Experiment: forgetting your Google account password

July 25, 2007 / Filed under: Google, Security

I thought of an interesting conundrum the other day, involving my Google account.

Since I store a lot of valuable, personal information on my Google account, I decided to change my password.

I realized that if I ever forgot my Google password, I'd be locked out of all Google applications, such as Gmail, Google Notebook, Google Calendar, etc.

For convenience, I store my master passwords in a Google Notebook. However, that would do me no good if I forgot the very password to that notebook.

Also, if I tell Google I forgot my password, they'll send it to me via email. But remember, I can't get into Gmail, so what good would that do?

Turns out Google asks you for an alternate email address, presumably something outside of the Gmail realm.

OK. This won't work either, since I currently forward all of my "custom" email addresses to my Gmail account.

I bet you're starting to see the circle here...

Even if I could access an "alternate" email address, what's to stop someone from supplying their own email address for my account?

Let's test it

I decided to test the process, in order to see for myself how it works.

Logging out of my Google Accounts session, I chose: "I cannot access my account."

Screenshot of Google login page

I then picked: "I forgot my password."

Screenshot of Google account page

I put in my Gmail account username, and hit Submit.

Screenshot of Google account section

After entering a CAPTCHA, I was presented with this message:

We've sent instructions to the secondary email address you provided during signup.

If you don't have a secondary email address, or if you no longer have access to that account, please try the "Forgot your password?" link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account.

To prevent someone from trying to break into an account you're actively using, the security question is only used for account recovery after an account has been idle for five days. The Gmail team cannot waive the five day requirement or access your password under any circumstances.

If you're unable to answer your security question or access your secondary email account, we regret that the Gmail team cannot provide further assistance. If you're concerned about the security of your account, please visit our Security Center.

So you should probably make sure the secondary email address is active and accessible, outside of Gmail.

Still, this approach seems awfully insecure. The security question is the only thing between my data and a malicious person? Not a very comforting thought.

Isn't there a better way to achieve this kind of confirmation?

Related

A day after I wrote the draft of this post, I noticed this article from ZDNet, discussing secure email.

Comments/Mentions

# Michael at 7/26/2007 10:18 am cst

I have switched from gmail to BigString.

Here's some info if you're interested: BigString (http://www.bigstring.com), the new free webmail program, offers revolutionary features. When you send mail from your BigString account, you are protected. BigString is like an automatic shredder for your email. You can self-destruct or change an email that's already been sent or read. Don't leave your messages sitting in people's inboxes forever.

# wAAH at 9/8/2007 11:51 am cst

What if you forget your alternate email? That's what I did.

# Ravi Rathod at 12/29/2008 3:33 am cst

I am having some problems while surfing through Gmail. It says "please check the password." But when I refresh the page, it accepts my password. I am very confused?