Use Google Authenticator with Microsoft’s

Two-step authentication is the technology to use everywhere as much as possible, to prevent identity and data theft. Many online services, including Dropbox, LastPass and Facebook, use Google’s Authenticator app. It generates time-dependent one-time codes that you enter as the second step of two-factor authentication.

Microsoft’s service also supports 2-step authentication. However, by default Microsoft wants you to use its own app to generate the one-time codes. It does not make much sense to use it if you are using Google Authenticator (GA) for all other services. Luckily, Microsoft is smart enough to support GA as well; the option is simple to use, just a little hidden. Here is how to set it up:

  1. “Add a new identity verification app”
  2. Choose “Android”, press “Next”
  3. (If you now choose “Install the app from the Google Play Store.”, you’ll be offered to install a Microsoft app.) DO NOT DO IT.
  4. At the bottom, there is a line: “Android device not compatible? Try this app instead.” It is a link to the Google Authenticator. Click it.
  5. On the next page, a QR code for Google Authenticator is shown. Scan it with the “Set up account” function in Google Authenticator, verify the code and you are good to go.

Paste pure text in Windows


Years ago, text could only be copied between programs in Windows as plain text. That is, only the content, without the format. Today the situation has changed, and in many programs, when you copy and paste text, you do so together with the format, whatever it may be.


In my opinion, this is a really poor approach from the user experience perspective. You should use styles to control the look of your text, so the text properties should not be connected to its content. One should really move around the text, not the look. (Word actually does it pretty neatly, by moving the style rather than the look of the text. The problem however is still there if you copy & paste the text from Word to, say, Excel.)

Another problem with moving the text properties around is that sometimes it is really not what you want. Have you ever tried to copy the content of a web page and paste it into Word? You know what happens. Word tries to keep the whole structure of the web page and transfer it to your document. The problem is that web pages are formatted inherently differently from paper documents. Adding the structure of a web page to a text document means adding numerous redundant elements, such as tables, to your document. Besides, you just wanted the content, the text.


In Google Documents with Windows + Chrome, you can now press Ctrl+Shift+V. For other OS and browsers, see here.

In MS Office, use the Paste Special command. And if you do not like using it all the time, the PureText program comes to help. It is beautifully simple, tiny, and does not require installation. You can assign a new combination for pasting text-only (such as the default Windows+V or Google-like Ctrl+Shift+V) or overrule the standard Ctrl+V. The only two drawbacks are that the program needs admin rights to run and is not as fast as Windows’ own clipboard.

Gmail Watcher

In Windows, I was relying on Google Talk to check my Gmail account for new emails. It was also providing easy and secure access (without entering Google master password) to my Google account.

In Linux, I am using Gmail Watcher plug-in for Firefox.

Contra: You need a running Firefox to see it, which is a disadvantage in comparison to Google Talk. You also cannot benefit from Google application passwords if you use two-step authentication.

Pro: Unlike Google Talk, if a Gmail tab is already open, Gmail Watcher doesn’t create a new one but switches to the one available.

Google’s two-step verification

With some people using an “online office” with Gmail as their email client, Google Docs as their office suite and Picasa Web as a photo hosting service, the security of their Google account is critical. Google’s support forum is full of desperate stories from people who have lost access to their accounts to hijackers.

This normally happens if a user is not careful about his login data. Common mistakes include:

  • weak passwords and
  • logging in to a Google account (which particular service, whether Blogger, Google Docs, YouTube, or Picasa, doesn’t matter) from unsafe computers (friends’, colleagues’, internet cafes) and not changing the Google password soon afterwards.

Once the password is discovered, a hijacker can log into a Google account and change the password. At that moment, the original user basically loses all means to reliably restore his access: there is practically no way to prove that you have any more rights to the account than the current password owner. Google has introduced a few means of restoring access in simple situations. You may be able to request a password reset code sent to your mobile or to an alternative email address; you may be asked approximately when you started using Google services or who your most contacted addressees have been; and there is a security question. However, don’t forget that as soon as a hijacker knows your password, she can change your security question, download the list of most contacted people, and change the mobile number and the alternative email address connected to your account. It is very hard indeed to prove anything in such a situation.

The above-mentioned mistakes are of course ones that should never be made. However, there is one threat against which even experienced users can do little, if anything: key logging. However careful one may be with one’s account and password, it is impossible to prevent a well-written trojan from getting on your computer and monitoring your input of the Google password. Once this has happened, see above.

Now Google has introduced a new log-in method which may well prevent most successful hijacking attacks: two-step verification. While you still have access to your account, enable this feature (My Account > Personal settings, Security, Using 2-step verification) and register your mobile phone for verification. From now on, when you try to log in to any Google service, you’ll get an SMS with a one-time code. This method is used by some banks to secure their online banking service. Even if a hijacker gets your password and the code, she will not be able to change your password, since she would need to enter a new one-time code, which will be sent to your phone.

There are two security holes in the current Google authentication procedure.

1) If, while entering the one-time verification code, you select “Remember verification for this computer for 30 days”, anyone who has your Google password and access to this computer gets full control over your account (including changing the password and the connected phone number). This is exactly the case if you have a trojan in your system. Therefore never select this option. If you don’t, Google asks for a verification code again when someone tries to change the password, so a hijacker will not be able to do any harm.

2) Google Talk, Google’s instant messaging client, lets you log in to the Google Account without entering your password in the browser (and thus also without the one-time code). This would be perfectly fine and even useful if Google still required the one-time code for changing the account password. However, this is not the case: once you’re logged in, you can change the password knowing just the password; no one-time code is required. This means that if a hijacker has intercepted both your main Google password (when you were entering it in a browser) and the Google Talk password, that is enough to change the main password. Let’s hope that this will be improved soon. For now, try never to enter both the Google Talk and the Google account passwords on the same computer.

Google contacts in Thunderbird

Mozilla Thunderbird with IMAP synchronisation with Gmail is a feasible alternative to the Gmail web interface. Staying online within the Google office with one-click access to documents, RSS subscriptions and photos is nice. However, there is one case in which the web interface fails: if you want to seriously use encryption.

In such cases GnuPG + Mozilla Thunderbird + Enigmail work fine. However, you immediately face a problem: if you’re normally using the online interface, your contacts are in Google Contacts, and Thunderbird doesn’t know them.

To get access to your addressees in Google Contacts, use the Google Contacts add-on for Thunderbird.

It supports groups of contacts, postal addresses and telephone numbers, although in a somewhat less flexible manner than Google Contacts does.