by velshin 5169 days ago
Is it really that easy to hack someone's gmail account?

I realize phishing and key loggers are easy ways to grab a password, but if you avoid typing your gmail password at public internet kiosks and the like, is it really that easy for someone to get at? Assuming you use a reasonably long and impossible to guess password, the captchas would prevent brute forcing.

An attack targeted specifically at you will inevitably succeed but most of us are not that special.

The article's advice seems far too easy to lock yourself out (losing my wallet with my magic paper codes and my phone could do it). The additional inconvenience does not seem worth it.

Most of us have used physical 2 factor authentication (like RSA SecurID) for banking and work related VPN access. This works well because the provider (your office, your bank) has a vested interest in getting you back into your account if you get locked out. Google, Yahoo, MS, etc. have no such obligation.


A _startlingly_ large number of people are (still) re-using passwords across multiple sites. The Gawker/Sony(/PerlMonks for me) compromises revealed a _lot_ of email addresses and passwords, some significant portion of which almost certainly allowed attackers access not only to the specific website that was attacked, but also to the email service of the exposed user.

I'm pretty sure none of Jeff's advice helps you against a government-agency level attack against you specifically, but following it _will_ protect your email even if some other random website you once registered for exposes the login details you used there. I _hope_ that's not a problem for any HN readers (any more), but what about your partner/children/parents/coworkers? I'd bet good money that _someone_ you know and care about is reusing their email account password on random website signup forms.

My name is Alan Byrne, I work in IT and I'm a password re-user :(

On that note, does anyone know of a secure keysafe app that will sync across my various PCs, iPad and Android phone? This is what is stopping me from going the single use password route.

I use Keepass (or KeepassX, or KeepassDroid, and there's an iOS app too) and Dropbox.

Me too. Just remember to set the load-factor quite high. I've got it set to about 8 million rounds which is about one second on my beefy work computer, two on my private laptop and ~eight on my Android phone. The last bit is a bit annoying but at this point my key database is a pretty high value target - and I can't revoke access to it remotely if I lose my phone.
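The comment above picks a round count by hand ("about one second on my work computer, ~eight on my phone"). The following is an added example, not code from the commenter or from KeePass, showing how to calibrate a password-based KDF to a time budget and project the unlock cost onto slower devices. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for KeePass's own key transform, a constructed iteration floor (`MIN_ITERATIONS`), and the relative device speeds 1.0 / 0.5 / 0.125 taken from the ratios in the comment.

```python
import hashlib
import os
import time

# Constructed example: tune a password-based KDF so that unlocking a
# password database costs a chosen amount of CPU time on *this* machine.
# KeePass uses its own key-transform rounds; PBKDF2-HMAC-SHA256 from the
# standard library stands in here to show the same cost trade-off.

MIN_ITERATIONS = 100_000   # assumed floor: never calibrate below this
KEY_LEN = 32               # 256-bit derived key
PROBE_ITERATIONS = 50_000  # small run used to measure cost per iteration


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a fixed-length key from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def measure_seconds(iterations: int) -> float:
    """Wall-clock time to derive one key at the given iteration count."""
    start = time.perf_counter()
    derive_key("calibration-only", b"\x00" * 16, iterations)
    return time.perf_counter() - start


def seconds_per_iteration() -> float:
    """Cost of a single PBKDF2 iteration on this machine, from a short probe."""
    elapsed = max(measure_seconds(PROBE_ITERATIONS), 1e-9)
    return elapsed / PROBE_ITERATIONS


def calibrate_iterations(target_seconds: float) -> int:
    """Iteration count that makes one unlock take about target_seconds here.
    PBKDF2 cost is linear in the iteration count, so one probe is enough."""
    wanted = int(target_seconds / seconds_per_iteration())
    return max(MIN_ITERATIONS, wanted)


def projected_seconds(iterations: int, per_iteration: float,
                      relative_speed: float) -> float:
    """Unlock time on a device that is relative_speed times as fast as
    the machine the per-iteration cost was measured on."""
    return iterations * per_iteration / relative_speed


if __name__ == "__main__":
    per_iter = seconds_per_iteration()
    rounds = calibrate_iterations(1.0)
    print(f"~{rounds:,} iterations for a 1 s unlock on this machine")
    # Relative speeds constructed from the comment's numbers (1 s / 2 s / 8 s).
    for label, speed in (("work PC", 1.0), ("laptop", 0.5), ("phone", 0.125)):
        print(f"  {label:8s}: {projected_seconds(rounds, per_iter, speed):.1f} s")

    # A fresh random salt per database; the same password and salt must
    # reproduce the same key, and a different password must not.
    salt = os.urandom(16)
    key = derive_key("correct horse battery staple", salt, rounds)
    assert key == derive_key("correct horse battery staple", salt, rounds)
    assert key != derive_key("wrong password", salt, rounds)
    print("derived key:", key.hex())
```

The trade-off the comment describes falls out of the projection step: whatever count makes the fastest machine take one second makes an eight-times-slower phone take eight, so the calibration target has to be chosen for the slowest device you actually unlock on.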

I'm very satisfied with 1Password.

I've been using Firefox Sync on my desktop and Android tablet. Unfortunately, I don't think the Firefox Home app on iOS does passwords.

lastpass should work.