How secure do you feel GMail is?

Discussion in 'privacy problems' started by Carbonyl, Aug 6, 2010.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Hi everyone. Not sure if this is the right place for this, but I've been curious about something, and wanted to see what everyone's opinion of the matter was.

    Lately I've been somewhat concerned about GMail's security. I admit that I'm pretty much a layperson when it comes to web security, particularly on the server end, but I've been seeing more and more accounts compromised from people I know. It seems that every week someone is dealing with being "locked out" of their account, either because of IP activity outside of their normal country of operation, or just out and out password failure (presumably due to a malicious password change).

    The thing that makes me worry about all this is that some of these folks are my friends, and run fairly decent security software. I also trust their intelligence enough to know they're unlikely to be phished. For example, one friend of mine only navigates to GMail from a bookmark, so unless his HOST file got poisoned, I doubt it was phishing. Of course, he also runs MSE, scans regularly with MBAM, and browses the web in a Linux Virtual Machine.

    Checking on the GMail google group only seems to reinforce this: A LOT of people are regularly losing their accounts.

    I guess that's all a long-winded way of asking this: Do you think that GMail is secure in terms of credentials/login information? Or do you think that GMail itself has some server-side flaw that keeps getting exploited, making it inherently unsafe? Are all these folks just getting hit with keyloggers, or getting phished? Or is something else happening here?

    Sorry for the probably clueless-sounding question. I'm just shocked at the magnitude of compromised GMail accounts I'm seeing these days, and curious about what everyone has to say. I'd be willing to suspect that "the problem exists between keyboard and chair", but it's starting to hit a little too close to home for me to be fully comfortable with that assumption.

    Edit: I see that my topic was moved to the privacy subforum. I just wanted to clarify - My question is NOT about the ability of third parties to intercept unencrypted GMail mails, nor is it about Google's ability to retain and read all messages on their servers. Again, I'm concerned about account credential compromises - Not email privacy.
     
    Last edited: Aug 6, 2010
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    https://www.wilderssecurity.com/showthread.php?p=1724939#post1724939. That should tell you if GMail is safe. Yes, I understand you're asking about compromises, but between that thread, the ads that are inside your inbox with topics related to the contents of your email, and Google's reliance on old, insecure software on their side, would you consider it secure?
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I use gmail (and Yahoo! Mail) without any problem. Only thing is that I sign in, read or compose mail, and sign out immediately. I do not store my password in the browser.
     
  4. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    No unencrypted e-mail connection is 'secure'. Especially not from Google, whose main mission anymore seems to put data collection at the forefront.

    There are steps you can take-- don't use .html, use the 'https' connection vs. 'http', for example.

    But you should always assume, with g-mail or any other client, that any communications without direct encryption being shared between the two parties are not private.
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Oh no ... I love Gmail. Now I have something else to worry about. LOL! :doubt:
     
  6. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Can you give some more details?

    Does gmail lock you out if someone tries (unsuccessfully) to log in as you a number of times? I.e., if there is an attack on your account?


    I'm sure gmail has many flaws. Up until recently, there was a flaw in its cookie system, such that even if the user used SSL, the cookie could be hijacked and an adversary could log in as the user.
     
  7. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    dw426 and ABee - Those are certainly facts to think about. Again, I'm mostly concerned about credentials being stolen somehow. After cruising through the GMail groups, and seeing some OS X / Linux folks complaining about lost accounts, I have to consider that you're both quite correct.

    wearetheborg - Sorry for being scant on the details. From what I can gather of accounts related to me, people are actually being actively denied access to their accounts by a couple of problems. Either (1) their passwords are being rejected as invalid, presumably because the accounts have been compromised and the passwords have been changed by a malicious party, or (2) attempting to log into GMail greets the user with a "Suspicious Activity Detected" screen. From what I've been able to research, the "Suspicious Activity Detected" warning is actually legitimate - If GMail detects activity outside of your normal IP range, it will lock you out of your account unless you can verify your identity with an SMS text message. Of course, not everyone has a cell phone (oops).

    The problem, in either case, seems to be that intrusion into the account occurs by an outside party - whether or not credentials are changed, obviously this requires theft of the login details.

    The question I'm wondering about is whether this is due to the fault of the user (malware/phishing/weak password) or if the compromise is somewhere serverside (GMail compromise). Usually I'm inclined to think it would be an issue on the user's end, but given the security practices of some of the folks I know who have experienced this, I'm wondering what's really going on.
     
  8. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Yes, they will lock you out of your account and if you keep reading those boards it won't take you long to realize that it does not have as much to do with your security as it does with Google keeping your digital dossier in order. You, and as much as possible about you, in one tidy dossier, has rapidly become part of the central mission of Google.

    Oh, and if you didn't sign-up for that opportunity for an "alternative email address" and/or cell-phone verification? Forget about all those security questions you thought would get your account back.
     
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I have used several IP addresses and have never had a problem. All Xerobank exit nodes and more recently Tor just to see if geolocation showed up. But I like Gmail too. However, Zoho looks pretty similar. I may switch.
     
  10. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    As far as logging in, secure as most. I use POP3 access 99% of the time anyway and HTTPS when I use the web interface. I think most accounts that are compromised are because of weak, easily guessable passwords.
     
    Last edited: Aug 8, 2010
  11. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Same here.
    No password storage.
    Just sign In & Out.
     
  12. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Hmmm...thanks. This is of concern as I travel quite often.

    Good thing I don't use gmail as my primary email :D
     
  13. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    I understand now what you are concerned about. But what you describe could happen with any other email account (especially free ones). Google Mail is not something special when it comes to this.

    As for security, Google is considered secure, especially since recently they made the access to it all encrypted. In my country all institutions and authorities started to accept only GMail from the free ones to be used with official documents and communication. No other free mail is accepted.
     
  14. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Secure enough for my standards and uses :rolleyes:
     
  15. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    I've used it for years, no issues.

    If you're gonna be paranoid online, best thing to do is shut the PC off and walk away, because as soon as you log on, there's always someone who knows what you're doing, etc...
     
  16. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Paranoid? How about well-informed instead of living in passive complacency.
     
  17. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    question:..gmail password accepts only letters and numbers for passwords,length?..
     
  18. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    I take risks in my own hobby that are much higher and have more important things to worry about. If you do not, then more power to you.
     
  19. Judge Dee

    Judge Dee Guest

    acuariano,
    Gmail does accept other characters.
    As far as length, I don't know the exact limit, but mine is 19 characters.

    Regards,
     
  20. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Boost, That's a little harsh. In fact, it's almost insulting. It has nothing to do with having (or not having) more important things to worry about. We all have our areas of interest/families/work/hobbies, etc. Remember what sub-forum you're posting in? What do you expect? We care about privacy. That shouldn't be a surprise here in a forum called, "Privacy-Related Topics." So really, I should say to you what you said to me. If you don't care - more power to you; but most of us here do care.

    Have a good weekend. :)
     
  21. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Concur, I am using some in my password.
     
  22. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    thanks... I'll change some numbers and characters and extend the length.
     
  23. Metastasio

    Metastasio Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    28
    With a sufficiently strong password, I feel GMail is secure. Private is a whole other matter, of course.

    As a rule, try to make your passwords >=128 bits in length. That is ~22 chars. consisting of uppercase, lowercase, and numbers. Something like:

    JtFnnqb7TVLxA97sbCDkfb

    Double-clicking on the string lets you copy and paste it easily, whereas non-standard, high-ASCII chars. like $, #, and @ mean you have to use the mouse to manually select the whole string.
     
    Last edited: Aug 8, 2010
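
Added example (not part of the original thread): a short Python sketch of the sizing rule in the post above, computing how many uniformly random characters a given alphabet needs to reach a target bit strength and generating such a password from the OS CSPRNG. The function names `min_length`, `entropy_bits` and `generate` are illustrative choices made for this example.

```python
import math
import secrets
import string

# 62-symbol alphabet (uppercase, lowercase, digits), as described in the post.
ALNUM = string.ascii_letters + string.digits


def min_length(target_bits: int, alphabet_size: int) -> int:
    """Smallest n such that alphabet_size**n >= 2**target_bits.

    Uses exact integer arithmetic, so there is no floating-point rounding
    at the boundary.
    """
    if target_bits < 1 or alphabet_size < 2:
        raise ValueError("need target_bits >= 1 and alphabet_size >= 2")
    n = 1
    while alphabet_size ** n < (1 << target_bits):
        n += 1
    return n


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly at random.

    This figure only holds for machine-generated strings; a human-chosen
    password of the same length carries far less entropy.
    """
    return length * math.log2(alphabet_size)


def generate(target_bits: int = 128, alphabet: str = ALNUM) -> str:
    """Generate a password with at least `target_bits` of entropy."""
    symbols = sorted(set(alphabet))  # duplicates would bias the draw
    n = min_length(target_bits, len(symbols))
    # secrets.choice draws from the operating system's CSPRNG.
    return "".join(secrets.choice(symbols) for _ in range(n))


if __name__ == "__main__":
    for name, size in [("digits", 10), ("lowercase", 26),
                       ("alphanumeric", 62), ("printable ASCII", 94)]:
        n = min_length(128, size)
        print(f"{name:16} {size:3} symbols -> {n} chars "
              f"({entropy_bits(n, size):.1f} bits)")
    print("sample:", generate())
```
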
  24. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    So I guess you use a password managing program?
     
  25. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Nothing much better than this freebie - http://lastpass.com/
     