Hi,

On 8/1/20 7:54 am, Brian May wrote:
> Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
>> Application passwords were, arguably, less secure than what you could actually use as a password and you lost the 2FA aspect of the login. So, lots of room for improvement.
>
> No, not really. e.g. if you look at the getmail implementation, it is still just storing a secret (token) stored on the filesystem that is completely usable without any 2FA. You do need 2FA to obtain the original token (just like you need 2FA to obtain an application specific password), but once you have that there is no need for 2FA anymore.

I think you misunderstand my views on Google authentication.

If you login to your Google account, then you can add in 2FA using the Google Authenticator app or anything compatible with TOTP (I use a python script myself). When you set up 2FA, at least way back (not sure if it is any different now), you could set up "application passwords" for things like Thunderbird or something else that has to login to your Google account. It is these passwords that use a fixed length and a small number of hexadecimal characters (so only 16 base characters, not even close to base64 or the printable character set, and forget about using non-printable characters).

If you want a secure password, then long is great, but so is using a range of characters, or perhaps better still a long list of dice words so it can be easily typed.

Anywhere you have plain text tokens or passwords stored in the file system, then you had better take care of those well. Use FDE (full disk encryption) and/or ensure proper use of file permissions, etc.

btw my use of a Google account or rather accounts is more for testing purposes or for Android devices -- I should probably be using F-Droid though instead of the Play Store, but that's a whole different story and can of worms ;)

Cheers
A.