Does someone really have my new password already?
October 15, 2018 5:50 AM

About a month ago, I got a critical security alert from google saying that someone had tried to log in to my gmail account with my password. I changed the password immediately to a unique password that I have never used anywhere else. In the last week, however, I have gotten three more critical security alerts saying that someone is trying to log in with my password, presumably meaning the new one.

Like I said, the new password is completely unique and I'm pretty sure it's relatively strong. It includes numbers and letters and is not based on any dictionary words, so I'm pretty sure it can't have been brute forced very easily.

The good news is that this is my secondary email account rather than my primary one. It's the account that I use almost solely for signing up for internet services and such, with the intent of keeping my primary account safe from spam and security risks. In the past, I admit that I have had some bad password hygiene and I'm pretty sure that I unthinkingly signed up for a couple of services using that email address and chose as my password for the service the same password that secured the email account itself, so the first critical security alert honestly wasn't much of a surprise.

But, since changing my password, I have only logged into the account from a single computer which runs Ubuntu and has all the most up-to-date security patches. So, I'm really unsure how my new password could have been compromised. Is there any chance that there is somehow a keylogger or something on my system? How would I go about finding out? What other possible vectors are there for my password to have been compromised? Or is there a chance that google is just wrong?

Oh, and it did occur to me that the security alerts might not actually be originating from google despite coming from a google.com address and looking very authentic. But, if it's a phishing attack, I don't see how it would work. The emails do not contain a single link.

I've changed my password again this morning, but the whole thing is pretty worrying.
posted by 256 to Computers & Internet (31 answers total) 4 users marked this as a favorite
 
Open gmail and look for the "account activity / details" link at the bottom. It will show you all recent login attempts on the account. Does it look legit?
posted by JoeZydeco at 5:56 AM on October 15, 2018 [3 favorites]


This happened to me last month. My partner had started using a long-dormant iPad, and it immediately tried to log-in to Google, Facebook, etc. Checking that account activity section that JoeZydeco mentioned helped me figure out what was going on.
posted by papayaninja at 5:57 AM on October 15, 2018 [1 favorite]


Response by poster: The account activity details shows blocked log in attempts from China and Brazil, so that pretty much confirms that the emails are legit.

Also, the alerts specifically say that they tried to log in "with my password" so I'm assuming they mean the new one. I know Google stores old passwords. Is there any chance that the email is just poorly worded and it is still my old password they are using?
posted by 256 at 6:00 AM on October 15, 2018 [1 favorite]


The notification is that someone is unsuccessfully trying to log into your account using an incorrect password, not that they are using your password. If they were using your password they’d be in. And anyway gmail doesn’t technically actually know your password. They’re notifying you that someone is trying to get into your account.

As it is your secondary account that you are using more willy nilly, this is not surprising. This email address is probably more widely circulated making it more vulnerable for shady people to try and access.

As long as you continue to use good password practices (change regularly, use two factor authentication, etc) then you should be ok.
posted by like_neon at 6:02 AM on October 15, 2018 [5 favorites]


Response by poster: like_neon: I really don't think that's the case. Below is the text of the alert.
> Someone just used your password to try to sign in to your account from a non-Google app. Google blocked them, but you should check what happened. Review your account activity to make sure no one else has access.
Oh and I know that google (hopefully) doesn't technically know my password, but they can obviously tell if someone is logging in with a password that matches the hash (otherwise I wouldn't be able to log in either).
posted by 256 at 6:03 AM on October 15, 2018 [1 favorite]


"Zxcvbn" is arguably the industry standard for determining the strength of a password. You might use it to see how strong your password actually is. For Google, aim for a Strength Score of 5.
posted by davcoo at 6:04 AM on October 15, 2018 [8 favorites]


"non-google app" can mean anything from Apple Mail (OSX, iPhone) to Thunderbird to who knows. Doesn't mean they're in, just that they're using some other kind of program to attempt access.
posted by JoeZydeco at 6:06 AM on October 15, 2018 [3 favorites]


Do you use two-factor authentication? I wonder whether this is a situation in which a hardware key would be helpful.
posted by tapir-whorf at 6:20 AM on October 15, 2018 [3 favorites]


> You might use it to see how strong your password actually is

Typing your passwords into someone else's hosted site is not a great idea. Telling non-security professionals to do so is training them to enter their passwords anywhere...

Sorry - no I do not trust sites like this - or that someone hasn't cloned it and re-hosted it, or isn't doing javascript injection. While the library is also available for download - so one could use the code oneself, I wouldn't trust that either without manually reviewing all the code.

If you do decide to test a password with a site like this, don't use your real password, but use something similar in style.
posted by jkaczor at 6:28 AM on October 15, 2018 [13 favorites]


FWIW, if you use a password manager, it will automatically generate passwords for you that pass their strength test. (And if you use old passwords, many managers will also evaluate the strength of those, too.)
posted by tapir-whorf at 6:41 AM on October 15, 2018


Have you used Gmail with another email client (Thunderbird, Outlook, etc.)? Gmail will let you set up App Passwords so that other email clients can check your email -- you can go to that page to revoke any old passwords that you haven't used in a while.
posted by ectabo at 7:14 AM on October 15, 2018


> I'm pretty sure it's relatively strong. It includes numbers and letters and is not based on any dictionary words, so I'm pretty sure it can't have been brute forced very easily.

How long is it? Gmail has no problem with the 29-character passwords I habitually generate (5 dot-separated groups of 5 randomly chosen lowercase letters, like lmwpe.qmxmq.bgxyq.nmtog.dniih) and if you're letting your devices remember your passwords and/or using password management software like KeePass (which you absolutely should be) there's no good reason to pick anything shorter.

> since changing my password, I have only logged into the account from a single computer which runs Ubuntu and has all the most up-to-date security patches.

Is that also the computer you used to perform the actual password change? If not, the device you did use might be compromised.

That said: the overwhelming majority of Google "somebody has used your password" alerts I've seen customers get turn out to be due to an email client on one of their own devices trying to log into imap.gmail.com and/or smtp.gmail.com using the normal IMAP or SMTP login authentication mechanism that involves transferring passwords in clear text, albeit over an encrypted (SSL or STARTTLS) channel.

Any decent modern client will allow you to use the Google-preferred OAuth 2 authentication with IMAP and SMTP accounts instead (Thunderbird does) but there are still quite a few that apparently haven't read the memo.

If your usual email software has mysteriously started failing to receive new mails since you changed the password, this is quite possibly what's going on. There's a setting you can alter in your Google account to allow the older IMAP and SMTP password login methods again, but I've seen Google reset this at random without telling anybody.
posted by flabdablet at 7:18 AM on October 15, 2018 [1 favorite]


Last time I looked into App Passwords, Google was only allowing them for paying G Suite customers. That was a while ago though, so it might have changed.
posted by flabdablet at 7:22 AM on October 15, 2018


12 characters is too short in 2018.
posted by flabdablet at 7:25 AM on October 15, 2018


> While the library is also available for download - so one could use the code oneself, I wouldn't trust that either without manually reviewing all the code.

The zxcvbn demo page linked from the original zxcvbn announcement does download the library and run it in your browser. Once you've navigated to that page, you can physically disconnect your Internet connection and still test as many passwords as you want.

That said, I completely agree that typing live passwords into online password testers is in general an idea about as terrible as sending tens of thousands of dollars to the alleged nephews of alleged Nigerian ex-bankers.
posted by flabdablet at 7:43 AM on October 15, 2018


Response by poster: For the record, I use the web client, and I changed my password on the same computer I access the account from.

The zxcvbn page gives a password that is structurally similar to mine a "20 hours to crack" rating, so that may be the problem, but is it really likely that anyone has gone to the effort of cracking my password in the last month, and doesn't Google limit log-in attempts?
posted by 256 at 7:57 AM on October 15, 2018


As "like_neon" stated - if they actually had your password, they would be logged in - and have changed it, so you wouldn't be able to login.

The wording on the notification message is poor - it should really say "a password login attempt occurred", not "...your password...".

"flabdablet" mentions KeePass - I swear by that, have used it since it came out - amazingly great software.

Google supports "2-factor", "multi-factor" authentication, if you are really concerned, then I would definitely enable that.
posted by jkaczor at 8:10 AM on October 15, 2018 [2 favorites]


> As "like_neon" stated - if they actually had your password, they would be logged in - and have changed it, so you wouldn't be able to login.

That's not true. What the message suggests is that Google didn't recognize the app or the machine so even though the password was correct, Google blocked the login and issued a second request, either a second factor (text message, key or auth token) or, if that's not enabled, a "Secret Question", which Google requires for new logins.

This message suggests that the password was correct and the attempt failed the second level check.

It's interesting and surprising and I don't quite know what's up, but it's not as simple as "if they had your password they would be in". Google adds extra protection for logins from unfamiliar countries/apps/machines.
posted by The Bellman at 8:38 AM on October 15, 2018 [3 favorites]


Assuming you have two-factor enabled, I second the possibility that your computer is compromised.
posted by purple_bird at 8:56 AM on October 15, 2018 [2 favorites]


If it is, it's more likely to be a browser exploit than anything else. Do you run uBlock Origin or some similarly competent advertising filter? What other extensions are installed in your browser?

Alternatively, are you browsing with Tor or some similar privacy enhancement? Tor exit nodes are everywhere in the world, and if you log into Google through Tor, Google is going to make incorrect assumptions about where you are.
posted by flabdablet at 9:11 AM on October 15, 2018


> The zxcvbn page gives a password that is structurally similar to mine a "20 hours to crack" rating, so that may be the problem, but is it really likely that anyone has gone to the effort of cracking my password in the last month, and doesn't Google limit log-in attempts?

The 20-hour figure assumes the person has direct access to the username-password database and is using a computer to attempt to decrypt it. That isn't the case here. 20 hours is fine.
posted by davcoo at 9:27 AM on October 15, 2018 [1 favorite]


> If you do decide to test a password with a site like this, don't use your real password, but use something similar in style.

You are correct. This is stated in the fourth paragraph on the page.
posted by davcoo at 9:31 AM on October 15, 2018


I have never gotten a notice like this from any service that ever said anything about the password being used. If I got something like that, I would trash it and move on.
posted by humboldt32 at 9:32 AM on October 15, 2018


If someone's trying to get into your account, you need to have two-factor enabled.

"20 hours to crack"

That sort of rating isn't really that important for this unless you're reusing passwords (don't!). Other than extremely simple things (e.g. password123, letmein), most sites take strong enough steps to block brute forcing accounts that anything with moderate complexity is not going to be possible to guess randomly.

The difficulty to crack rating comes from when an attacker compromises a site and obtains the databases of the password hashes and can turn GPU based crackers loose on it. This, while possible that it could happen to Google, is unlikely and if someone did such an attack they'd be going after really high value targets.

I suspect this is poorly worded on their part and that the attackers are using an incorrect password but it's also possible that you've got malware on your system and they do have the actual password.
posted by Candleman at 9:49 AM on October 15, 2018 [1 favorite]
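
Added example, not part of any comment in this thread: it generates a password in the 5x5 dot-separated lowercase scheme flabdablet describes, and converts a "time to crack" rating into a guess count so the same password can be compared across offline and online attack models, the distinction davcoo and Candleman draw. The guess rates follow the attack scenarios the zxcvbn library reports and are assumptions here, as is the choice of scenario behind the "20 hours" figure.

```python
import math
import secrets
import string

# Guesses per second for each attack model (assumed rates, modelled on the
# scenarios zxcvbn reports).
SCENARIOS = {
    "online, throttled (100/hour)": 100 / 3600,
    "online, unthrottled (10/s)": 10,
    "offline, slow hash (1e4/s)": 1e4,
    "offline, fast hash (1e10/s)": 1e10,
}

def grouped_password(groups=5, size=5, sep=".", alphabet=string.ascii_lowercase):
    """Dot-separated groups of letters drawn from the OS CSPRNG."""
    return sep.join(
        "".join(secrets.choice(alphabet) for _ in range(size)) for _ in range(groups)
    )

def entropy_bits(groups=5, size=5, alphabet_len=26):
    """Entropy of the scheme; the fixed separators contribute nothing."""
    return groups * size * math.log2(alphabet_len)

def guesses_for(seconds, rate):
    """Invert a crack-time rating back into the guess count it implies."""
    return seconds * rate

def crack_times(guesses):
    """Seconds needed to make `guesses` attempts under each attack model."""
    return {name: guesses / rate for name, rate in SCENARIOS.items()}

def humanize(seconds):
    for unit, length in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= length:
            return f"{seconds / length:.3g} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    print(grouped_password(), f"({entropy_bits():.1f} bits)")
    # Assumption: the 20-hour rating refers to the offline slow-hash model.
    guesses = guesses_for(20 * 3600, SCENARIOS["offline, slow hash (1e4/s)"])
    for name, secs in crack_times(guesses).items():
        print(f"{name:30s} {humanize(secs)}")
    # The 5x5 scheme, searching half the keyspace on average:
    half_space = 2 ** (entropy_bits() - 1)
    print("5x5 scheme, offline fast hash:",
          humanize(half_space / SCENARIOS["offline, fast hash (1e10/s)"]))
```

Under these assumed rates, a password rated at 20 hours against an offline slow hash takes centuries to guess through a login form limited to 100 attempts an hour.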


I was given the password and username for a gmail account hosted in France; I can't log in even with the correct password because I don't have the second factor for authentication (unless I coordinate with the person who originally signed up, which is a hassle) and I'm logging in from an unrecognized device/random IP. They definitely could have your password.
posted by ChuraChura at 10:31 AM on October 15, 2018


Response by poster: You guys have all been really helpful, but the biggest question not yet answered (and the one that is really bothering me) is: Do I need to be worried that my computer is compromised? And, if it is, what can I do on Ubuntu to track down the problem aside from a clean install?

I'm only moderately worried about my throwaway email being compromised, but if my computer itself is compromised then a whole bunch of other things (like my internet banking for example) are at risk.

Also, FWIW, I use Chrome and the only plugin installed is AdBlock Plus.
posted by 256 at 10:40 AM on October 15, 2018


You’d be a fool not to enable two factor authentication at this point.
posted by LoveHam at 3:56 PM on October 15, 2018 [1 favorite]


> Do I need to be worried that my computer is compromised?

It is very uncommon for Linux end users to get attacked. So while it's possible, it is unlikely. I see that you're a journalist - if you have written about something that foreign governments are interested in or found offensive, it is possible they might have targeted you but that is also relatively unlikely, especially on a personal machine. Most nation-state level attackers still are either doing Windows attacks or social engineering attacks rather than hitting Linux, at least for small level targets like yourself.

Without knowing everything about your background, I think it's most likely that they're continuing to try the old password from the initial issue (a lot of places keep the hashes of at least the past five passwords) or that it's flat out confusingly worded.

> And, if it is, what can I do on Ubuntu to track down the problem aside from a clean install?

You can't trust the OS to tell you accurate things if you're compromised, so you have to do something like boot from a version of Ubuntu and then mount the drive and look for anomalies. For a desktop system, I wouldn't personally bother with anything other than a reinstall unless I was really curious what had happened. There are tools like rootkit hunter that can find Linux malware if you really want to go that route, but unless you know what you're doing, you may just be wasting time.
posted by Candleman at 5:59 PM on October 15, 2018 [1 favorite]


If you save all four of the Google security notifications you mention in the form of .eml files, zip them up and email them to me (email address is in profile), I'm happy to look through them and try to work out whether they're (a) genuine (b) worded identically to other Google notifications I've seen before and for which I know at least some of the specific causes. That should also let me run nmap scans against your IP address to see whether you have anything open to the Internet that looks backdoorish.

If your Ubuntu desktop installation is compromised, it's literally (literally literally) the first one I've ever heard of that having happened to in the wild. And I've seen more desktop computers than most people.
posted by flabdablet at 10:58 PM on October 15, 2018 [3 favorites]
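
Added example, not part of flabdablet's comment and not Google's own tooling: one way to check saved .eml alerts yourself is to read the Authentication-Results header that the receiving mail server stamped on them and to list any URLs in the body. The trusted server id, the expected From domain and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.google.com"  # assumption: id stamped by your own provider

# Constructed samples, not real Google mail; SPOOF adds a sender-supplied header.
GOOD = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@accounts.google.com header.s=example;
 dmarc=pass (p=REJECT) header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>

Someone just used your password to try to sign in to your account.
"""
SPOOF = """\
Authentication-Results: mx.google.com; dkim=none; spf=softfail; dmarc=fail
Authentication-Results: mx.google.com; dkim=pass header.i=@accounts.google.com; dmarc=pass
From: Google <no-reply@accounts.google.com>

Review your activity at http://accounts.example.invalid/login
"""

def parse_auth_results(value):
    """Return (authserv-id, {method: (result, properties)}) for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    authserv, *parts = [p.strip() for p in value.split(";")]
    results = {}
    for part in parts:
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results[method.lower()] = (result.lower(), props)
    return authserv.lower(), results

def assess(eml_text, expected_from="accounts.google.com"):
    """Return (ok, findings, urls) for one saved alert."""
    msg = message_from_string(eml_text, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    findings = []
    if from_domain != expected_from:
        findings.append(f"unexpected From domain {from_domain!r}")
    # Receivers prepend headers, so only the topmost copy was written by our
    # own provider; anything further down may have been supplied by the sender.
    stamped = msg.get_all("Authentication-Results") or [""]
    authserv, results = parse_auth_results(str(stamped[0]))
    if authserv != TRUSTED_AUTHSERV:
        findings.append("top Authentication-Results is not from the trusted receiver")
        results = {}
    dkim, props = results.get("dkim", ("none", {}))
    signer = (props.get("header.d") or props.get("header.i", "")).rpartition("@")[2].lower()
    # Simplified alignment: the signer is the From domain or a parent of it.
    if dkim != "pass" or not (from_domain == signer or from_domain.endswith("." + signer)):
        findings.append(f"DKIM {dkim}, signer {signer!r}")
    if results.get("dmarc", ("none", {}))[0] != "pass":
        findings.append("DMARC did not pass")
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = re.findall(r"https?://[^\s\"'<>]+", body.get_content() if body else "")
    return not findings, findings, urls
```

A clean result only says the message passed the receiving server's checks for that domain; matching the alert time against the account's own security event list, as suggested elsewhere in the thread, is an independent check.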


> That's not true. What the message suggests is that Google didn't recognize the app or the machine so even though the password was correct, Google blocked the login and issued a second request

Right - sorry, I am not a big Google services user (other than Search) - I recall having seen that when I first try to access on a new work machine (or radically different geographic location).
posted by jkaczor at 6:49 AM on October 16, 2018 [1 favorite]


At least if it is malice, it is also repeatedly incompetent and failing to cover tracks.

I've had one of the "Critical security alert" mails this month, with the wording "Someone just used your password to try to sign in to your account from a non-Google app. Google blocked them, but you should check what happened". AND I can match the mail exactly against the full account security page - https://myaccount.google.com/notifications -

In my account security page, it shows up as a "Recent security event": "Google prevented a sign-in from a less secure app", with a red shield and exclamation mark. It shows a time that exactly matches the time the alert email was sent.

If I were you I would try to make this same match up. In my case, the alert was due to me using the *correct* password, but using an ostensibly "less secure" access method. And the security event shows the correct country I was connecting from.

At least if all your "less secure app" events are actually in the countr(ies) you expect your devices to be hailing from, you can relax a bit.

It sounds like flabdablet has a more comprehensive sample of messages for comparison. I guess you could also send them a screenshot of the "Recent security events" on your account security page.

(Years ago, I actually did have a Linux desktop that was compromised. Due to dialup access (i.e. no NAT), having deliberately installed an SSH server, and then set a weak password on a test account. That was almost certainly an attack targeted to exploit servers though, not desktop stuff like grabbing passwords from a web browser.)
posted by sourcejedi at 6:52 AM on October 16, 2018 [1 favorite]

