Who here uses Gmail and hasn't enabled 2factor auth?

Apple Of Sodom

Golden Member
Oct 7, 2007
1,808
0
0
I have enabled it. I thought it would be a bit of a hassle but it really isn't. I always access gmail on the same few computers and devices. For the times I don't I'm really glad I have it on.
 

Crono

Lifer
Aug 8, 2001
23,720
1,501
136
You fishing for potential targets

Not me, I have 2 step authentication on, plus I regularly change my password.

I have to provide a PIN fairly often though as I use different browsers, mobile devices, and computers. I always have my phone on me though.
 

wirednuts

Diamond Member
Jan 26, 2007
7,121
4
0
no. i get into gmail from a number of sources, most of which are not compatible with 2 step... meaning to get in you have to first get a virtual password or whatever... and even when you get that done you have to do it every 30 days. it ends up seeming like every time i want to login to anything google, i have to go through a 5min process.

f. that.

if someone hacks into my life, they will be stealing a mountain of debt. have at it idiots
 

edro

Lifer
Apr 5, 2002
24,328
68
91
I installed Chrome on my iPhone yesterday.
When I went to sync up my Chrome account, it asked for my Chrome password.
I created an application specific password and started to enter that.
As I was typing the password, it popped up a red message saying "Do not enter your Application Specific Password yet. Enter your standard account password first."
I thought that was pretty cool that they would check for that as you typed.

After I entered my standard password, it then asked for the application Specific one.
 

edro

Lifer
Apr 5, 2002
24,328
68
91
no. i get into gmail from a number of sources, most of which are not compatible with 2 step... meaning to get in you have to first get a virtual password or whatever... and even when you get that done you have to do it every 30 days. it ends up seeming like every time i want to login to anything google, i have to go through a 5min process.

f. that.

if someone hacks into my life, they will be stealing a mountain of debt. have at it idiots
It TXTs you the code, which is 6 numbers. I always have my phone nearby... so I simply look at my phone as Google asks for the code. The TXT msg appears almost instantly and I enter it into my browser.

I thought it would be a pain, but it is simple.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
14
81
I have it. The only hassle I have is accessing at work (which I don't do very often), because the work machines have a group policy setting to block cookies; as a result, you can't "trust" a work machine.

That, and the fact I don't get cell signal at work.
 

cronos

Diamond Member
Nov 7, 2001
9,380
26
101
I have had it for a while now. It was a hassle at first, but it's worth it for the peace of mind.
 

TheSpy007

Member
May 29, 2003
181
0
0
After my account was accessed by someone in the Philippines i had to enable 2factor auth. Not sure how they knew my password unless i fell prey to a clever phishing site.
 

wirednuts

Diamond Member
Jan 26, 2007
7,121
4
0
It TXTs you the code, which is 6 numbers. I always have my phone nearby... so I simply look at my phone as Google asks for the code. The TXT msg appears almost instantly and I enter it into my browser.

I thought it would be a pain, but it is simple.

didnt know that. hmmm..... maybe i should give it another shot. ive had a hotmail account hacked before, and i never was able to get back into it. microsoft "couldnt verify my identity".... whatever
 

Mark R

Diamond Member
Oct 9, 1999
8,513
14
81
unnecessary overkill

thats why

I was slow to take-up 2 factor.

It was after a number of friends had their accounts compromised (one of whom is an expert, and runs an IT consultancy firm - this was the guy who introduced me to things like passwordcard and a number of other security tricks) that I realised that account compromises are easier to pull off than most people think.

As I use my gmail for so much stuff in and out of work, it's simply too valuable to allow to be compromised.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
I use too many applications that aren't compatible with Google's 2-factor auth, and their application-specific passwords have practically no access restrictions and are substantially weaker than the password I use for my account.

I use Google Apps, so I set up 2-factor auth for the Google Apps administrator account, but for my actual account, I'll continue to use single-factor auth and change the password every few months.
 

wirednuts

Diamond Member
Jan 26, 2007
7,121
4
0
I use too many applications that aren't compatible with Google's 2-factor auth, and their application-specific passwords have practically no access restrictions and are substantially weaker than the password I use for my account.

i thought that was the point though. with 2 step, once that app specific password is enabled, you log into your account on whatever device you want with that password.

once you do that, google remembers what device you just logged into and remembers it. that way, anyone else trying to login with that password can not, even if they have the password right they wont be using the same device or the same ip address.
 

HeXen

Diamond Member
Dec 13, 2009
7,832
38
91
You fishing for potential targets

Not me, I have 2 step authentication on, plus I regularly change my password.

I have to provide a PIN fairly often though as I use different browsers, mobile devices, and computers. I always have my phone on me though.

i did that too, but a few months ago i had some repeated problems on all 3 of my accounts. Google would shut down the accounts and i'd have to reactivate. i used alpha numerics and changed it each time, after the 3rd time i think it was, i assumed someone might be hacking their servers and stealing pass's?
 

AkumaX

Lifer
Apr 20, 2000
12,642
3
81
does anyone feel the need to install an app on their phone that saves your passwords? seems kind of...
 

Mark R

Diamond Member
Oct 9, 1999
8,513
14
81
i thought that was the point though. with 2 step, once that app specific password is enabled, you log into your account on whatever device you want with that password.

once you do that, google remembers what device you just logged into and remembers it. that way, anyone else trying to login with that password can not, even if they have the password right they wont be using the same device or the same ip address.

No. The application specific passwords are essentially single-factor alternative passwords direct into your account. There are virtually no restrictions on what they can access. They aren't matched to IP, device or application. There is nothing stopping you generating a single app-specific password and using it on 20 devices.

They are potentially less secure than a good quality, long master password.

However, they do have some advantages: because they are moderately long and randomly generated, they are much better quality than most people's self-chosen passwords.

Additionally, individual app-specific passwords can be revoked on an individual basis. This way if you lose your smartphone, which has an app-specific password to your gmail, you can revoke the unique password used by your phone. This avoids the inconvenience of having to reconfigure your ipad, work PC, laptop, etc. with new passwords. You only need to revoke the potentially compromised password. This discourages the continued use of a known potentially compromised password, because of the need to change the configuration of multiple devices.
 

wirednuts

Diamond Member
Jan 26, 2007
7,121
4
0
No. The application specific passwords are essentially single-factor alternative passwords direct into your account. There are virtually no restrictions on what they can access. They aren't matched to IP, device or application. There is nothing stopping you generating a single app-specific password and using it on 20 devices.

They are potentially less secure than a good quality, long master password.

However, they do have some advantages: because they are moderately long and randomly generated, they are much better quality than most people's self-chosen passwords.

Additionally, individual app-specific passwords can be revoked on an individual basis. This way if you lose your smartphone, which has an app-specific password to your gmail, you can revoke the unique password used by your phone. This avoids the inconvenience of having to reconfigure your ipad, work PC, laptop, etc. with new passwords. You only need to revoke the potentially compromised password. This discourages the continued use of a known potentially compromised password, because of the need to change the configuration of multiple devices.

oh. so its nothing like i thought it was. well, in that case, screw 2 step.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
14
81
oh. so its nothing like i thought it was. well, in that case, screw 2 step.

Even though the app-specific passwords aren't as secure as they could be, they aren't bad. They are robust against dictionary attacks and offer about 72 bits of entropy, which is perfectly adequate for an account login.

Network speed and login-throttling will ensure that the password can't be brute-forced.

Super-complex passwords are only needed if you are protecting encrypted data (where the encryption can be brute forced in situ by high-performance hardware), or if you are reusing passwords and need to protect a password against an application provider having their database compromised and cracked (e.g. via rainbow tables, etc.)

Normally, you would only be using app-specific passwords on trusted personal devices (e.g. a home PC, or a personal smartphone/tablet). These should always be set up to communicate over an SSL connection, so are robust against eavesdropping (even on insecure wifi networks), and most software will select an SSL connection as default.

2 factor is still useful when you need to use untrusted devices or untrusted networks and also protects you against silly blunders (e.g. typing your password into the wrong box and/or allowing shoulder surfing). E.g. you're on vacation in some foreign country with flaky GPRS (never mind EDGE or 3G) connectivity and you're being bent-over by roaming data charges, but need to send some urgent emails and need to stop at a seedy internet cafe. There, 2-factor is ideal, as even if your master password is compromised, without additional authentication, it is useless.
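Added example (not part of any post in this thread, and not Google's code): a toy server-side model of the app-specific passwords discussed above, showing per-label revocation, the absence of any device/IP binding, and the entropy and throttled-guessing arithmetic. The `AppPasswordStore` class, the 16-lowercase-letter format, and the 100 guesses/second throttle are assumptions made for illustration.

```python
import hashlib, hmac, math, secrets, string

class AppPasswordStore:
    """Hypothetical store: one independent random password per label."""
    def __init__(self, length=16, alphabet=string.ascii_lowercase):
        self.length, self.alphabet = length, alphabet  # assumed format
        self._entries = {}  # label -> (salt, salted hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, label):
        password = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        salt = secrets.token_bytes(16)
        self._entries[label] = (salt, self._hash(password, salt))
        return password  # shown to the user once; only the hash is kept

    def verify(self, password):
        """Return the matching label or None. Takes no device, IP or app
        argument: the secret alone grants access, as described in the thread."""
        for label, (salt, digest) in self._entries.items():
            if hmac.compare_digest(digest, self._hash(password, salt)):
                return label
        return None

    def revoke(self, label):
        """Remove one credential; every other label keeps working."""
        return self._entries.pop(label, None) is not None

def entropy_bits(length, alphabet_size):
    return length * math.log2(alphabet_size)

def years_to_search_half(bits, guesses_per_second):
    """Expected years to cover half the keyspace at a throttled online rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)

def demo():
    store = AppPasswordStore()
    phone, laptop = store.issue("phone"), store.issue("laptop")
    before = (store.verify(phone), store.verify(laptop))
    store.revoke("phone")  # lost phone: revoke only its password
    after = (store.verify(phone), store.verify(laptop))
    return before, after

if __name__ == "__main__":
    print(demo())
    print(round(entropy_bits(16, 26), 1), "bits for the assumed format")
    print(f"{years_to_search_half(72, 100):.2e} years at 72 bits, 100 guesses/s")
```

The assumed 16-letter format works out to roughly 75 bits, the same order as the ~72 bits quoted in the thread; the throttling figure uses the thread's 72.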
 