I get what you are saying but my point was more about lack of crypto or reversible crypto than stealing the account. I like what Owen is describing, they should present all account recovery options and let the user toggle on/off which ones they want to be usable this way the user can make their own decisions and live with their own choices. On Tue, May 26, 2015 at 12:06 PM, John Levine <johnl@iecc.com> wrote:
In article < CAKnNFz_apy8KHBXj0umGoq6UfCD640Jtxe9A+2TqU-d761-eug@mail.gmail.com> you write:
Haha I cringe when I do a password recovery at a site and they either email the current pw to me in plain text or just as bad reset it then email it in plain text. Its really sad that stuff this bad is still so common.
If they do a reset, what difference does it make whether they send the password in plain text or as a one-time link? Either way, if a bad guy can read the mail, he can steal the account.
Given the enormous scale of Gmail, I think they do a reasonable job of account security. If you want to make your account secure with an external account or an external token (a physical one like a yubikey or a software one like the authenticator app), you can.
Or if you consider your account to be low value, you can treat it that way, too.
R's, John