Tech – for Everyone

Tech Tips and Tricks & Advice – written in plain English.

Gmail vulnerable to password cracking

Best Prevention — A Muscular* Password

Vicente Aguilera Diaz posted a warning on Insecure.org that there currently is a weakness in Google’s extremely popular (free) Gmail that allows hackers to use automated scripts to guess passwords.

An existing abuse of functionality in the “Check for mail using POP3” capability permits automated attacks on the passwords of Gmail users’ accounts, evading the security measures adopted by Google. The abuse of this functionality permits an attacker to make thousands of authentication requests per day against one user account, so if the user is using a weak password it is only a matter of time before it is guessed and the attacker has access to the mail account.

The solution, on the user’s side, is an un-guessable password.
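Why a dictionary word falls quickly and a made-up passphrase does not can be shown without touching any mail server. The following is an added example, not code from the original post or from the advisory; the wordlist and mangling rules are a tiny constructed stand-in for the multi-million-entry lists real guessing scripts use, and the attempts-per-day budget is a parameter rather than a statement about Google’s actual limits:

```python
"""Why "not in a dictionary" is the whole game.

Added example, not code from the original post or the advisory.  The
wordlist and mangling rules are a tiny constructed stand-in for the
multi-million-entry lists real guessing scripts use; the attempts-per-day
budget is a parameter, not a statement about Google's actual limits.
"""

# Constructed wordlist (real ones run to millions of entries).
WORDLIST = ["password", "secret", "letmein", "gmail",
            "qwerty", "123456", "monkey", "dragon"]

# The usual letter-for-digit substitutions ("leetspeak").
LEET = str.maketrans("aeios", "43105")

# Suffixes tried after every base form: nothing, 0-99, and a few favourites.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "1!", "123", "2009"]


def mangle(word):
    """Yield the variants a guessing script tries for one base word, in a
    fixed order: case changes, leetspeak, then each with a suffix."""
    forms = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    for base in dict.fromkeys(forms):      # de-duplicate, keep order
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(wordlist=WORDLIST):
    """Every guess in the order it would be tried, without repeats."""
    seen = set()
    for word in wordlist:
        for guess in mangle(word):
            if guess not in seen:
                seen.add(guess)
                yield guess


def attempts_to_guess(password, wordlist=WORDLIST):
    """1-based position of `password` in the guess order, or None when the
    list plus mangling never produces it."""
    for n, guess in enumerate(candidates(wordlist), start=1):
        if guess == password:
            return n
    return None


def days_to_guess(password, attempts_per_day=100, wordlist=WORDLIST):
    """Days an attacker limited to `attempts_per_day` per account needs
    (rounded up), or None if the password is outside the candidate space."""
    n = attempts_to_guess(password, wordlist)
    if n is None:
        return None
    return -(-n // attempts_per_day)       # ceiling division


if __name__ == "__main__":
    for pw in ["password", "Password1", "secret", "1st0pSnooPerz!FERshur!"]:
        print(f"{pw!r}: {days_to_guess(pw)} day(s) at 100 guesses/day")
```

`days_to_guess` returns None for anything the list cannot produce at all, which is the property the post is asking for: a password that sits outside the attacker’s candidate space, not merely far down the list. Adding a digit or a capital to a dictionary word only moves it a few positions along.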

Gmail is Google’s free webmail service, and arguably it is the best such service out there. It comes with built-in Google search technology and over 7,300 megabytes of storage (and growing every day). You can keep all your important messages, files and pictures forever, use search to quickly and easily find anything you’re looking for, and make sense of it all with a new way of viewing messages as part of conversations. It is excellent at filtering spam.

Tip of the day: Please read A Word About Words — Passwords, That Is. It is a short article that describes what makes a good, strong password; why that’s important; and as a bonus, provides a link to a top-rated “password manager” tool.

Today’s free link: I learned of this recent alert on Windows Secrets.com

* strong

Copyright 2007-9 © Tech Paul. All rights reserved.


August 6, 2009 - Posted by | advice, computers, cyber crime, e-mail, Google, Internet, passwords, security, tech

8 Comments

  1. Another Solution would be to disable POP access for your Gmail account. Although you would still have the weak password problem.


    Comment by jgoto | August 6, 2009 | Reply

    • Jgoto,
      Doing so would preclude you from using an e-mail client (Outlook, Thunderbird). And understanding (and using) a good password policy is a much more important “lesson” to be learned here.

      Most of these attacks are automated, meaning they will run a dictionary (list) at you. If they fail because your password is “1st0pSnooPerz!FERshur!” (not in a dictionary), they will move to the next, where the odds are pretty good the owner will have password of “password” (in the dictionary).


      Comment by techpaul | August 6, 2009 | Reply

  2. True, but that’s not the problem the report illustrates. The Proof of Concept attack is using a built-in Gmail feature to break into other Gmail accounts (the feature is called Mail Fetcher and it imports email from another account using the POP protocol). You could just as easily use the same feature to break into any other POP account, but other servers would probably block the IP much sooner than 100 attempts, and it’s kind of funny having someone attack Gmail with Gmail. Not trying to excuse bad passwords. If you are using 12345, asdfdsa, secret or psswrd you should certainly change it. Still, if you don’t use POP, why leave it open?


    Comment by jgoto | August 6, 2009 | Reply

    • Jgoto,
      I agree with all your points.

      And I think Google’s policy of 100 needs to be significantly lowered. Just MHO.


      Comment by techpaul | August 6, 2009 | Reply
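The per-account budget being argued over in the comments above is something a mail server operator can enforce and alert on from the server’s own authentication log. The following is an added example, not code from the original post or from Google; the log line format, account names, addresses and thresholds are constructed for illustration. The design point is counting failures per account inside a sliding window: the mail-fetcher abuse lets one attacker arrive from many source addresses, so a per-IP lockout never trips, and a short window alone misses guessing that is paced slowly through the day.

```python
"""Flagging the one-account, many-sources POP3 guessing pattern.

Added example, not code from the original post or from Google.  LINE_RE,
the account names, addresses and thresholds are constructed; adapt the
regex to whatever your POP3/IMAP server actually logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed log-line format (hypothetical, not any real server's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3 AUTH (?P<result>ok|fail)\s+"
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, account, succeeded, source_ip), or None for
    lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], TS_FMT), m["user"],
            m["result"] == "ok", m["src"])


def find_guessing(log_text, max_failures, window_seconds):
    """Flag accounts whose failed logins inside any sliding window of
    `window_seconds` exceed `max_failures`.  Failures are counted per
    *account*, not per source IP: the mail-fetcher abuse lets one
    attacker arrive from many addresses, so a per-IP lockout never trips.
    Log lines must be in time order.
    Returns {account: (failures_in_window, distinct_sources_seen)}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)     # account -> timestamps of recent failures
    sources = defaultdict(set)      # account -> every source that failed
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ok, src = parsed
        if ok:
            continue
        q = recent[user]
        q.append(ts)
        sources[user].add(src)
        while ts - q[0] > window:   # q always holds ts itself, so never empties
            q.popleft()
        if len(q) > max_failures:
            flagged[user] = (len(q), len(sources[user]))
    return flagged


def constructed_attack_log(account, attempts, spacing_seconds,
                           start="2009-08-06T00:00:00Z"):
    """Build constructed sample data (not a capture): `attempts` failed
    logins against one account, `spacing_seconds` apart, each from a
    different address, with a little legitimate traffic mixed in."""
    t0 = datetime.strptime(start, TS_FMT)
    lines = []
    for i in range(attempts):
        stamp = (t0 + timedelta(seconds=i * spacing_seconds)).strftime(TS_FMT)
        lines.append(f"{stamp} pop3 AUTH fail user={account} "
                     f"src=203.0.113.{i % 250 + 1}")
        if i % 40 == 0:             # an unrelated successful login
            lines.append(f"{stamp} pop3 AUTH ok   user=alice@example.com "
                         f"src=198.51.100.7")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Burst: 30 guesses 10 s apart.  A 10-minute window with a budget of
    # 5 catches it.
    burst = constructed_attack_log("victim@example.com", 30, 10)
    print(find_guessing(burst, max_failures=5, window_seconds=600))

    # Slow grind: 120 guesses 12 min apart, the advisory's attack paced to
    # stay under a short-window rule.  The same 10-minute rule never sees
    # two failures together; a 100-per-day budget still trips.
    slow = constructed_attack_log("victim@example.com", 120, 720)
    print(find_guessing(slow, max_failures=5, window_seconds=600))
    print(find_guessing(slow, max_failures=100, window_seconds=86400))
```

Run both a short window (to catch bursts) and a daily budget (to catch the slow grind) over the same log; either one alone leaves a gap, and whichever daily number you settle on, the flagged tuple’s distinct-source count is the tell that separates a guessing campaign from a user who mistyped their password a few times from one machine.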

  3. Hello. Thank you for this great info! Keep up the good job!


    Comment by johnny | August 7, 2009 | Reply

  4. Glad I came back to this site some new very interesting items which I wanted to know more about. Great work on your site.


    Comment by hard drive | August 7, 2009 | Reply

  5. Good to see that people still know what they are talking about. So much BS around these days!


    Comment by GoogleGuy | August 7, 2009 | Reply

  6. thank you! I really liked this post!


    Comment by machoman | August 9, 2009 | Reply

