
Question about Gmail security

Posted by Big Scrub TX
Member since Dec 2013
33315 posts
Posted on 7/28/15 at 12:09 pm
Has there ever been a known case of a person's entire Gmail account being "leaked"? I don't mean metadata... I mean literally someone hacking Google itself and stealing an account, or Google giving it to somebody?

Can Google (or anyone else) do this without knowing your password?
Posted by austintigerdad
Llano County, TX
Member since Nov 2010
1884 posts
Posted on 7/28/15 at 12:26 pm to
quote:

stealing an account or Google

This has been discussed here before, but it's crazy not to enable free Google 2-Step Verification on your Gmail account.

This eliminates nearly all potential to hijack the account, and you'll never know the 2-Step Verification is there unless you change one of your devices.

As Google says on that page, "It's easier than you think for someone to steal your password."

ETA: I've heard of many cases of criminals harvesting web mail passwords (for example, from Yahoo!), but it's vastly more difficult to hijack multifactor authentication.
This post was edited on 7/28/15 at 12:30 pm
Posted by Jcorye1
Tom Brady = GoAT
Member since Dec 2007
71329 posts
Posted on 7/28/15 at 12:26 pm to
quote:

Has there ever been a known case of a person's entire Gmail account being "leaked"? I don't mean meta data...I mean literally someone hacking Google itself and stealing an account or Google giving it to somebody?

I'd be surprised if that never happened.

quote:

Can Google (or anyone else) do this without knowing your password?

Google knows your password; gotta rip that band-aid off now, you'll thank me later. Every update means there's a chance of an error (thank you, Steam!), but very low.

Posted by Korkstand
Member since Nov 2003
28703 posts
Posted on 7/28/15 at 12:33 pm to
quote:

Has there ever been a known case of a person's entire Gmail account being "leaked"? I don't mean meta data...I mean literally someone hacking Google itself and stealing an account or Google giving it to somebody?
If you count password guessing as "hacking", then yeah I'm sure it's happened lots of times. As for an actual security breach, I haven't heard of any, but of course it's possible.
quote:

Can Google (or anyone else) do this without knowing your password?
Yes, some Google employees have access to your email, but there is a process in place to minimize the access and keep it secure. Obviously, you still have to trust that everyone is doing their job properly. Of course you also give their systems access to the content of your email in order to serve you ads based on them.


Email has never been secure. If you are concerned about certain private data, you should encrypt the message.
Posted by Korkstand
Member since Nov 2003
28703 posts
Posted on 7/28/15 at 12:35 pm to
quote:

Google knows your password
Not exactly. They store a hashed version of your password. But they don't need your password to access your stuff.
Posted by austintigerdad
Llano County, TX
Member since Nov 2010
1884 posts
Posted on 7/28/15 at 12:40 pm to
quote:

Google knows your password
I'd be shocked if Gmail stores anyone's password.

I suspect that Google stores your salted password hash that allows them to verify the password without ever saving it.

ETA: darn, beat me to it...
This post was edited on 7/28/15 at 12:41 pm
Posted by Big Scrub TX
Member since Dec 2013
33315 posts
Posted on 7/28/15 at 12:49 pm to
quote:

This has been discussed here before, but it's crazy not to enable free Google 2-Step Verification on your Gmail account.


Yeah, I've been doing that for like 4 years. My question, I guess, is more about internal Google.
Posted by Big Scrub TX
Member since Dec 2013
33315 posts
Posted on 7/28/15 at 12:51 pm to
quote:

I suspect that Google stores your salted password hash that allows them to verify the password without ever saving it.

So in plain English... is that identical to them having your password? Do they even need your password to access your account? What would have to happen for the sort of breach that would leak a significant % of all the contents of a Gmail account?

I guess I'm talking less about one person getting stuff and more of just a data dump on the internet.
Posted by Korkstand
Member since Nov 2003
28703 posts
Posted on 7/28/15 at 1:02 pm to
quote:

So in plain English...is that identical to them having your password?
No. Storing a hash of a password is not enough to be able to log in to an account normally. You need the actual password, which Google doesn't have.
quote:

Do they even need your password to access your account?
No, they don't. As far as I know, they store all your emails in plain form (like almost all other email systems). Email is not secure. Anyone with the necessary access to the machine it is stored on can read the emails.
quote:

What would have to happen for the sort of breach that would leak a significant % of all the contents of a Gmail account?
Aside from guessing a password in cases where 2-factor is not used, then either someone internal at Google could dump data, or a hacker could gain access and dump data. But I would imagine that there are layers upon layers of security protecting that data from the outside world.
Posted by austintigerdad
Llano County, TX
Member since Nov 2010
1884 posts
Posted on 7/28/15 at 1:05 pm to
quote:

So in plain English...is that identical to them having your password?
I'd expect that the Google admin logins that can access private user data have multi-factor authentication, and there's a logging and reporting mechanism to tell management "who saw what, when."

So while email is never safe, an employee who compromises this sort of data is likely to get caught.

Posted by gmrkr5
NC
Member since Jul 2009
14886 posts
Posted on 7/28/15 at 1:20 pm to
Posted by Big Scrub TX
Member since Dec 2013
33315 posts
Posted on 7/28/15 at 1:27 pm to
quote:

No, they don't. As far as I know, they store all your emails in plain form (like almost all other email systems). Email is not secure. Anyone with the necessary access to the machine it is stored on can read the emails.

It's just crazy to me that this (seemingly) has never happened. For most people I know, Gmail is effectively a blotter of their entire lives.
Posted by Korkstand
Member since Nov 2003
28703 posts
Posted on 7/28/15 at 1:28 pm to
And I guess I will explain password hashing (and salting) a little bit more.

Have you ever downloaded a large file, and were provided with an MD5 sum? It just looks like a long string of nonsense characters. Anyway, MD5 is just one of many hash algorithms, and what they do is take an input file (or password) and produce an output that looks like gibberish. If you put in the exact same file, it will produce the exact same gibberish every time. If you change one single bit of a large input file, the resulting gibberish will be totally different, so you can't tell how close it is to being right. You only know that it is wrong. This is a quick way to tell if your downloaded file is corrupted.

In the case of passwords, a different algorithm might be used, but the principle is the same. You store the gibberish, but as long as the correct password is put into the algorithm, the resulting gibberish can be compared to the stored gibberish for verification. There is no reverse algorithm. There is no way to produce the actual password given only the gibberish. This is the absolute minimum security that any website or service should have. If you are using a site that emails your password to you in plaintext, they are NOT hashing passwords and you should NOT use that password ever again for anything.

Now, if someone manages to get a database dump that has millions of hashed passwords in it, an attacker can try to crack as many passwords as possible via various methods. Usually they will start with what's called a rainbow table, which is just a giant list of pre-hashed common passwords. All they have to do is search the database dump for matching hashes, and they know which password produces those hashes. This is very fast and very effective, and they can probably crack a very large percentage of the passwords in very little time. If you have a million hashed passwords, you can probably figure out 100k of them in an afternoon.

To protect against this type of attack, passwords should be salted and hashed. Salting a password is just adding a little bit of gibberish to the actual password before you hash it. The salt used will be stored right there in the database, but the salt will be different for each user's password. This makes the rainbow table attack essentially useless, because practically zero of the password+salt combinations will be pre-hashed. It basically makes it so that one would need a rainbow table so large that it is essentially unable to be stored and used. So the attacker would have to fall back to a brute-force method of cracking passwords, which, thanks to each password having a unique salt, would take basically forever for each password.

Hope this helps.
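The hashing and salting properties described in the post above, shown as an added example (not code from the thread or from Google) using only Python's standard library: a checksum that changes completely when one byte of the file changes, an unsalted table where two users with the same password get the same stored value, and a salted, slow (PBKDF2) scheme where they do not and where verification recomputes the hash instead of reversing it.

```python
# Added example illustrating the thread's hashing/salting explanation.
# Assumes nothing about Google's real storage; PBKDF2-HMAC-SHA256 is used
# here as a representative slow, salted password hash.
import hashlib
import hmac
import os
from typing import Optional

def file_checksum(data: bytes) -> str:
    """The 'MD5 sum' case: same input -> same digest, one changed byte -> unrelated digest."""
    return hashlib.md5(data).hexdigest()

def unsalted_hash(password: str) -> str:
    """What a salt-less password table looks like: identical passwords -> identical hashes,
    which is exactly what a precomputed (rainbow) table exploits."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> dict:
    """Store a random per-user salt plus the salted, iterated hash; the password itself is never kept."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user/record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare; no reverse algorithm needed or possible."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])  # constant-time compare

def same_password_same_hash(password: str, salted: bool) -> bool:
    """Do two users choosing the same password end up with the same stored value?"""
    if salted:
        return hash_password(password)["hash"] == hash_password(password)["hash"]
    return unsalted_hash(password) == unsalted_hash(password)

if __name__ == "__main__":
    print("checksum(original):", file_checksum(b"big download file"))
    print("checksum(1 byte off):", file_checksum(b"big download filf"))
    print("unsalted collision:", same_password_same_hash("password123", salted=False))
    print("salted collision:  ", same_password_same_hash("password123", salted=True))
    rec = hash_password("correct horse battery")
    print("stored record:", rec)
    print("verify right:", verify_password("correct horse battery", rec))
    print("verify wrong:", verify_password("correct horse batterx", rec))
```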
Posted by Korkstand
Member since Nov 2003
28703 posts
Posted on 7/28/15 at 1:46 pm to
quote:

It's just crazy to me that this (seemingly) has never happened.
Well, there are a lot of ways to minimize the chances of someone stealing data, even internally. I said that "anyone with the necessary access", which would probably mean admin or "root" privileges. Very, very few people would have such access, and those who do likely have every action logged to a location that they do NOT have access to. It is also likely that Google employees only access this data after official government request, and there is probably a process in place involving multiple parties to prevent access to the data otherwise.

quote:

For most people I know, gmail is effectively a blotter of their entire lives.
It is for me, too. I have 2-factor authentication turned on to prevent "hackers" from accessing my email, but I just have to trust Google with keeping it private. I'm more than sure that Google would disclose a data breach very quickly, and I would immediately begin taking steps to secure all of my accounts and hope that I get it done before anyone gets around to trying to use any of it.
Posted by ATL-TIGER-732
ATL
Member since Jun 2013
2291 posts
Posted on 7/28/15 at 1:48 pm to
EMAIL UNSAFE

Logjam, Part 1: Why the Internet is Broken Again (an Explainer)

Using the internet is like living with kids. Nothing is sacred and nothing is private!