If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
|
Thread Tools | Rate Thread | Display Modes |
#16
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
On Fri, 7 Sep 2018 18:42:42 -0700, T wrote:
On 09/07/2018 06:16 PM, T wrote: On 09/07/2018 05:18 PM, Ralph Fox wrote: If you change Thunderbird to use OAuth2 authentication with Gmail, then Thunderbird will not be "less secure". You would think.Â* But gMail kicks Thunderbird out anyway. Not here it doesn't. I correct this issue ALL-THE-TIME. When Thunderbird installs, it automatically sets gMail up with OAUTH and then sends you to turn on less secure apps. Here Thunderbird uses OAuth2, "less secure apps" is turned off, and Thunderbird continues to work flawlessly with Gmail month after month. Where I see this is when gMail sends out a "Security Checkup" and the first thing it requests you do it turn off "less secure apps". Then my phone turns red. And they are ALL on OAUTH. "They" on the phone won't be Thunderbird, whatever they are. Something is wrong with those phone apps, if they claim to use OAuth2 and they save the OAuth2 authentication token for logging in, but they still fail to work when "less secure apps" is turned off. -- Kind regards Ralph |
Ads |
#17
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
On 09/07/2018 08:39 PM, Ralph Fox wrote:
On Fri, 7 Sep 2018 18:42:42 -0700, T wrote: Where I see this is when gMail sends out a "Security Checkup" and the first thing it requests you do it turn off "less secure apps". Then my phone turns red. And they are ALL on OAUTH. "They" on the phone won't be Thunderbird, whatever they are. Something is wrong with those phone apps, if they claim to use OAuth2 and they save the OAuth2 authentication token for logging in, but they still fail to work when "less secure apps" is turned off. Not the phone. The eMail. I got one myself this morning. You can follow their link and see for yourself. Turn off less secure access Your personal information is vulnerable because you allow apps & devices to access your account in a less secure way. Turn off this type of access and see other personalized security recommendations in the Security Checkup. Take action Worried about clicking links? Visit the Security Checkup at https://myaccount.google.com/security-checkup |
#18
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
On Fri, 7 Sep 2018 18:20:25 -0700, T wrote:
On 09/07/2018 05:18 PM, Ralph Fox wrote: Google "app password" is not any more secure any more than Thunderbird over ssh. An "app password" does three things: 1. It ensures the password is strong; 2. It ensures the same password is not used with multiple accounts; 3. It can be revoked without having to change your password on multiple devices. If you yourself already have a strong password, and you don't use the same password on other accounts, then you yourself already have 2 out of 3. But too many people have weak passwords like "Mary123", and/or they use the same password more than one account. (If a hacker gets a user's fleecebook password he will try it on the user's Google account to see if it works there too.) Google's policy tries to encourage the many users with 0 or 1 out of 3 to have a higher level of security. This is about you not seeing their pop ups. This looks more like about reducing Google's labour costs for recovering people's hacked accounts after those people have used weak passwords and/or used the same password with other accounts. If Google earns $0.50 from showing ads to Billy, Google does not want to spend $50.00 to verify Billy's claim and recover his hacked account. I do not get nagged by Google, and I do not get Google pop-ups in either Thunderbird or Forté Agent. i) "Less secure apps" is turned OFF; ii) Thunderbird is configured to use OAuth2 authentication; iii) Forté Agent is configured to use an "app password". -- Kind regards Ralph |
#19
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
On Fri, 7 Sep 2018 20:59:06 -0700, T wrote:
On 09/07/2018 08:39 PM, Ralph Fox wrote: On Fri, 7 Sep 2018 18:42:42 -0700, T wrote: Where I see this is when gMail sends out a "Security Checkup" and the first thing it requests you do it turn off "less secure apps". Well, did you actually turn off "less secure apps"? Then my phone turns red. And they are ALL on OAUTH. Then what does your phone or its colour have to do with the matter ? "They" on the phone won't be Thunderbird, whatever they are. Something is wrong with those phone apps, if they claim to use OAuth2 and they save the OAuth2 authentication token for logging in, but they still fail to work when "less secure apps" is turned off. Not the phone. The eMail. I got one myself this morning. You can follow their link and see for yourself. Turn off less secure access Your personal information is vulnerable because you allow apps & devices to access your account in a less secure way. Turn off this type of access and see other personalized security recommendations in the Security Checkup. Take action Worried about clicking links? Visit the Security Checkup at https://myaccount.google.com/security-checkup It is saying that because it believes you have "less secure apps" turned ON. You can set Thunderbird and all your other programs to OAuth2, but if you still have "less secure apps" turned ON then the email will still say that. If "less secure apps" is turned ON, then that also means John Q. Hacker does not need to use OAuth2 when trying to hack into your Google/Gmail account. Google considers this to be "insecure". You can set all of your own programs to OAuth2, but that does not force John Q. Hacker to do the same with his hacking program. Only turning off "less secure apps" will do that. To summarise * Setting Thunderbird to use OAuth2 does _not_ stop this email. * Setting "less secure apps" to OFF stops this email. * Setting Thunderbird to OAuth2 lets you use Thunderbird with Gmail when "less secure apps" is set to OFF. -- Kind regards Ralph |
