A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows 7 » Windows 7 Forum
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Google screwed up my Gmail acct in Thunderbird



 
 
Thread Tools Rate Thread Display Modes
  #16  
Old September 8th 18, 04:39 AM posted to alt.windows7.general
Ralph Fox
external usenet poster
 
Posts: 474
Default Google screwed up my Gmail acct in Thunderbird

On Fri, 7 Sep 2018 18:42:42 -0700, T wrote:
On 09/07/2018 06:16 PM, T wrote:
On 09/07/2018 05:18 PM, Ralph Fox wrote:
If you change Thunderbird to use OAuth2 authentication with Gmail,
then Thunderbird will not be "less secure".


You would think.Â* But gMail kicks Thunderbird out anyway.


Not here it doesn't.

I correct this issue ALL-THE-TIME.


When Thunderbird installs, it automatically sets gMail up with
OAUTH and then sends you to turn on less secure apps.


Here Thunderbird uses OAuth2, "less secure apps" is turned off, and
Thunderbird continues to work flawlessly with Gmail month after
month.


Where I see this is when gMail sends out a "Security Checkup" and the
first thing it requests you do it turn off "less secure apps". Then
my phone turns red. And they are ALL on OAUTH.


"They" on the phone won't be Thunderbird, whatever they are.
Something is wrong with those phone apps, if they claim to use OAuth2
and they save the OAuth2 authentication token for logging in, but
they still fail to work when "less secure apps" is turned off.


--
Kind regards
Ralph
Ads
  #17  
Old September 8th 18, 04:59 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Google screwed up my Gmail acct in Thunderbird

On 09/07/2018 08:39 PM, Ralph Fox wrote:
On Fri, 7 Sep 2018 18:42:42 -0700, T wrote:


Where I see this is when gMail sends out a "Security Checkup" and the
first thing it requests you do it turn off "less secure apps". Then
my phone turns red. And they are ALL on OAUTH.


"They" on the phone won't be Thunderbird, whatever they are.
Something is wrong with those phone apps, if they claim to use OAuth2
and they save the OAuth2 authentication token for logging in, but
they still fail to work when "less secure apps" is turned off.



Not the phone. The eMail. I got one myself this morning.
You can follow their link and see for yourself.


Turn off less secure access


Your personal information is vulnerable because you allow
apps & devices to access your account in a less secure way.

Turn off this type of access and see other personalized
security recommendations in the Security Checkup.

Take action
Worried about clicking links? Visit the Security Checkup at
https://myaccount.google.com/security-checkup
  #18  
Old September 8th 18, 05:41 AM posted to alt.windows7.general
Ralph Fox
external usenet poster
 
Posts: 474
Default Google screwed up my Gmail acct in Thunderbird

On Fri, 7 Sep 2018 18:20:25 -0700, T wrote:
On 09/07/2018 05:18 PM, Ralph Fox wrote:

Google "app password"


is not any more secure any more than Thunderbird over ssh.


An "app password" does three things:
1. It ensures the password is strong;
2. It ensures the same password is not used with multiple accounts;
3. It can be revoked without having to change your password on multiple devices.

If you yourself already have a strong password, and you don't use the
same password on other accounts, then you yourself already have 2 out
of 3.

But too many people have weak passwords like "Mary123", and/or they
use the same password more than one account. (If a hacker gets a
user's fleecebook password he will try it on the user's Google account
to see if it works there too.)

Google's policy tries to encourage the many users with 0 or 1 out of 3
to have a higher level of security.


This is about you not seeing their pop ups.


This looks more like about reducing Google's labour costs for recovering
people's hacked accounts after those people have used weak passwords
and/or used the same password with other accounts. If Google earns $0.50
from showing ads to Billy, Google does not want to spend $50.00 to verify
Billy's claim and recover his hacked account.


I do not get nagged by Google, and I do not get Google pop-ups in either
Thunderbird or Forté Agent.
i) "Less secure apps" is turned OFF;
ii) Thunderbird is configured to use OAuth2 authentication;
iii) Forté Agent is configured to use an "app password".


