// Internet Duct Tape

Password Recovery — The Achilles Heel of Your Online Security

Posted in Google Calendar and Gmail, Technology by engtech on October 31, 2007


I had a fun surprise when I woke up this morning: I was locked out of my Gmail account. I sometimes play in bad neighbourhoods on the internet, and this immediately brought up worries that I might have a keylogger Trojan, but a system scan revealed nothing. The actual truth of what happened was much stranger…

[Screenshot: password recovery - locked out of my gmail account]

Like most people who grew up in the last quarter of the 20th century I have been inundated with information technology since a very young age. I had one email address in high school, two others during university, and new email addresses with each job and change of internet service provider. For the last few years I’ve settled on Gmail, but I still switch between four different accounts (real name, nickname, gaming, blog). Schizophrenic? Yes.

Email aside, I use around twelve different online user accounts over the course of a week, and many more irregularly. When it comes to those dusty accounts I often have to use the password recovery feature to retrieve my login information over email. Despite my distaste for OpenID, I have to admit that I see the appeal. Password recovery works fine only if you can remember which email account you used to sign up with and you still have access to it. Jobs change, ISPs switch, and that free web-based email account you got in 1999 eventually goes down.

It was that last scenario that blindsided me. Like any other web account, Gmail’s password recovery feature will send a verification message to your secondary email address on file. In my case that secondary email address was a free account I used infrequently in the hazy years following the turn of the century. Because I used it so infrequently I had no idea that it had been sold and was under new ownership. And I would have remained ignorant for much longer if I hadn’t been using a common name for my Gmail account.

Being a Gmail beta tester had its perks, one of which was being able to grab the good names before anyone else could. But as Gmail became more popular, that perk changed into a disadvantage: the world is full of idiots who don’t know what their email address is and put down your email address instead. The amount of spam I receive is almost equal to the amount of misdirected email I get because Erica T. put down the wrong email address when the professor was handing the sheet around the classroom. Often these savants trigger the Gmail password recovery cycle as they try to log in to “their” account.

I ignore these password recovery emails the same way as I ignore the misdirected emails. Unfortunately, the good Samaritan who bought the domain my password recovery email was pointing to wasn’t as laissez-faire. Things were eventually sorted out, but not before I had a heart palpitation when he tried to do me a favour by changing my Gmail password and trying to find an alternate means of contacting me. Don’t let this happen to you, and make sure you know what email address the password recovery feature is going to use for your most important accounts.
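Knowing which address each account resets through is only half of it; the address you name is itself an account with its own recovery address, so the thing to check is the whole chain. The script below is an added example, not code from the post: it models each account's recovery address as a link to another mailbox and walks the chain for every account, flagging the failure modes described above (a hop at a domain you no longer control, two accounts that recover through each other, and a hop you have no record of). Every address, domain and account in it is constructed for illustration.

```python
"""Audit the password-recovery chain behind a set of email accounts.

Added example (not the original post's code). An account's recovery address
is treated as an edge to another mailbox; the audit follows each chain and
reports how it ends. All account data below is constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    address: str
    recovery: Optional[str]  # mailbox that receives the reset mail; None = no email recovery


# Constructed inventory, loosely modelled on the situation in the post.
ACCOUNTS: Dict[str, Account] = {a.address: a for a in [
    Account("engtech.real@gmail.com",   "engtech@oldfreemail.example"),  # domain was sold to a stranger
    Account("engtech.nick@gmail.com",   "engtech.real@gmail.com"),       # inherits the problem above
    Account("engtech.gaming@gmail.com", "engtech.blog@gmail.com"),
    Account("engtech.blog@gmail.com",   "engtech.gaming@gmail.com"),     # two accounts recovering each other
    Account("engtech@work.example",     None),                           # reset only via the helpdesk, no email hop
    Account("engtech.spare@gmail.com",  "engtech@work.example"),
    Account("engtech.forum@gmail.com",  "engtech@isp.example"),          # old ISP mailbox, not in the inventory
]}

# Domains where you still control the mailbox (constructed).
CONTROLLED_DOMAINS: Set[str] = {"gmail.com", "work.example", "isp.example"}


def domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def audit(accounts: Dict[str, Account],
          controlled_domains: Set[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {address: (status, chain)} for every account in the inventory.

    status is one of:
      "root"          no email recovery; the account is protected some other way
      "ok"            every hop is a known account and the chain ends at a root
      "uncontrolled"  a hop is at a domain you do not control: its owner can reset you
      "cycle"         the chain loops back on itself: lose one account, lose them all
      "unknown"       a hop is at a controlled domain but you have no record of it
    """
    results: Dict[str, Tuple[str, List[str]]] = {}
    for start in accounts:
        chain = [start]
        hop = accounts[start].recovery
        status = "root" if hop is None else None
        while status is None:
            chain.append(hop)
            if domain(hop) not in controlled_domains:
                status = "uncontrolled"
            elif hop in chain[:-1]:
                status = "cycle"
            elif hop not in accounts:
                status = "unknown"
            elif accounts[hop].recovery is None:
                status = "ok"
            else:
                hop = accounts[hop].recovery
        results[start] = (status, chain)
    return results


def problems(results: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Addresses whose recovery chain needs fixing, in inventory order."""
    return [addr for addr, (status, _) in results.items()
            if status not in ("ok", "root")]


if __name__ == "__main__":
    report = audit(ACCOUNTS, CONTROLLED_DOMAINS)
    for addr, (status, chain) in report.items():
        print(f"{status:12s} {' -> '.join(chain)}")
    print("needs attention:", problems(report))
```

The "uncontrolled" status is the post's own case: the first account's recovery address sits at a domain that changed hands, and the second account inherits the weakness because it recovers through the first. The two accounts that point at each other are no better off, since a single lockout leaves nowhere to send the reset mail.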

How to Change Your Secondary Email Address and Your Security Question With Gmail

Click on the Google Accounts Settings link. (In Gmail it is under Settings >> Accounts.)

Click on the Change Security Question link.

[Screenshot: gmail change your security question]

Change your security question or your secondary email.

[Screenshot: gmail change your password recovery email]

The Moral of the Story Is…

Well, I’m not quite sure what the moral of the story is, to be honest. Obviously, there is something to be said for having one email address and keeping it for as long as you can. There is something else to be said for using an email provider who requires voice confirmation with personal identifying information before changing your password. Don’t get me started on the benefits of having an account name that other people are unlikely to use.

I know that I’ve got a long boring task ahead of me over the upcoming weeks. I have to assume that any other accounts that were linked to that email address could have been compromised in the 12 hours I lost control of my account. Searches of the trash and sent folders showed no tampering, but that means nothing since a smart person would have just downloaded all of the mail and started data mining with a copy. Can I safely assume because the guy went out of his way to contact me to restore access to my account that nothing bad happened to it? Would you?