#20
|
|||
|
|||
Solved: Google screwed up my Gmail acct in Thunderbird
On 9/7/2018 8:03 PM, T wrote:
On 09/07/2018 07:40 PM, cameo wrote: On 9/7/2018 7:24 PM, T wrote: On 09/07/2018 07:22 PM, cameo wrote: On 9/7/2018 6:00 PM, VanguardLH wrote: cameo wrote: One day it popped up a message saying that my Gmail account was not secure there and offered me a button to click to fix it. That would not be due to an e-mail you viewed in any e-mail client UNLESS you are so deliberately ignorant as to allow Javascript to run in HTML-formatted e-mails.Â* You got that message when you used Gmail's webmail client, not when using Thunderbird. So I did click it and ever since I can't use that email account in Thunderbird. Google considers any e-mail client that doesn't employ OAUTH2 to be insecure.Â* OAUTH was never about security of content or communiction but about identification (of who was accessing an account).Â* Google (and others) got involved and royally screwed up OAUTH2 to make it for their own ID purposes.Â* They want to track WHO is accessing an account. One of the original collaborators, and who turned out to be the major contributor to OAUTH, relinquished all involvement with OAUTH2 and apologized for what Google (and Microsoft) turned it into.Â* Watch: Â*Â* "**** OAUTH" Â*Â* https://vimeo.com/52882780 Â*Â* (gee, I wonder why this video isn't at Google's Youtube) Go into your Gmail account and *allow* "less secure" clients to access your Gmail account.Â* If you are using IMAPS or POPS then your communication is secure.Â* If you are using a *strong* password then your account is secure (and NEVER use the same password at multiple sites - you should use a unique password at each site).Â* OAUTH[2] won't improve on that security.Â* When Google is claiming non-Google clients are less secure, they are lying. The fix is up in your online account.Â* You have to change the setting to ALLOW what Google claims (but is untrue) are insecure clients to access your account. I've been in my Gmail account via the Chrome browser but can't see where the option is to allow less secure apps. 1) log into your gMail account in a web browser 2) In a second tab, turn on Less Secure Apps Â*Â*Â* https://support.google.com/accounts/.../6010255?hl=en HTH, -T Thanks, I've got it and it fixed the problem. You are most welcome. One thing I still wonder about is that in some implementations I see googlemail.com instead of gmail.com but they both seem to work. Are those two names just pointing to the same servers? |
#21
|
|||
|
|||
Solved: Google screwed up my Gmail acct in Thunderbird
On Fri, 7 Sep 2018 22:55:01 -0700, cameo wrote:
One thing I still wonder about is that in some implementations I see googlemail.com instead of gmail.com but they both seem to work. Are those two names just pointing to the same servers? They are effectively the same in *most* countries. When Google first set up Gmail, the name "Gmail" was already owned by various other parties in several countries. So Google had to use the name "googlemail" in those countries (UK, Germany, Poland, Russia). Google has since came to an arrangement with the original owners of the name in UK (2009) and Germany (2012). -- Kind regards Ralph |
#22
|
|||
|
|||
Solved: Google screwed up my Gmail acct in Thunderbird
cameo wrote:
One thing I still wonder about is that in some implementations I see googlemail.com instead of gmail.com but they both seem to work. Are those two names just pointing to the same servers? Google got into a lawsuit regarding their gmail moniker in the UK. They were forced to change it to googlemail there although nothing in their server farm changed except the domain name in their nameserver. https://en.wikipedia.org/wiki/Histor...emark_disputes The trademark dispute started in 2004. Eventually Google acquired the gmail trademark in the UK, Germany, and Russia. |
#23
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
Ralph Fox wrote:
