My GMail password scares me with its power

86 points by pospischil, over 15 years ago

13 comments

raganwald, over 15 years ago
Forget Google's other properties, my gmail account password is my password for *everything* for the simple reason that an attacker with access to my gmail account can reset my password on almost every other web system by requesting that a password update email be sent to me.

This is one of the reasons I caved and got an iPhone with push mail notification. I want to know the moment I get a password reset email. Alas, a really clever attacker would probably read and delete the mail before I could see it.

catch23, over 15 years ago
I think it would be nice if Google provided an RSA key fob for those of us who do keep a crap ton of stuff in their gmail.

NathanKP, over 15 years ago
I definitely support the author's suggestion that Google offer a premium RSA-style keyfob for extra security.

It would be much more secure and still have the ease of a single authentication process for all Google services.

palehose, over 15 years ago
I don't understand why someone wouldn't be able to create more than one GMail account and use separate accounts for separate Google-related purposes? (Use one GMail account for RSS and a separate GMail account for App Engine, etc.)

There is still the possibility that everyone you give information to is tied to a single GMail account (for your own convenience), but that is still your own fault, not Google.

akernander, over 15 years ago
I don't think we'll see Google splitting off their gmail/gtalk logins from everything else, and I don't necessarily agree that they should. One of the major benefits to using Google services is the sheer amount of services you get without having to log in to multiple sites, or keep multiple bookmarks; Google takes care of it all for you. We're slowly seeing this same idea take over the rest of the web with Facebook Connect and OpenID. People want convenience and don't like remembering a ton of passwords, or even having to retype a login/password on every site they go to. Ideally, for most internet users I'm sure, FB Connect or OpenID or Google would take over the "login market" and include a key fob, so you just log your computer onto the internet and you're good to go. But I agree with most here, a key fob is, well, key.

varaon, over 15 years ago
Not that these solve the problem, but here are some tips to help mitigate negative effects:

1. Audit your Gmail access history. In the footer, there is a message "Last account activity...Details". Click the "Details" link to view recent access history (web and mobile), and for the option to deauth all other sessions.

2. Under your Google account settings, go to Security > Password recovery options. Add your cell phone number under SMS. (https://www.google.com/accounts/ManageAccount)

3. Use a separate e-mail address for password resets, and just for that.

I only follow 2 out of 3 of my suggestions. I was pleased to discover the auditing and SMS recovery features, and thought I'd share them.

fjabre, over 15 years ago
+1 Where is OAuth integration for Gmail IMAP?

This kind of thing weighs down innovation. Take Threadsy.com for example. I'm sure people aren't thrilled about having to give out gmail passwords to make full use of their service. It's a shame that Google hasn't addressed this yet.

yalurker, over 15 years ago
The article seems trivial compared to what I see as the real security risk - unrelated sites that have an "I forgot my password" option which relies on e-mail to reset the password.

If an attacker has your gmail, they can go to your bank, your stock brokerage, your retirement accounts, your credit cards, etc. and say "I forgot my password" and use the e-mail access to reset those.

I hate that my bank wants me to put in "Your mother's maiden name" as a "security question" when that information is painfully easy to get (relative to password). I always enter fake information, but I really wish there was just an opt-out for the password reset feature.

cduan, over 15 years ago
Why not create separate accounts for each service? If you are really security conscious, you could even have a separate password for each one.

For that matter, you might simply solve the gmail/blackberry problem by making a second account for your email, setting your primary account to forward to the second account, and setting the phone to check the second account rather than the first.

selven, over 15 years ago
The blackberry argument is exactly the place where open source is the answer. I have a Python script that I fully understand (and wrote much of it myself) grabbing email data off the internet, and only it knows my password - I wouldn't dare trust proprietary software with something that sensitive.

b-man, over 15 years ago
I don't even know my Gmail password. I do know my KeePassX password though. It knows my 25 char passwords.

grandalf, over 15 years ago
I agree about sharing the password, but if you want to avoid cleartext sending, just go into your settings and choose "use HTTPS for everything"...

abecedarius, over 15 years ago
This is why I don't use Google apps much.