Pros & cons_oAuth vs "secure password"_ATT email

Discussion in 'other security issues & news' started by phkhgh, Sep 28, 2019.

  1. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    170
    What are some respected internet security experts opinion on oAuth's security or privacy, right now - not what it may be in the future? Do its current downsides outweigh advertised benefits? ATT touts that oAuth encrypts UN / PWs. Isn't that what TLS does? I don't think Thunderbird sends login data in clear text.

    My main questions are about oAuth - security, privacy. I've read a good bit on it.
    Like all things internet, it's had its security problems.

    I'm not sure if oAuth increases real world security over a (longer) random char PW in Tbird.
    If Tbird solves the oAuth issues w/ yahoo / ATT, I don't know whether to use oAuth or a good random PW.

    AT&T is changing requirement for email CLIENTS (only) to use oAuth.
    Or, if you don't use an oAuth compatible client, AT&T generates a 16 char "secure mail key," which will replace (my current 24 char) server PW.
    Not sure how reducing PW length increases security.
    Fortunately, I don't use ATT email for anything important or private.

    I use Tbird 68.1 - Linux. My understanding is Tbird is oAuth compatible, but NOT w/ yahoo / ATT (yahoo provides ATT's email service).
    I forgot the finger-pointing reasons given why Tbird won't work.
    There's a Yahoo / oAuth selection in Tbird for type connection, but I've read there are problems on ATT / Yahoo & it's not listed as a compatible client.

    Apparently, new or replacement keys can only be generated by ATT, You copy to clipboard or write down.
    I'm not thrilled about them issuing my PW or reducing the length. Special chars have never been allowed.
    Probably issuing PWs to stop use of easy dictionary word PWs.

    If I've overlooked important points, please let me know.
    Thanks.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,688
    Location:
    U.S.A.
    Interesting posting.

    One of my e-mail accounts is AT&T/Yahoo e-mail since AT&T is my ISP provider. I also use T-Bird as my e-mail client. I also was forced into using the new "secure e-mail key" bit which now is what T-Bird is using.

    Now I also have another e-mail account setup for AOL e-mail. T-Bird set that up automatically as oAuth2 using IMAPS. T-Bird set-up the AT&T e-mail account as POPS. What I have found out is the AT&T e-mail does support IMAPS. What I am wondering is if there is an IMAPS element here? Perhaps it is IMAPS that is the only method that works w/o issue with oAUTH? I haven't yet tried to set up the AT&T e-mail account in T-Bird using the IMAPS servers. Note that T-Bird does not offer the oAUTH option for the AT&T POPS servers.

    To add to the confusion is this posting by Microsoft: https://answers.microsoft.com/en-us...ail-apps/22539248-4455-4f8a-9385-11cde2e3f4b3 and others like it on the web stating that Thunderbird is not oAuth compatible. This is garbage-speak since as I posted above, I am using oAuth2 for my AOL e-mail server connection in Thunderbird. My take is that it is AT&T servers that are the problem in that it appears however T-Bird is connecting is not supported by them.

    -EDIT- OK. This pretty much describes the current situation: https://support.mozilla.org/en-US/questions/1269328 . That is "finger pointing" between Mozilla, Yahoo, and AT&T.
     
    Last edited: Sep 29, 2019
  3. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    170
    @ itman - Did you ever hear or see if users will ever be able to choose their own 16 char PW, or will it always be generated by AT&T? Even in the future, if it needs resetting, or you just want to change it for security reasons?

    My take is that it is AT&T servers that are the problem in that it appears however T-Bird is connecting is not supported by them.

    I read something about Mozilla & possibly the security certificate used by Yahoo (who provides the service) or maybe ATT. At least, I think that was the reason given.

    So that's a little strange. As I said,
    1, does anyone have thoughts / concerns about using oAuth (v2). Having another player in the mix?

    2. What does oAuth (really) do; how much user info do they really get & hasn't oAuth (v1 & 2) had serious security holes, making it no more secure in the long term than SSL transmitting login data?

    - I'm not sure about POP & oAuth. In my Tbird, after setting up the 1st page of adding an acct, then go "manual" configuration. Further along, there's an "Advanced" setup button.
    When I set up a fake Tbird acct & selected POP, it did show oAuth2 as an authentication method FOR SMTP, if I chose SSL as security method first. But apparently doesn't offer it for POP - incoming.

    From itman's link, a user commented,
    "at least the AT&T gang has now gone to all alpha from all numeric in their keys."
    [please - a 16 char anything isn't "a key." It's just a PW.]
    I'm not sure what they meant unless under this NEW oAuth / 16 char policy, starting out, they only generated ALL NUMERIC PWs?? That would be really stupid (which Yahoo has proven themselves to be).

    Same person mentioned their PW manager showed it a weak PW. I doubt -A- person could hack into an acct w/ a 16 char PW (all alpha or all numeric). They won't be allowed that many attempts. But if Yahoo's user DB is stolen (AGAIN) & some or all isn't securely encrypted (again), it won't matter how many chars are used.

    That said, given Yahoo's dismal security record as an email provider, I'm not sure about them continuing to hold some of my personal data w/ an all alpha or numeric PW.

    I don't know how much private data Yahoo has on AT&T ISP customers, to authorize AT&T customers in setting up accts or give email support.
    It's unknown what data Yahoo gets from AT&T, other than our IPa.

    I could read the privacy policy(ies) again, but a lot of policies from big businesses aren't worth the paper they're written on (or digital bits they use). I could call one / both CS depts, but consulting a Magic 8 ball would be as reliable. Ask me how I know.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,688
    Location:
    U.S.A.
    Appears it has to be generated by AT&T.
     
  5. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    170
    For those interested in Thunderbird not being "oAuth compatible" - specifically with AT&T / Yahoo email, I found out a few things.
    Here's a decent explanation of what Open Authorization (oAuth) is supposed to do, in layman's terms - and some other links.
    https://www.varonis.com/blog/what-is-oauth/

    1. The AT&T's instructions I saw, on where the "create a secure mail key" (a misnomer) generating tool was located in your MyAT&T profile, were a bit off. I've found that incorrect instructions on where to find things are fairly common for AT&T & other large companies.

    2. As of Oct 10, 2019, their secure key generator used ONLY lower case letters (16) to generate a "secure key."
    The bit strength of a PW using that character set is far less than what AT&T email users would have if they use the former 24 char limit, upper & lower alpha, plus numerals, plus the minus sign & underscore characters. So if users don't use an oAuth-2 compatible email client & don't want to change clients, AT&T is forcing security conscious users to drastically lower their PW strength.

    However, AT&T says the secure key (or using oAuth) only applies to email clients. Why? I never saw a reason given.
    IN FACT, make sure to backup / save all other PWs used on any AT&T logins, beside PWs used for an email client.

    For now, AT&T allows keeping the same 24 max char, alpha / numeric PWs for either web mail or areas of AT&T.
    Why they chose to use only lower case letters is unknown.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.