Google and the end of May


Dave

Apr 30, 2022, 4:55:13 AM
Good day folks,
My dear Fay (Wife) has been pestered recently (As I guess many of us have)
by BOT mails from google, about access to google accounts being cut off on
May 30th... Or somesuch.

Now she's pestering me to explain, and to be quite honest, I have very
little understanding of it myself.

I have been to the google pages about this stuff but really am no wiser.

Any chance that some knowledgeable person here might do some illumination
on the matter?

Thanks

Dave

VRPC-DL RISC OS 6.20
Hermes is our RISC OS app of choice, and Thunderbirds if on the other side.
D.

Chris Newman

Apr 30, 2022, 9:51:23 AM
In article <59e12ad...@triffid.co.uk>, Dave <ne...@triffid.co.uk>
wrote:
> Good day folks, My dear Fay (Wife) has been pestered recently (As I
> guess many of us have) by BOT mails from google, about access to google
> accounts being cut off on May 30th... Or somesuch.

> Now she's pestering me to explain, and to be quite honest, I have very
> little understanding of it myself.

> I have been to the google pages about this stuff but really am no wiser.

> Any chance that some knowledgeable person here might do some
> illumination on the matter?

As I understand it, if you wish to keep accessing Google on older (Less
secure?) kit you will need to get a new password to put in to your mail
transport prog. This only needs to be done once unless you have some sort
of catastrophic failure of your set up. Presumably even then, if you've
saved it, you can re-insert. You can still log in online with your
original password.
Then each time you connect with said older kit, you will have to get a 2
factor code from them. Whether that arrives by phone, mail or what I know
not.

This is why I'm in the process of getting a domain so I can forward Gmail
stuff to that then gradually phase out Gmail.
My wife has the same problem with Hotmail which is refusing to recognise
Office Outlook 2010. Hey, ho for progress.

--
Chris Newman

Harriet Bazley

Apr 30, 2022, 7:14:43 PM
On 30 Apr 2022 as I do recall,
Chris Newman wrote:

[snip]

> As I understand it, if you wish to keep accessing Google on older (Less
> secure?) kit you will need to get a new password to put in to your mail
> transport prog. This only needs to be done once unless you have some sort
> of catastrophic failure of your set up. Presumably even then, if you've
> saved it, you can re-insert. You can still log in online with your
> original password.
> Then each time you connect with said older kit, you will have to get a 2
> factor code from them. Whether that arrives by phone, mail or what I know
> not.


Ouch. So *every single time* your mail transport tries to fetch from
your inbox, you will have to manually confirm your identity... i.e.
every twenty minutes or so?


--
Harriet Bazley == Loyaulte me lie ==

The fact that you're paranoid.... doesn't mean they're NOT out to get you.

Theo

May 2, 2022, 6:06:32 PM
Harriet Bazley <har...@bazleyfamily.co.uk> wrote:
> Ouch. So *every single time* your mail transport tries to fetch from
> your inbox, you will have to manually confirm your identity... i.e.
> every twenty minutes or so?

I haven't tried it so don't know specifics of how it relates to Gmail with
app passwords, but in other parts of Google you only need to do the full
authentication when something changes - eg a different browser or logging in
from a different IP address. There's a heuristic they use about 'something
is different' that means you have to reconfirm. With mail clients there are
no cookies to remember your browser, but it's possible they don't ask for
reconfirmation from the IP you've previously come from.

(although even that could be annoying if you're flitting between different
cafe/etc wifi)

Theo

Chris Newman

May 3, 2022, 10:34:08 AM
In article <6da978e15...@bazleyfamily.co.uk>, Harriet Bazley
<har...@bazleyfamily.co.uk> wrote:
> On 30 Apr 2022 as I do recall, Chris Newman wrote:

> [snip]

> > As I understand it, if you wish to keep accessing Google on older
> > (Less secure?) kit you will need to get a new password to put in to
> > your mail transport prog. This only needs to be done once unless you
> > have some sort of catastrophic failure of your set up. Presumably
> > even then, if you've saved it, you can re-insert. You can still log
> > in online with your original password. Then each time you connect
> > with said older kit, you will have to get a 2 factor code from them.
> > Whether that arrives by phone, mail or what I know not.


> Ouch. So *every single time* your mail transport tries to fetch from
> your inbox, you will have to manually confirm your identity... i.e.
> every twenty minutes or so?

That's why I'm now getting my own domain. Hopefully two fingers to Google
in the future.

--
Chris Newman

Chris Newman

May 3, 2022, 10:34:09 AM
In article <aKk*5v...@news.chiark.greenend.org.uk>, Theo
That intensely annoying behaviour is what happens now. The new regime is
another layer of obfuscation on top for those using older email clients.

--
Chris Newman

Mik Towse

May 3, 2022, 1:55:29 PM
In article <59e2d537...@waitrose.com> Chris Newman wrote:
> That's why I'm now getting my own domain. Hopefully two fingers to Google
> in the future.
Very wise, they are good value these days and gives you so much more
flexibility with ISPs.

R-Comp keep Hermes pretty much up to date on standards and handles multiple
domains very well. We certainly have no issues with it on ours.

--
Mik Towse * mik....@xemik.com * http://www.xemik.co.uk/
My writers' site can be found at: http://www.lexis.org.uk

xemik.net - cost effective web hosting : http://xemik.net

Only those who will risk going too far,
can possibly find out how far one can go.

Chris Newman

May 8, 2022, 7:21:53 PM
In article <6da978e15...@bazleyfamily.co.uk>, Harriet Bazley
<har...@bazleyfamily.co.uk> wrote:
> On 30 Apr 2022 as I do recall, Chris Newman wrote:

> [snip]

> > As I understand it, if you wish to keep accessing Google on older
> > (Less secure?) kit you will need to get a new password to put in to
> > your mail transport prog. This only needs to be done once unless you
> > have some sort of catastrophic failure of your set up. Presumably
> > even then, if you've saved it, you can re-insert. You can still log
> > in online with your original password. Then each time you connect
> > with said older kit, you will have to get a 2 factor code from them.
> > Whether that arrives by phone, mail or what I know not.


> Ouch. So *every single time* your mail transport tries to fetch from
> your inbox, you will have to manually confirm your identity... i.e.
> every twenty minutes or so?
Seemingly, it's not as bad as I thought. You won't need to confirm every
time.
Thanks to an article in Computer Active magazine, I've sorted the first
of my Google accounts.

I've tried to make an idiot's guide. Herewith....

2 factor authentication for "insecure" apps.

Sign into your Google account.
Select "Security" in the left hand menu.
You may have to keep signing back into your account to verify it's you
during the process.
Follow instructions to enable 2-step verification.
You will need a phone for the set up as they send you a code. I had one
listed with them as I have an Android phone which needs the ridiculously
named "PlayStore."
You can ignore the bits about further safety measures.
Go back to "Security" page.
With a bit of searching you should see a new option "App Passwords"
Select "Mail" in the "Select App" drop down menu no matter what
app/client/transport you are using.
In the "Select device" menu, choose the device you want to access gmail
on. I chose other and when asked, called it Hermes.
Select "Generate" to get your 16 digit password which appears in a
yellowish box.
Enter this in your email/transport client in place of your old code.
You should only have to do this once but keep a copy of the code in case
of disasters. If the worst comes to the worst, you can get Google to
generate a new one.
You may have to do a captcha or get another code. I was so confused, I
slightly disremember the order of events.
Then all should work.

When I accessed my Google account on-line it was my original password
that was needed. I had to get a code to log in the first time but there
is a "Don't ask again on this device" box to tick to prevent that each
time you login in future.

How does it know my device? IP address, MAC address?

--
Chris Newman

Harriet Bazley

May 13, 2022, 11:25:27 AM
On 9 May 2022 as I do recall,
Chris Newman wrote:

> In article <6da978e15...@bazleyfamily.co.uk>, Harriet Bazley
> <har...@bazleyfamily.co.uk> wrote:
> > On 30 Apr 2022 as I do recall, Chris Newman wrote:
>
> > [snip]
>
> > > As I understand it, if you wish to keep accessing Google on older
> > > (Less secure?) kit you will need to get a new password to put in to
> > > your mail transport prog. This only needs to be done once unless you
> > > have some sort of catastrophic failure of your set up. Presumably
> > > even then, if you've saved it, you can re-insert. You can still log
> > > in online with your original password. Then each time you connect
> > > with said older kit, you will have to get a 2 factor code from them.
> > > Whether that arrives by phone, mail or what I know not.
>
> > Ouch. So *every single time* your mail transport tries to fetch from
> > your inbox, you will have to manually confirm your identity... i.e.
> > every twenty minutes or so?

> Seemingly, it's not as bad as I thought. You won't need to confirm every
> time.
> Thanks to an article in Computer Active magazine, I've sorted the first
> of my Google accounts.
>
> I've tried to make an idiot's guide. Herewith....
>
[snip]

Tried this - I couldn't log into the 'Standard' Gmail page using
Iris (it just seemed to hang up indefinitely while displaying 'Google
Workspace'), but I managed to get access to the 'Simple HTML' page and
turn on 2-step authentication, and then find 'App passwords' under
Security. Simply substituting this new password for my old one
in AntiSpam seems to function the same as before - without actually
requiring the 2-step process at all, despite the fact that it is now
supposedly switched on.

I'm not clear why changing passwords to random digits issued by Google
is magically super-secure, even if you had to use a one-time PIN sent to
a specific phone number in order to get it in the first place, since
presumably this is just as hackable as any other password stored in a
database anywhere.

--
Harriet Bazley == Loyaulte me lie ==

Reality is for people who can't face science fiction.

Chris Newman

May 13, 2022, 5:44:09 PM
In article <1603ffe75...@bazleyfamily.co.uk>, Harriet Bazley
Glad you got it sorted. It's certainly a bit of a faff. I couldn't figure
how it was any more secure either but it's exactly what Yahoo did some
months ago. Bit of a pointless exercise, I thought.

--
Chris Newman

Theo

May 13, 2022, 11:58:16 PM
It's because this 'app password' is *only* for your email. It doesn't give
access to all the myriad other Google services available through your Google
account. If somebody stole this password they can only access your email,
whereas stealing your Google password gives them access to a whole lot more
(including various financial-related things, which maybe you don't use but
plenty of other people do).

The other thing about app passwords is they're specific to individual apps.
That means you can disable them individually - if your computer was stolen
or compromised you can revoke its access to your email without having to
reset your password in every other place you used it.

Theo

Harriet Bazley

May 14, 2022, 5:28:10 AM
On 14 May 2022 as I do recall,
Theo wrote:

> It's because this 'app password' is *only* for your email. It doesn't give
> access to all the myriad other Google services available through your Google
> account. If somebody stole this password they can only access your email,
> whereas stealing your Google password gives them access to a whole lot more
> (including various financial-related things, which maybe you don't use but
> plenty of other people do).

Ah - that makes sense. From my point of view the GMail service is just
a backup address for Web purposes (and not as anonymous as it was, since
accessing it via Messenger and POP3 rather than Netsurf now inserts
bazleyfamily.co.uk into the Message-ID of every reply I send, rather
than the old gmail.com ones!)

>
> The other thing about app passwords is they're specific to individual apps.

Which came back to bite me this morning when I actually tried to *send*
an email reply, and discovered hours later that it hadn't gone; I'd
forgotten that the sending function of AntiSpam uses a separate app
(!MSC) which has its own copies of all the mailbox passwords. And
which fails silently if the SMTP server at the far end rejects the
message.

So if you're using AntiSpam rather than Hermes, you need to alter your
password twice; once to receive and once to send!

--
Harriet Bazley == Loyaulte me lie ==

C++ - the language in which only friends can access your private members
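
An added example, not part of any post in this thread: a Python check that tries the password stored for fetching (POP3) and the one stored for sending (SMTP) and names every path that rejects it, instead of failing silently. The Gmail host names and ports, the 16-character length check and all function names are assumptions of this example.

```python
import getpass
import poplib
import smtplib

# Assumptions of this example: Gmail's POP3-over-TLS and SMTP-over-TLS endpoints.
POP_HOST, POP_PORT = "pop.gmail.com", 995
SMTP_HOST, SMTP_PORT = "smtp.gmail.com", 465


def tidy_app_password(shown):
    """Remove any spaces typed with the password and insist on 16 characters."""
    pw = "".join(shown.split())
    if len(pw) != 16:
        raise ValueError("expected 16 characters, got %d" % len(pw))
    return pw


def check_receive(user, pw, pop_cls=poplib.POP3_SSL):
    """Log in over POP3 as a fetching program would; no mail is read."""
    try:
        conn = pop_cls(POP_HOST, POP_PORT, timeout=15)
        try:
            conn.user(user)
            conn.pass_(pw)
        finally:
            conn.quit()
        return True, "ok"
    except (poplib.error_proto, OSError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def check_send(user, pw, smtp_cls=smtplib.SMTP_SSL):
    """Log in over SMTP without sending; a rejection is returned, not hidden."""
    try:
        with smtp_cls(SMTP_HOST, SMTP_PORT, timeout=15) as conn:
            conn.login(user, pw)
        return True, "ok"
    except (smtplib.SMTPException, OSError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def failures(user, recv_pw, send_pw, pop_cls=poplib.POP3_SSL, smtp_cls=smtplib.SMTP_SSL):
    """Return the names of the paths whose stored password is rejected."""
    results = {"receive": check_receive(user, recv_pw, pop_cls),
               "send": check_send(user, send_pw, smtp_cls)}
    return [name for name, (ok, _) in results.items() if not ok]


if __name__ == "__main__":
    user = input("Gmail address: ")
    pw = tidy_app_password(getpass.getpass("App password: "))
    print("rejected on:", failures(user, pw, pw) or "nothing, both paths accept it")
```
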

Matthew Phillips

May 14, 2022, 7:31:28 AM
In message <1603ffe75...@bazleyfamily.co.uk>
on 13 May 2022 Harriet Bazley wrote:

> I'm not clear why changing passwords to random digits issued by Google
> is magically super-secure, even if you had to use a one-time PIN sent to
> a specific phone number in order to get it in the first place, since
> presumably this is just as hackable as any other password stored in a
> database anywhere.

Many people pick passwords that are much easier to guess than a set of random
characters provided by a computer.

(But Theo's answer is more to the point, I think.)

--
Matthew Phillips
Durham

Harriet Bazley

May 16, 2022, 6:12:04 PM
On 14 May 2022 as I do recall,
Apparently the next planned step is to require biometric identification
(which so far as I can see means that such sites can only be accessed
via a smartphone with built-in fingerprint sensing/face recognition
technology):
https://www.theguardian.com/technology/2022/may/11/techscape-fido-passwords

--
Harriet Bazley == Loyaulte me lie ==

Micro Credo: Never trust a computer bigger than you can lift.

Stuart

May 18, 2022, 6:36:52 AM
In article <8010b1e95...@bazleyfamily.co.uk>,
Harriet Bazley <har...@bazleyfamily.co.uk> wrote:
> Apparently the next planned step is to require biometric identification
> (which so far as I can see means that such sites can only be accessed
> via a smartphone with built-in fingerprint sensing/face recognition
> technology):
> https://www.theguardian.com/technology/2022/may/11/techscape-fido-passwords

O FFS.

--
Stuart Winsor

Tools With A Mission
sending tools across the world
http://www.twam.co.uk/

Theo

May 18, 2022, 9:41:48 AM
Harriet Bazley <har...@bazleyfamily.co.uk> wrote:
> Apparently the next planned step is to require biometric identification
> (which so far as I can see means that such sites can only be accessed
> via a smartphone with built-in fingerprint sensing/face recognition
> technology):
> https://www.theguardian.com/technology/2022/may/11/techscape-fido-passwords

It is not 'only', that is just a convenient way of doing things for a lot of
people. The spec allows for other means, for example hardware tokens or
other kinds of 2FA.

The point of this spec is to simplify the dance where your bank sends you an
SMS, which you have to find on your phone and type into their website, etc
etc. Basically it allows the bank's website to confirm presence of the
second factor (the phone) by communicating with it directly, in a more
secure manner, rather than all this copying of SMS codes. You login to your
bank on your computer, a message pops up on your phone saying 'do you want
to login to your bank', you put your finger on the sensor, your computer is
now logged in. It also checks that your phone is physically near your
laptop, so it's not possible to accidentally approve somebody else to login.

It also means that fingerprint sensors on laptops can become useful for
logging in to websites: Apple does this, but thus far Windows laptops with
fingerprint sensors mostly only use them for logging into Windows.

If you don't have those things, I would expect you can use a hardware token
that generates access codes. Banks already do this, but the new standard
means it should be possible to enroll a token from one place with a
different website. Which means you only need one hardware token, not a bag
of tokens to carry around.

That's the theory, anyway. How it plays out remains to be seen.

Theo