--
Kind regards
Ralph
  #19  
Old September 8th 18, 06:19 AM posted to alt.windows7.general
Ralph Fox
external usenet poster
 
Posts: 474
Default Google screwed up my Gmail acct in Thunderbird

On Fri, 7 Sep 2018 20:59:06 -0700, T wrote:

On 09/07/2018 08:39 PM, Ralph Fox wrote:
On Fri, 7 Sep 2018 18:42:42 -0700, T wrote:


Where I see this is when gMail sends out a "Security Checkup" and the
first thing it requests you do it turn off "less secure apps".


Well, did you actually turn off "less secure apps"?

Then
my phone turns red. And they are ALL on OAUTH.


Then what does your phone or its colour have to do with the matter ?


"They" on the phone won't be Thunderbird, whatever they are.
Something is wrong with those phone apps, if they claim to use OAuth2
and they save the OAuth2 authentication token for logging in, but
they still fail to work when "less secure apps" is turned off.


Not the phone. The eMail. I got one myself this morning.
You can follow their link and see for yourself.


Turn off less secure access


Your personal information is vulnerable because you allow
apps & devices to access your account in a less secure way.

Turn off this type of access and see other personalized
security recommendations in the Security Checkup.

Take action
Worried about clicking links? Visit the Security Checkup at
https://myaccount.google.com/security-checkup



It is saying that because it believes you have "less secure apps"
turned ON. You can set Thunderbird and all your other programs
to OAuth2, but if you still have "less secure apps" turned ON
then the email will still say that.

If "less secure apps" is turned ON, then that also means John Q.
Hacker does not need to use OAuth2 when trying to hack into your
Google/Gmail account. Google considers this to be "insecure".

You can set all of your own programs to OAuth2, but that does not
force John Q. Hacker to do the same with his hacking program. Only
turning off "less secure apps" will do that.


To summarise
* Setting Thunderbird to use OAuth2 does _not_ stop this email.
* Setting "less secure apps" to OFF stops this email.
* Setting Thunderbird to OAuth2 lets you use Thunderbird with Gmail
when "less secure apps" is set to OFF.


--
Kind regards
Ralph
  #20  
Old September 8th 18, 06:55 AM posted to alt.windows7.general
cameo[_2_]
external usenet poster
 
Posts: 453
Default Solved: Google screwed up my Gmail acct in Thunderbird

On 9/7/2018 8:03 PM, T wrote:
On 09/07/2018 07:40 PM, cameo wrote:
On 9/7/2018 7:24 PM, T wrote:
On 09/07/2018 07:22 PM, cameo wrote:
On 9/7/2018 6:00 PM, VanguardLH wrote:
cameo wrote:

One day it popped up a message saying that my Gmail account was not
secure there and offered me a button to click to fix it.

That would not be due to an e-mail you viewed in any e-mail client
UNLESS you are so deliberately ignorant as to allow Javascript to
run in
HTML-formatted e-mails.Â* You got that message when you used Gmail's
webmail client, not when using Thunderbird.

So I did click it and ever since I can't use that email account in
Thunderbird.

Google considers any e-mail client that doesn't employ OAUTH2 to be
insecure.Â* OAUTH was never about security of content or
communiction but
about identification (of who was accessing an account).Â* Google (and
others) got involved and royally screwed up OAUTH2 to make it for
their
own ID purposes.Â* They want to track WHO is accessing an account.

One of the original collaborators, and who turned out to be the major
contributor to OAUTH, relinquished all involvement with OAUTH2 and
apologized for what Google (and Microsoft) turned it into.Â* Watch:

Â*Â* "**** OAUTH"
Â*Â* https://vimeo.com/52882780
Â*Â* (gee, I wonder why this video isn't at Google's Youtube)

Go into your Gmail account and *allow* "less secure" clients to access
your Gmail account.Â* If you are using IMAPS or POPS then your
communication is secure.Â* If you are using a *strong* password then
your
account is secure (and NEVER use the same password at multiple sites -
you should use a unique password at each site).Â* OAUTH[2] won't
improve
on that security.Â* When Google is claiming non-Google clients are less
secure, they are lying.

