Atwood Drops the Ball on Email Security
I'm a huge fan of Jeff Atwood, guru of software development and all things Web, and his Coding Horror blog. However, in a recent post entitled "Make Your Email Hacker Proof," he makes some harrowingly false claims about email security.
Buried deep in this post, which is specific to GMail only, is this confession:
The upside is that once you enable [two-factor authentication for GMail], your email becomes extremely secure, to the point that you can (and I regularly do) email yourself highly sensitive data like passwords and logins to other sites you visit so you can easily retrieve them later.
Wrong, wrong, WRONG!
Two-factor authentication makes accessing your email account by normal authentication vastly more difficult[*]. That is, it takes more than knowing your email address and obtaining (or guessing) your password to gain access by logging into your account the same way you do. Using a secure connection (HTTPS), which Atwood fails to mention until backpedaling in the comments, removes an additional attack vector.
However, both of those measures protect only your login and your browser session. The email itself is transmitted in the clear, and stored unencrypted on the servers. DO NOT email yourself or anyone else passwords or other sensitive information, ever.
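To make the point concrete, here is an added example (not code from the original post or from Atwood) that reads a message's Received: headers and reports which server-to-server hops used TLS. The sample message, its hostnames and addresses are constructed; the HOP_RE pattern and the set of "with" keywords treated as encrypted are my assumptions.

```python
"""Inspect the Received: chain of an email to see which SMTP hops were encrypted.
HTTPS only covers the browser-to-webmail session; every server-to-server hop is a
separate connection, and a hop logged as plain ESMTP/SMTP carried the message
in the clear. Even a TLS hop leaves the plaintext on the receiving server."""
import email
import re
from email import policy

# Constructed sample (hostnames/IPs are documentation ranges): the first hop
# (oldest, at the bottom) used STARTTLS, the second was plaintext.
RAW_MESSAGE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <alice@example.org>; 2 May 2011 10:01:00 +0000
Received: from sender.example.com (sender.example.com [198.51.100.5])
\tby mx.example.net with ESMTPS id xyz789
\t(version=TLSv1 cipher=AES128-SHA bits=128)
\tfor <alice@example.org>; 2 May 2011 10:00:58 +0000
From: bob@example.com
To: alice@example.org
Subject: your password

the password is hunter2
"""

# RFC 5321 "from HOST ... by HOST ... with PROTOCOL" clause (assumed layout).
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S)
# RFC 3848 keywords whose trailing "S" means the hop used TLS (assumption).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_encryption(raw: bytes) -> list[tuple[str, str, str, bool]]:
    """Return (from_host, by_host, protocol, tls_used) per hop, oldest first.

    Each relay prepends its own Received: header, so the top header is the
    newest hop; reversing restores delivery order. Unparseable headers skip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", str(header))  # collapse header folding
        match = HOP_RE.search(flat)
        if match:
            src, dst, proto = match.groups()
            hops.append((src, dst, proto, proto.upper() in TLS_PROTOCOLS))
    return hops


def cleartext_hops(raw: bytes) -> list[str]:
    """Hosts that received the message over an unencrypted connection."""
    return [dst for _, dst, _, tls in hop_encryption(raw) if not tls]


if __name__ == "__main__":
    for src, dst, proto, tls in hop_encryption(RAW_MESSAGE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'CLEARTEXT'})")
```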
[*] Using the word "proof" after "hacker" was mistake #1.