Are email providers giving you the code instead of asking for tel #?
February 19, 2023 1:56 PM Subscribe
I couldn't fit all the words in the title. Are the main email providers nowadays giving you the code phrase/words (in case you forget your password) instead of asking you for your phone number or alternate email? If so, which ones are they? I'm thinking Gmail, Outlook, Yahoo, etc. It looks like it is better than email or phone number, since what happens if you don't have access to the alternate email, etc.?
Best answer: Gmail, memory says, will offer you the opportunity to print a page of one time codes to use in case of emergencies. You need access to the codes, but you don't need a functioning device, for instance if you've lost your phone. It's more a recovery mechanism of last resort than one suited to everyday use, mind.
As a general best practice, most sites avoid using only a password or passphrase (or answers to personal questions, whatever) that (a) you made up and (b) is sent over the network from you to them while being reusable. Weak passwords are obviously a problem, and they're common if you leave the choice up to the user, but even strong passwords are a problem if they can be reused, because they might be phished or intercepted. A one time password sheet is a low tech way to make solidly random, non-reusable credentials.
A site that does let you use a passphrase, on the other hand, is not implementing good security and you should ask yourself how you might hack someone's account if that's what they do (think gamil.com, for example).
posted by How much is that froggie in the window at 2:57 PM on February 19, 2023
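The "one time password sheet" idea from the answer above, as an added example that is not part of the thread: a service generates a sheet of random recovery codes, keeps only a salted slow hash of each, and deletes a code the moment it is redeemed, so a code that is phished or copied from the sheet cannot be replayed. The alphabet, code length and class names are my own choices.

```python
import hashlib
import hmac
import secrets

# Lowercase letters and digits with the easily confused 0/o/1/l/i removed,
# so a code printed on paper can be typed back without ambiguity.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10      # ~49 bits of entropy per code with this alphabet
PBKDF2_ROUNDS = 50_000


def generate_codes(count: int = 10) -> list[str]:
    """Produce the sheet the user prints; uses the OS CSPRNG, never random.random."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are short, so they get a slow KDF like a password would,
    # not a bare SHA-256, to blunt offline guessing if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Server-side record for one account: salted hashes only, each usable once."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = [_hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, typed: str) -> bool:
        """Accept the code exactly once; a second presentation of the same code fails."""
        candidate = _hash_code(typed.strip().lower(), self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):   # constant-time compare
                self.unused.remove(stored)               # consumed: not reusable
                return True
        return False
```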
Best answer: Regardless most repeatable services are going to allow multiple versions of a recovery mechanism. You should definitely use more than one scheme.
posted by mmascolino at 4:48 PM on February 19, 2023
Best answer: I have noticed a change with lost password protocols. The old way was that, once prompted, the site sent an email containing a link to a new page where a new password could be entered. The new way is to send an email or text containing a code number that has to be taken back to the original page.
posted by SemiSalt at 6:21 PM on February 19, 2023
Response by poster: Thank you all.
I'm all rereading the answers.
1) How do you make an account independent of other accounts or tel number? What if the alternate email gets hacked?
2) What do "repeatable" or "reusable" mean?
posted by amfgf at 5:52 PM on February 21, 2023
I believe mmascolino meant 'reputable'.
When I said 'reusable' about passwords I mean that the same password will work again, even if it's in the hands of someone else.
I think you understand that there are two categories of login or recovery mechanism, one which relies on another service (a text message to your phone account, an email) to log in, and ones which don't. If it's dependent on another service it's pretty much compromised if the other service is compromised. Ultimately, then, it comes down to whether that service is secure, so somewhere you need a service that is independent of any other service.
The non-dependent mechanisms I've seen ultimately still require you to secure something else, but it's more likely to be a physical thing.
The ones that come to mind are
- time based one time password generators ('TOTP'); this runs on a device so make sure that device is secure, but note that that device doesn't have to talk to the internet to do its job
- yubikeys - it has information on it that you can use to login but that can't be extracted; don't lose it. In a similar vein, the little keypads that banks used to give you where you typed in a challenge and it made up a response code
- one time password sheets - don't lose them or let anyone else see them.
And you can't always make one account independent of others. Not every service supports a method for that. I would start by setting up your email with strong security so that it doesn't get hacked, and then you can worry less about using that email account for password recovery of other accounts where there is no alternative.
posted by How much is that froggie in the window at 8:56 AM on February 23, 2023
Response by poster: Ok. Very interesting. A lot to absorb. Thank you all again.
posted by amfgf at 6:00 PM on February 24, 2023
posted by SPrintF at 2:33 PM on February 19, 2023