Windows 7 or firewall troubleshooting help

Alexandros Papadopoulos alexandros.papadopoulos at gmail.com
Sun Apr 15 14:48:46 EDT 2012


On 15 April 2012 18:48, Lynn McLeod <lynn.mcleod at gmail.com> wrote:
<snip>
> I assume the app-specific password we need for Pidgin is for google talk.
>
> Maybe we will start over and create new google accounts without the 2-step
> verification. It's a pain.

If 2-step verification is turned on, Google demands a 2nd auth token
for anything that tries to use your main account password. This is a
good idea, because that password has the power to change settings,
set up forwarding rules, see all your browsing history, other Google
services you used, what the friends of your friends are up to etc.

As far as I'm aware this only works for browser-based authentication.
For application authentication (GMail on your phone, Google Talk on
the desktop, Pidgin on your laptop etc.) you need an
application-specific password. Such passwords do not allow full access
to your Google profile, and are therefore safer to save on untrusted
devices that might fall into the wrong hands.

Google don't advertise the fact that a single "application-specific"
password can in fact be used across many different applications.
Presumably to stop people creating a single "application specific"
password and using it for all their apps which would defeat part of
the purpose.

If you take application-specific passwords at face value and treat
them as unique and specific to one instance of one application, you've
bought yourself a little extra security. Let's say you use Pidgin on 2
laptops and you have a unique application-specific password for each
Pidgin instance accessing the Google Talk service on each laptop, e.g.
"Pidgin on Toshiba Laptop" and "Pidgin on work PC". Your laptop gets
stolen. No biggie - just log in to your Google account with a browser
with your main password and deactivate that particular password. Your
Google account is not exposed.

To sum up, think of your "main" Google password as your administrative
password and your "application specific" password(s) as "regular user"
passwords. You can (and probably should) have many of the latter.

Google try to strike a balance between security & usability with this
model. If protecting your users' main accounts is not a big deal, by
all means revert to standard single-factor auth and everything will
play nicely with the same password. It will be similar to the
convenience of allowing all your users to go about their regular work
tasks using administrator accounts on Windows. Sometimes it's the only
thing you can do.

Alex
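The admin-versus-regular-user model described in the message above, as an added Python sketch that is not part of the original thread nor of Google's or Pidgin's code: one main password that is only accepted together with a second factor, plus any number of per-device application passwords that can be revoked one at a time and never gain the power to change settings. The second-factor check is an assumed callable passed in by the caller.

```python
import hashlib
import hmac
import secrets
import string
from typing import Callable, Dict, List, Optional

def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store does not hand out the passwords.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class TwoTierAccount:
    """Constructed model: an 'admin' main password plus revocable app passwords."""

    def __init__(self, main_password: str, second_factor_ok: Callable[[str], bool]):
        self._main_salt = secrets.token_bytes(16)
        self._main = _hash(main_password, self._main_salt)
        self._second_factor_ok = second_factor_ok          # assumed OTP verifier
        self._apps: Dict[str, List] = {}                   # label -> [salt, hash, active]

    def create_app_password(self, label: str) -> str:
        # 16 random lowercase letters, one per device/application instance.
        pw = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        salt = secrets.token_bytes(16)
        self._apps[label] = [salt, _hash(pw, salt), True]
        return pw

    def revoke(self, label: str) -> None:
        # Deactivating one label leaves every other device's password working.
        self._apps[label][2] = False

    def authenticate(self, password: str, second_factor: Optional[str] = None) -> Optional[str]:
        """Return 'admin', 'app:<label>' or None."""
        if hmac.compare_digest(_hash(password, self._main_salt), self._main):
            # Main password alone is never enough: the 2nd token is mandatory.
            if second_factor is not None and self._second_factor_ok(second_factor):
                return "admin"
            return None
        for label, (salt, digest, active) in self._apps.items():
            if active and hmac.compare_digest(_hash(password, salt), digest):
                return f"app:{label}"
        return None

    @staticmethod
    def can_change_settings(scope: Optional[str]) -> bool:
        # Only the admin scope may touch settings, forwarding rules, etc.
        return scope == "admin"
```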
