Pros & cons_oAuth vs "secure password"_ATT email

Discussion in 'other security issues & news' started by phkhgh, Sep 28, 2019.

  1. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    186
What are some respected internet security experts' opinions on oAuth's security or privacy, right now - not what it may be in the future? Do its current downsides outweigh advertised benefits? ATT touts that oAuth encrypts UN / PWs. Isn't that what TLS does? I don't think Thunderbird sends login data in clear text.

    My main questions are about oAuth - security, privacy. I've read a good bit on it.
    Like all things internet, it's had its security problems.

    I'm not sure if oAuth increases real world security over a (longer) random char PW in Tbird.
    If Tbird solves the oAuth issues w/ yahoo / ATT, I don't know whether to use oAuth or a good random PW.

    AT&T is changing requirement for email CLIENTS (only) to use oAuth.
    Or, if you don't use an oAuth compatible client, AT&T generates a 16 char "secure mail key," which will replace (my current 24 char) server PW.
    Not sure how reducing PW length increases security.
    Fortunately, I don't use ATT email for anything important or private.

    I use Tbird 68.1 - Linux. My understanding is Tbird is oAuth compatible, but NOT w/ yahoo / ATT (yahoo provides ATT's email service).
    I forgot the finger-pointing reasons given why Tbird won't work.
    There's a Yahoo / oAuth selection in Tbird for type connection, but I've read there are problems on ATT / Yahoo & it's not listed as a compatible client.

Apparently, new or replacement keys can only be generated by ATT. You copy to clipboard or write down.
    I'm not thrilled about them issuing my PW or reducing the length. Special chars have never been allowed.
    Probably issuing PWs to stop use of easy dictionary word PWs.

    If I've overlooked important points, please let me know.
    Thanks.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Interesting posting.

    One of my e-mail accounts is AT&T/Yahoo e-mail since AT&T is my ISP provider. I also use T-Bird as my e-mail client. I also was forced into using the new "secure e-mail key" bit which now is what T-Bird is using.

    Now I also have another e-mail account setup for AOL e-mail. T-Bird set that up automatically as oAuth2 using IMAPS. T-Bird set-up the AT&T e-mail account as POPS. What I have found out is the AT&T e-mail does support IMAPS. What I am wondering is if there is an IMAPS element here? Perhaps it is IMAPS that is the only method that works w/o issue with oAUTH? I haven't yet tried to set up the AT&T e-mail account in T-Bird using the IMAPS servers. Note that T-Bird does not offer the oAUTH option for the AT&T POPS servers.

    To add to the confusion is this posting by Microsoft: https://answers.microsoft.com/en-us...ail-apps/22539248-4455-4f8a-9385-11cde2e3f4b3 and others like it on the web stating that Thunderbird is not oAuth compatible. This is garbage-speak since as I posted above, I am using oAuth2 for my AOL e-mail server connection in Thunderbird. My take is that it is AT&T servers that are the problem in that it appears however T-Bird is connecting is not supported by them.

    -EDIT- OK. This pretty much describes the current situation: https://support.mozilla.org/en-US/questions/1269328 . That is "finger pointing" between Mozilla, Yahoo, and AT&T.
     
    Last edited: Sep 29, 2019
  3. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    186
@itman - Did you ever hear or see if users will ever be able to choose their own 16 char PW, or will it always be generated by AT&T? Even in the future, if it needs resetting, or you just want to change it for security reasons?

    My take is that it is AT&T servers that are the problem in that it appears however T-Bird is connecting is not supported by them.

    I read something about Mozilla & possibly the security certificate used by Yahoo (who provides the service) or maybe ATT. At least, I think that was the reason given.

    So that's a little strange. As I said,
1. Does anyone have thoughts / concerns about using oAuth (v2)? Having another player in the mix?

    2. What does oAuth (really) do; how much user info do they really get & hasn't oAuth (v1 & 2) had serious security holes, making it no more secure in the long term than SSL transmitting login data?

    - I'm not sure about POP & oAuth. In my Tbird, after setting up the 1st page of adding an acct, then go "manual" configuration. Further along, there's an "Advanced" setup button.
    When I set up a fake Tbird acct & selected POP, it did show oAuth2 as an authentication method FOR SMTP, if I chose SSL as security method first. But apparently doesn't offer it for POP - incoming.

    From itman's link, a user commented,
    "at least the AT&T gang has now gone to all alpha from all numeric in their keys."
    [please - a 16 char anything isn't "a key." It's just a PW.]
    I'm not sure what they meant unless under this NEW oAuth / 16 char policy, starting out, they only generated ALL NUMERIC PWs?? That would be really stupid (which Yahoo has proven themselves to be).

    Same person mentioned their PW manager showed it a weak PW. I doubt -A- person could hack into an acct w/ a 16 char PW (all alpha or all numeric). They won't be allowed that many attempts. But if Yahoo's user DB is stolen (AGAIN) & some or all isn't securely encrypted (again), it won't matter how many chars are used.

    That said, given Yahoo's dismal security record as an email provider, I'm not sure about them continuing to hold some of my personal data w/ an all alpha or numeric PW.

    I don't know how much private data Yahoo has on AT&T ISP customers, to authorize AT&T customers in setting up accts or give email support.
    It's unknown what data Yahoo gets from AT&T, other than our IPa.

    I could read the privacy policy(ies) again, but a lot of policies from big businesses aren't worth the paper they're written on (or digital bits they use). I could call one / both CS depts, but consulting a Magic 8 ball would be as reliable. Ask me how I know.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Appears it has to be generated by AT&T.
     
  5. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    186
    For those interested in Thunderbird not being "oAuth compatible" - specifically with AT&T / Yahoo email, I found out a few things.
    Here's a decent explanation of what Open Authorization (oAuth) is supposed to do, in layman's terms - and some other links.
    https://www.varonis.com/blog/what-is-oauth/

    1. The AT&T's instructions I saw, on where the "create a secure mail key" (a misnomer) generating tool was located in your MyAT&T profile, were a bit off. I've found that incorrect instructions on where to find things are fairly common for AT&T & other large companies.

    2. As of Oct 10, 2019, their secure key generator used ONLY lower case letters (16) to generate a "secure key."
    The bit strength of a PW using that character set is far less than what AT&T email users would have if they use the former 24 char limit, upper & lower alpha, plus numerals, plus the minus sign & underscore characters. So if users don't use an oAuth-2 compatible email client & don't want to change clients, AT&T is forcing security conscious users to drastically lower their PW strength.

    However, AT&T says the secure key (or using oAuth) only applies to email clients. Why? I never saw a reason given.
    IN FACT, make sure to backup / save all other PWs used on any AT&T logins, beside PWs used for an email client.

    For now, AT&T allows keeping the same 24 max char, alpha / numeric PWs for either web mail or areas of AT&T.
    Why they chose to use only lower case letters is unknown.
     
  6. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    186
    Slight correction - I just finished creating "secure mail key" on AT&T.
It appears they do use upper / lower case letters & digits 0 - 9 (or at least did around Sept 28, 2019).
    But a few days ago, I created more keys for other accts. This time it only generated lower case alpha for the 16 char keys.

    I only generated a couple more (replacing the 1st ones that day), but still all lower case alpha.
    That's OK, as long as their policy sometimes uses upper case alpha & numeric. I'll change them again but it's crazy to drop their former max length from 24 to 16 chars & call it a "secure key."

    I doubt I'll be using oAuth for much of anything. Concerning how oAuth really works, the devil's in the details.

    If Google or any provider near the same ball park as Google wants to access anything on my computer - too bad (unless Mr. Johnson is laying on my computer). Here's a quote from that link.
Correct me if I'm wrong, but if one website (or one web giant - Google / MS / several others) confirms that you're the same person on both websites (& when), isn't that the precise definition of tracking?
    Maybe the few things I've read are totally wrong, but the masses don't seem too concerned about oAuth providers accessing ANYTHING on their computers.

    It seems to me that if people let Site A access their account on Site B & post something into their acct, those people need to do some reading.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
I'm not sure that I'd call it tracking. It's just telling one site that it's OK to post stuff as you on another site. In what might be a secure way. Or at least, lots more secure than sharing your password.

    It's like authorized tracking, I guess.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    It is not that crazy. Many people use really weak passwords such as qwerty or name and append one number at the end. Even if people use strong password they tend to reuse it on many sites. Generating unique, random 16-digit passwords increases strength of password for most people tremendously.
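To put numbers on the "bit strength" argument in post 5 (16 lowercase letters vs. the former 24-char alphanumeric-plus-dash-underscore policy) and the "random 16 beats a reused weak password" argument in post 8, here is an added example that is not from the thread or from AT&T. It assumes the provider draws every character uniformly at random; the alphabets are taken from what the posters observed, not from any published AT&T specification, and the guess rates are illustrative constants.

```python
import math
import secrets
import string

# Alphabets as described by posters in the thread (assumption: uniform,
# independent choice of each character; AT&T's actual generator is unknown).
LOWER_ONLY = string.ascii_lowercase            # 26 symbols: observed "secure mail key"
ALNUM = string.ascii_letters + string.digits   # 62 symbols: upper/lower/digits
OLD_POLICY = ALNUM + "-_"                      # 64 symbols: former 24-char policy

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(alphabet: str, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def expected_guesses(bits: float) -> float:
    """Average guesses to hit a uniformly random secret: half the keyspace."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years at a given guess rate (offline hash cracking vs. rate-limited online)."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def generate(alphabet: str, length: int) -> str:
    """How a provider should mint such a key: CSPRNG, uniform over the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(offline_rate: float = 1e10, online_rate: float = 10.0) -> dict:
    """Bits and crack-time estimates for the three policies discussed in the thread.
    Rates are constructed examples: a fast unsalted hash on a GPU vs. a throttled login."""
    policies = [
        ("16 lowercase", LOWER_ONLY, 16),
        ("16 alphanumeric", ALNUM, 16),
        ("24 chars, old policy", OLD_POLICY, 24),
    ]
    result = {}
    for name, alphabet, length in policies:
        bits = entropy_bits(alphabet, length)
        result[name] = {
            "bits": round(bits, 1),
            "offline_years": years_to_crack(bits, offline_rate),
            "online_years": years_to_crack(bits, online_rate),
        }
    return result


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:22s} {row['bits']:6.1f} bits  offline ~{row['offline_years']:.2e} y")
```

Even the weakest observed policy (about 75 bits) is far outside online guessing at any realistic rate, which is why the decisive factor in the thread is whether the provider's stored credentials leak, not the 16-vs-24 length alone.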
     