 50 sites, probably more. The chances are good that not all of these sites have great security. And if anyone gets my password from that weak link, many of my other accounts are at risk.

Worse is if someone manages to get malicious software directly to my computer. At that point I'm screwed, and everything including email/bank accounts are an open book.

I don't know what the answer is but I sure hope someone would fix it.


I've started using two-factor authentication with my Google account and it isn't that bad. The mild pain of having to type in my authentication number occasionally is offset by my increased peace of mind. It does require you to use an authenticator app on your smartphone though, so for some it might not be an option.


Two-factor authentication is nice. I know many of my different logins are vulnerable, but they're also for sites that aren't very important, even if compromised.

Gmail is a different story. Anyone with access to that gets access to most other things. So the inconvenience of inputting a text message code once a month pales in comparison to the hurdle it adds to accessing my account.


You can use SMS notifications, so a smartphone isn't strictly required. Is the authenticator app experience much better? Using SMS is fairly painless, as far as possible with two-factor auth.


I feel like I should turn in my nerd card, as I had no idea Google was currently offering two factor auth. Thanks for mentioning this!


A good cross-platform syncing password manager is the partial solution. I recommend https://agilebits.com/onepassword .

(I'm not affiliated, just a user. It works a charm.)

Only downside is that the keychain file is not encrypted as a whole, only the passwords, so if someone steals your database file they've a list of all your usernames and sites that you have an account on (but not the passwords thereto). It's the same for the OSX keychain, e.g.:

    strings ~/Library/Keychains/login.keychain | egrep -i 'com|net|org'


LastPass is pretty solid too. https://lastpass.com/


I don't see linux on the platforms list, which really disqualifies this for me. A pity.


Another vote for onepassword. Good stuff.


On PokerStars, all high-volume players get an RSA SecurID tag. That feels safe. SecurID were hacked but apparently Stars weren't compromised... anyway, they seem like a good idea. I wish my bank and email account each had one also.


GMail's two-factor authentication is close. Also, free.


Can anybody explain how this makes sense:

"The account had seemed sluggish earlier that morning because my wife had tried to use it at just the moment a hacker was taking it over and changing its settings [...]"

It does not make sense to me that GMail is sluggish when someone else changes the settings.


More likely it was in the midst of the mass-deletion later referred to - deleting 6 years' worth of email could certainly make gmail sluggish.


>> On Google’s side, one explanation involved complexities of the law. My wife and I might think that Google had a “duty” to be able to find her messages after some hacker had erased them. But according to Google’s legal department, its higher and more stringent duty is to ensure that messages are erased, if whoever is in charge of an account wants them gone.

That is a good reason. Moral of the story: make your own personal backups of everything that you wouldn't want to lose.


Has anyone ever wondered why spammers don't use proper grammar? Is it because the majority of people they target can't type with proper grammar, or because they're foreign?


Almost certainly because they're not native English speakers.


I seem to remember spammers doing this in order to evade naive spam filters. For example, substitute "v1agra" for "viagra", and get through to the inbox. Though once you use a trick like that and it gets marked as spam a few times, you can't use it again. So yeah, perhaps your reason is more sensible.


Not that native English speakers always use proper English grammar in situations where proper grammar is not required for business success (and spam is obviously one).


Expecting average users to use unique sufficiently complex passwords, or even just a few "tiers" of passwords, will never work because users just don't care... until it's too late.

Single sign-on systems are the only reasonable solution. Of course that introduces a single point of failure, so they need to be extremely secure, but at least it's easier to secure one system with two factor authentication, advanced monitoring, etc than every site on the web.


The first thing I did was to back them all up onto her hard disk, with Thunderbird—and then back up those archives elsewhere, just in case.

If you care about your mail, you should be doing some kind of personal backup with any service like this. I just fire up Thunderbird, like the author, but I'm sure there must be a lot of scripts and programs out there to do local gmail backup.


I use getmail on linux. All it really does is back up the mail in mbox format, but it'll be really handy one day I'm sure.

This person's tale should be a warning to those who have not done a backup recently. Hard drives have never been cheaper in terms of price per byte. It only takes a couple of steps to set it up so that it's done automatically.


Does anyone have any suggestions for backing up 6 GB of gmail data to somewhere easily?

I have my own personal domain I could sync it all to, somehow, I suppose. Then I need a linode box, scripts, etc, etc...

I don't really want to maintain or worry about a local backup of 6 GB (and growing) of mail from gmail...


Get Thunderbird (or any email client), on local or hosted box. Or hosted mail service that can fetch POP. Set it to download Gmail via POP, leave copy on server.
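A small IMAP-to-mbox archiver in the spirit of the getmail and Thunderbird suggestions in the comments above, added here as an illustration and not code from any poster. It assumes IMAP access is enabled on the account, uses Gmail's "[Gmail]/All Mail" folder name, and the two sample messages are constructed so the archiving part runs offline.

```python
import email
import imaplib
import mailbox
import os
import tempfile

# Constructed sample messages (not real mail) so the archiver can run offline.
SAMPLE_MESSAGES = [
    b"From: alice@example.com\nTo: bob@example.com\n"
    b"Message-ID: <1@example.com>\nSubject: hi\n\nbody one\n",
    b"From: alice@example.com\nTo: bob@example.com\n"
    b"Message-ID: <2@example.com>\nSubject: again\n\nbody two\n",
]

def fetch_all_mail(host, user, password, folder='"[Gmail]/All Mail"'):
    # Yield raw RFC 822 bytes for every message over IMAP/SSL. Assumes IMAP is
    # enabled on the account; with two-factor auth on, pass an app password.
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    conn.select(folder, readonly=True)   # read-only: never alter the server copy
    _, data = conn.search(None, "ALL")
    for num in data[0].split():
        _, parts = conn.fetch(num, "(RFC822)")
        yield parts[0][1]
    conn.logout()

def archive_messages(raw_messages, mbox_path):
    # Append to an mbox, skipping Message-IDs already on disk so re-running the
    # backup is incremental. Returns the number of messages newly written.
    box = mailbox.mbox(mbox_path)
    seen = {(m.get("Message-ID") or "").strip() for m in box}
    added = 0
    for raw in raw_messages:
        mid = (email.message_from_bytes(raw).get("Message-ID") or "").strip()
        if mid and mid in seen:      # a message without an ID is always kept
            continue
        box.add(raw)
        seen.add(mid)
        added += 1
    box.flush()
    box.close()
    return added

def roundtrip_demo():
    # Archive the samples twice into a fresh mbox and report
    # (added on first run, added on second run, messages now in the file).
    path = os.path.join(tempfile.mkdtemp(), "gmail-backup.mbox")
    first = archive_messages(SAMPLE_MESSAGES, path)
    second = archive_messages(SAMPLE_MESSAGES, path)
    return first, second, len(mailbox.mbox(path))
```

For a real run, pass the output of fetch_all_mail(...) to archive_messages in place of SAMPLE_MESSAGES and schedule it with cron.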


A friend of mine got his gmail hacked - he believes through a POP password brute-forcing vulnerability. The person or persons who stole it used it to steal his domain. Fortunately he was able to get it back. I turned on 2-factor auth for gmail soon afterwards.

http://secretgeek.net/sg_hijack_1.asp http://secretgeek.net/sg_hijack_2.asp


Sounds like this is becoming a bit of a problem; another article from someone at the Guardian who experienced the same thing: http://www.guardian.co.uk/technology/2011/oct/16/email-hacke...


OT: is it me or has The Atlantic made a concerted effort to use HN to expose its move into tech news?


It's you. James Fallows has been writing tech stuff for the Atlantic for decades.


Ever hear of two-factor authentication???


no one is speaking about how we can get this hacker..



