
Thursday, January 14, 2010

Authenticating Password Re-sets
by Anna Slomovic, Anakam CPO

In the past few days Google has announced that its Gmail system suffered an attack in which the Chinese authorities apparently tried to gain information about activities of human rights activists. In its corporate blog, Google posted information about the attack and about how it is responding. Interestingly, some of the accounts were accessed not through a security breach at Google but through a misuse of Gmail credentials.


…as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.


In response to the attack, Google changed the default connection to Gmail from http to https. This is good news for Gmail users, especially users who like to access their e-mail through unsecured networks. However, Google did not address the security of password resets, which have been used more than once to hijack e-mail accounts, including Gmail. (See examples here and here.) Gmail still uses either a link sent to an alternative e-mail account (with a hint on the Password help page about which account is used) or an answer to a secret question if the alternative e-mail account is no longer accessible. Both of these password reset techniques have been shown to be insecure. As a result, a Gmail account holder can follow all the security precautions recommended by Google—use anti-virus software, install patches, be careful about downloads—and the account credentials can still be compromised through the password reset mechanism.


As we increasingly rely on e-mail for communications in the workplace, in our personal lives, and in political activism and charitable endeavors, we should have the option to have strong protection for our e-mail credentials. Using two-factor authentication for password resets can provide greater protection to users than current password reset mechanisms. Technology is now available to do this easily and inexpensively.
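To make the two-factor reset described above concrete, here is an added example (not code from Anakam or Google) of a password-reset service that requires both a link token, delivered to an alternative e-mail address, and a separate one-time code delivered out of band (for instance to a registered phone) before a new password is accepted. The account store, the 15-minute lifetime, the three-attempt limit and the simulated delivery channels are all assumptions chosen for illustration; in a real deployment the token and code would be sent over their respective channels rather than returned to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60   # assumed: a reset link is valid for 15 minutes
MAX_OTP_ATTEMPTS = 3          # assumed: lock the request after three wrong codes


@dataclass
class ResetRequest:
    account: str
    otp: str                  # second factor, delivered out of band (e.g. SMS)
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(token):
    # Store only a hash of the link token, so a leaked store cannot replay links.
    return hashlib.sha256(token.encode()).hexdigest()


def _password_hash(password):
    # Salted PBKDF2 for the stored credential; iteration count is illustrative.
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + dk.hex()


class PasswordResetService:
    """Two-factor password reset: an e-mailed link token AND an out-of-band code
    are both required before a new password is accepted."""

    def __init__(self, accounts, clock=time.time):
        # accounts: {username: {"phone": ..., "password_hash": ...}} (constructed)
        self.accounts = accounts
        self.clock = clock            # injectable clock so expiry can be tested
        self.pending = {}             # token digest -> ResetRequest

    def request_reset(self, account):
        """Start a reset. Returns (link_token, otp) so the caller can route the
        token to the alternative e-mail and the otp to the registered phone.
        Unknown accounts get None so the flow does not confirm which names exist."""
        if account not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)             # unguessable link token
        otp = f"{secrets.randbelow(10**6):06d}"      # six-digit out-of-band code
        self.pending[_digest(token)] = ResetRequest(
            account=account, otp=otp, expires_at=self.clock() + RESET_TTL_SECONDS)
        return token, otp

    def complete_reset(self, token, otp, new_password):
        """Accept a new password only if the link token is known, unexpired and
        unused, and the out-of-band code matches within the attempt limit."""
        req = self.pending.get(_digest(token))
        if req is None or req.used or self.clock() > req.expires_at:
            return False
        if req.attempts >= MAX_OTP_ATTEMPTS:
            return False                              # too many wrong codes
        req.attempts += 1
        if not hmac.compare_digest(req.otp, otp):    # constant-time comparison
            return False
        req.used = True                               # single use: the link dies here
        self.accounts[req.account]["password_hash"] = _password_hash(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample account; the phone number is a placeholder.
    svc = PasswordResetService({"alice": {"phone": "+1-555-0100", "password_hash": "old"}})
    token, otp = svc.request_reset("alice")
    print("reset with link only, no code:", svc.complete_reset(token, "000000", "pw"))
    print("reset with link and code:     ", svc.complete_reset(token, otp, "pw"))
```

The point the example makes is that a leaked alternative mailbox or a guessed secret-question answer is no longer sufficient on its own: the attacker would also need the code sent over the second channel, and the link token cannot be replayed or brute-forced against the code because it is single-use, time-limited and attempt-limited.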




