Hi,

On 7/1/20 11:57 am, Adam Bolte wrote:
On Thu, Jan 02, 2020 at 06:13:07PM +1100, Brian May wrote:
I notice the instructions say "The resulting setup is not more secure than a regular getmailrc with 0600 permissions." - which is no surprise really.
Application passwords were, arguably, less secure than what you could actually use as a password and you lost the 2FA aspect of the login. So, lots of room for improvement.
As I understand it, there is arguably a *slight* security improvement in the initial application setup. If the user has two-factor authentication enabled, it would be difficult for someone who learns the password to access e-mails - they would need to have a copy of either the 2FA device, or the security token.
If you know the secret to generate the codes, you don't need any security token. Of course you need the username (email address generally) AND the actual password as well. TOTP, as per "Google Authenticator" and other implementations, is still better than plain username and password, but it isn't bulletproof.
I suspect the real reason Google is forcing this is because they want to help make using client applications less convenient over the web interface.
Perhaps, but adding security can add all sorts of "other" risks or pain.
I have a user who is using gmail with Outlook 2007. They might be affected more so than me. I have told said user they will need to upgrade to Outlook 2019 or Office 365, or use gmail from the website; it looks like Outlook 2007 does not support OAuth from what I can tell.
I just wish people would stop using Google mail services altogether, same with Outlook (hotmail / m$), Yahoo and other bad providers.
Maybe you could put in a plug for Thunderbird or something else that's free software, since it sounds like the user will have to upgrade anyway. Better to make it a true upgrade. :)
Sadly too many people / businesses are happy to keep paying M$ taxes on everything with subscription services; hence why Microsoft is taking in considerably more income in this area, so much so that they care less about Windows license fees, as anyone using Windows is more likely to be using O365 and/or other pay-for services for their lifetime. All in all, lots of pain points ... enough said :(

A.