Shahid Shah recently posted a piece I wrote on Securing Cloud Services to his popular “HealthCare IT Guy” blog. In light of the highly publicized hijack of Mat Honan’s iCloud and Gmail accounts, I thought I’d expand on point #5 in that piece, “Don’t use reset tokens without expiration”, and reframe it as “Understand the weaknesses of email-based password reset processes”. Mat’s Gmail account was compromised because he had configured a “backup/alternative” email address, and Google supports password reset through such backup addresses. Once the attacker had compromised that backup email address through separate means, Google’s password reset process let the attacker easily reset Mat’s Gmail password and gain control of that account as well.
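As an added example (not code from the original article or from FolderGrid), the store below shows what point #5 asks for when a reset process does have to go through email: a reset token that is random, kept server-side only as a hash, bound to one account, single-use, and dead after a short TTL, so a token recovered from a mailbox later is worthless. The class name, the 15-minute TTL and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed validity window for a reset link


class ResetTokenStore:
    """In-memory reset-token store (constructed for this example).

    Only the SHA-256 of each token is stored, so a leaked copy of the
    store cannot be replayed as a valid reset link.
    """

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested
        self._tokens = {}   # sha256(token) -> {"account", "expires", "used"}

    def issue(self, account):
        """Create one outstanding token for the account; return it for e-mailing."""
        # A fresh request invalidates any earlier token for the same account.
        for digest, rec in list(self._tokens.items()):
            if rec["account"] == account:
                del self._tokens[digest]
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = {
            "account": account,
            "expires": self.clock() + self.ttl,
            "used": False,
        }
        return token  # goes only into the e-mail; never logged or stored raw

    def redeem(self, account, token):
        """Accept the token once, for the matching account, before expiry."""
        # Hashing before lookup means a partial-match timing signal reveals
        # nothing about the token itself.
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self._tokens.get(digest)
        if rec is None or rec["used"]:
            return False
        if self.clock() > rec["expires"]:
            del self._tokens[digest]  # expired: drop it, do not honour it
            return False
        if not hmac.compare_digest(rec["account"].encode(), account.encode()):
            return False  # token belongs to a different account
        rec["used"] = True  # single-use: a second redemption fails
        return True
```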
The lesson to be learned here is that when any account’s password reset process is tied to an email address, that account’s security is wholly dependent on the security of that email address. FolderGrid’s high-security file server accounts are no exception. We rely upon domain administrators to ensure the security of the email addresses used as credentials for their FolderGrid service. Unfortunately, users tend to select weak passwords for those very email accounts out of a desire for ease of access.
If you are not hosting and securing your own email service, then you should most definitely be using a provider that offers two-step authentication, such as Google’s 2-Step Verification or an equivalent measure. Forewarned is forearmed in the ever-escalating online security arms race.