I get what you are saying, but my point was more about the lack of crypto, or reversible crypto, than about stealing the account. I like what Owen is describing: they should present all account recovery options and let the user toggle on/off which ones they want to be usable. This way the user can make their own decisions and live with their own choices.
On Tue, May 26, 2015 at 12:06 PM, John Levine <jo...@iecc.com> wrote:
> In article <caknnfz_apy8khbxj0umgoq6ufcd640jtxe9a+2tqu-d761-...@mail.gmail.com> you write:
> >Haha, I cringe when I do a password recovery at a site and they either email
> >the current pw to me in plain text or, just as bad, reset it then email it in
> >plain text. It's really sad that stuff this bad is still so common.
>
> If they do a reset, what difference does it make whether they send the
> password in plain text or as a one-time link? Either way, if a bad
> guy can read the mail, he can steal the account.
>
> Given the enormous scale of Gmail, I think they do a reasonable job of
> account security. If you want to make your account secure with an
> external account or an external token (a physical one like a yubikey
> or a software one like the authenticator app), you can.
>
> Or if you consider your account to be low value, you can treat it that
> way, too.
>
> R's,
> John