I don't know much about the verification mentioned here, but Google/Gmail has a 2-step verification, which solves the problem a little bit better imo.

When you try to log in from a new computer you will be prompted for a code which is sent via SMS to your phone. And that is the only place where you can log in with your Google user+pass; every other application requires an application-specific password, which can only be generated after you successfully log in to the web interface (with an exception: I remember that trying to add my Google account to my Android phone triggered an application-specific password to be sent via SMS).

So if the 2-step verification is turned on, you won't compromise your account instantly; the attacker has to have access either to your phone, or a device which is already on your trusted device list.

http://support.google.com/a/bin/answer.py?hl=en&answer=175197

On Tue, May 15, 2012 at 9:32 PM, Thor (Hammer of God) <[email protected]> wrote:
> Logging on to IMAP mail as one would be doing hundreds of times per day
> is not going to reset the web cookie. If that is what the OP is reporting,
> I would have to question if his recollection is correct since, by that
> logic, the password reset feature would never be activated since any other
> IMAP logon would clear it.
>
> If the user logged in, and was presented with the questions as stated,
> then it probably cleared any requirement since he would have to accept
> that. Unless he is saying that when presented with the questions he
> purposefully did not put them in and tried to logon to IMAP which I find
> odd.
>
> Regardless, if you already know the username and password for the email,
> it doesn’t matter anyway now does it? You could always get the mail via
> IMAP or POP or whatever options were configured in gmail. There wouldn’t
> be any need to go to the web interface in the first place.
>
> Now that I know I’m not missing anything, I’ll just let this one die on
> the vine.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