The fix is up in your online account.Â* You have to change the
setting to
ALLOW what Google claims (but is untrue) are insecure clients to
access
your account.

I've been in my Gmail account via the Chrome browser but can't see
where the option is to allow less secure apps.



1) log into your gMail account in a web browser

2) In a second tab, turn on Less Secure Apps
Â*Â*Â* https://support.google.com/accounts/.../6010255?hl=en

HTH,
-T

Thanks, I've got it and it fixed the problem.


You are most welcome.

One thing I still wonder about is that in some implementations I see
googlemail.com instead of gmail.com but they both seem to work. Are
those two names just pointing to the same servers?

  #21  
Old September 8th 18, 07:50 AM posted to alt.windows7.general
Ralph Fox
external usenet poster
 
Posts: 474
Default Solved: Google screwed up my Gmail acct in Thunderbird

On Fri, 7 Sep 2018 22:55:01 -0700, cameo wrote:

One thing I still wonder about is that in some implementations I see
googlemail.com instead of gmail.com but they both seem to work. Are
those two names just pointing to the same servers?



They are effectively the same in *most* countries.

When Google first set up Gmail, the name "Gmail" was already owned by
various other parties in several countries. So Google had to use the
name "googlemail" in those countries (UK, Germany, Poland, Russia).

Google has since came to an arrangement with the original owners of the
name in UK (2009) and Germany (2012).


--
Kind regards
Ralph
  #22  
Old September 8th 18, 08:44 AM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Solved: Google screwed up my Gmail acct in Thunderbird

cameo wrote:

One thing I still wonder about is that in some implementations I see
googlemail.com instead of gmail.com but they both seem to work. Are
those two names just pointing to the same servers?


Google got into a lawsuit regarding their gmail moniker in the UK. They
were forced to change it to googlemail there although nothing in their
server farm changed except the domain name in their nameserver.

https://en.wikipedia.org/wiki/Histor...emark_disputes

The trademark dispute started in 2004. Eventually Google acquired the
gmail trademark in the UK, Germany, and Russia.
  #23  
Old September 8th 18, 04:24 PM posted to alt.windows7.general
Frank Slootweg
external usenet poster
 
Posts: 1,226
Default Google screwed up my Gmail acct in Thunderbird

Ralph Fox wrote:
On Fri, 7 Sep 2018 20:23:17 -0400, Big Al wrote:

On 09/07/2018 08:01 PM, Ralph Fox wrote:
On Fri, 7 Sep 2018 16:08:42 -0700, cameo wrote:

One day it popped up a message saying that my Gmail account was not
secure there and offered me a button to click to fix it. So I did click
it and ever since I can't use that email account in Thunderbird. The
worst thing is that I can't even go back to the state before that
security warning. Interestingly, I also have 2 other Gmail accounts
there and they work fine because I did not try to "fix" them.
I tried to remove the failing account and then re-add it to Thunderbird
with the same server settings as the other 2 working accounts, but it is
still a no-go. Any suggestions?

There is a simple fix:
In Thunderbird, change your Gmail account to use OAuth2 authentication.

Here is a screen-shot of the OAuth2 option in Thunderbird.
http://i.imgur.com/dPUg7N3.png

Someone made the comment that OAuth2 only works for IMAP. (Unless TB
added it for pop).


AFAICT OAuth2 works for IMAP and for SMTP, but not for POP.


Indeed it does not work for POP. I saw that your screenshot shows the
'Server Settings' for an IMAP server, so I checked and the IMAP
'Authentication method' can indeed be set to 'OAuth2', but for a POP
server, that setting ('OAuth2') is not available.

If someone wants to POP their Gmail, use a Google app password with
the POP account. A Google app password also meets Gmail's requirements
for not being "less secure".


How do I do that? I don't know what "a Google app password" is (in
this context) and hence not how/where to set one.

