lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFhH=NZS5m8Wtc=E50FYPWTosiHYLZk3Q-w0Oq8LoQ1+4e3agQ@mail.gmail.com> Date: Thu, 17 May 2012 14:51:26 +0200 From: Mike Hearn <hearn@...gle.com> To: "Michael J. Gray" <mgray@...tcode.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Google Accounts Security Vulnerability I understand your concerns, however they are not valid. You can be assured of the following: 1) We do not see this system as a replacement for passwords. If we block a login the user is notified and asked if it was them, if it wasn't we ask them to pick a new password. In very high confidence cases we will immediately force the user to choose a new password, because passwords are still the first line of defense. 2) We do not see this system as a replacement for 2-factor authentication. However the reality is that the vast majority of our users do not use 2-factor authentication and this is unlikely to change any time soon. 2SV imposes a significant extra burden on the user such that despite heavy promotion many users refuse to sign up, and of those that do, many choose to unenroll shortly afterwards. Therefore we also provide this always-on best effort system as well. 3) In fact it is very effective at stopping the large, botnet driven types of attacks we see on a daily basis and so saying it doesn't add any security is wrong. Since going live the system has successfully defended tens of millions of users who have a compromised password. A single unrepresentative data point based on one account isn't enough for you to judge the utility of the system, whereas we can clearly see the stopped campaigns (and drop in number of attempts). That said, if you have friends and relatives who use Google and you'd like to to make them more secure, by all means encourage them to set up two-factor authentication. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists