← Back to context

Comment by mattbis

1 day ago

You are probably right... I tend to change my password semi often. It's always a super complex impossible to remember string - and always keep an eye on the account activity.

Not to mention ; you would assume he should have more than one device linked to the account and then that adds another layer, since Google will ask you " is this you trying to logon ". <-- that is the only way to get Google to do the unrecognized flow you mention.

If you are suggesting it was exposed and he didn't immediately randomise all his passwords.. WORDS FAIL ME

It's all security 101 the irony is immense...

if the US government / FBI need someone to give some talks on how to do security ...

4 comments

mattbis

Reply
ffsm8  1 day ago

Changing a password that's randomly generated is security theatre. It doesn't meaningfully improve security

Also it's entirely possible they only compromised a honeypot.

Considering their track record, that's actually more likely tbh

  • mattbis  1 day ago

    Honeypot sure I didn't think of that.. But I was under the impression the FBI confirmed it ? So we can rule it out.

    Making the password impossible to guess - how could that not be?

    Since then you know you have a breach, as its randomised gibberish, if you then get the 2nd device asking " is this you trying to login " you can definitely know you are compromised....

    I can't see your logic here, that isn't " theatre " ????

    If you think that is theatre what is better then? Words and numbers.. easily brute forced.. Sorry can't agree.

    • ffsm8  1 day ago

      Why would they willingly destroy their successful honeypot if the other party announced they've access to it?

      I haven't seen what's in it either though, but I would not rule it out yet, especially when the FBI is involved - which love those tactics

      When you're compromised, changing the password is obviously not theatre - but changing a password which is randomly generated with enough entropy is what's pointless theatre. A secure password is secure, esp. If you're already using a password manager then the act of changing isn't meaningfully increasing your security (unless you're aware that your password was compromised) because the way to compromise it is what...? Having a keylogger on a device you logged in on? Then the changed password will be just as compromised

      1 reply →