Thanks.
  #24  
Old September 8th 18, 07:06 PM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Google screwed up my Gmail acct in Thunderbird

Frank Slootweg wrote:

Ralph Fox wrote:
On Fri, 7 Sep 2018 20:23:17 -0400, Big Al wrote:

On 09/07/2018 08:01 PM, Ralph Fox wrote:
On Fri, 7 Sep 2018 16:08:42 -0700, cameo wrote:

One day it popped up a message saying that my Gmail account was not
secure there and offered me a button to click to fix it. So I did click
it and ever since I can't use that email account in Thunderbird. The
worst thing is that I can't even go back to the state before that
security warning. Interestingly, I also have 2 other Gmail accounts
there and they work fine because I did not try to "fix" them.
I tried to remove the failing account and then re-add it to Thunderbird
with the same server settings as the other 2 working accounts, but it is
still a no-go. Any suggestions?

There is a simple fix:
In Thunderbird, change your Gmail account to use OAuth2 authentication.

Here is a screen-shot of the OAuth2 option in Thunderbird.
http://i.imgur.com/dPUg7N3.png

Someone made the comment that OAuth2 only works for IMAP. (Unless TB
added it for pop).


AFAICT OAuth2 works for IMAP and for SMTP, but not for POP.


Indeed it does not work for POP. I saw that your screenshot shows the
'Server Settings' for an IMAP server, so I checked and the IMAP
'Authentication method' can indeed be set to 'OAuth2', but for a POP
server, that setting ('OAuth2') is not available.

If someone wants to POP their Gmail, use a Google app password with
the POP account. A Google app password also meets Gmail's requirements
for not being "less secure".


How do I do that? I don't know what "a Google app password" is (in
this context) and hence not how/where to set one.

Thanks.


You have Google generate a *strong* password that is unique to their
service. Google believes users are incapable of creating strong
passwords AND to use unique passwords at each site.

https://support.google.com/accounts/answer/185833?hl=en
https://support.google.com/accounts/.../1070455?hl=en

Since a Google app password is unique per device, Google can track which
device you are using to login. Yep, more tracking data for them.

The link doesn't work (https://myaccount.google.com/apppasswords or
https://security.google.com/settings.../apppasswords). I have to
login, go to my account settings, and under the "Sign-In & security"
section is an "Apps with account access" link. It's the same place
where I have to go to enable the "Allow less secure apps" option.

I'm not sure what process that Google uses. I think it's more of a
smartphone thing, like Android account management. You want an app to
login, get a prompt from the OS, and choose to allow which then records
something in your Google account where you can see online a list of apps
you've granted access.

Microsoft's app password has you create a new password to get around
their 2-step verification procedure since many apps don't support it.
Again, they assume users are too stupid to create strong and per-site
unique passwords. They create a different set of login credentials as a
workaround to their 2-step verification process, so instead of using
your normal site login credentials you instead use their login
credentials. Pretty stupid but then they aren't that off about the
expertise of the user community regarding the use of global passwords
that aren't strong.


  #25  
Old September 8th 18, 10:46 PM posted to alt.windows7.general
Ralph Fox
external usenet poster
 
Posts: 474
Default Google screwed up my Gmail acct in Thunderbird

On 8 Sep 2018 15:24:24 GMT, Frank Slootweg wrote:

If someone wants to POP their Gmail, use a Google app password with
the POP account. A Google app password also meets Gmail's requirements
for not being "less secure".


How do I do that? I don't know what "a Google app password" is (in
this context) and hence not how/where to set one.



A Google "app password" is a 16-character code where
* Google generates the "app password"code for a specific program
(e.g. Thunderbird). You would have a separate "app password"
code for each different program.
* You will get Thunderbird to save the "app password" just like
it can save a normal password. (In Thunderbird, set
'Authentication to "Normal password".
* You can invalidate an app password without having to change your
Google password (for example, if you lose a device).
You manage your app passwords from your Google account's "app
passwords" page.


Here is how I created an "app password" last year...

1) To create an "app password", you first need to turn on
"2-Step verification" in your Google Account Settings.
If you don't want 2-step verification, you can turn
it off again after you have created the app password.

2) Next, to create the Google "app password" go here and
follow the instructions
https://security.google.com/settings/security/apppasswords

If you don't see the option to *create* an app password,
then "2-Step verification" still needs to be turned on.

3) The app password is a 16-character code which you will use in
Thunderbird (and only in Thunderbird) in place of your Google
Gmail POP3 account password. You set authentication to
"Normal password" and still put your Google username in the
"User Name" field.


