
Gmail password reset options a security hole

If your users use Gmail, you might want to give them a refresher on password safety. Tom Merritt shows you how attackers can steal Gmail passwords using the service's several password reset options.

If your users use Gmail, you might want to give them a refresher on password safety. Like many sites, Google's Gmail service provides several ways to reset forgotten passwords. Users can do this in one of three ways:

  1. Email: Sends a note that includes a password-reset link to a secondary email address.
  2. SMS: Sends a text message that includes a password-reset link to a mobile phone number.
  3. Security Question: Allows you to reset your password online after answering a personal security question.

While convenient, these password-reset tools can be a security hole, as a Twitter employee recently discovered when her Gmail account was hacked and sensitive company documents were posted around the Web. Each option is only as strong as the channel it relies on: a secondary email address, a phone number, or an answer that may be guessable from public information. In this video, CNET Executive Editor Tom Merritt explains how the alleged attack took place. If you aren't able to watch the video, you can read a text version of Tom's examination of the Gmail password reset options on the CNET TV blog.
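The following is an added example, not code from the original post or from Google. It is a toy model of reset option 1 (a reset link sent to a secondary address) that replays the scenario the comments below describe: the victim's secondary address lapses, an attacker re-registers it at the webmail provider, requests a reset for the victim, and receives the link. The same model shows one mitigation the primary service could apply, refusing to use a recovery address that has not been re-verified recently. The class names, the 180-day freshness window, the `example` addresses and the token format are all assumptions made for this illustration; they do not describe Gmail's actual implementation.

```python
"""Added example (not from the original post): toy model of an e-mail based
password-reset flow, the lapsed-secondary-address attack, and a freshness
check on the recovery address. All names, addresses and the 180-day window
are assumptions for illustration, not Gmail's behaviour."""
import hashlib
import secrets
import time

# Assumption: a recovery address must be re-verified at least every 180 days.
RECOVERY_MAX_AGE = 180 * 24 * 3600
TOKEN_LIFETIME = 15 * 60  # reset links expire after 15 minutes


class MailProvider:
    """Constructed stand-in for a webmail service (the Hotmail account in the story)."""

    def __init__(self):
        self.owners = {}  # address -> current owner
        self.inbox = {}   # address -> list of delivered messages

    def register(self, address, owner):
        # A deactivated address can be re-registered by anyone: that is the hole.
        if address in self.owners:
            raise ValueError("address already taken")
        self.owners[address] = owner
        self.inbox[address] = []

    def deactivate(self, address):
        self.owners.pop(address, None)
        self.inbox.pop(address, None)

    def deliver(self, address, message):
        if address in self.inbox:
            self.inbox[address].append(message)


class AccountService:
    """Toy primary service whose password reset goes to a secondary e-mail address."""

    def __init__(self, mail, enforce_freshness=False, now=time.time):
        self.mail = mail
        self.enforce_freshness = enforce_freshness
        self.now = now
        self.users = {}   # username -> {password, recovery, recovery_verified_at}
        self.tokens = {}  # sha256(token) -> (username, expiry)

    def create_user(self, username, password, recovery):
        self.users[username] = {"password": password, "recovery": recovery,
                                "recovery_verified_at": self.now()}

    def request_reset(self, username):
        user = self.users[username]
        if self.enforce_freshness and \
                self.now() - user["recovery_verified_at"] > RECOVERY_MAX_AGE:
            return False  # stale recovery address: require re-verification first
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, with an expiry; the token is single use.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (username, self.now() + TOKEN_LIFETIME)
        self.mail.deliver(user["recovery"],
                          "reset link: https://primary.example/reset?token=" + token)
        return True

    def reset_password(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop enforces single use
        if entry is None or entry[1] < self.now():
            return False
        self.users[entry[0]]["password"] = new_password
        return True


def attack(enforce_freshness):
    """Replay the alleged scenario; True if the attacker ends up owning the account."""
    clock = [0.0]
    now = lambda: clock[0]
    mail = MailProvider()
    svc = AccountService(mail, enforce_freshness, now)
    mail.register("victim_old@webmail.example", "victim")
    svc.create_user("victim", "correct horse", "victim_old@webmail.example")
    # A year passes; the victim stops using the secondary address and it lapses.
    clock[0] += 400 * 24 * 3600
    mail.deactivate("victim_old@webmail.example")
    # The attacker, having learned the address from public profiles, re-registers it
    # and asks the primary service to reset the victim's password.
    mail.register("victim_old@webmail.example", "attacker")
    if not svc.request_reset("victim"):
        return False
    link = mail.inbox["victim_old@webmail.example"][-1]
    token = link.split("token=")[1]
    return svc.reset_password(token, "attacker-chosen")


if __name__ == "__main__":
    print("attack succeeds without freshness check:", attack(False))
    print("attack succeeds with freshness check:   ", attack(True))
```

Note that the token handling itself (random, hashed at rest, expiring, single use) is already sound in this model; the account still falls because the reset is delivered to a channel the victim no longer controls. The only change that stops the replay is the service noticing that the recovery address has not been confirmed in a long time, which is exactly the kind of periodic check on "back-end settings" that driebesehl recommends in the comments.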

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

19 comments
Oldmanmike

I've commented on other postings that videos are blocked for my enterprise. I'm sure I'm not alone, and am not the only person who would appreciate a link to the information in a text format. It's already been getting more and more difficult to get to the downloads, articles, and other content when you have to navigate multiple pop-up windows, and now this change to video postings is forcing me to wait until I'm home to get to the content. Any chance we'll have a response from someone about how users in environments like mine might get some help?

The 'G-Man.'

Some info on the actual security hole instead of the ways to reset a gmail password, which we all know.

boxfiddler

You reminded me that I need to hunt down a variety of Google breach articles I've seen recently. I've users needing enlightenment.

Michael Kassner

This should be a mandatory video to all new Google users.

Bill Detwiler

We provide transcripts for nearly all our TechRepublic videos, but occasionally we republish videos from other CBS Interactive sites, which don't. That was the case with this video. I thought I'd added a link to Tom Merritt's related article on the CNET TV blog, but apparently not. Whoops! I've updated the blog post and just to be sure, here it is: http://cnettv.cnet.com/8301-13415_53-10293429-11.html Note: Edited for typo

Bill Detwiler

As Tom points out at the beginning of the video, it appears Gmail's password reset option was the security hole. Allegedly, the user whose account was compromised had listed an old Hotmail address as her secondary account. She had allowed this secondary e-mail address to be deactivated. The attacker was able to re-register the Hotmail account and then have Google send a password reset e-mail to that account. How did the attacker "guess" the Hotmail address? Allegedly, they were able to gather enough information about the victim from information she posted on social networking sites.

BlueCollarCritic

My personal choice with passwords is to keep a small set (3) that I rotate amongst sites/logins & the like. I also expand these passwords over time so that the 16 character password I have now is actually easy to memorize because I did it in pieces. I first started out with an 8 character password consisting of alphanumerics and commonly allowed special characters like the underscore. After several months I expanded this by adding 2 more characters. I've now worked my way up to 3 passwords that are between 8 & 16 characters in length and are of a combination of characters that no dictionary hack or brute force guess hack will ever crack. Does that mean my passwords can never be cracked? Of course not, only that they are so hard to crack that the effort required to do so would not provide a big enough pay off to justify it.

BlueCollarCritic

If you think about it, Gmail/Google really didn't do anything wrong. The password reset option that was used in the hack is one that many sites use and I don't recall (before today) anyone ever raising concerns about this being a big security hole in the past. This is just a case of a clever individual exploiting something yet to be exploited or yet to be exploited on a scale or incident that garners publicity.

Bill Detwiler

Unfortunately, I would bet the vast majority of Gmail users are guilty of the same lax security.

alan

I very much appreciate the link. Can you please make this very much more obvious. I have a Gmail account so was very interested, but the video is disastrous trash that so crippled my 4400 kbps bandwidth and/or Firefox by thrusting Flash and ActiveX down its throat. I decided it was not worth the hassle and shut off the video. Fortunately before I closed the tab I saw there were 12 comments, and your title for comment 11 got my attention just before I closed the tab and got on with the rest of my life. There must be other Gmail users who also need this information, and will not persevere to see this link. My preference is normally the transcript. I will accept the much slower transfer of information at the much higher bandwidth consumption of video - but not this atrocious video. I strongly object to a video filling my screen with the left hand side of portions of documents fluttering in and out of view. Life is too short for such rubbish. So I launched the comments in a fresh tab to read the comments while listening to the video voice-over, and it took forever to see any comment because the redundant video that I was NOT watching hogged all of some resource. I remember many failed attempts as a school boy at making a "cat's whisker detector", and my joy when I spent pocket money on a germanium diode and heard "London Calling Europe" with headphones on my crystal radio set. Good days. Far happier than trying to get information by watching a CBS video!!!

johndoe4024

Still no help. Here at my work we have been inflicted with the heavy-handed filters provided by Websense (more like WebNONsense) which doesn't actually look at what's at the end of a target link, but simply colors everything evil if it doesn't like the top-level domain name. How bad is Websense? I recently needed some information regarding remote access. I figured I'd start with PCAnywhere. Uh-uh. Blocked.

N4AOF

This is moderately interesting, especially the convoluted way that this hacker supposedly accessed the information, but the focus is on the wrong security hole. There appear to have been several security holes here, but the primary security hole was the Twitter employee herself. Anyone using any kind of webmail account for information that ought to be secure is quite simply a fool. The fact that information in this employee's Gmail somehow provided access to company files containing sensitive information just further demonstrates the degree of culpability of the employee involved. I notice that there have been several comments in this discussion about the need to use "strong" passwords -- but not one mention of the need to be security conscious about what you put in email and in files accessible via the net. Why does anyone need a "strong" password on a purely social email address? Or on most non-financial websites? Two of my pet peeves are websites that require a username and password when there is no reason to even have a user account, and any website that forces a "strong" password. This is NOT JUST an aversion to the futile notion of protecting users from their own incompetence. The problem with forcing a "strong" password is that the stronger the password, the more likely that it will be compromised in some other way. The proliferation of "strong" password requirements means that the vast majority of users have just one or two passwords that they use on all sites and that far too many people have their password written on their deskpad or a sticky note stuck on their computer. If you are logging on to the Dumb-Movies-I-Watched-Last-Week discussion forum, why would you need a 10 character password containing upper and lower case letters, numbers, and symbols? One of the best examples of doing it right is TechRepublic, where you don't need to constantly type in some gargantuan string of jabberwocky just to read and post trivial comments.

CG IT

This CIO Cloud drill down article outlines the pitfalls of users and 2 factor authentication, and this article on Network World is also an eye opener: http://www.networkworld.com/news/2009/080609-cyber-attackers-empty-business-accounts.html?page=2 They phished whoever was in charge of the $$ and loaded a keylogger into the browser. Cloud computing is being touted as the next best thing since sliced bread, but no matter the security in place, users can be the cloud's biggest security hole. Heck, the hack can simply be a cloud user.

The 'G-Man.'

but a bad on the user who let an e-mail address lapse that was used as a secondary security contact point.

Zwort

For free, an oubliette: http://www.mirekw.com/winfreeware/pins.html Sure, even CDs/DVDs can fail, and thus the password can be lost. It takes a few years though. I put nonsense into my reminder question and answer sections, and my passwords are as long as the system concerned will allow; PINs can generate passwords with upper case, lower case, digits, symbols, and user defined characters. I rarely use anything simple.

boxfiddler

It seems, is becoming less common every day.

driebesehl

If you have an active email account (or 10), shouldn't you make sure on a regular basis that your "security" for these accounts is up-to-date by making sure the secondary email and security questions noted in the settings are current and valid? Things change over time. On any account I use regularly, I check occasionally to make sure the "back-end settings" are still accurate and valid.

BlueCollarCritic

'G-Man' Are you gonna tell me that you've never had the case where you forgot about 1 or more email accounts because you just never used them (for whatever reason)? In this day & age it's easy to forget about what you have set up where, and keeping a document that notes all of these is a security risk in itself.
