// Internet Duct Tape

Password Recovery — The Achilles Heel of Your Online Security

Posted in Google Calendar and Gmail, Technology by engtech on October 31, 2007


I had a fun surprise when I woke up this morning: I was locked out of my Gmail account. I sometimes play in bad neighbourhoods on the internet, and this immediately brought up worries that I might have a keylogger Trojan, but a system scan revealed nothing. The actual truth of what happened was much stranger…

[Screenshot: password recovery - locked out of my gmail account]

Like most people who grew up in the last quarter of the 20th century I have been inundated with information technology since a very young age. I had one email address in high school, two others during university, and new email addresses with each job and change of internet service providers. For the last few years I’ve been stabilized on Gmail, but I still switch between four different accounts (real name, nickname, gaming, blog). Schizophrenic? Yes.

Email aside, I use around twelve different online user accounts over the course of a week, and many more irregularly. When it comes to those dusty accounts I often have to use the password recovery feature to retrieve my login information over email. Despite my distaste for OpenID, I have to admit that I see the appeal. Password recovery works fine only if you can remember which email account you used to sign up with and you still have access to it. Jobs change, ISPs switch, and that free web-based email account you got in 1999 eventually goes down.

It was that last scenario that blindsided me. Like any other web account, Gmail’s password recovery feature will send a verification message to your secondary email address on file. In my case that secondary email address was a free account I used infrequently in the hazy years following the turn of the century. Because I used it so infrequently I had no idea that it had been sold and was under new ownership. And I would have remained ignorant for much longer if I hadn’t been using a common name for my Gmail account.

Being a Gmail beta tester had its perks, one of which was being able to grab the good names before anyone else could. But as Gmail became more popular, that perk changed into a disadvantage: the world is full of idiots who don’t know what their email address is and put down your email address instead. The amount of spam I receive is almost equal to the amount of misdirected email I get because Erica T. put down the wrong email address when the professor was handing the sheet around the classroom. Often these savants trigger the Gmail password recovery cycle as they try to log in to “their” account.

I ignore these password recovery emails the same way as I ignore the misdirected emails. Unfortunately, the good Samaritan who bought the domain my password recovery email was pointing to wasn’t as laissez-faire. Things were eventually sorted out, but not before I had a heart palpitation when he tried to do me a favour by changing my Gmail password and trying to find an alternate means of contacting me. Don’t let this happen to you, and make sure you know what email address the password recovery feature is going to use for your most important accounts.
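The audit the paragraph above calls for, as an added example that is not from the original post: it takes each account's recovery address, follows chains that run through your own other accounts, and flags recovery mailboxes whose domain no longer accepts mail (the failure mode in this story) or that you have not confirmed as yours recently. Account names, addresses and dates are constructed; the live lookup assumes the dnspython package is installed.

```python
# Audit where each account's password recovery would really end up.
# Added example, not from the original post; names, addresses and dates are constructed.
from datetime import date

# Constructed sample: (account, login address, recovery address, date we last confirmed
# the recovery mailbox was still ours). Some recover via other accounts of ours.
SAMPLE_ACCOUNTS = [
    ("gmail-realname", "me@gmail.example", "me@freemail-1999.example", date(2001, 6, 1)),
    ("gmail-blog", "blog@gmail.example", "me@gmail.example", date(2007, 10, 1)),
    ("forum", "me@forum.example", "blog@gmail.example", date(2007, 9, 15)),
    ("gaming", "game@gmail.example", "nick@gmail.example", date(2007, 10, 5)),
    ("nickname", "nick@gmail.example", "game@gmail.example", date(2007, 10, 5)),
    ("bank", "me@bank.example", "me@isp.example", date(2007, 10, 20)),
]
AUDIT_DATE = date(2007, 10, 31)
DEAD_DOMAINS = {"freemail-1999.example"}  # constructed: provider folded, domain resold

def demo_mx_lookup(domain: str) -> list[str]:
    """Offline stand-in for DNS: a domain with no MX records cannot receive mail."""
    return [] if domain in DEAD_DOMAINS else [f"mx.{domain}."]

def live_mx_lookup(domain: str) -> list[str]:
    """Real MX lookup with dnspython (assumed installed: pip install dnspython)."""
    import dns.exception, dns.resolver
    try:
        return [r.exchange.to_text() for r in dns.resolver.resolve(domain, "MX")]
    except dns.exception.DNSException:
        return []

def audit(accounts, mx_lookup, today: date, stale_days: int = 365) -> dict[str, list[str]]:
    """Return {account: [problems]} for every account whose recovery path is shaky."""
    by_login = {login: (name, recovery) for name, login, recovery, _ in accounts}
    problems = {}
    for name, _login, recovery, last_confirmed in accounts:
        found = problems.setdefault(name, [])
        if (today - last_confirmed).days > stale_days:
            found.append(f"{recovery} not confirmed as ours since {last_confirmed}")
        # Follow the chain: recovering via another of our own accounts inherits its
        # weakness, so find the first address that is not one of our own logins.
        addr, hops = recovery, []
        while addr in by_login and by_login[addr][0] not in hops:
            hops.append(by_login[addr][0])
            addr = by_login[addr][1]
        if addr in by_login:  # chain returned to an account already on it: a loop
            found.append("recovery addresses form a loop: " + " -> ".join(hops))
        elif not mx_lookup(addr.rsplit("@", 1)[-1].lower()):
            via = f" via {' -> '.join(hops)}" if hops else ""
            found.append(f"finally recovers to {addr}{via}, whose domain has no MX")
        if not found:
            del problems[name]
    return problems
```

Run `audit(SAMPLE_ACCOUNTS, demo_mx_lookup, AUDIT_DATE)` for the offline demo, or pass `live_mx_lookup` against your real list; the "bank" account is the only one in the sample that comes back clean.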

How to Change Your Secondary Email Address and Your Security Question With Gmail

1. Click on the Google Accounts Settings link. (It’s hidden in Gmail under Settings >> Accounts).

2. Click on the Change Security Question link.

   [Screenshot: gmail change your security question]

3. Change your security question or your secondary email.

   [Screenshot: gmail change your password recovery email]

The Moral of the Story Is…

Well, I’m not quite sure what the moral of the story is, to be honest. Obviously, there is something to be said for having one email address and keeping it for as long as you can. There is something else to be said for using an email provider who requires voice confirmation with personal identifying information before changing your password. Don’t get me started on the benefits of having an account name that other people are unlikely to use.

I know that I’ve got a long boring task ahead of me over the upcoming weeks. I have to assume that any other accounts that were linked to that email address could have been compromised in the 12 hours I lost control of my account. Searches of the trash and sent folders showed no tampering, but that means nothing since a smart person would have just downloaded all of the mail and started data mining with a copy. Can I safely assume because the guy went out of his way to contact me to restore access to my account that nothing bad happened to it? Would you?

14 Responses


  1. adam said, on October 31, 2007 at 4:09 pm

    ugh. that sucks.
    that’s not much of a favor, and i wouldn’t trust such a person. I’m in the process of having to change a large percent of my online passwords, since last night I found out someone brute-forced (or worse) my paypal account. they’re sending me one of these things, but in the meantime, I have to try to remember everywhere I’ve used that password.

  2. syahidali said, on November 03, 2007 at 10:12 am

    strange thing here. i wonder what happened to your Gmail account.

  3. Kevin said, on November 03, 2007 at 10:51 pm

    Quite an odd story you have here. Luckily I have only ever had two main emails, one was with a dialup provider I had for seven years, and I thought through it when I switched to broadband and bought a domain just for the guaranteed for-life email which has been my second ever since. I absolutely hate switching email, addresses, or phone numbers – and your email history makes me shudder.

  4. Su Yuen said, on November 03, 2007 at 11:34 pm

    I had this EXACT scenario before. I forgot the username and password for Yahoo! sometime back and they had the option of NOT specifying your secondary e-mail address. I even forgot the answers to the security question coz I just so simply filled it in a rush to get my account set up. E-mailed Yahoo!, they said they couldn’t do anything. In the end I just sat down and tried numerous passwords before I finally found the right one.

    (note: They should put down Phone Number. “Password will be sent to you via SMS” haha!)

  5. […] Password Recovery — The Achilles Heel of Your Online Security […]

  6. engtech said, on November 08, 2007 at 5:40 pm

    @Su Yuen:

    One of the handiest techniques I’ve found for remembering the really important accounts is keeping a book around for writing passwords in. I keep it under lock and key in the filing cabinet until I need it — but I’ve been able to recover accounts from 5-7 years back with it.

  7. engtech said, on November 08, 2007 at 5:44 pm


    My history of email changing makes me shudder too. I’m equally bad for changing phone numbers and addresses every 3-4 years as well.

    Whenever doctor’s office, or bank asks me to confirm my phone number or address I do this little dance in my head of trying to remember which one I used when I signed up for them.

  8. […] Password Recovery — The Achilles Heel of Your Online Security […]

  9. if 6 was 9 said, on January 10, 2008 at 1:52 am

    It’s this “Achilles Heel” that makes it so easy for me to compromise the Facebook and Email accounts of others. I think it’s also advisable that one doesn’t throw out so much information on useless blogs. You’d be surprised how easy it is to guess a security question due to those blog questionnaires that people answer.

    P.S. – I don’t attempt to be malicious on other’s Facebook accounts. I just use them to browse friends or networks that I don’t belong to.

  10. engtech said, on January 10, 2008 at 10:54 am

    @ if 6 was 9:

    I hate it when the security questions can’t be changed. “Mother’s maiden name” and “place of birth” are so trivial to guess for most people.

  11. synergyinfosystem said, on July 24, 2008 at 11:26 pm

    Please help me in getting my password recovered of my Google Id synergyinfosystem@gamil.com


  12. yuva said, on August 22, 2008 at 4:37 am

    i never reget my login again.. try to tee clearly..

  13. zlatan24 said, on October 03, 2008 at 3:26 am

    I heard about a not-bad application, Microsoft Outlook Password Recovery; this application knows how to recover forgotten or lost passwords for *.pst files created in various versions of the Microsoft Outlook mail client (Microsoft Outlook 97 – Microsoft Outlook 2002 and Microsoft Outlook 2003), and can save the configuration of Microsoft Outlook identities to a plain text file. All settings of mail accounts, including the settings of IMAP and HTML mail accounts, will be saved to this file, along with some other features.

  14. Mobile Hard Drive : said, on October 28, 2010 at 3:56 am

    Actually, the best filing cabinets are those that are made of tempered steel because they are very strong
