How do email managers know you changed your password and can log in for you?

Newsgroups: alt.comp.hardware.pc-homebuilt
Date: Sat, 11 Nov 2023 19:53:48 -0800 (PST)
 by: RayLopez99 - Sun, 12 Nov 2023 03:53 UTC

In the old days when you changed your password on an email account (like Gmail, Yahoo, Outlook) and tried to log in using an email manager (like Huawei or Outlook Office or maybe Thunderbird (not sure)) the manager would ask for your new email password and it took a few minutes to set it up. Nowadays they don't. Why?

From what I surmise, there must be a 'master' or 'master session' password that's encrypted and if your "recognized or authorized device" (tablet, phone, pc) that is "verified" to be yours is trying to log into your email, the email manager will negotiate the login without having to actually store and send the new password. This is done as a convenience but it's a bit unnerving. I recently lost a phone to a thief and I deactivated it, but the thought that even if I change the password for my email one minute after I lose my phone, that the thief can still read and access my emails on Gmail until I "unauthorize" the stolen phone is unsettling, since he has a "recognized" or "authorized" device.

Paul, Starbuck, others?

RL

Re: How do email managers know you changed your password and can log in for you?

 by: Paul - Sun, 12 Nov 2023 09:26 UTC

On 11/11/2023 10:53 PM, RayLopez99 wrote:
> In the old days when you changed your password on an email account (like Gmail, Yahoo, Outlook) and tried to log in using an email manager (like Huawei or Outlook Office or maybe Thunderbird (not sure)) the manager would ask for your new email password and it took a few minutes to set it up. Nowadays they don't. Why?
>
> From what I surmise, there must be a 'master' or 'master session' password that's encrypted and if your "recognized or authorized device" (tablet, phone, pc) that is "verified" to be yours is trying to log into your email, the email manager will negotiate the login without having to actually store and send the new password. This is done as a convenience but it's a bit unnerving. I recently lost a phone to a thief and I deactivated it, but the thought that even if I change the password for my email one minute after I lose my phone, that the thief can still read and access my emails on Gmail until I "unauthorize" the stolen phone is unsettling, since he has a "recognized" or "authorized" device.
>
> Paul, Starbuck, others?
>
> RL
>

The only mechanism I know of, is the "token".

When you enter a password, a "token" can be kept on the equipment.
The "token" even continues to work after a password change (done on
another device), but eventually the token will expire, and the
new password should be needed at some point.

I have not tested password change on my setup, so I have not personally
witnessed the dynamics. I was just reading somewhere, that the "token"
is a "proof of purchase" in a sense, and only time (or knowledge of an
unexpected device trying to log in), might make it expire. It's
a convenience that can be revoked as the issuer (Google etc) desires.

I was surprised how long the "token" lasted on one of my browsers.
Days long. Silly really, and insecure.

And I don't know if there is any way to set up an account, such that
tokens are never used, and only fresh password authentication works
on each session.

I expect part of the rationale for this, has nothing to do with
"user convenience". Authentication requires computing resources,
and if the arch has a flood of auth operations going on, this
can be a rate limiting step and slow down the server end. The usage
of the token, just might be so that the sessions perform well.

Paul
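
The token behaviour described in the post above, as an added example that is not part of the original thread and not any mail provider's actual implementation: a constructed toy server (`TokenIssuer`, its field names and the `revoke_on_password_change` switch are all assumptions) that checks the password once, hands out a signed token, and then shows which server-side checks stop a token left on a lost phone.

```python
import hashlib
import hmac
import secrets

class TokenIssuer:  # constructed toy model of a provider's login service
    def __init__(self, ttl=7 * 24 * 3600, revoke_on_password_change=False):
        self.key = secrets.token_bytes(32)    # server-side signing key
        self.ttl = ttl                        # token lifetime in seconds
        self.revoke_on_password_change = revoke_on_password_change
        self.passwords = {}                   # user -> password (plaintext only to keep the toy short)
        self.pw_changed_at = {}               # user -> time of last password change
        self.revoked_devices = set()          # (user, device) pairs the owner signed out

    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def set_password(self, user, password, now):
        self.passwords[user] = password
        self.pw_changed_at[user] = now

    def login(self, user, password, device, now):
        # The only place the password is checked; the client keeps the token.
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        payload = f"{user}|{device}|{now}"
        return f"{payload}|{self._sign(payload)}"

    def check(self, token, now):
        payload, _, sig = token.rpartition("|")
        if not hmac.compare_digest(sig, self._sign(payload)):
            return "bad signature"
        user, device, issued = payload.split("|")
        issued = int(issued)
        if now - issued > self.ttl:
            return "expired"
        if (user, device) in self.revoked_devices:
            return "device revoked"
        if self.revoke_on_password_change and issued < self.pw_changed_at[user]:
            return "issued before password change"
        return "ok"

def stolen_phone_scenario(revoke_on_password_change):
    srv = TokenIssuer(revoke_on_password_change=revoke_on_password_change)
    srv.set_password("ray", "old-pw", now=0)
    phone = srv.login("ray", "old-pw", "phone", now=10)   # token left on the phone
    srv.set_password("ray", "new-pw", now=100)            # changed from another device
    after_change = srv.check(phone, now=160)              # one minute later
    srv.revoked_devices.add(("ray", "phone"))             # owner signs the phone out
    return after_change, srv.check(phone, now=200), srv.check(phone, now=10 + srv.ttl + 1)
```

With the switch off, the phone's token is still accepted a minute after the password change and only stops working once the device is signed out or the token's lifetime runs out; with it on, the password change alone is enough.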

Re: How do email managers know you changed your password and can log in for you?

 by: RayLopez99 - Sun, 12 Nov 2023 20:29 UTC

On Sunday, November 12, 2023 at 4:26:27 AM UTC-5, Paul wrote:
> I expect part of the rationale for this, has nothing to do with
> "user convenience". Authentication requires computing resources,
> and if the arch has a flood of auth operations going on, this
> can be a rate limiting step and slow down the server end. The usage
> of the token, just might be so that the sessions perform well.
>
> Paul

Thanks Paul, I think you are right. I notice for Outlook Office 2019 Manager after a while did ask for the new password (a day or so later). The Huawei email manager never did, so maybe it's less secure a bit. I suppose you could make things more secure by setting up two-factor authorization every time you want to sign in (which would not work if your stolen phone is what receives the two-factor code, if anything that would lock you out of all your devices), and/or use that 'dongle' USB stick for authorization, like the Yubico Security Key.

RL
