An Interesting article in NBC News technology security section: A security firm found it could bypass Google’s two-step login verification process, reset a user’s master password and gain full control of the account “simply by capturing a user’s application-specific password.”
Application-specific passwords are passwords generated by Google that you can opt to use instead of your master password. They are long and awkward, and the whole point of them is that they aren’t really something you’d ever remember or even store anywhere. The trouble was, users were led to think they could only be used once, but Duo Security said, in a report, that they could in fact be used anywhere — and without a second point of authentication. The trick for the hacker was to obtain the application-specific password, and that’s really hard.
To read more click here: