This reminds me of my bank, where the password can only be 12 characters long and only alphanumeric, but they compensate with "security questions", a "Web PIN" and SMS auth, where I would be perfectly content (and save time) sec-wise if they would just let me use my normal >24-character password scheme, and maybe the PIN on unfamiliar computers.
Oh, and their mobile app? Only requires my 4-digit debit PIN and no username. I'd be much more worried about losing my phone that's pre-authed than someone scanning my brain and discovering the password.

On May 12, 2012 7:59 AM, "Michael J. Gray" <[email protected]> wrote:
> Effective since May 1, 2012.
>
> Products Affected: All Google-account-based services
>
> Upon attempting to log in to my Google account while away from home, I was
> presented with a message that required me to confirm various details about
> my account in order to ensure I was a legitimate user and not just someone
> who came across my username and password. Unable to remember what my phone
> number from 2004 was, I looked for a way around it.
>
> The questions presented to me were:
>
> Complete the email address: a******[email protected]
>
> Complete the phone number: (425) 4**-***7
>
> Since this was presented to me, I was certain I had my username and
> password correct.
>
> From there, I simply went to check my email via IMAP at the new location.
>
> I was immediately granted access to my email inboxes with no trouble.
>
> From there, I attempted to log in to my Google account with the same
> username and password.
>
> To my surprise, I was not presented with any questions to confirm my
> identity.
>
> This completes the steps required to bypass this account hijacking
> counter-measure.
>
> This just goes to show that even the largest corporations that employ
> teams of security experts can also overlook very simple issues.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
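The quoted report describes a risk-based login challenge that is only enforced on one channel (the web login) while a second channel (IMAP) accepts the same username and password unchallenged, after which the web login also stops asking. The toy policy engine below is an added example, not code from the post, from Google or from anyone's bank; it models that inconsistency and the corrected rule (challenge on every channel from an unfamiliar location, and only a passed challenge, never a plain password login, can make a location familiar). The account name, password and location strings are constructed placeholders.

```python
"""Toy model of a risk-based login challenge applied across channels.

Added example (not the post's or any vendor's code). It models the policy gap
the quoted report describes: the web login challenges an unfamiliar location,
the IMAP login with the same credentials does not, and the unchallenged IMAP
login then marks the location as familiar for the web login too.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str
    trusted_locations: set = field(default_factory=set)


@dataclass
class LoginResult:
    granted: bool
    challenge_required: bool
    channel: str


class WeakPolicy:
    """Challenge only on the web channel; any successful login trusts the location."""

    CHALLENGED_CHANNELS = {"web"}

    def login(self, acct, username, password, location, channel, challenge_passed=False):
        if username != acct.username or password != acct.password:
            return LoginResult(False, False, channel)
        unfamiliar = location not in acct.trusted_locations
        if channel in self.CHALLENGED_CHANNELS and unfamiliar and not challenge_passed:
            return LoginResult(False, True, channel)
        # Defect: the location becomes trusted even though no challenge ran
        # on this channel, so the next web login from here is not challenged.
        acct.trusted_locations.add(location)
        return LoginResult(True, False, channel)


class ConsistentPolicy:
    """Challenge on every channel from an unfamiliar location.

    Only a passed challenge can make a location familiar. A channel that cannot
    render a challenge (IMAP) is denied rather than silently exempted.
    """

    def login(self, acct, username, password, location, channel, challenge_passed=False):
        if username != acct.username or password != acct.password:
            return LoginResult(False, False, channel)
        if location not in acct.trusted_locations:
            if not challenge_passed:
                return LoginResult(False, True, channel)
            acct.trusted_locations.add(location)
        return LoginResult(True, False, channel)


def run_sequence(policy):
    """Replay the sequence from the report with constructed data: web login from
    a new location, then IMAP with the same credentials, then web again.
    Returns the three LoginResults so the policies can be compared."""
    acct = Account("alice", "correct-horse", {"home"})  # constructed placeholder
    away = "away"
    web_first = policy.login(acct, "alice", "correct-horse", away, "web")
    imap = policy.login(acct, "alice", "correct-horse", away, "imap")
    web_second = policy.login(acct, "alice", "correct-horse", away, "web")
    return web_first, imap, web_second


if __name__ == "__main__":
    for name, policy in (("weak", WeakPolicy()), ("consistent", ConsistentPolicy())):
        for r in run_sequence(policy):
            print(f"{name:10s} {r.channel:5s} granted={r.granted} challenge={r.challenge_required}")
```

Under `WeakPolicy` the IMAP login succeeds from the unfamiliar location and the second web login is no longer challenged, which is exactly the sequence in the report; under `ConsistentPolicy` all three attempts are refused pending a challenge, and IMAP only works from that location after the challenge has been completed on a channel that can present it (or via a separate per-application credential, which is the usual answer for protocols that cannot show an interactive prompt). The point for a defender is that a step-up control is only as strong as its least-covered channel, and that "familiar location" state must be written only by the control itself.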
