[Users] Can't login to my GMail IMAP acct

Ralf Mardorf kde.lists at yahoo.com
Fri Jun 10 18:28:17 CET 2022


On Fri, 10 Jun 2022 19:37:42 +0200, Slavko wrote:
>AFAIK, the problem which OAuth solves are not weak passwords, but
>reused (leaked) passwords.

Hi Slavko,

that's correct, but...

it's so complicated to have a bunch of devices, each required to
verify something else, that users are stressed out. Not necessarily
by 2-factor-auth, but by the chain from one super secure method to the
next one. In the first place our banks sent us a printed TAN list and
right after that one thingy replaced another thingy, the same for
email accounts and anything else.

>Kerckhoffs' principle tells us that security by obscurity doesn't work,
>at least doesn't work for a long time. I cannot tell now if OAuth is
>secure or provides only a secure feel; we will see it after some time.
>But my (long) army experience taught me that any weapon will sooner or
>later have an anti-weapon, either direct or indirect...

I posted the link to the English Wiki related to Crypto AG, the German
Wiki [1] mentions "Security through obscurity", hence indirectly
"Kerckhoffs'sche Prinzip"/"Kerckhoffs' Maxime", too.

It's not just about open source vs closed source, since it's always
possible to reverse engineer or to disassemble. If you make it more
complex you don't gain anything over just keeping a single key secret.

So we are back at the top of this email again. The right way is a classical
password that is secure (not stupid) and doesn't get leaked + it gets
changed by rotation.

Unfortunately the weapon analogy does fit, especially the approach to
work around the weapon vs anti-weapon issue. In both cases, weapons and
computer security, the common approach is completely wrong.

>Reading these never-ending gmail problems, I am really happy that I
>have no account (email hosted) there.

It's not just Gmail, they are just ahead.

Regards,
Ralf

[1]
https://de.wikipedia.org/wiki/Crypto_AG
