problems again with pop peeper - gmail access

POP Peeper: Tech support, suggestions, discussion, etc.
Jeff
Admin / Developer
Posts: 9234
Joined: Sat Sep 08, 2001 9:46 pm

Re: problems again with pop peeper - gmail access

Post by Jeff »

> it is not wise to opt for the less secure approach which lowers the security bar for ALL apps accessing that account

Is this something that GMail says? Or do you simply mean that in the sense that any app that accesses the account uses your main password? Just because you've enabled SSL/TLS, doesn't mean that other apps are going to stop using OAuth.
jmjsquared
Posts: 24
Joined: Thu Apr 28, 2011 11:05 am

Re: problems again with pop peeper - gmail access

Post by jmjsquared »

No, Jeff, it is not something that I am repeating from reading anything from Google. It is my own, humble, non-OAuth-expert, non-program-developer, layman's, commonsense deduction. That is to say: It seems to me that, if Google offers the option to secure our email accounts with a 2-Step Authentication process, then, I must conclude that, their experts deem it worthwhile, whether or not SSL/TLS is also used.

My opinion,

> it is not wise to opt for the less secure approach which lowers the security bar for ALL apps accessing that account

appears to be shared by Google which DID block even SSL/TLS IMAP/SMTP access by POP Peeper to my email account because that account did not use their 2-Step Authentication process or, alternatively use their own "workaround", namely an App-Specific Password.

The one alternative to that, enabling Less-Secure-Apps, specifically is NOT recommended by them.

NOTE: The only other app similar to POP Peeper that I've used had the same issue/problem/limitation. Unlike with POP Peeper, however, I did not care enough to try and figure out why.
mjs
Moderator
Posts: 2216
Joined: Sun Jul 17, 2011 2:36 am

Re: problems again with pop peeper - gmail access

Post by mjs »

Of course in contrast to the regular method of sign-in, what "2-step verification" provides is an extra level of security in regards to "access" (sign-in) as opposed to any differences regarding "connection" security considering the fact that both the connection and the apps used would presumably be the same regardless of the sign-in procedure used.

The "less secure apps" option provides a way to keep Google from blocking users who do not have the latest in app security.
Basically the user has the choice to:
1) Upgrade to a more secure app.
2) Enable "Less secure apps" so that Google will not block these "less secure" apps.

It is fortunate for many users that this is provided in the event upgrading is either not practical or in some cases impossible or they just can't get around to it for a while thus allowing users in these circumstances continued access to their email, which again is a totally separate concept from what "2-step verification" provides in the way of increased "access" (sign-in) security.

So as I understand it, a user has the option to use "2-step verification" to enhance access (sign-in) security but still may need to use "less secure apps" if in fact they are using what Google considers apps that are in their opinion "less secure" which in that case presumably Google would block preventing the user access to their email unless "less secure apps" is enabled.

Neither option precludes the other and it would appear there are pragmatic reasons why either procedure would be useful depending upon circumstances.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
jmjsquared
Posts: 24
Joined: Thu Apr 28, 2011 11:05 am

Re: problems again with pop peeper - gmail access

Post by jmjsquared »

Remember, lakrsrool: my observations and suggestions to Jeff and the OP were in response to her having recurring problems with POP Peeper intermittently not being able to access her Gmail account(s). Luckily, I encountered the same issue/problem with one of my Gmail accounts but not with others that were identically configured (SSL/TLS; IMAP/SMTP), except that the problem account, I finally realized, was not configured to use 2-Step Authentication.

Once I realized that that was the only difference, it was simple to solve POP Peeper's inability to access that "problem" account. I did so by using Google's suggested solution; that is, an Application-Specific Password. In so doing, that specific email account has not had its security deprecated by allowing Less Secure Apps access to it. Now, the trusted POP Peeper can access the account but other less/not trusted applications cannot, as would have been the case had I chosen to allow Less-Secure-App access. Two-Step Authentication is still active on the account AND I can use POP Peeper as I want.

The debate arises because Jeff correctly points out that the "less secure app" route is that taken by most email providers while I argue that that is "not wise" because, in the specific instance being discussed - Gmail, there is a solution that does not require taking that less secure route. (Besides, since when has the fact that "Everybody does it" been an acceptable reason for one to do the same? Your, my and Jeff's parents never bought that defense, right?) Arguing that enabling 2-Step Auth or App Specific Passwords is too time consuming, cumbersome or anything else, merely attempts to dodge the fact that "less secure" means less secure. Period.

In a nutshell: My beloved and trusted POP Peeper now can access ALL my email accounts and I still have 2-Step Authentication enabled for those that are Gmail. =D>

ASIDE: "Only a fool learns from his own mistakes. The wise man learns from the mistakes of others." -- Otto von Bismarck
Jeff
Admin / Developer
Posts: 9234
Joined: Sat Sep 08, 2001 9:46 pm

Re: problems again with pop peeper - gmail access

Post by Jeff »

> Now, the trusted POP Peeper can access the account but other less/not trusted applications cannot, as would have been the case had I chosen to allow Less-Secure-App access.

That's not quite accurate. GMail doesn't know *what* app is logging in with the app-specific password that you've assigned for POP Peeper. That is, you could use the same password for POP Peeper AND Thunderbird AND Outlook AND etc. What you *have* done by assigning an app-specific password, is protected your primary account/password. That is, if someone manages to steal the password that POP Peeper is using, they can't use that password to access your main account -- they could access your email using POP3/IMAP/SMTP (and possibly other data that google decides is acceptable), but they can't log into gmail.com (or any other google service) to change your password, etc.

Personally, I think that the information that Google has presented is confusing in itself. First, the term "app-specific password" is a misnomer as described above ("secondary" or "limited" would probably be a better name). But take some of the information here:
https://support.google.com/accounts/answer/185833?hl=en

"Instead, you’ll need to authorize the app or device the first time you use it to sign in to your Google Account by generating and entering an App password."
- doesn't that sound like you use the password once and then... what? Well, you still need to continue using the password.

"Note: You may not be able to create an App password for less secure apps."
- Well, as we've learned here, that's not true.

"Every App password is only used once."
- Again, not true; although it's unclear exactly what they mean.
jmjsquared
Posts: 24
Joined: Thu Apr 28, 2011 11:05 am

Re: problems again with pop peeper - gmail access

Post by jmjsquared »

I was shocked and disappointed when I tested and found that you're right when you say,

> That's not quite accurate. GMail doesn't know *what* app is logging in with the app-specific password that you've assigned for POP Peeper. That is, you could use the same password for POP Peeper AND Thunderbird AND Outlook AND etc.

The same App-Specific Password (hereinafter, ASP) that I assigned to POP Peeper was able to give Outlook access to a "secured" Gmail account. I incorrectly had assumed that Gmail required use of something akin to a User-Agent-String to identify each unique application. The fact that they don't, actually makes the whole ASP mechanism less than worthless; in fact, its use makes my Gmail account much, much less secure: Google assigns a rather short, purely alphabetical, 16-character ASP, whereas, my other passwords are between 48 - 64 alphanumeric/special characters.

I had concerns using such a diluted password but, since it could be used by only one, "specific", trusted application and the Less-Secure-Apps alternative was/is unacceptable to me, I went ahead. Now, after finding out that that password is not "specific" at all, I'm angry!

I agree that Google is confusing in addressing this matter. For example, the ASP does give full access to the whole Google Account, not just to the associated GMail.

> Go to the settings for your Google Account in the application or device you are trying to set up. Replace your password with the 16-character password shown above.
> Just like your normal password, this app password grants complete access to your Google Account. You won't need to remember it, so don't write it down or share it with anyone.

This patently false statement is why I thought that one App-Specific Password could be used with only one specific application.

Anyway, thanks for better educating me.

Speaking of education, a couple questions, Jeff:

1. Why, do you think, are applications acting on my behalf not required to uniquely identify themselves to services like Gmail?
2. Is POP Peeper considered a "less-secure-app" by Google, which also says that Outlook may fall into that category?
3. POP Peeper doesn't store the passwords it uses to access my email accounts anywhere but on my computer, right? Assuming they are stored only on my computer/device, are they encrypted or is that mish-mash in the App Data Folder plain-text?
Jeff
Admin / Developer
Posts: 9234
Joined: Sat Sep 08, 2001 9:46 pm

Re: problems again with pop peeper - gmail access

Post by Jeff »

Neither POP3 nor IMAP identify the app that's being used -- that's why it's impossible for GMail to restrict access like that. However, I want to stress the point that this method is still protecting your main password. Furthermore, GMail still forces the IMAP client to use SSL and it's not as broken as GMail wants you to think.

Also, I'm not sure what scenario you're suspecting could happen just because your account is not app-restricted? The only method that I can think of that this wouldn't restrict is a brute-force method. I think it's safe to assume that GMail would detect such an attack on your account and shut it down quickly.

So, in the end, my intention was not to scare you into thinking that your accounts are insecure. The fact of the matter is, SSL is more than sufficient and adding 2-step is even better because it protects your main account in the *very* unlikely event that your email password is compromised. AND, use common-sense: don't use unencrypted wifi.

> 1. Why, do you think, are applications acting on my behalf not required to uniquely identify themselves to services like Gmail?

Answered above: it's not part of the email protocol. And, to be honest, asking the email client to identify itself is just "security through obscurity" and is not going to be effective in this case.

> 2. Is POP Peeper considered a "less-secure-app" by Google, which also says that Outlook may fall into that category?

Yes, but I can't comment on any other email clients, including Outlook/Thunderbird, etc. because I don't know.

> 3. POP Peeper doesn't store the passwords it uses to access my email accounts anywhere but on my computer, right?

Correct -- your passwords are only stored on your computer and are only sent to the specified email servers for the purpose of logging in.

> are they encrypted or is that mish-mash in the App Data Folder plain-text?

They are encrypted.
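
The point made in the post above about POP3 and IMAP, as an added example that is not part of the original thread and is not POP Peeper or Google code: it parses the standard IMAP `LOGIN` and POP3 `USER`/`PASS` commands and shows that the fields a server receives are identical whichever client sent them. The account name, password and client labels are constructed sample values; IMAP literal syntax is not handled.

```python
def imap_args(rest):
    """Split IMAP arguments: bare atoms or "quoted strings" with backslash escapes."""
    args, i = [], 0
    while i < len(rest):
        if rest[i] == " ":
            i += 1
        elif rest[i] == '"':
            buf, i = [], i + 1
            while i < len(rest) and rest[i] != '"':
                if rest[i] == "\\":              # backslash escapes the next character
                    i += 1
                buf.append(rest[i:i + 1])
                i += 1
            if i >= len(rest):
                raise ValueError("unterminated quoted string")
            args.append("".join(buf))
            i += 1                               # skip the closing quote
        else:
            j = (rest + " ").index(" ", i)       # atom runs to the next space
            args.append(rest[i:j])
            i = j
    return args

def imap_login(line):
    """Fields a server receives from 'tag LOGIN user password' (RFC 3501)."""
    _tag, cmd, rest = (line.rstrip("\r\n").split(" ", 2) + ["", ""])[:3]
    args = imap_args(rest)
    if cmd.upper() != "LOGIN" or len(args) != 2:
        raise ValueError("not a LOGIN command")
    return {"user": args[0], "secret": args[1]}

def pop3_login(lines):
    """Fields a server receives from the POP3 USER and PASS commands (RFC 1939)."""
    seen = {}
    for line in lines:
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            seen[cmd.upper()] = arg              # PASS keeps any embedded spaces
    return {"user": seen["USER"], "secret": seen["PASS"]}

SECRET = "abcdefghijklmnop"                      # constructed 16-letter app password
SESSIONS = {                                     # constructed client labels and sessions
    "client A (IMAP)": imap_login('a001 LOGIN "user@example.com" ' + SECRET + "\r\n"),
    "client B (IMAP)": imap_login("x1 LOGIN user@example.com " + SECRET + "\r\n"),
    "client C (POP3)": pop3_login(["USER user@example.com\r\n", "PASS " + SECRET + "\r\n"]),
}

def distinct_views(sessions):
    return len({(s["user"], s["secret"]) for s in sessions.values()})
```

`distinct_views(SESSIONS)` returns 1: three different clients over two protocols present the server with the same user and secret and nothing else to tell them apart.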
jmjsquared
Posts: 24
Joined: Thu Apr 28, 2011 11:05 am

Re: problems again with pop peeper - gmail access

Post by jmjsquared »

I really appreciate the time and thought you've expended with me. Thank you.

However... :oops:

Two more questions: What about POP Peeper causes it to be a "Less Secure Application", per Google, anyway? And, what, if anything can/will you do to make it "More Secure"?

EDIT: My apologies to the OP for any rudeness on my part in "hijacking" this thread.

Jeff: Please delete whatever you want to.
Last edited by jmjsquared on Fri Nov 20, 2015 6:02 pm, edited 2 times in total.
pop_pepper
Posts: 231
Joined: Thu Feb 18, 2010 9:04 pm

Re: problems again with pop peeper - gmail access

Post by pop_pepper »

i still have issues with 5 accounts, i have enabled IMAP, however it doesn't seem to want to work on different account, worked on first. am wondering if on microsoft edge it works off the original cookie from the sign in and therefore if the old cookie is in it won't respond to a different gmail account.


and then i have tried re-adding those accounts

but when i check for server i get this

Image
Jeff
Admin / Developer
Posts: 9234
Joined: Sat Sep 08, 2001 9:46 pm

Re: problems again with pop peeper - gmail access

Post by Jeff »

pop_pepper --

Don't bother using the Find/Discover Server function for GMail -- POP Peeper will automatically use the correct settings without having to use that. If you want to compare, see this:
http://www.esumsoft.com/images/PP_GMail_Settings.png

Furthermore, I have found and fixed the bug that caused the correct settings to return "Bad Connection" in the Find Server.

If POP Peeper still returns an error (when using a real check mail) using the correct GMail settings, let us know what the error is.

(Sorry for your original topic getting hijacked)
Jeff
Admin / Developer
Posts: 9234
Joined: Sat Sep 08, 2001 9:46 pm

Re: problems again with pop peeper - gmail access

Post by Jeff »

jmjsquared --

This discussion has nothing to do with the original topic, so this will be my last reply here. If you want to discuss it further, feel free to either email me or start a new thread in the Email forum.

GMail calls SSL/TLS "less secure." Technically, I'm sure it probably is; but I assume that OAuth uses the same technology as SSL/TLS as far as encryption, so it's not cut and dry. Saying that something is "less secure" does NOT mean that it is "not secure." As far as POP Peeper is concerned, I did some preliminary investigation when GMail first enforced this many months ago, but I will be looking into it further in the coming months after POP Peeper v4.1 is released and work on Aeris v3.0 declines. I don't want you to think that security is not the highest priority, but I think the fact that Google uses the term "less secure" is detrimental. And, fwiw:
https://en.wikipedia.org/wiki/OAuth#Security

Again, please do not reply to this topic so we can get it back on track for the OP.