As always, Kenneth, thank you for taking the time and having the patience to explain and re-explain and then re-explain some more. Good news--your words made more sense to me because I had the opportunity to do more experimenting prior to reading your post. Please see more below in *blue*.
*~Diane* On Wed, Jul 29, 2015 at 1:10 AM, Kenneth Ayers <[email protected]> wrote: > Diane, > > On Wed, Jul 29, 2015 at 12:08 AM, DEP/Dodo <[email protected]> wrote: > >> On Tue, Jul 28, 2015 at 10:10 PM, Kenneth Ayers <[email protected]> >> wrote: >> >>> > >> If you're taking a computer out of the house and that computer doesn't >>> require you to enter a password when logging into your Google account then >>> that's an issue. >>> *I have had no need to log into my Google account, yet have been able >>> to access Gmail, Chrome browser, Google to search, etc. * >>> If the computer is stolen, you have zero protection. Any computer you >>> take with you should be requiring a password to login. >>> *And mine does. Wait--are you still talking about a password for >>> the Google account or a password to get into your computer? * >>> >> > If you're accessing Gmail then you're logged into your Google account. > Think of it this way. From your laptop, do you have to type in any password > to enter your Gmail account or do you just click on something to enter it? > If you don't have to type in a password then neither would anyone else if > you lost that laptop or it was stolen. So for a computer that you're taking > with you out in public to someplace where it might get lost or stolen, make > sure that a password is required to enter Google/Gmail. If you have a > password on the computer itself than that's better still but I think it > safer to require a password on Google/Gmail too just in case someone gets a > hold of your computer after you've already logged into the computer with > the computer's password. > > *The computer I'd be taking out of the house has been trusted. * >>> >> > I don't think I understand what you mean anymore when you say your > computer "has been trusted." > *It has been explained to me and I believe I have read it: With regard > to 2-step, when I opt to not require a verif. code on a particular > computer, it is "trusted." I have also read the term "registered." My > opinion is it is "more trusted" (my terminology) when both the account > password and a verif code are required. * > > > To me I've meant by that phrase that I'm telling Google that I don't want > to have to enter a 2 step verification code anymore for that > computer/browser. > *Agreed. * > But that doesn't increase security for that computer, rather, if anything, > it reduces security for that computer. By not requiring verification codes > for that computer, I'm counting on my own ability to keep the computer out > of the hands of a thief or hacker and I'm willing to forego the protection > of 2 step verification just because I trust that I can protect it on my own > and I'd like to not have to take the extra tedious step of entering a > verification code. > > So if you would ever "trust a computer" (or decline having to enter > verification codes) that should be on a computer that you have securely at > home, not one that you take with you out in public. That seems to be the > opposite of what you say you're doing. > > > >> *Therefore, a password would be required for me or anyone to login to my >>> Google account.* *No verif. code would be required on that trusted >>> computer.* >>> * Can't recall to what I was referring. I do understand if I am >>> required to sign into my Google account, I will need my password. * >>> >> > Not having to enter a verification code does NOT mean that you are forced > to enter a password. > *I think we agree a person is forced to enter only a password to sign > into a Google account if signed out. That is a general requirement with or > without 2-step. * > Not having to enter a verification code only means that, if your account > login requires a password, then you won't also have to provide the code. > > *This, to me, means if 2-step has been enabled but I opt to not require > codes to sign into Google on a particular computer. * > > But if you have your password saved via cookies such as the "stay signed > in" option then you won't have to enter a password in the first place. If > you're not having to enter a password because it appears that you're always > logged in for some reason, then the verification code is irrelevant. > *Understood and agreed as dissected above. If I'm mistaken, please > advise!* > > > >> *Both before and after enabling 2-step, I was required to provide my >>> password to sign into the account. I rarely had a need to do this. And, >>> then and now, I can turn on the computer and go right into Gmail w/o being >>> required to sign into my account. I * >>> *essentially * >>> *have repeated what I wrote above (#1 item). * >>> *Any and all repetition on my part is an effort to be clear. * >>> >> > There's the risk. You can go right into Gmail without having to enter a > password. If you can do it from that computer then so can anyone else who > gets a hold of your computer. > *Of course.* > > Whether you believe it or not, you're not having to enter a password > indicates that you're already logged into your Google/Gmail account. > *I do believe that and now understand how to not remain signed into my > account.* > I understand that going to the account settings requires you to > "re-enter" your password. It does that for all of us. This is just an > extra security step to make sure that whoever is about to enter that area > of Google from which passwords can be changed really does know the > password. So maybe the thief who takes your laptop from you won't be able > to access that part of Google where your password can be changed but he > doesn't need to change it anyway if no password is required to get into > your Gmail. If you don't want your emails and email contacts exposed to > anyone who steals or finds your laptop, you need to logout of Google/Gmail > and disable the stay signed in option when you next enter the password. > And not requiring verification codes does not force you to enter a > password. You've already proved that as you've trusted your computer but > are still able to get into Gmail without entering a password. > > > >> >> >>> *In repetitious summary: If the trusted computer is stolen, the thief >>> would have to know my password to get into my Google account. * >>> >> > You mean the thief would have to enter your password to enter that > security settings area of Google. Everyone has to re-enter a password to > get in there even when they're already logged in. It's just an extra > security step but the thief doesn't necessarily care to go there anyway. > > *That's what I'm saying--so the thief, or anyone, would have to know my > password in order to enter it. Aren't we saying the same thing?* > > > >> *However, he/she would have no problem going directly into Gmail as I >>> apparently am always signed in. * >>> >> > Exactly. You need to disable whatever is keeping you always signed in. > This is your greatest risk unless you keep your computer locked up at home > and don't take it out in public. > *As stated above, I now see how to sign out of my account to require > signing in at the next visit. Because I had always remained signed in, not > paying attention to the "sign out" option, I did not "connect the dots."* > > >> * In experimenting, I have signed out of the account, tried to open >>> Gmail, had to sign in,* >>> >> > So if you logout of Google then Gmail requires a password to sign back > in. That's good. That also proves, by the way, that you have to be logged > into Google to get into Gmail. Your Gmail account is your Google account. > > > > >> * and then I remain signed into the account. * >>> >> * The next time I open Gmail, no problem. * >>> >> > You mean no password required, I think, but that's the problem. Somewhere > on the page where you had to enter a password, there must have been some > option in small print possibly that said something about staying signed in > or keep me signed in. If you see that, disable or uncheck that option. > > > >> *Please see next paragraph.* >>> >> >> >>> Only have the "stay signed-in" option enabled for a computer that you >>> feel is secure, i.e, one that stays inside a locked house. >>> *I don't know how to enable "stay signed in." As I said, it's like >>> a default setting.* >>> >>> >> > You need to find it and disable it. > > *Done.* > > > -- > Regards, > > Kenneth > -- You received this message because you are subscribed to the Google Groups "Gmail-Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/gmail-users. For more options, visit https://groups.google.com/d/optout.
