Forget Google's other properties, my gmail account password is my password for everything for the simple reason that an attacker with access to my gmail account can reset my password on almost every other web system by requesting that a password update email be sent to me.
This is one of the reasons I caved and got an iPhone with push mail notification. I want to know the moment I get a password reset email. Alas, a really clever attacker would probably read and delete the mail before I could see it.
That seems backwards. The problem isn't your gmail password getting leaked, but some other site leaking your password. If that site also has a clue about your email address, now they have access to your email, since you made them the same password.
No, he says that it's like gmail's password is his password for everything, since someone can then reset his other passwords; not that he uses gmail's password for everything.
Although you're right that websites might have access if you use the same password for everything, in this case even if you use all different passwords, you're completely blown if somebody gets the gmail password, because they can just reset all the other ones.
Seems a lot of people missed the point. This wasn't about using the same password everywhere (obviously insecure) but rather, if someone did get your email password it immediately defeats the security of every other service you use.
What I'm saying is if you use the same password for everything, that makes it more likely they can get the gmail password.
Take, for example, the reddit password leak. A clever attacker can probably guess my email from my username. If I had used my gmail password for my reddit password, now they have access to everything. But, since I don't cross-contaminate my passwords like that, I didn't risk my gmail account.
I don't think that you understand what you're saying. Let's look at a few examples:
Scenario #1
===========
- I have 3 online accounts: gmail, hacker news, okcupid
- I use the same password for all accounts
- someone hacks okcupid
- they now have the password to my gmail account
- they also have my email which is attached to the okcupid account
- hacker uses okcupid password to access my gmail account.
- hacker uses access to gmail account to reset password for hacker news
Scenario #2
===========
- I have 3 online accounts: gmail, hacker news, okcupid
- I use the same password for both hacker news and okcupid, but I use a different password for gmail.
- hacker breaks into okcupid
- hacker now has my email address and my password for okcupid/hackernews
- hacker attempts to access my gmail account, but cannot because the password is different
- hacker attempts to access my hacker news account, and gains access since it's the same password as my okcupid account
Scenario #3
===========
- I have 3 online accounts: gmail, hacker news, okcupid
- I use separate passwords for each account
- hacker breaks into okcupid
- hacker now has my email and password for okcupid
- hacker attempts to access my gmail and hacker news accounts, but cannot.
You're saying that because it's possible for someone to gain access to your gmail account, you use the same password everywhere, but this is the wrong conclusion to draw here.
Scenario #3 where each account has a different password is the best, but Scenario #2 is still better than Scenario #1. Just because a compromise on your Gmail account is a 'Game Over' scenario just means that you have to apply extra security measures to your Gmail account. Your Gmail password should definitely never be used as a password anywhere else and should be the strongest password that you use (other than maybe an online banking password).
tl;dr version:
Your email account password should be your strongest password, even if you use the same password everywhere else. The odds of someone hacking your email account are low, the odds of someone hacking a no-name website and using your account information to get your email password are high.
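The three scenarios in the post above, as an added example that is not part of the thread: a small Python model that propagates a compromise through "same password" links and "reset email goes to this mailbox" links, so the blast radius of a breach at one site can be compared across the scenarios. The account names, password labels and the reset-mailbox mapping are assumptions taken from the post.

```python
# Added example (not from the thread): propagate an account compromise
# through password reuse and "reset via email" links for the scenarios
# above. Account names and reuse groups are assumed from the post.
from collections import deque

# Every non-mail account can be reset from the mailbox it is attached to.
RESET_MAILBOX = {"hacker news": "gmail", "okcupid": "gmail"}

def blast_radius(reuse, breached, resets=RESET_MAILBOX):
    """Return the set of accounts an attacker ends up controlling.

    reuse    -- maps account -> password label; equal labels mean the
                same password is shared between those accounts
    breached -- the account whose password leaked first
    resets   -- maps account -> mailbox that receives its reset email
    """
    owned = {breached}
    queue = deque([breached])
    while queue:
        acct = queue.popleft()
        # Same password: the attacker simply logs in.
        for other, pw in reuse.items():
            if other not in owned and pw == reuse[acct]:
                owned.add(other)
                queue.append(other)
        # Owning the mailbox: the attacker requests a password reset.
        for other, mailbox in resets.items():
            if mailbox == acct and other not in owned:
                owned.add(other)
                queue.append(other)
    return owned

SCENARIOS = {
    1: {"gmail": "p1", "hacker news": "p1", "okcupid": "p1"},  # one password
    2: {"gmail": "p1", "hacker news": "p2", "okcupid": "p2"},  # gmail separate
    3: {"gmail": "p1", "hacker news": "p2", "okcupid": "p3"},  # all distinct
}

def scenario(n, breached="okcupid"):
    """Accounts lost when `breached` leaks its password in scenario n."""
    return blast_radius(SCENARIOS[n], breached)

if __name__ == "__main__":
    for n in SCENARIOS:
        print(f"scenario {n}: okcupid breach ->", sorted(scenario(n)))
    # The 'Game Over' case: the mailbox itself is compromised.
    print("scenario 3: gmail breach ->", sorted(scenario(3, "gmail")))
```

Running it shows the okcupid breach spreading to all three accounts in scenario 1, to hacker news only in scenario 2, and nowhere in scenario 3, while a gmail breach takes everything in every scenario.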
So when you have such a powerful "master" password, you shouldn't go blabbing it to a bunch of websites with unknown security. You have to trust it with Google, by nature, but using different passwords elsewhere means that leaks on other sites are contained.
He doesn't reuse the password all over the net. He uses many google services, and each requires his gmail password. It's google that's forcing him to authenticate himself via gmail.
Especially with things like the Twitter leak, I've become increasingly frustrated with the fact that someone could basically just become me if they a) found out my Gmail password or b) had access to a pre-authenticated session (e.g. my flatmate borrowing my laptop). The fact that the Gmail password in and of itself also ties access to other Google services, as pointed out in the OP, doesn't scare me half as much.