mailing list archives
Re: Google Accounts Security Vulnerability
From: Michael Gray <mgray () emitcode com>
Date: Thu, 17 May 2012 08:29:38 -0700
Regardless of how you say it works, I can bypass it every time it would
seem. Again, by using the method in my original post. It's likely you have
a bug if this isn't the functionality you're after.
I appreciate the statistics but they mean little to me.
Thank you for taking the time to respond. I hope my suggestions and
findings will assist you in correcting these issues
On May 17, 2012 5:51 AM, "Mike Hearn" <hearn () google com> wrote:
I understand your concerns, however they are not valid. You can be
assured of the following:
1) We do not see this system as a replacement for passwords. If we
block a login the user is notified and asked if it was them, if it
wasn't we ask them to pick a new password. In very high confidence
cases we will immediately force the user to choose a new password,
because passwords are still the first line of defense.
2) We do not see this system as a replacement for 2-factor
authentication. However the reality is that the vast majority of our
users do not use 2-factor authentication and this is unlikely to
change any time soon. 2SV imposes a significant extra burden on the
user such that despite heavy promotion many users refuse to sign up,
and of those that do, many choose to unenroll shortly afterwards.
Therefore we also provide this always-on best effort system as well.
3) In fact it is very effective at stopping the large, botnet driven
types of attacks we see on a daily basis and so saying it doesn't add
any security is wrong. Since going live the system has successfully
defended tens of millions of users who have a compromised password. A
single unrepresentative data point based on one account isn't enough
for you to judge the utility of the system, whereas we can clearly see
the stopped campaigns (and drop in number of attempts).
That said, if you have friends and relatives who use Google and you'd
like to to make them more secure, by all means encourage them to set
up two-factor authentication.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: Google Accounts Security Vulnerability Alex Buie (May 14)
Re: Google Accounts Security Vulnerability Michael J. Gray (May 16)
Re: Google Accounts Security Vulnerability Mike Hearn (May 17)
Re: Google Accounts Security Vulnerability Jann Horn (May 21)
Re: Google Accounts Security Vulnerability Michael J. Gray (May 21)
- Re: Google Accounts Security Vulnerability, (continued)