Sean Wright


Personal blog of app security guy, blogging about application security related topics, focused primarily on web based applications.
Email - The Password Backdoor

2nd March 2019

Last week there was much hype around a recent publication by Independent Security Researchers. I won't go into the details, but it is fair to say that there was plenty of media coverage. However, that is not the topic of this post, although it is related to it. While there was much debate as to whether password managers are safe enough to use (they are), this debate has in fact been going on well before this publication. However, there is something which I rarely see mentioned: how well do people protect their email accounts?

You may be asking yourself what on earth email has to do with passwords. Well, the reasoning is simple. Go to most sites and you will find a link along the lines of "Forgot password?". Click on this link and almost always you are asked to enter the email address associated with your account. You will then receive an email with a reset link, which allows you to reset your account password. So ultimately, if an attacker gains access to your email account, they have the ability to reset (and thus obtain) almost all (if not all) of your account passwords.

I recently ran a poll on Twitter, asking how many people use MFA on their email accounts:

While most do, which is encouraging, 16% do not. It is also worth noting that a large number of participants in this poll are likely to be within the InfoSec community. I suspect that if the same poll were conducted among more general users, the results would be a bit different.

So the point I'm trying to make is that while there is a large focus on tools such as password managers (and there needs to be great scrutiny of them, given what they do), little attention is paid to avenues that could allow an attacker almost the same, if not the same, access.

In order to help protect your account, ensure that you at least do the following:

  • Have a unique password for your email account, which is not the same as any other account's.
  • Enable MFA/2FA on your email account.
  • Try to avoid using shared systems (such as Internet cafes) to access your email accounts.
  • Ensure that you connect to your email account over a secure connection, i.e. HTTPS.
  • If you have multiple email accounts, try to group related accounts under a specific email account. For example, have one email account for non-critical things such as online gaming accounts, and another email account for more critical things such as financial accounts.

The list above will not provide absolute protection (nothing ever does), but it will go some way to help strengthen the security of your email accounts.
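To make the "Forgot password?" dependency concrete, here is an added example (not code from the original post) that models the reset-link flow described above together with the MFA advice in the list: the reset link is a bearer credential delivered to the mailbox, so whoever can read the mailbox completes the reset unless the service also checks a second factor. AccountService, the simulated inbox and the sample account are hypothetical names constructed for the demo.

```python
# Added example (not from the original post): a model of the "Forgot password?"
# flow. AccountService and the simulated inbox are hypothetical names.
import hashlib
import hmac
import secrets
import time


class AccountService:
    TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self):
        self.passwords = {}     # email -> password (plaintext only for this demo)
        self.mfa_codes = {}     # email -> code the account's second factor produces
        self.reset_tokens = {}  # sha256(token) -> (email, expiry)
        self.inbox = {}         # email -> reset tokens delivered (simulated mailbox)

    def forgot_password(self, email, now=None):
        """Mint a random single-use token, store only its hash, 'email' the token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (email, now + self.TOKEN_TTL)
        self.inbox.setdefault(email, []).append(token)

    def reset_password(self, token, new_password, mfa_code=None, now=None):
        """Consume the token; return True only if the password was changed."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # single use: gone after first attempt
        if entry is None or now > entry[1]:
            return False
        email = entry[0]
        # With MFA on the account, reading the mailbox alone must not be enough.
        expected = self.mfa_codes.get(email)
        if expected is not None and (mfa_code is None or not hmac.compare_digest(expected, mfa_code)):
            return False
        self.passwords[email] = new_password
        return True


def reset_with_mailbox_only(mfa_enabled):
    """Does someone holding just the reset email get a new password set?"""
    svc = AccountService()
    svc.passwords["victim@example.com"] = "original"  # constructed sample account
    if mfa_enabled:
        svc.mfa_codes["victim@example.com"] = "123456"
    svc.forgot_password("victim@example.com")
    link_token = svc.inbox["victim@example.com"][-1]
    return svc.reset_password(link_token, "new-password")
```

Without MFA the mailbox reader changes the password; with MFA enabled on the account the same reset attempt is refused, which is exactly why the mailbox itself needs a second factor.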

While this may not seem realistic, it can happen and has happened before. An important snippet from the article is:

Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened
