1

Okay I thought people might find this one amusing, even if it did set me swearing a lot.
My lady has a Gmail account that I set up for her since she needed a new email address. It's running through Microsoft Outlook on her Windows 7 machine and mostly works fine.
However as I said elsewhere at the moment we're visiting my parents in Nottingham, so my lady starts up Outlook and bang! no mail, just a box asking for username and password whenever she hits send and receive.

Having a suspicion, I then go and log in to Google on my lady's computer with her email and password.
At first I think I have the wrong password because I get a screen saying "confirm it's you" and various verification methods.

I tried the text message method, no go, and finally had to go with the verification email. All of this just to sign in to Google.

When I finally! did, I then have a big banner saying "suspicious activity" and I have to verify that yes, it was indeed my lady's Outlook on her laptop at my parents that tried to log in to Google.
All of this just! to get email.

Security is one thing, but this level is absolutely insane! especially when it's using a legitimate email program, hell why Google consider any mail client but their own website to be suspicious I don't know.


I was considering getting a Gmail address myself for private correspondence, as my previous private address is no longer usable (due to btinternet being stupid), now however I'm revising that idea.

Really, in a world of multiple access from multiple devices is this level of security even logical? Yes I know, protection bla bla, but frankly this seems more monopoly than protection, ie, if you're not a user of Google's own products we're going to make your lives as hard as possible integrating with other programs, then again where have I heard that one before, *cough Apple *cough.

With our dreaming and singing, Ceaseless and sorrowless we! The glory about us clinging Of the glorious futures we see,
Our souls with high music ringing; O men! It must ever be
That we dwell in our dreaming and singing, A little apart from ye. (Arthur O'Shaughnessy 1873.)

Thumbs up

2

I doubt it has anything to do with the fact that she was using Outlook. What I'm assuming happened is that the first time she tried to log in, it asked for the same verification, but since Outlook doesn't know how to interpret that information, it probably just assumed it failed and had her try to log in again. Normally if you log in to your account from a new location, they'll ask for that if you're logging into a new device, although sometimes they'll ask for devices you've used too. So yes, it might be a little frustrating, but everyone does it.
I also do think that amount of security is important to have in today's world. Most people do not use secure passwords and need that basic protection.

Mammon slept. And the beast reborn spread over the earth and its numbers grew legion. And they proclaimed the times and sacrificed crops unto the fire, with the cunning of foxes. And they built a new world in their own image as promised by the sacred words, and spoke of the beast with their children. Mammon awoke, and lo! it was naught but a follower.
from The Book of Mozilla, 11:9

Thumbs up +1

3

I'm afraid I disagree. People these days use laptops, phones, devices on the go, and Google just needs to accept that this means altering locations rather than instantly deciding that no, the location has changed so it must be an insecure hack attempt so requires extra verification, heck you don't get this with other services, I don't need to re login to my Apple ID every time I use my iPhone somewhere else, and it wasn't as if Outlook hadn't already verified itself with the password, which is exactly the same verification even something like PayPal use.

With our dreaming and singing, Ceaseless and sorrowless we! The glory about us clinging Of the glorious futures we see,
Our souls with high music ringing; O men! It must ever be
That we dwell in our dreaming and singing, A little apart from ye. (Arthur O'Shaughnessy 1873.)

Thumbs up

4

It's just 2FA and believe me you want it. Any security is going to be at the cost of convenience, but especially if you're using it for business, and even if you're not, you do want this. Once you authorize it to the location or computer you shouldn't have to do it again until you change locations or computers. A lot of companies are implementing this and it's an important step towards keeping your account safe. It's not perfect mind, but if you've ever had your email hacked, you'll be glad you have the extra steps to keep it secure.

Friend me on Steam
and follow me on Twitter

Thumbs up +1

5

This is definitely an incredibly useful feature, one that many companies now implement. You will get a similar situation with Microsoft and Facebook. So I definitely have to disagree with this being a waste of time.

As for your comment that you usually wouldn't have to deal with it on a phone, or with other services where you're often changing locations, you aren't asked to reverify a Gmail account if you travel, and this is due to the fact there are 2 authorisation methods in use today.

The first, more modern which is in use by iOS, Android, the Gmail app or the modern Windows 10 "mail" application is by asking Google for authorisation tokens. You can recognise this method by the fact that after you tell your Email application you are signing into a Gmail account, it will open a Google log in page where after entering your Gmail address and password you will get a prompt saying "Application X wants to have access to the Email on this account" with an "allow" button. At that point, Google sends back what's called a token, a random string of characters, which will from then on be used every time by the application whenever it wants to do something. This is very secure, because the application never even sees what your password is, so if you get your phone or laptop stolen you can just go on the Google site and ask them to invalidate that token which will cut off access. And these tokens will remain valid until you delete them yourself either from the Google security settings or by logging out in the application. They are also not affected by your IP address changing. I have traveled quite a lot between different countries, and was never asked to sign in again on my phone, Mac or Windows 10 mail app which all use these tokens.

That long explanation out of the way we come to the second, older method of accessing Gmail, which is over the IMAP protocol. That's what you're going to be using if you use an app like Outlook Express, Thunderbird, Windows Mail or older versions of Outlook (Office 2016 may support the new token system, though I have never used Office Outlook for Email so don't quote me on this). You can recognise this by the fact that you just get 2 edit boxes for your user name and Password and are never directed to the Google page to sign in. So, in this case, every time the Email program wants to do anything, it has to send the username and Password to Google. This in turn is treated as a new Log in every time which is why it considered it suspicious activity.

One last thing, Google accounts are not used just for Email access. You can store your calendar or contacts there. You could possibly have payment information on file, or store sensitive information in the Google Keep notebook. And just like an Apple ID can be used to manage an iPhone, Android phones can be remotely locked with a security code or wiped from the Google account they are signed into. So having such a system in place means that even if some Russian hackers can figure out your password, they wouldn't be able to do anything.

The twins of Mammon quarrelled. Their warring plunged the world into a new darkness, and the beast abhorred the darkness. So it began to move swiftly, and grew more powerful, and went forth and multiplied. And the beasts brought fire and light to the darkness. - from The Book of Mozilla, 15:1

Thumbs up +4
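
The two sign-in styles post 5 describes, as an added example that is not part of the original thread: a password sent with every IMAP `LOGIN`, versus a bearer token presented with SASL XOAUTH2 (the mechanism Gmail documents for handing such a token to its mail servers) and revocable per device. `ToyProvider`, the device labels and all sample values are constructed for illustration and are not Google's API.

```python
import base64
import secrets


def imap_login_command(tag, user, password):
    """Password style: the account password goes over the wire every session."""
    def quote(s):  # IMAP quoted string: escape backslash and double quote
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{tag} LOGIN {quote(user)} {quote(password)}"


def xoauth2_command(tag, user, access_token):
    """Token style: SASL XOAUTH2 response carrying a bearer token, no password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return f"{tag} AUTHENTICATE XOAUTH2 {base64.b64encode(raw).decode()}"


def decode_xoauth2(command):
    """Split an AUTHENTICATE XOAUTH2 line back into its fields."""
    blob = command.split(" ", 3)[3]
    fields = base64.b64decode(blob).decode().split("\x01")
    return dict(f.split("=", 1) for f in fields if f)


class ToyProvider:
    """Constructed stand-in for a provider's token store, not a real API."""

    def __init__(self, password):
        self._password = password
        self._tokens = {}  # token -> device label

    def grant(self, password, device):
        # Password is checked once, on the provider's own sign-in page.
        if not secrets.compare_digest(password, self._password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = device
        return token

    def revoke_device(self, device):
        self._tokens = {t: d for t, d in self._tokens.items() if d != device}

    def accepts(self, token):
        return token in self._tokens


def demo():
    """Two devices get tokens; revoking the laptop leaves the phone working."""
    password = "constructed-sample-password"
    provider = ToyProvider(password)
    laptop = provider.grant(password, "laptop")
    phone = provider.grant(password, "phone")
    provider.revoke_device("laptop")  # e.g. the laptop was stolen
    return provider.accepts(laptop), provider.accepts(phone)


if __name__ == "__main__":
    print(imap_login_command("a1", "user@example.com", "constructed-sample-password"))
    print(xoauth2_command("a1", "user@example.com", "constructed-token"))
    print(demo())
```

With a shared password, cutting off the stolen laptop would mean changing the password on every device; with per-device tokens only the revoked one stops working.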

6

Well, this does generally happen with Outlook since it happened to me and my friend many times when we set up Outlook.
When I set my e-mail up on Mozilla Thunderbird, I didn't get any message like "suspicious activity on your Gmail account" or something like that. Neither did it send any similar message when I set it up on the mail app for iPhone. The only message I get from Google is, "New log in from x browser on Windows", or "new log in from iPhone".
Not sure if your wife has enabled any step verification method, but really I haven't experienced what you wrote above on post 1.
Facebook has actually introduced some very important security features; one I like is log in approvals and give permission to a device through a confirmation code from my phone number.

Thumbs up

7

The reason you most likely don't remember having to see that on Thunderbird is that, because Thunderbird allows you to do simple web browsing, the verification page opened up for you in Thunderbird itself. I know there's a way to disable that functionality but the actual option escapes me. Either way, when you first begin setting up the email address with TB you input your username and password along with any other information you think might be useful to change or edit, after which, a cute little HTML page launches where you are asked whether in fact you do want to let TB access your Google account. Most often the email address is already filled in for you and you just type in your password and read a bunch of bla bla bla about what your remote client will be able to get its sticky little binaries on should you verify it. Of course, if you continuously try to verify and are unsuccessful either because you didn't enter the password in correctly or tried too many times for some other reason you may or may not be locked out for some time while you attempt to resolve the issue. More than likely what happened is that, since Outlook was unable to launch the page she never got it and she tried to repeatedly sign in, sure that she had the correct information, which she more than likely did, and Google threw a fit about it.

I do not know what my future holds, but I do know who holds my future.

Thumbs up

8

Woohoo!  @pitermach proved I didn't do the matter justice with post 7!  This is what I get for not reading everything on a topic before posting.  lol Thumbs up, champ!

I do not know what my future holds, but I do know who holds my future.

Thumbs up

9

Hi.
I must say even though I am a bit naughty and don't use 2 step and neither does my dad mainly because we would need app bypass passwords and we have so many of those, too many.
Gmail is quite safe.
Once I got a message saying someone was trying to hack in.
His info was put out, I immediately emailed his provider with the info packet and they immediately said they had sorted it.
I have also had issues where I do get messages about me signing in with another device.
It states, if this is you then you can safely ignore it but you can look if you want.
Where it is a bit inflexible though.
My mum and dad were in another country for a holiday.
On her end there was an error with some email service, something that had issues.
I knew her password, I immediately went in to try to fix it.
Google's response was that I was trying to hack in, yes that could be construed as a reasonable warning.
I went down the page Google has locked your account.
Ok, fine, no problem I'd do the same thing.
That's when I started saying one really long f***************************ck!!!
As loud as I could.
Your account has been suspended, please change your password if you don't do this your account will be deleted or something like that.
No way for me to verify my access.
I had to ring my mum up in the middle of the night over Skype, and guide her through a password reset and verification.
Then my dad had to help her delete her email profile from her phone, and then reinstate it.
She lost all her saved mail.
I do wonder if you have legit reasons, i.e. using multiple devices in different places, if there is a way to have a dual access verification.
While the system is certainly secure, if you actually need to get into it where one device is over the other side of the world, there is no way to get into it at all.
Mum has at least 2 devices on the same address and so does my dad.
I do wonder that while over the other side of the world if for example he tries to access his mail with mobile phone and if I for example ever needed to access his mail client locally what would happen.
Essentially you can only run 1 instance of Gmail anywhere.
That's fine but what if someone you trust needs access.
I do agree that's highly unlikely but what if you ran something by mistake.
There is probably a way to get round this if you really need access but I have never looked.
There is probably a way to handle it somehow but it's not like I can call Google up in NZ, I don't even know if Google have any contact info for support, so god knows what I will do if the mail system ever went down at all.
It hasn't but that's the problem.
I had a similar issue with AVG at the time I was needing to legally convert Linux text files to DOS text files and named files with .txt.lnx or unx and then named them back.
AVG started going on about unknown viruses and killing files.
To get out of this I turned off the security including firewall, malware and virus protection to convert the files.
I didn't have very many but it meant I would have to shut down the net while I did that.
So no background tasks, no getting downloads for listening to after I was done.
It became a real damn chore.
If I ever found how to save Linux text files as DOS text files natively I would have done that instead.
The issues are that Linux files like most Unix files don't need any extension to run unless they are compressed archives, just the state of them would change as well as extra feed chars.
Of course back in those days early 2003 there wasn't Unicode as it is now.
I probably could get away with it now.

Thumbs up

10

hi,
This feature literally saved my mail from getting hacked once. Someone retrieved my mail password once. This person then tried to log in from Spain. However, Google locked them out and allowed me to change my password.

A learning experience is one of those things that say, "You know that thing you just did? Don't do that."

Thumbs up

11

I always like these techno-rants. I think they're good for the soul. smile

First things first. @Dark, if the service is free, you're the product. If you need quality email services, and you aren't hosting your own, you definitely ought to pay for them. No affiliation at all, I just know from first-hand experience that FastMail and Runbox both provide excellent services. Oh, and since you love Apple so very much, you should know that your iCloud storage can also be used for mail, if you set it up. This service is basic, but it's standards-compliant and ad-free.

As to the subject matter, I agree with Dark that this is overkill. It's the end-user's job to select a strong password. Google should only provide a log, and the option to use two-factor authentication. Instead, what they are now doing is forcing application developers to adopt OAuth, which is the method described by others above, using fear tactics and account defaults guaranteed to harm straightforward interoperability--that's above and beyond those already imposed by Google's broken IMAP services. If you want to argue that it's more secure, you go right ahead, but I've no patience for this kind of bullying. Even Apple don't do this: if two-factor is not on, you simply use your account password, and if it is on you will generate an app-specific password, perforce. Apple's token exchange is proprietary to Apple, and there's no technical benefit to using it over an app-specific password (which is what Google is calling "less secure").

So in summary: find another email provider. They're just better. smile

Just myself, as usual.

Thumbs up

12

She was traveling, so I don't see a problem with these precautions. The login attempt could have been her traveling, or somebody else who social engineered the password and logged in without permission. I'll take this over stolen personal information and someone impersonating me by email any day.

Proud to be the official hosting provider for http://www.vgstorm.com!

Thumbs up

13

Agree with posts 5 and 12. In ten years of using Gmail, I've never had this problem. Whenever I log into different locations, I get an email notifying me but telling me that if this really was me I can just ignore it. I'm guessing the repeated logins via Microsoft Outlook were the cause of the problem. But as Trajectory said, I'd rather extra security than stolen personal information any day... especially since I've never yet had to do the runaround and go through all the hoops to get any issues sorted.

regards,
assault_freak

Thumbs up

14

@Trajectory, so what you're saying is that users shouldn't be trusted to pick secure passwords, is it? If so, I respectfully disagree. The job of any service provider ought to be to help users to choose good passwords, to admonish them to keep them safe, and use two-factor methods of authentication where available with good, well-isolated app-specific passwords where needed. And, ideally, for users to begin seriously looking into the use of password managers, because that's inevitable anyway at the rate databases are being dumped. Google are simply strong-arming people, IMNSHO. You can tell, because if the authentication were any good, they wouldn't need to do it.

Just myself, as usual.

Thumbs up

15

My point was more about social engineering than whether or not your password meets sensible security requirements.
My passwords have upper and lower case letters, numbers and symbols and are quite lengthy. I would consider myself unlikely to fall for a social engineering attempt, but if I did, or if I got a keylogger on my machine, then the efficacy of my password becomes purely academic.
Services have to protect themselves as well from unnecessary financial disputes caused by unauthorized access to an account.
I would also hope that these protections would provide a last line of defense if heaven forbid someone found a bug in the site which allowed the password to be bypassed in some way (like a database injection).
Given the efficacy of scams in general I say bring it on.

Proud to be the official hosting provider for http://www.vgstorm.com!

Thumbs up

16

Social engineering, eh? Mmm, time people looked for the padlock and made sure the address in the address bar is what they expect. Yes, yes, asking the impossible, I know. But still the only viable solution, unless we'd all like to have an Internet run exactly like the iOS App Store.

If services like Google's are to be trusted with all this important data (and I'm damned if I understand why they should), then I think they need controls sufficient to let users decide what level of security is required, such as the second factor. What I take issue with fundamentally is the idea that users can't be trusted with security. It's exactly like all these fraud detection systems at banks, the only practical consequences of which are to lower the bar on security, cost the banks (and hence the taxpayer) in reparations, and piss off customers. Nobody wants risk or liability, I understand completely, but an authentication mechanism should stand alone on merit. Otherwise it's just snake oil that leads people to a false sense of security.

Just myself, as usual.

Thumbs up

17

Yep, asking the impossible, sadly. Even my generation didn't have internet safety in school (at least where I was).
But yes, don't click on unexpected links in emails and check the URL in the address bar should be as fundamental as "look both ways before you cross". But unfortunately, even if it were that way data theft doesn't end there (drive-by downloads on hacked websites and such).
I suspect that were fraud detection systems and the like eliminated, coverage and other protections would be as well. While I by no means trust big companies with sensitive data (but it's a necessary evil, to some extent) I appreciate the fact that I won't be held accountable for something done under my account by someone smart enough to defeat the security.

Proud to be the official hosting provider for http://www.vgstorm.com!

Thumbs up