Google's 2 step verification

But the system is still (and will always be) flawed if you give an application password to a malicious program as you can't choose what that password has access to.

You can actually use the application-specific passwords to log in via the browser and it just lets you in... (well, it did when I tried it a while ago)... so giving one of these passwords to the wrong application will open yourself up to attacks.
 
Why would you give the wrong password to another app? The name Application Specific should give that away anyway and if you assign an application specific password (only you can do this) to a malicious app then it’s your own fault surely.

Malicious is the wrong word here. I'll give a specific example I am facing/what made me think about this.

Currently I wish to have a Google Talk application on my iPhone. There is no app directly from Google so I have to use a third-party app. Now the application developers themselves may not use the information, but they still have to store my login details unencrypted in a database so they can log in via their service. That means that if they get hacked, or an employee wishes to, they could find my login details and sell them on.

EDIT: I do agree it's a better system than having just one password... I was just saying, it would be nice to be able to choose what the application has access to.
 
If you knowingly hand your password in clear text to a third party then it doesn't matter how good the security or password encryption methods are - you're the weak link!

I don't. But let's say there is a database where my user information needs to be stored. The database is encrypted, but if the holder of the database has been hacked, it is likely that they will also have access to the private key needed to decrypt the database.

All I am simply saying is that it would be nice to control what each password has access to... so I can give a password access to Google Talk alone.
 