<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Allicient &#187; login</title>
	<atom:link href="http://www.allicient.co.uk/tag/login/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allicient.co.uk</link>
	<description>Peter Maxwell's Information Security Site</description>
	<lastBuildDate>Fri, 04 Mar 2011 07:03:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Simple is best. [User viewable last login time in webmail services]</title>
		<link>http://www.allicient.co.uk/2008/09/14/simple-is-best/</link>
		<comments>http://www.allicient.co.uk/2008/09/14/simple-is-best/#comments</comments>
		<pubDate>Sun, 14 Sep 2008 20:09:29 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[hotmail]]></category>
		<category><![CDATA[intrusion detection]]></category>
		<category><![CDATA[last]]></category>
		<category><![CDATA[login]]></category>
		<category><![CDATA[login times]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[unix]]></category>
		<category><![CDATA[web mail]]></category>
		<category><![CDATA[webmail]]></category>
		<category><![CDATA[wtmp]]></category>
		<category><![CDATA[yahoo mail]]></category>

		<guid isPermaLink="false">http://www.allicient.co.uk/?p=3</guid>
		<description><![CDATA[Do you ever get the feeling that the information security industry is, well, missing the point? Yeah, intrusion detection sounds like a neat idea but if it's “protecting” a network where an attacker can simply call up and trick someone into giving out the information – or at a pinch bung them £100 – then [...]]]></description>
			<content:encoded><![CDATA[<p>Do you ever get the feeling that the information security industry is, well, missing the point?  Yeah, intrusion detection sounds like a neat idea, but if it's “protecting” a network where an attacker can simply call up and trick someone into giving out the information – or at a pinch bung them £100 – then that £100k IDS appliance doesn&#8217;t seem quite as good an investment.</p>
<p>Somewhat ironically, I think the information technology industry of old had a better handle on things.  They relied a bit more on trust, which in today&#8217;s world is seemingly a bad word.  When you get down to the nitty-gritty, strong and layered trust models are the only way security can ever be successfully applied.  For example, the *nix “last” utility – fairly innocuous at first sight, and around for so long that its genius is sometimes overlooked – needs to be brought back out of the cupboard and dusted down (or at least the concept behind it).  For the uninitiated, the principle of the “last” utility is that it shows a list of the dates, times and terminals used to log in to the system for each user, against which you can check your own login times and determine whether someone else has been using your account without your knowledge.  Nice and simple.  Given that you trust the system administrator to do their job and be fairly vigilant, the output of “last” should at least be accurate; now the onus is on you to regularly check that the output matches your use – which takes almost no time at all.  To cap it all off, on most *nix platforms you get a nice helpful message when you log in telling you when you last logged in – brilliant!</p>
<p>Now apply that scenario in the context of your web-mail account, whether that be Gmail, Yahoo, Hotmail or whatever: if your password is compromised, how would you ever know your account is being accessed without your knowledge (unless the attacker is really stupid and decides to mess about with your mail)?  There are a multitude of possible vectors for your password being compromised: a key-logger at the internet café you&#8217;ve just used, malware on your home PC, a phishing attack, someone “shoulder-surfing”; the list goes on.  To make matters worse, there&#8217;s no way of mitigating this – you cannot apply IP address restrictions to your webmail account – it&#8217;s not available and would be impractical anyway.  Even if you change your password as frequently as once a day, if your account is compromised just once then all mail in your account is readable and now in the open.  For me at least, I would appreciate the ability to check my login records to at least determine whether my password has been misused or not – and it would be at very little cost to the webmail providers (as far as I know, this information is kept anyway)**.  And before I get shouted at, yes, I have suggested this on many occasions to webmail providers with no response.  Go figure.</p>
<p>UPDATED 18th September 2008: GMail now has this ability, cool huh?  See <a href="http://www.allicient.co.uk/2008/09/18/google-first-again/" rel='nofollow'>this post</a> for more details.</p>
<p>UPDATED 12th April 2010: Added [] extra meaning in title.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allicient.co.uk/2008/09/14/simple-is-best/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

