undefined | Better HN

0 pointsDouble_a_923y ago0 comments

People can't remember many good passwords. So they start reusing them. If one site has a leak, everything is lost without 2FA.

0 comments

sph3y ago

So the choice is for them to permanently lose access to their email?

Homeless people aren't stupid and strong password don't have to be incredibly hard to remember. I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

There is literally nothing more important than your email. Even stuff like your bank account has secondary means of recovery, whereas if you lose access to your email you're pretty much fucked.

UncleMeat3y ago

> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

When your account is stolen the attacker changes your password. You lose access to your email forever and lose access to all of the services that use your email as a recovery platform.

crooked-v3y ago

The point here is that that happens to these people already. I'm sure they'd much rather have only a chance of it happening than it being a guarantee.

judge20203y ago

Who's to say that your email account getting hacked is less dire than losing access to it? Attackers can easily search your inbox for 'verify your email', visit any website of value, and use their access to change the account away from your email to an address that they own, effectively removing your access to your third-party website accounts entirely.

Wowfunhappy3y ago

I don't know that it is less dire, but I do think it's less likely. Are homeless people's email accounts getting hacked three times per year?

Also... maybe getting hacked is worse, or maybe loosing access is worse, but the user should have the right to make that decision! Google can set the default, but the user knows his or her own life.

1 more reply

sph3y ago

Because you can still use an account everybody knows the password of.

It's a terrible place to be in, but isn't nowhere as bad as being a homeless person with no access to HN and Twitter, having Google delete your account and nowhere to complain about. Because that is even worse.

yellowapple3y ago

> So the choice is for them to permanently lose access to their email?

If an attacker breaks in and changes your password, you already do very likely permanently lose access to your email. Account recovery from that point is a hairy process even for people who have a place to safely store important documents, let alone those who don't.

> Even stuff like your bank account has secondary means of recovery

Those rely on forms of identification that the unhoused disproportionately lack (for the same reasons that they are more prone to lose access to phone numbers). This is also among the reasons why being unhoused tends to correlate with being unbanked.

everforward3y ago

> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

This is functionally the outcome of getting hacked, if you want any kind of decent security measures.

Any way that Google can give you access back on a password-only account is going to be rife with bad actors using social engineering to gain control of accounts. As long as that form/page exists, it is a threat vector.

What you're asking is for the password to be the only proof that someone owns an account, which means a hacker can demonstrate ownership just as much as you can.

Banks have more options for account recovery because we're willing to give them a lot more info. They can force me to come in to a branch and compare my ID to my face, or ask for my SSN, or any number of things we're not comfortable handing over to Google (especially over the web).

bombcar3y ago

I would rank a home as more important than email; I'd certainly rather lose access to my email than my home.

But by definition, the homeless have already lost a home (assuming they weren't born homeless) - and I've forgotten passwords before. So "the stupid homeless just need to memorize their password" isn't a solution.

Wowfunhappy3y ago

It's not a solution, but it's a heck of a lot better than locking them out of their accounts even if they still know their password!

syrrim3y ago

> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

step 1: get your account hacked

step 2: hacker changes password

step 3: lose access to your email, forever

What you've presented is not in fact a dichotomy, for any practical purposes.

crooked-v3y ago

Except that they're already losing access to email, forever. A small chance of it happening because of a hacker is better than a statistical guarantee of it happening from phone theft.

1 more reply

n8cpdx3y ago

Is it though? Just because a password leaked doesn’t mean it will actually be abused. A homeless person without a credit card in their Google account is naturally limited in the amount of damage that can be done.

Security questions are probably enough, at least for people who can’t handle 2FA.

j / k navigate · click thread line to collapse

0 comments

sph3y ago

So the choice is for them to permanently lose access to their email?

Homeless people aren't stupid and strong password don't have to be incredibly hard to remember. I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

There is literally nothing more important than your email. Even stuff like your bank account has secondary means of recovery, whereas if you lose access to your email you're pretty much fucked.

UncleMeat3y ago

> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

When your account is stolen the attacker changes your password. You lose access to your email forever and lose access to all of the services that use your email as a recovery platform.

crooked-v3y ago

The point here is that that happens to these people already. I'm sure they'd much rather have only a chance of it happening than it being a guarantee.

judge20203y ago

Wowfunhappy3y ago

I don't know that it is less dire, but I do think it's less likely. Are homeless people's email accounts getting hacked three times per year?

Also... maybe getting hacked is worse, or maybe loosing access is worse, but the user should have the right to make that decision! Google can set the default, but the user knows his or her own life.

1 more reply

sph3y ago

Because you can still use an account everybody knows the password of.

yellowapple3y ago

> So the choice is for them to permanently lose access to their email?

> Even stuff like your bank account has secondary means of recovery

everforward3y ago

> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

This is functionally the outcome of getting hacked, if you want any kind of decent security measures.

What you're asking is for the password to be the only proof that someone owns an account, which means a hacker can demonstrate ownership just as much as you can.

bombcar3y ago

I would rank a home as more important than email; I'd certainly rather lose access to my email than my home.

Wowfunhappy3y ago

It's not a solution, but it's a heck of a lot better than locking them out of their accounts even if they still know their password!

syrrim3y ago

> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

step 1: get your account hacked

step 2: hacker changes password

step 3: lose access to your email, forever

What you've presented is not in fact a dichotomy, for any practical purposes.

crooked-v3y ago

Except that they're already losing access to email, forever. A small chance of it happening because of a hacker is better than a statistical guarantee of it happening from phone theft.

1 more reply

n8cpdx3y ago

Security questions are probably enough, at least for people who can’t handle 2FA.

j / k navigate · click thread line to collapse