undefined | Better HN

0 pointsxyzzyz13y ago0 comments

I'm not talking about 10 passwords I have as a backup. I'm talking about 10 application specific password that are used every day by my phone, mail client, xmpp client etc. They just need to intercept any single of these password to compromise my mail account. How's this different from the situation before two-factor authentication?

0 comments

simon_weber13y ago

You are confused by the misleading "application-specific password" terminology. These passwords each allow the same degree of access: the password you use on your phone could be interchanged with the one on your xmpp client. Aside from being able to revoke each independently, there's not much benefit from having many of them.

These are not equivalent to 2-factor auth (which grants you the benefits described in an earlier comment). App-specific passwords exist only to allow you, a 2-factor user, to use applications which do not yet support 2-factor auth.

trotsky13y ago

The primary purpose is to reduce the impact of password reuse or the user interactively disclosing their password to an attacker. Primarily leaked password hashes and phishing attacks, but it also combats sslstrip style mitm attacks and keyloggers on public computers. Nobody is going around typing in ASPs.

It's not designed to mitigate your personal computer being compromised - the only solutions that can move the needle in that situation are far beyond anything normal folks are willing to put up with.

marshray13y ago

All I can figure is it makes it easier to revoke one password without changing all the others.

bigiain13y ago

I think this is the answer, and I think it would have made sense if they'd called it a "device specific password" instead of an "application specific password".

I've got an asp (dsp?) for my phone (which all the applications that need one on my phone use), another for my iPad, another for each of my laptops, home computers, and my work computer. If I lose (or have stolen) my phone, I can revoke the password it knows - without needing to change any of my other devices.

Using the word "Application" allows everybody (including, I think, google's own security people) to make the incorrect assumption that the "iPhone mail password" is "specific" to mail - and only allows POP and IMAP to work. Instead, what "application" means is not the easily assumed "a piece of software" interpretation, but the "use to which something is put" interpretation. The decision and management of that "use to which a password is put" is not made nor emforced by Google, but is all up to _me_ (or, as it turned out, to any attacker who could lever one out of me).

marshray13y ago

Right. AFAICT, there's nothing inherently "specific" about the password at all, that name is mostly just a "serving suggesion" to the legitimate user (one which the attacker is free to ignore).

So calling it a "device specific password" doesn't make it any more sensible to me. I'd call it an "alternate weakest-link redundant password" to be precise, but Marketing rarely goes with my suggestions. :-)

cwb7113y ago

Google does intentionally make it a little more difficult to do what you are doing by refusing to ever show you the password again once it has been generated. You have to store that "unmemorizable" sixteen letter password somewhere.

The workflow they seem to encourage is that an "application" asks for your password, you open a browser and generate a new ASP, then save it in that app and forget it forever.

By "application" they mean "something that asks for your password." Thunderbird or iChat, not IMAP or XMPP.

sneak13y ago

Accessing your email box is a different matter than taking over the whole account. The former you can generally recover from.

bigiain13y ago

Your right, a password that only works for a specific service or property or protocol would help, but "email box" is not the best example of your point - even if the only Google access is could steal off you was the ability to read you mail, you've pretty much hosed - I can now go to every other website and ask them to send you a password reset, and you're now lost down the Mat Honan rabbit hole. Where does your appleID reset go? Or your domain registrar accounts? Your Facebook/Twitter/HN password reset email?

sneak13y ago

> I can now go to every other website and ask them to send you a password reset

Yes, and, provided I've discovered the issue in time, I can use one of my ten reset codes or OTP to log in, revoke/disable all my ASPs, and reset them again. Recoverable.

If you'd stolen my whole Google account, you've likely regenerated the codes and changed the backup email and phone number. No exit.

1 more reply

rdl13y ago

The Google "Application Specific Passwords" are actually complete passwords which give you access to all data in the account, which is the problem.

sneak13y ago

They don't let you log in via the web, only via protocols that have a single field for "password", like xmpp, imap, and smtp. There is tons of data in the account which is not accessible with an ASP.

When you try to log in on the web with an ASP, it asks for the account password + OTP.

1 more reply

Tyr4213y ago

That's the problem though, isn't it? They don't do password specific permissions, so any leak escalates up to taking over the whole account.

sneak13y ago

No, ASPs can only be used to access account data available over imap, smtp, xmpp, and other non-web protocols that don't allow cookies/asking for the OTP.

1 more reply

j / k navigate · click thread line to collapse

0 comments

simon_weber13y ago

trotsky13y ago

It's not designed to mitigate your personal computer being compromised - the only solutions that can move the needle in that situation are far beyond anything normal folks are willing to put up with.

marshray13y ago

All I can figure is it makes it easier to revoke one password without changing all the others.

bigiain13y ago

I think this is the answer, and I think it would have made sense if they'd called it a "device specific password" instead of an "application specific password".

marshray13y ago

Right. AFAICT, there's nothing inherently "specific" about the password at all, that name is mostly just a "serving suggesion" to the legitimate user (one which the attacker is free to ignore).

cwb7113y ago

The workflow they seem to encourage is that an "application" asks for your password, you open a browser and generate a new ASP, then save it in that app and forget it forever.

By "application" they mean "something that asks for your password." Thunderbird or iChat, not IMAP or XMPP.

sneak13y ago

Accessing your email box is a different matter than taking over the whole account. The former you can generally recover from.

bigiain13y ago

sneak13y ago

> I can now go to every other website and ask them to send you a password reset

Yes, and, provided I've discovered the issue in time, I can use one of my ten reset codes or OTP to log in, revoke/disable all my ASPs, and reset them again. Recoverable.

If you'd stolen my whole Google account, you've likely regenerated the codes and changed the backup email and phone number. No exit.

1 more reply

rdl13y ago

The Google "Application Specific Passwords" are actually complete passwords which give you access to all data in the account, which is the problem.

sneak13y ago

They don't let you log in via the web, only via protocols that have a single field for "password", like xmpp, imap, and smtp. There is tons of data in the account which is not accessible with an ASP.

When you try to log in on the web with an ASP, it asks for the account password + OTP.

1 more reply

Tyr4213y ago

That's the problem though, isn't it? They don't do password specific permissions, so any leak escalates up to taking over the whole account.

sneak13y ago

No, ASPs can only be used to access account data available over imap, smtp, xmpp, and other non-web protocols that don't allow cookies/asking for the OTP.

1 more reply

j / k navigate · click thread line to collapse