Gmail vulnerable to password cracking
Best Prevention — A Muscular* Password
Vicente Aguilera Diaz posted a warning on Insecure.org that there currently is a weakness in Google’s extremely popular (free) Gmail that allows hackers to use automated scripts to guess passwords.
“An existing abuse of functionality in the ‘Check for mail using POP3’ capability permits automated attacks on the password data of the accounts of Gmail users, evading the security measures adopted by Google. The abuse of this functionality permits an attacker to do thousands of authentication requests during a day over one user account, so if the user is using a weak password, it is a matter of time to guess it and have access to the mail account.”
The solution is to use an un-guess-able password.
Gmail is Google’s free webmail service, and arguably it is the best such service out there. It comes with built-in Google search technology and over 7,300 megabytes of storage (and growing every day). You can keep all your important messages, files and pictures forever, use search to quickly and easily find anything you’re looking for, and make sense of it all with a new way of viewing messages as part of conversations. It is excellent at filtering spam.
Tip of the day: Please read A Word About Words — Passwords, That Is. It is a short article that describes what makes a good, strong password; why that’s important; and as a bonus, provides a link to a top-rated “password manager” tool.
Today’s free link: I learned of this recent alert on Windows Secrets.com
* strong
Copyright 2007-9 © Tech Paul. All rights reserved.
Another solution would be to disable POP access for your Gmail account. Although you would still have the weak password problem.
Jgoto,
Doing so would preclude you from using an e-mail client (Outlook, Thunderbird). And understanding (and using) a good password policy is a much more important “lesson” to be learned here.
Most of these attacks are automated, meaning they will run a dictionary (list) at you. If they fail because your password is “1st0pSnooPerz!FERshur!” (not in a dictionary), they will move to the next, where the odds are pretty good the owner will have a password of “password” (in the dictionary).
True, but that’s not the problem the report illustrates. The proof-of-concept attack is using a built-in Gmail feature to break into other Gmail accounts (the feature is called Mail Fetcher and it imports email from another account using the POP protocol). You could just as easily use the same feature to break into any other POP account, but other servers would probably block the IP much sooner than 100 attempts, and it’s kind of funny having someone attack Gmail with Gmail. Not trying to excuse bad passwords. If you are using 12345, asdfdsa, secret or psswrd you should certainly change it. Still, if you don’t use POP, why leave it open?
Jgoto,
I agree with all your points.
And I think Google’s policy of 100 needs to be significantly lowered. Just MHO.
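A defender-side illustration of the point made in this thread: because the guesses arrive through Gmail's own Mail Fetcher rather than from the attacker's address, a failed-login budget has to be counted against the target account, not the source IP. This Python example is added here and is not code from the advisory, Google, or the blog; the 100-attempt limit, the one-day window, and the wordlist are constructed from figures and passwords mentioned on this page.

```python
"""Per-account failed-login throttle for a POP3-style login endpoint (constructed example)."""
from collections import deque

DAY = 24 * 60 * 60


class AccountThrottle:
    """Sliding-window count of failed logins, keyed by the account being attacked."""

    def __init__(self, max_failures=100, window=DAY):
        self.max_failures = max_failures  # 100 mirrors the limit the comment thread cites
        self.window = window
        self._failures = {}               # account -> deque of failure timestamps

    def _prune(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:   # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, account, now):
        return len(self._prune(account, now)) < self.max_failures

    def record_failure(self, account, now):
        self._prune(account, now).append(now)


def simulate_guessing(throttle, account, secret, guesses, start=0.0, spacing=1.0):
    """Feed a guess list through the throttle, one guess per `spacing` seconds.

    Returns (cracked, accepted, refused): whether the secret was reached, how many
    attempts the throttle let through, and how many it refused.
    """
    cracked, accepted, refused = False, 0, 0
    for i, guess in enumerate(guesses):
        now = start + i * spacing
        if not throttle.allowed(account, now):
            refused += 1
            continue
        accepted += 1
        if guess == secret:
            cracked = True
            break
        throttle.record_failure(account, now)
    return cracked, accepted, refused


# Constructed wordlist: the weak passwords named in the thread. "password" is in it;
# the blog's example "1st0pSnooPerz!FERshur!" is not.
WORDLIST = ["123456", "12345", "qwerty", "letmein", "secret", "psswrd", "asdfdsa", "password"]
```

Lowering `max_failures` (the commenter's suggestion) changes only how many guesses get through in a day; a password that is in the list is still found if the budget is larger than its position, which is why the blog treats the strong password as the primary fix.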
Hello. Thank you for this great info! Keep up the good job!
Glad I came back to this site some new very interesting items which I wanted to know more about. Great work on your site.
Good to see that people still know what they are talking about. So much BS around these days!
thank you! I really liked this post!