The Ministry Blog

13 October, 2008

Safer webmailing

If you use webmail, there's always a risk of its security being compromised and, worse, of someone changing the login details to prevent the legitimate owner from gaining access. Hence, it's important to verify that one's account is correctly configured NOW for security and restoration of access after an attack; as Lifehacker says, "test your webmail's password recovery (before someone else does)".

There is a logical flaw in adopting these recovery measures afterwards, which I won't highlight publicly. However, don't misunderstand (as I nearly did, initially): in this context, configuring the recovery process is about preventing its use as an attack vector.

So what happens if your webmail is compromised and the standard recovery procedure fails? I can't speak for Yahoo! or Hotmail, but Gmail has a secondary system which identifies a genuine user by long-term account usage rather than questions an attacker could influence.
Again, it requires a little preparation. The form asks about other Google products associated with the webmail account, including their first usage dates. Collecting such specific information would be more challenging if one loses access (it's not easy with access!), so do it now.

Even more importantly, perhaps, one might wish to seriously consider the consequences before using webmail for anything really important or confidential.

Page design and original graphics © NRT, 2003