Discussion:
How do email managers know you changed your password and can log in for you?
RayLopez99
2023-11-12 03:53:48 UTC
In the old days when you changed your password on an email account (like Gmail, Yahoo, Outlook) and tried to log in using an email manager (like Huawei or Outlook Office or maybe Thunderbird (not sure)), the manager would ask for your new email password and it took a few minutes to set it up. Nowadays they don't. Why?

From what I surmise, there must be a 'master' or 'master session' password that's encrypted, and if your "recognized or authorized device" (tablet, phone, PC) that is "verified" to be yours is trying to log into your email, the email manager will negotiate the login without having to actually store and send the new password. This is done as a convenience, but it's a bit unnerving. I recently lost a phone to a thief and I deactivated it, but the thought that even if I change the password for my email one minute after I lose my phone, the thief can still read and access my emails on Gmail until I "unauthorize" the stolen phone is unsettling, since he has a "recognized" or "authorized" device.

Paul, Starbuck, others?

RL
Paul
2023-11-12 09:26:22 UTC
Post by RayLopez99
In the old days when you changed your password on an email account (like Gmail, Yahoo, Outlook) and tried to log in using an email manager (like Huawei or Outlook Office or maybe Thunderbird (not sure)), the manager would ask for your new email password and it took a few minutes to set it up. Nowadays they don't. Why?
From what I surmise, there must be a 'master' or 'master session' password that's encrypted, and if your "recognized or authorized device" (tablet, phone, PC) that is "verified" to be yours is trying to log into your email, the email manager will negotiate the login without having to actually store and send the new password. This is done as a convenience, but it's a bit unnerving. I recently lost a phone to a thief and I deactivated it, but the thought that even if I change the password for my email one minute after I lose my phone, the thief can still read and access my emails on Gmail until I "unauthorize" the stolen phone is unsettling, since he has a "recognized" or "authorized" device.
Paul, Starbuck, others?
RL
The only mechanism I know of is the "token".

When you enter a password, a "token" can be kept on the equipment.
The "token" even continues to work after a password change (done on
another device), but eventually the token will expire, and the
new password should be needed at some point.

I have not tested password change on my setup, so I have not personally
witnessed the dynamics. I was just reading somewhere, that the "token"
is a "proof of purchase" in a sense, and only time (or knowledge of an
unexpected device trying to log in), might make it expire. It's
a convenience that can be revoked as the issuer (Google etc) desires.

I was surprised how long the "token" lasted on one of my browsers.
Days long. Silly really, and insecure.

And I don't know if there is any way to set up an account, such that
tokens are never used, and only fresh password authentication works
on each session.

I expect part of the rationale for this has nothing to do with
"user convenience". Authentication requires computing resources,
and if the arch has a flood of auth operations going on, this
can be a rate limiting step and slow down the server end. The usage
of the token just might be so that the sessions perform well.

Paul
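To make the token mechanism Paul describes concrete, here is an added example (not code from the thread or from any mail provider) of a small signed-token service: the server mints a token at password login, the device presents the token on later requests, and the token keeps working after a password change until it expires or the issuer revokes it. The `reject_on_password_change` switch goes one step beyond the thread and shows the check a provider can apply so that tokens issued before the last password change stop working. All names, key material and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Added example (not from the thread): a minimal model of the "token" Paul
# describes. The server signs a token at password login, the device keeps it,
# and later requests present the token instead of the password.
# Every name, key and timestamp below is constructed for illustration.

DAY = 24 * 60 * 60


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Issues and verifies HMAC-signed session tokens for one mail service."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._revoked_devices = set()      # device ids the owner "unauthorized"
        self._password_changed_at = {}     # user -> time of last password change

    def issue(self, user: str, device_id: str, now: int, ttl: int = 7 * DAY) -> str:
        """Mint a token after a successful password login."""
        claims = {"user": user, "device": device_id, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def change_password(self, user: str, now: int) -> None:
        self._password_changed_at[user] = now

    def revoke_device(self, device_id: str) -> None:
        self._revoked_devices.add(device_id)

    def verify(self, token: str, now: int, reject_on_password_change: bool = False) -> str:
        """Return "ok" or the reason the token was rejected."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return "malformed"
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "bad-signature"          # tampered claims are never trusted
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return "expired"                # "only time ... might make it expire"
        if claims["device"] in self._revoked_devices:
            return "device-revoked"         # issuer revoked it on request
        changed = self._password_changed_at.get(claims["user"])
        if reject_on_password_change and changed is not None and claims["iat"] < changed:
            return "password-changed"       # stricter policy: old tokens die with the old password
        return "ok"


def lost_phone_scenario(reject_on_password_change: bool) -> list:
    """Walk through the thread's scenario and return the verify result at each step."""
    svc = TokenService(b"constructed-demo-key")
    phone = svc.issue("ray", "phone-1", now=0)
    results = [svc.verify(phone, now=60)]             # phone logged in, token works
    svc.change_password("ray", now=120)               # owner changes the password
    results.append(svc.verify(phone, now=180,
                              reject_on_password_change=reject_on_password_change))
    svc.revoke_device("phone-1")                      # owner "unauthorizes" the phone
    results.append(svc.verify(phone, now=240))
    results.append(svc.verify(phone, now=8 * DAY))    # past the ttl regardless
    return results


if __name__ == "__main__":
    print("default policy:", lost_phone_scenario(False))
    print("strict policy: ", lost_phone_scenario(True))
```

With the default policy the second step returns "ok": the token outlives the password change exactly as Paul describes, and only revocation or expiry stops it. With the strict policy the same step returns "password-changed", which is the behaviour the original poster was hoping for.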
RayLopez99
2023-11-12 20:29:45 UTC
Post by Paul
I expect part of the rationale for this has nothing to do with
"user convenience". Authentication requires computing resources,
and if the arch has a flood of auth operations going on, this
can be a rate limiting step and slow down the server end. The usage
of the token just might be so that the sessions perform well.
Paul
Thanks Paul, I think you are right. I notice the Outlook Office 2019 manager did ask for the new password after a while (a day or so later). The Huawei email manager never did, so maybe it's a bit less secure. I suppose you could make things more secure by setting up two-factor authorization every time you want to sign in (which would not work if your stolen phone is what receives the two-factor code; if anything that would lock you out of all your devices), and/or use that 'dongle' USB stick for authorization, like the Yubico Security Key.

RL