Again: "Somebody knows your password" (Google)
Volker Wysk
post at volker-wysk.de
Fri Oct 20 16:30:17 UTC 2017
On Saturday, 14 October 2017, 12:44:04 CEST, Karl Auer wrote:
> On Sat, 2017-10-14 at 00:46 +0200, Volker Wysk wrote:
> > On Saturday, 14 October 2017, 00:34:30 CEST, Karl Auer wrote:
> > > Turn on multifactor authentication. It's really easy and makes a
> > > breach much, much less likely. Even if they know your password they
> > > cannot get in.
> >
> > So, I'd turn on two-factor authentication, and turn it off for my
> > computer again? I'm retrieving my mail via fetchmail every few
> > minutes. A second factor isn't feasible. For my smartphone, it's
> > similar.
>
> Google allows you to set up additional passwords for specific
> applications.
How do they determine which application is trying to log in at Google..?
> As this is a machine fetch, the password can be
> arbitrarily complicated, so go wild! As long as the sessions are SSL
> protected. I haven't done this except for my phone, so let us know if
> it works for you. It is definitely doable for your phone.
>
> However, if your fetch process can handle 2FA, it's quite easy to
> script.
It's fetchmail. I haven't found anything about two-factor authentication in
the feature list.
> Store the TOTP in a text file somewhere, e.g. key.txt, with
> suitable permissions, install oathtool, and get the current code in
> your scripts with:
>
> oathtool --totp -b `cat key.txt`
>
> Since you have the password stored somewhere already for fetchmail, I
> guess this is no less secure, but it absolutely prevents a password
> hack. Guessing or brute-forcing a TOTP secret is effectively
> impossible.
I'll try to enable two-factor authentication, with exceptions for my machines,
now. Like I said above.
Bye
V.W.
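
What the quoted `oathtool --totp -b` line computes, together with a check that key.txt really has "suitable permissions", as an added example that is not part of the original thread. The function names and the refusal of group- or world-accessible key files are assumptions of this sketch, and the secret is the public RFC 6238 test value, not a real account key.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import tempfile
import time


def read_secret(path):
    """Read a base32 TOTP secret, refusing files accessible by group or others."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {stat.S_IMODE(mode):o}; use chmod 600")
    with open(path) as fh:
        return fh.read().strip()


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s step, 6 digits (oathtool's defaults)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 input must be padded to 8 chars
    key = base64.b32decode(cleaned)
    counter = int(time.time() if now is None else now) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def demo():
    # Constructed sample: the RFC 6238 test secret in base32.
    sample = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "key.txt")
        with open(path, "w") as fh:
            fh.write(sample + "\n")
        os.chmod(path, 0o600)  # owner read/write only
        return totp(read_secret(path), now=59)


if __name__ == "__main__":
    print(demo())
```

The code only changes every 30 seconds, so the clock on the machine running the script has to be reasonably accurate.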