runbyfruity | 5 years ago

1. If someone intercepts your password you're screwed anyway. How many of your emails are intercepted regularly?

2. If someone has access to your email, you're screwed anyway because they can lock you out and reset every password.

Your email password, effectively, becomes the password for that website. I.e. security-wise, I think they're equivalent.

ikiris|5 years ago

No, they can't for any entity that properly implements security. This is the entire point of U2F.

garmaine|5 years ago

> If someone intercepts your password you're screwed anyway. How many of your emails are intercepted regularly?

Every single one of them. Email is a plain text protocol.

tialaramex|5 years ago

In practice, today, this is not very true.

There are three components worth looking at. Each of them is popularly secured with TLS.

Firstly, submission, sending an email you just wrote from your client to a server. This is usually done over a specifically TLS-secured "SMTP submission port" 587 although it can also be done with STARTTLS.

Second, relay, getting email from your server to somebody else's server. A large proportion of today's servers default to STARTTLS over SMTP for MX. So this means when they connect to a peer server to exchange mail they'll enquire about using TLS and do so if possible. A passive adversary can't stop this happening.

Finally, delivery. Almost all modern IMAP clients default to using TLS with IMAP, so this step will be encrypted. Even in clients that don't require TLS a passive adversary can't stop them upgrading by default if possible.
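
One way to check the submission and relay hops described in the comment above on a message you actually received, as an added example that is not part of the thread: each receiving server records its protocol in a `Received` header, and the RFC 3848 keywords ending in S or SA (such as `ESMTPS`) mark a hop that ran over TLS. The message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords whose trailing S (or SA) means the hop ran over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: submission, relay and final hand-off, newest header first.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by store.example.org with ESMTPS id 4Bk2; Mon, 7 Sep 2020 10:00:02 +0000
Received: from submit.example.net by mx.example.org with ESMTP id 9Zq1;
 Mon, 7 Sep 2020 10:00:01 +0000
Received: from laptop.example.net by submit.example.net with ESMTPSA id 7Xy3;
 Mon, 7 Sep 2020 10:00:00 +0000
From: alice@example.net
To: bob@example.org
Subject: password reset

body
"""

def strip_comments(text):
    """Drop (possibly nested) parenthesised comments so words inside them are ignored."""
    previous = None
    while previous != text:
        previous, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def hop_report(raw_message):
    """Return [(receiving_host, protocol, used_tls)] from oldest hop to newest."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for header in reversed(received):  # servers prepend, so reverse for time order
        clean = strip_comments(" ".join(header.split()))  # unfold, then strip comments
        by = re.search(r"\bby\s+([^\s;]+)", clean, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", clean, re.I)
        host = by.group(1) if by else "unknown"
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((host, name, name in TLS_KEYWORDS))
    return hops

if __name__ == "__main__":
    for host, name, tls in hop_report(SAMPLE):
        print(f"{host:22} {name:8} {'TLS' if tls else 'no TLS recorded'}")
```

`Received` headers are written by each server in turn, so only the ones added by servers you control can be trusted. The final IMAP fetch by the mail client leaves no header and has to be checked in the client's own connection settings.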