
I turned on 2-step verification and had to set up an application-specific password for Outlook. I noticed the password generated is actually weaker than the one I had before turning on 2-step verification. Is it worth it? How exactly does the application-specific password work? For example, after the first time the app logs in, does Google somehow remember some sort of fingerprint of the app?

EDIT: after reading the possible duplicate, it is a very similar question. However, even the answers to that do not address whether 2-step verification is necessarily safer. In a nutshell, the answers given say that it is very difficult to brute-force the generated application-specific passwords, but the same could be said about a normal password (without 2-step verification), so in this sense 2-step verification would be pointless?

Celeritas

1 Answer


Google just associates that password with only that service. You could reuse that password for that account across, say, multiple email clients connecting to Gmail. But you wouldn't be able to also use that password for Youtube.

As far as password strength, they use a 16-letter random password. Simple arithmetic shows that the entropy in a random 16-letter string is a little over 75 bits (26^16 is roughly equal to 2^75). This isn't quite strong enough to use as an encryption key, but is more than strong enough as a password, particularly if they also use a slow hash for storage.

Stephen Touset
  • "Google just associates that password with only that service." but how? How does it automatically know that the request being sent is from Outlook? Even if it does know it seems easy to spoof. – Celeritas Apr 29 '14 at 00:47
  • The *service*, not the client. Gmail is a service. Youtube is a service. Outlook is a client. The Youtube iPhone app is a client. – Stephen Touset Apr 29 '14 at 00:53
  • I seriously don't understand what point is trying to be made? – Celeritas Apr 29 '14 at 01:01
  • I'm not sure how much more simple I can make it. An application-specific password is not specific to the application on your own computer; it's specific to a *Google product*. The first time you use an application-specific password, it's bound to the Google product it was used against. If you use it to log into Youtube with your iPhone, that specific password only works for any Youtube client, but cannot be used to log into Gmail. Additionally, these passwords only work over their APIs, and not through the web interface. – Stephen Touset Apr 29 '14 at 01:04
  • Right my question is how does it know that it's your iphone logging in and not some hackers computer? – Celeritas Apr 29 '14 at 03:07
  • Because presumably the attacker doesn't have the password. – Stephen Touset Apr 29 '14 at 03:19
  • The purpose of the feature is to allow third-party apps to authenticate without requiring an OTP. As a tradeoff, Google gets to ensure that the password is: a) unique and not used on any other site where it may be compromised, b) difficult to guess, and c) limited in scope to only one component of your Google account. They, for pretty obvious reasons, wouldn't be able to enforce these properties for normal web-based logins. – Stephen Touset Apr 29 '14 at 03:26
  • AFAIK the application-specific passwords are not actually associated to the service that they are first used for. Google prevents you from logging into the web UI with them, but you could use the same one for multiple clients. Have you any sources to back up your claim? I found [this page](https://support.google.com/accounts/answer/185833?hl=en) with a screenshot that states `Note that this [application specific] password grants complete access to your Google Account`. – SilverlightFox Apr 29 '14 at 08:41
  • @SilverlightFox so in this sense it could actually lower security... – Celeritas Apr 29 '14 at 09:27
  • @SilverlightFox I actually tested this before I posted the answer, and wasn't able to use the same application-specific password successfully for the iPhone Youtube app and Mail app. It's possible I made a mistake, though. – Stephen Touset Apr 29 '14 at 17:15
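The entropy estimate in the answer above (16 random lowercase letters, about 75 bits) worked through in Python, as an added example that is not part of the original thread. The comparison password shape and the guess rates are assumptions chosen to illustrate the point; they are not figures from Google.

```python
import math
import secrets
import string

# Shape of the application-specific passwords described in the answer:
# 16 characters drawn from the 26 lowercase letters.
ASP_ALPHABET = string.ascii_lowercase
ASP_LENGTH = 16

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_app_password(length: int = ASP_LENGTH, alphabet: str = ASP_ALPHABET) -> str:
    """Generate a password of that shape with a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a password of the given entropy: on average the
    attacker searches half the keyspace, i.e. 2**(bits - 1) guesses."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_shapes() -> dict:
    """Compare the 16-lowercase shape with an assumed 10-character password
    drawn from all 95 printable ASCII characters (symbols do not beat length)."""
    return {
        "16 lowercase letters": entropy_bits(26, 16),   # ~75.2 bits
        "10 printable ASCII":   entropy_bits(95, 10),   # ~65.7 bits
    }


if __name__ == "__main__":
    for shape, bits in compare_shapes().items():
        print(f"{shape}: {bits:.1f} bits")
    asp_bits = entropy_bits(len(ASP_ALPHABET), ASP_LENGTH)
    # Assumed guess rates: a fast unsalted hash cracked offline vs. a slow hash.
    for label, rate in (("fast hash, 1e12 guesses/s", 1e12), ("slow hash, 1e6 guesses/s", 1e6)):
        print(f"{label}: ~{expected_crack_years(asp_bits, rate):.3g} years")
    print("sample:", generate_app_password())
```

The offline figure (hundreds of years at a trillion guesses per second) is why ~75 bits is ample for a password that is only ever verified by a server, while it would be inadequate as a symmetric encryption key.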