When I logged into the YouTube app yesterday, I noticed that if I didn’t know the password, it would ask me for the password. I found out by accident, after searching for the password on my phone. This is the third time I’ve had this happen. I don’t want my account to be locked.
To avoid this, I decided to ask my friend for the password. He told me he’d found the password. I told him to use the app’s password instead. He didn’t want to mess with my password. He told me to create a new password for my account. After I signed in, he gave me the new password and asked me to use my new password. His password was wrong. I asked him to use my new password.
This is what happens when you use phone apps as the password. Your phone’s password manager will expire any time you use the same app with the same password. If you use the wrong password, the password manager will reject your request to use the new, correct password. This is a serious exploit, and it’s not something you can simply ignore, especially if you are using a password manager.
This exploit was probably implemented in order to generate an “off-the-shelf” attack vector. The idea behind this exploit is that by generating an expiration date for a password, you can make it harder for an attacker to guess your password, and also make it harder for them to impersonate you to your ISP or other third parties.
An interesting factoid about this attack is that by generating a correct password, the attacker will be able to get past the authentication mechanism and bypass the security of the password manager. So if you are in a situation where you want to use a password manager, this is the last possible exploit that you should be using.
It’s true that a password manager can protect you from this attack, but it’s also true that in the real world you can get the same result without using a password manager. The attack is actually very similar to the one that Apple was using to take over their computers’ Safari passwords. Apple was using a dictionary attack to determine the exact words in the list of possible words for a password, and then used their password manager to generate a new password.
We are glad to report that we have also found a similar attack on youtube, where someone will use the username/password combination that you are using on Youtube to log into your account and send them the wrong password.
The attack is a classic dictionary attack, where you are trying to guess what words exist in a list of possible words. The attack is successful if you can guess all but one of the words in the list, which is where you get the one word that you guessed incorrectly. This attack is only really possible with Chrome because Safari doesn’t use the correct dictionary.
With the new YouTube login option, all you have to do is change a small bit of code in your account settings, and you can then use the new login button on your account to now use the new password you just got from YouTube.
We’ve had a couple of reports of Google’s servers having problems with the new login option. A Google representative has been in touch to say that the authentication service is working properly. We’re very sorry about this, and appreciate any reports of this.
