Google latest sign-in update is making a lot of people very angry (productforums.google.com)
24 points by superasn on May 14, 2015 | hide | past | favorite | 28 comments


I think the biggest problem with their new sign-in which most people are having is that it is more time consuming, i.e. two steps means clicking the sign-in button twice, waiting for transition between pages.

Secondly, it breaks almost all password managers, including Lastpass, and it breaks a lot of extensions like these [1].

[1] https://chrome.google.com/webstore/detail/quick-login-for-go...


Would Google consider breaking Lastpass a bug or a feature?


I don't know how they could consider it a feature. If someone is using lastpass, that person is probably many times more security-conscious than their average user.


Couldn't you also, just as fairly, interpret the use of any "single password to lock up all my other passwords" somehow less security-conscious?


No, because without Lastpass, users use the same password everywhere, or use trivially crackable passwords.


That is a sweeping generalization about security habits of non-users of Lastpass. My point is that the security-consciousness does not necessarily go hand in hand with using a password management system. If someone gets into your single point of truth, they not only have all your passwords, they know about all your other accounts after - needing only to break into just one of them.


It's about risks and exposure. If it were reasonable for people to have randomly generated, unique, memorable passwords for every account (and also change them periodically and after database "leaks"), then we wouldn't have a need for password managers.

Odds are, people compromise on many or all of those things (even smart or meticulous ones). What you sacrifice with a password manager is a single point of failure. Although that's a bit dire; generally (and arduously) you could reset those passwords one-by-one if you lost your master password and/or database.

What I like though is that the exposure of your master password is controlled by you and limited between your keyboard and the application (and the various few things in between; the OS, perhaps RAM, etc). This is usually a lot more narrow than the path your passwords usually take (your browser, http, their server). Because it's a single password (and I'm not limited to a site's stupid max character or other constraints), I can make it as obnoxiously long as I'd like--and I don't have to try 3 or 4 obnoxiously long passwords because I can't remember if I typed the wrong one or if I typoed the right one until I get locked out of that website.

Like I alluded to earlier, I also like knowing how long ago I changed my password, what it used to be (in case my db is updated and I didn't quite change my password like I thought I did), insecure or duplicate passwords (as I migrate them over), or if there has been a database compromise on their end and I then update my password. I'm kind of surprised nobody has released features to automatically change passwords on specific sites.


It's not a generalization but the absolute truth about all people who don't use password managers. They use the same password for multiple accounts or invent some "complex" rule to create passwords by url or title or something else. And the second option is light years away from a secure way of storing passwords :)


Most of these password managers support 2 factor auth. And personally I would consider it unwise not to use 2 factor if your passwords are kept in the cloud (as opposed to a local password vault).


That's not true, though. You would still have to either press tab (now enter), or click the second field to enter the password.


It's very true. The click isn't the problem, the "waiting for transition between pages" is the problem.

Type username/password = ~1s each

Single keypress = ~0.1s each

Page load = ~2s

Before: username + tab + password + enter = 1 + 0.1 + 1 + 0.1 + 2 = ~2.2s

After: username + enter + page load + password + enter = 1 + 0.1 + 2 + 1 + 0.1 + 2 = ~4.2s

Roughly doubling the amount of time it takes to enter your information is significant and annoying.


Except it doesn't even take a second for the password input to appear. Where are you getting those numbers from anyway? When I tried it, it only took about 152 ms for all the data to load after submitting the e-mail address.


It depends greatly on your location, connection and browser. Many users are stuck on low quality internet connections or mobile devices where things can easily take a full second or more.


I have no problems with Dashlane


Every spammer will now know the full name of any google user since it's displayed on the second page. Eventually in the near future, even if you remove the name and keep the display image and the display image is of a person, face recognition software could determine who the person is due to Facebook and other social media platforms. Displaying a display image or showing the full name is a complete breach of security and privacy. Eventually one could theoretically find all Google accounts a person has with Google.


I thought it only showed this information if you had recently, successfully logged in to your account on that computer?


Yeah, I suppose that is possible if they didn't spoof it or your device became compromised. I haven't seen/read anything on what they're doing to handle this scenario.


If your device is compromised, someone knowing which accounts you have is pretty much a given regardless of you logging in to Google...


> As we’ve said many times, we're working towards introducing new authentication solutions that complement traditional passwords. We’ve already separated the ‘username’ and ‘password’ fields onto separate pages on a successful launch in Android last year. This change to our web sign-in page is another step in that direction.

It may make them angry, but it's pretty clear Google is working towards a:

"Username" -> "Auth Factor 1; Maybe not Password" -> "Auth Factor 2; Also maybe not Password" model.


I've never understood the security benefit to having separate username/password pages. How does this help?


It prevents someone from faking Google's login page (or any other service) to capture users' passwords. This is the same as showing a "trusted image" that you selected.


Does it? What stops them from MITM-ing your answer on the first screen to get the trust image for the second screen? (In a way that's meaningfully different than the single-screen version, I mean, so not HTTPS certs.)


As TFA mentions, it only shows the image if logging in from a known IP or device, so the MITM won't have access to it, unless of course they can hijack your device or connection, but that's orders of magnitude harder than setting up a fake login page.
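The mechanism described in this sub-thread (username on page one, and a personalised name or trusted image on page two only when the request comes from a device that has previously completed a full sign-in) can be sketched as a small two-step login. The following is an added example, not code from Google or from anyone in the thread; the account directory, the password hash, the server key and the cookie-style device token are all constructed here for illustration, and a real deployment would also expire tokens and tie them to a server-side session store.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for this example only (not real accounts or keys).
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret used to sign device tokens


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the directory never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_salt = secrets.token_bytes(16)
ACCOUNTS = {
    "alice@example.com": {
        "display_name": "Alice Example",
        "salt": _salt,
        "pw_hash": _hash_password("correct horse battery staple", _salt),
    },
}


def issue_device_token(email: str) -> str:
    """Mint the cookie value a browser receives after a successful sign-in.

    A random nonce is bound to the account under the server key, so a token
    copied from another account, or invented by a fake login page, will not
    verify for this address.
    """
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{email}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def device_is_known(email: str, token: Optional[str]) -> bool:
    """True only if the token was issued by this server for this exact account."""
    if not token or "." not in token:
        return False
    nonce, tag = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{email}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def username_page(email: str, device_token: Optional[str]) -> dict:
    """Decide what the second (password) page may show once the address is submitted.

    Personalisation appears only for a device that previously completed a full
    sign-in. Anyone else, including a phishing page relaying the address it was
    typed into, gets the generic form. The response has the same shape whether
    or not the address exists, so it does not confirm which addresses are
    registered.
    """
    if email in ACCOUNTS and device_is_known(email, device_token):
        return {"personalized": True, "display_name": ACCOUNTS[email]["display_name"]}
    return {"personalized": False, "display_name": None}


def password_page(email: str, password: str) -> Optional[str]:
    """Verify the password; on success return a fresh device token to set as a cookie."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    candidate = _hash_password(password, acct["salt"])
    if not hmac.compare_digest(candidate, acct["pw_hash"]):
        return None
    return issue_device_token(email)


if __name__ == "__main__":
    # First visit from a fresh browser: no name, no image, just the password field.
    print(username_page("alice@example.com", None))
    token = password_page("alice@example.com", "correct horse battery staple")
    # Next visit from the same browser: the personalised page two.
    print(username_page("alice@example.com", token))
```

The point the thread makes in reverse is visible in `username_page`: a user who suddenly sees the generic form on a browser they use every day has a signal that something between them and the service changed, whereas a single-page form gives the same view to everyone.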


Bank of America has had 2-part login screens forever. IIRC they are going in the opposite direction and will be putting them together in a single page very shortly.


Right, because if one day your sitekey is missing, you'll shrug and think "I guess my cache cleared, whatever", and not distinguish a data reset from a MITM attack.


Why can't we have both? Like the 2FA?

Have the users enter their user/pass on the first page. The second and third pages then ask for the Auth Factor II or Auth Factor III fields.


Couldn't they accomplish the same effect with AJAX? I.e., display the 2nd bit based on which E-Mail is typed?


Google is in a transition to optimize for your account security over the convenience of saving 500ms every week or so by having a single page.

For the business "this is wasting my time" complaint I just read a whole lot of: you're about to spend an hour or so reading inconsequential emails instead of doing anything productive anyways. What is another 500ms?