On Fri, 7 Sep 2018 20:23:17 -0400, Big Al wrote: On 09/07/2018 08:01 PM, Ralph Fox wrote: On Fri, 7 Sep 2018 16:08:42 -0700, cameo wrote: One day it popped up a message saying that my Gmail account was not secure there and offered me a button to click to fix it. So I did click it and ever since I can't use that email account in Thunderbird. The worst thing is that I can't even go back to the state before that security warning. Interestingly, I also have 2 other Gmail accounts there and they work fine because I did not try to "fix" them. I tried to remove the failing account and then re-add it to Thunderbird with the same server settings as the other 2 working accounts, but it is still a no-go. Any suggestions? There is a simple fix: In Thunderbird, change your Gmail account to use OAuth2 authentication. Here is a screen-shot of the OAuth2 option in Thunderbird. http://i.imgur.com/dPUg7N3.png Someone made the comment that OAuth2 only works for IMAP. (Unless TB added it for pop). AFAICT OAuth2 works for IMAP and for SMTP, but not for POP. Indeed it does not work for POP. I saw that your screenshot shows the 'Server Settings' for an IMAP server, so I checked and the IMAP 'Authentication method' can indeed be set to 'OAuth2', but for a POP server, that setting ('OAuth2') is not available. If someone wants to POP their Gmail, use a Google app password with the POP account. A Google app password also meets Gmail's requirements for not being "less secure". How do I do that? I don't know what "a Google app password" is (in this context) and hence not how/where to set one. Thanks. |
#24
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
Frank Slootweg wrote:
Ralph Fox wrote: On Fri, 7 Sep 2018 20:23:17 -0400, Big Al wrote: On 09/07/2018 08:01 PM, Ralph Fox wrote: On Fri, 7 Sep 2018 16:08:42 -0700, cameo wrote: One day it popped up a message saying that my Gmail account was not secure there and offered me a button to click to fix it. So I did click it and ever since I can't use that email account in Thunderbird. The worst thing is that I can't even go back to the state before that security warning. Interestingly, I also have 2 other Gmail accounts there and they work fine because I did not try to "fix" them. I tried to remove the failing account and then re-add it to Thunderbird with the same server settings as the other 2 working accounts, but it is still a no-go. Any suggestions? There is a simple fix: In Thunderbird, change your Gmail account to use OAuth2 authentication. Here is a screen-shot of the OAuth2 option in Thunderbird. http://i.imgur.com/dPUg7N3.png Someone made the comment that OAuth2 only works for IMAP. (Unless TB added it for pop). AFAICT OAuth2 works for IMAP and for SMTP, but not for POP. Indeed it does not work for POP. I saw that your screenshot shows the 'Server Settings' for an IMAP server, so I checked and the IMAP 'Authentication method' can indeed be set to 'OAuth2', but for a POP server, that setting ('OAuth2') is not available. If someone wants to POP their Gmail, use a Google app password with the POP account. A Google app password also meets Gmail's requirements for not being "less secure". How do I do that? I don't know what "a Google app password" is (in this context) and hence not how/where to set one. Thanks. You have Google generate a *strong* password that is unique to their service. Google believes users are incapable of creating strong passwords AND to use unique passwords at each site. https://support.google.com/accounts/answer/185833?hl=en https://support.google.com/accounts/.../1070455?hl=en Since a Google app password is unique per device, Google can track which device you are using to login. Yep, more tracking data for them. The link doesn't work (https://myaccount.google.com/apppasswords or https://security.google.com/settings.../apppasswords). I have to login, go to my account settings, and under the "Sign-In & security" section is an "Apps with account access" link. It's the same place where I have to go to enable the "Allow less secure apps" option. I'm not sure what process that Google uses. I think it's more of a smartphone thing, like Android account management. You want an app to login, get a prompt from the OS, and choose to allow which then records something in your Google account where you can see online a list of apps you've granted access. Microsoft's app password has you create a new password to get around their 2-step verification procedure since many apps don't support it. Again, they assume users are too stupid to create strong and per-site unique passwords. They create a different set of login credentials as a workaround to their 2-step verification process, so instead of using your normal site login credentials you instead use their login credentials. Pretty stupid but then they aren't that off about the expertise of the user community regarding the use of global passwords that aren't strong. |
#25
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
On 8 Sep 2018 15:24:24 GMT, Frank Slootweg wrote:
If someone wants to POP their Gmail, use a Google app password with the POP account. A Google app password also meets Gmail's requirements for not being "less secure". How do I do that? I don't know what "a Google app password" is (in this context) and hence not how/where to set one. A Google "app password" is a 16-character code where * Google generates the "app password"code for a specific program (e.g. Thunderbird). You would have a separate "app password" code for each different program. * You will get Thunderbird to save the "app password" just like it can save a normal password. (In Thunderbird, set 'Authentication to "Normal password". * You can invalidate an app password without having to change your Google password (for example, if you lose a device). You manage your app passwords from your Google account's "app passwords" page. Here is how I created an "app password" last year... 1) To create an "app password", you first need to turn on "2-Step verification" in your Google Account Settings. If you don't want 2-step verification, you can turn it off again after you have created the app password. 