An app password gives you two advantages
1. You can turn off "allow less secure apps";
2. You can invalidate an app password without having to re-enter
your Google password in every program which uses it.


The problem for Google is that too many people have weak passwords
like "Mary123", and/or they use the same password more than one account
(yes, Google does have to deal with many people who are not like
VanguardLH :-) ). An app password ensures those people have strong
passwords which are not re-used across different accounts.

Also if someone loses a device they may be reluctant to change their
Google password as this means updating the password on multiple devices.
An app password can be revoked without needing to change your main
Google password on multiple devices.



--
Kind regards
Ralph
  #26  
Old September 9th 18, 12:44 AM posted to alt.windows7.general
cameo[_2_]
external usenet poster
 
Posts: 453
Default Solved: Google screwed up my Gmail acct in Thunderbird

On 9/7/2018 11:50 PM, Ralph Fox wrote:
On Fri, 7 Sep 2018 22:55:01 -0700, cameo wrote:

One thing I still wonder about is that in some implementations I see
googlemail.com instead of gmail.com but they both seem to work. Are
those two names just pointing to the same servers?



They are effectively the same in *most* countries.

When Google first set up Gmail, the name "Gmail" was already owned by
various other parties in several countries. So Google had to use the
name "googlemail" in those countries (UK, Germany, Poland, Russia).

Google has since came to an arrangement with the original owners of the
name in UK (2009) and Germany (2012).


Thanks for that interesting bit of history. I've never heard it before.

  #27  
Old September 9th 18, 02:48 PM posted to alt.windows7.general
Frank Slootweg
external usenet poster
 
Posts: 1,226
Default Google screwed up my Gmail acct in Thunderbird

Ralph Fox wrote:
On 8 Sep 2018 15:24:24 GMT, Frank Slootweg wrote:

If someone wants to POP their Gmail, use a Google app password with
the POP account. A Google app password also meets Gmail's requirements
for not being "less secure".


How do I do that? I don't know what "a Google app password" is (in
this context) and hence not how/where to set one.



A Google "app password" is a 16-character code where
* Google generates the "app password"code for a specific program
(e.g. Thunderbird). You would have a separate "app password"
code for each different program.
* You will get Thunderbird to save the "app password" just like
it can save a normal password. (In Thunderbird, set
'Authentication to "Normal password".
* You can invalidate an app password without having to change your
Google password (for example, if you lose a device).
You manage your app passwords from your Google account's "app
passwords" page.


Here is how I created an "app password" last year...

1) To create an "app password", you first need to turn on
"2-Step verification" in your Google Account Settings.
If you don't want 2-step verification, you can turn
it off again after you have created the app password.

2) Next, to create the Google "app password" go here and
follow the instructions
https://security.google.com/settings/security/apppasswords

If you don't see the option to *create* an app password,
then "2-Step verification" still needs to be turned on.

3) The app password is a 16-character code which you will use in
Thunderbird (and only in Thunderbird) in place of your Google
Gmail POP3 account password. You set authentication to
"Normal password" and still put your Google username in the
"User Name" field.


An app password gives you two advantages
1. You can turn off "allow less secure apps";
2. You can invalidate an app password without having to re-enter
your Google password in every program which uses it.


The problem for Google is that too many people have weak passwords
like "Mary123", and/or they use the same password more than one account
(yes, Google does have to deal with many people who are not like
VanguardLH :-) ). An app password ensures those people have strong
passwords which are not re-used across different accounts.

Also if someone loses a device they may be reluctant to change their
Google password as this means updating the password on multiple devices.
An app password can be revoked without needing to change your main
Google password on multiple devices.


Thanks, Ralph and VanguardLH! Very clear!

I'll save this for the next time Google will be bothering me again
with its false security warnings, probably when we'll use ('free') Wi-Fi
hotspots [1] on our next trip in Australia.

[1] Yet another reason for trying to avoid Wi-Fi hotspots and just use a
personal mobile-data hotspot instead.
 




Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off






All times are GMT +1. The time now is 11:18 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.