Thursday, February 26, 2009

Gmail: be sure you have a working secondary account

I was unable to access Gmail this evening. My password wasn't working.

I can't explain this. I believe I was entering the password correctly. It was nerve-wracking; I'd much rather lose both my wallet and my car key than lose my Google identity.

I ended up having to follow Google's password reset procedure. The first step in their reset is to email a special link to your secondary account. (See [1], below.)

Rigggghhht. My secondary account forwarded to Gmail, so that didn't help.

Fortunately I have control over the secondary account, so I logged in there and changed the mail redirect to BOTH my Gmail account and one of my dozen or so Google Apps accounts. I then repeated the Google reset behavior and the link showed up at my secondary Google Apps account.
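The failure above is a recovery loop: the address that receives the reset link forwards everything back into the account that is locked, so the link is never readable. The following is an added example, not code from the post or from Google, that models accounts as a small forwarding graph and answers the question "if I lose access to account X, where does a reset link for X actually land?" The account names ("gmail", "secondary", "apps") and the forwarding rules are constructed to mirror the post's before-and-after situation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """One mail account in the model (constructed, hypothetical).

    recovery    -- where this account's password-reset link is sent
    forwards_to -- addresses every incoming message is redirected to;
                   an empty list means mail stays in a real mailbox here
    """
    name: str
    recovery: Optional[str] = None
    forwards_to: List[str] = field(default_factory=list)


def final_mailboxes(accounts: Dict[str, Account], address: str,
                    locked: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Follow forwarding rules from `address` and return the real mailboxes
    where a message ends up, treating the locked account as a black hole:
    mail delivered there cannot be read and is not forwarded onward.

    `seen` guards against forwarding cycles (a -> b -> a)."""
    if seen is None:
        seen = set()
    if address == locked or address in seen:
        return set()
    seen.add(address)
    if address not in accounts:
        # Assumption: an address we do not model is an external real mailbox.
        return {address}
    acct = accounts[address]
    if not acct.forwards_to:
        return {address}
    landing: Set[str] = set()
    for nxt in acct.forwards_to:
        landing |= final_mailboxes(accounts, nxt, locked, seen)
    return landing


def recovery_mailboxes(accounts: Dict[str, Account], locked: str) -> Set[str]:
    """Mailboxes where a reset link for `locked` can actually be read once
    `locked` itself is inaccessible. Empty set == recovery is unusable."""
    rec = accounts[locked].recovery
    if rec is None:
        return set()
    return final_mailboxes(accounts, rec, locked)


def recovery_usable(accounts: Dict[str, Account], locked: str) -> bool:
    """True if at least one readable mailbox receives the reset link."""
    return bool(recovery_mailboxes(accounts, locked))


# Constructed sample: the situation in the post before the fix. The
# secondary account forwards everything to Gmail, which is the locked account.
BEFORE = {
    "gmail": Account("gmail", recovery="secondary"),
    "secondary": Account("secondary", forwards_to=["gmail"]),
}

# Constructed sample: after the fix, the secondary forwards to BOTH Gmail
# and a Google Apps account that keeps its own mailbox.
AFTER = {
    "gmail": Account("gmail", recovery="secondary"),
    "secondary": Account("secondary", forwards_to=["gmail", "apps"]),
    "apps": Account("apps"),
}

# Constructed sample: a pure forwarding cycle that never reaches a mailbox.
LOOP = {
    "gmail": Account("gmail", recovery="relay1"),
    "relay1": Account("relay1", forwards_to=["relay2"]),
    "relay2": Account("relay2", forwards_to=["relay1"]),
}

if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER), ("loop", LOOP)):
        print(label, "->", sorted(recovery_mailboxes(graph, "gmail")) or "UNUSABLE")
```

Run periodically against your own account list (or by hand once): any account whose recovery set comes back empty has a reset path that depends on the very account you would be trying to recover. The check also makes the post's later point concrete: every mailbox that appears in the result is one whose compromise hands over the locked account, so each one deserves the same protection as the primary.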

So I'm back, which is why I'm able to post this.

After defibrillating myself I took another look at Google's "My Account" settings. Here's what I learned:
  1. The secondary email address is specified under the "security question" area. That's not obvious: you click on the "security question" link to get to it.
  2. I generally blow off "security questions" since I have a reliable system for managing passwords. In this case, though, something didn't work. I went back to Google and carefully set up a unique security question.
  3. I changed my "secondary email" to a safe destination.
  4. The "secondary email" is optional; I presume if you don't set it Google goes directly to asking the security question.
The moral of the story is that everyone with a Gmail account needs a secondary email account with real mail storage. So check now and make sure your secondary account is valid.

Oh, and you do realize that if anyone gets access to the secondary account they are in a very good position to seize your Google identity. So the secondary account is as critical as your primary account. So maybe the secondary account should be top secret -- and all email should be deleted from it ....

Damn, but we need to get rid of #$#@$ passwords. I would love to see Google do right what OpenID flubbed (two factor authentication).

Now, I'd like to know what happened to my Google account access in the first place. I assume the problem wasn't related to this transition, or maybe this weird bug ...

[1] Google's password reset process:
To initiate the password reset process, please follow the instructions sent to your xxxx email address.

If you don't have an alternate email address, or if you no longer have access to that account, please try to reset your password again after 24 hours. At that point, you'll be able to reset your password by answering the security question you provided when you created your account.

We use the security question for account recovery only after an account has been idle for 24 hours. We do this to prevent someone else from taking over your account.

If you're unable to answer your security question or access your secondary email account, please complete this form. If you're concerned about the security of your account, please visit our Security Center.

Update 9/8/09: It's been a week or so since this happened and I'm still finding passwords I need to update. I've probably entered my new Gmail/Google Account pw in 20-25 places, and I think I'm only half-done. I've entered it so far across five computers and two iPhones. This is, of course, insane. Unsurprisingly, only obsessives can tolerate changing passwords very often. We SO need to kill the password. Also, following that link to my old post I rediscovered this "gem":

Always keep the verification number you get when you sign up for Gmail. When you sign up for Gmail, we'll ask you for a secondary email address and then email a verification number to that account. This number is the best way to prove ownership of your account, so be sure to hang on to it.

How many people have that bloody verification number?! I'm pretty sure when I signed up for Gmail Google didn't provide those ...