2) Next, to create the Google "app password" go here and follow the instructions https://security.google.com/settings/security/apppasswords If you don't see the option to *create* an app password, then "2-Step verification" still needs to be turned on. 3) The app password is a 16-character code which you will use in Thunderbird (and only in Thunderbird) in place of your Google Gmail POP3 account password. You set authentication to "Normal password" and still put your Google username in the "User Name" field. An app password gives you two advantages 1. You can turn off "allow less secure apps"; 2. You can invalidate an app password without having to re-enter your Google password in every program which uses it. The problem for Google is that too many people have weak passwords like "Mary123", and/or they use the same password more than one account (yes, Google does have to deal with many people who are not like VanguardLH :-) ). An app password ensures those people have strong passwords which are not re-used across different accounts. Also if someone loses a device they may be reluctant to change their Google password as this means updating the password on multiple devices. An app password can be revoked without needing to change your main Google password on multiple devices. -- Kind regards Ralph |
#26
|
|||
|
|||
Solved: Google screwed up my Gmail acct in Thunderbird
On 9/7/2018 11:50 PM, Ralph Fox wrote:
On Fri, 7 Sep 2018 22:55:01 -0700, cameo wrote: One thing I still wonder about is that in some implementations I see googlemail.com instead of gmail.com but they both seem to work. Are those two names just pointing to the same servers? They are effectively the same in *most* countries. When Google first set up Gmail, the name "Gmail" was already owned by various other parties in several countries. So Google had to use the name "googlemail" in those countries (UK, Germany, Poland, Russia). Google has since came to an arrangement with the original owners of the name in UK (2009) and Germany (2012). Thanks for that interesting bit of history. I've never heard it before. |
#27
|
|||
|
|||
Google screwed up my Gmail acct in Thunderbird
Ralph Fox wrote:
On 8 Sep 2018 15:24:24 GMT, Frank Slootweg wrote: If someone wants to POP their Gmail, use a Google app password with the POP account. A Google app password also meets Gmail's requirements for not being "less secure". How do I do that? I don't know what "a Google app password" is (in this context) and hence not how/where to set one. A Google "app password" is a 16-character code where * Google generates the "app password"code for a specific program (e.g. Thunderbird). You would have a separate "app password" code for each different program. * You will get Thunderbird to save the "app password" just like it can save a normal password. (In Thunderbird, set 'Authentication to "Normal password". * You can invalidate an app password without having to change your Google password (for example, if you lose a device). You manage your app passwords from your Google account's "app passwords" page. Here is how I created an "app password" last year... 1) To create an "app password", you first need to turn on "2-Step verification" in your Google Account Settings. If you don't want 2-step verification, you can turn it off again after you have created the app password. 2) Next, to create the Google "app password" go here and follow the instructions https://security.google.com/settings/security/apppasswords If you don't see the option to *create* an app password, then "2-Step verification" still needs to be turned on. 3) The app password is a 16-character code which you will use in Thunderbird (and only in Thunderbird) in place of your Google Gmail POP3 account password. You set authentication to "Normal password" and still put your Google username in the "User Name" field. An app password gives you two advantages 1. You can turn off "allow less secure apps"; 2. You can invalidate an app password without having to re-enter your Google password in every program which uses it. The problem for Google is that too many people have weak passwords like "Mary123", and/or they use the same password more than one account (yes, Google does have to deal with many people who are not like VanguardLH :-) ). An app password ensures those people have strong passwords which are not re-used across different accounts. Also if someone loses a device they may be reluctant to change their Google password as this means updating the password on multiple devices. An app password can be revoked without needing to change your main Google password on multiple devices. Thanks, Ralph and VanguardLH! Very clear! I'll save this for the next time Google will be bothering me again with its false security warnings, probably when we'll use ('free') Wi-Fi hotspots [1] on our next trip in Australia. [1] Yet another reason for trying to avoid Wi-Fi hotspots and just use a personal mobile-data hotspot instead. |
|
Thread Tools | |
Display Modes | Rate This Thread |
|
|