Ask HN: Gmail account security

[+] steelframe|4 years ago|reply

Once upon a time I worked at Google.

I returned to Austin to visit old friends and took the opportunity to visit the Google office there. The Googlers sitting around me were primarily corporate sales.

They weren't getting any corporate sales calls at all as far as I could tell, but there was one extremely irate user who was locked out of their GMail account and was repeatedly calling them because they were the only human beings at Google the user was able to get in touch with, via something like "Press 3 for Corporate Sales." Of course these poor Google corporate sales people had absolutely no way to help this user even if they wanted to. Google literally did not have any GMail account phone support (at least at the time).

I could hear the poor guy screaming through their headsets about how he paid Google something for some service and was entitled to phone support and he demanded someone help him, but they just kept saying, "This is corporate sales. We do not offer consumer account support. If you want support, please visit the Google Support Forums at www dot..."

After they hung up on him 3 or 4 times, eventually a manager got on the phone and told him (between his screams), "Look, you're not getting any phone support because it doesn't exist. There's nowhere for us to transfer you. There's nobody who can call you back about this. Your only option is to search the forums for an answer to your problem. I am going to terminate this call now. Sir, I'm going to terminate this call. No, we can't help you. Nobody at Google can help you. I am terminating this call now. We asked you to stop calling this number. Do not call us again. <click>"

I'd frequently tell my co-workers, "If you're not paying for it, you're the product." That experience underscored that notion for me.

[+] zxcvbn4038|4 years ago|reply

Even when you have paid Google products that come with support, it is really awful. They once asked me to submit a business case justifying how answering my support question benefited Google. Just a simple clarification of something in their documentation. I was already under pressure to migrate to Office360, I stopped fighting after that.

My employer is a huge AWS user and Google is constantly chasing us with a treasure chest of free credit to migrate over, their prices are significantly cheaper, but everyone agrees it’s worth the premium to stay with AWS simply because they answer the phone.

(If you have never used AWS’s enterprise support, those guys are worth every penny.)

[+] leoh|4 years ago|reply

You are actually pointing out a tremendous opportunity that Google has internally and externally. I work at Google and recently tried to file a bug about the calculator embedded in search. It was dastardly difficult to find how to file the ticket. It took me maybe an hour. A better system for filing tickets internally and for filing and triaging tickets from external users would be a tremendous asset for Google.

[+] joering2|4 years ago|reply

> "If you're not paying for it, you're the product."

Xoogler here - actually we used to say "if you are not buying advertising from us, Google can't help you at all".

And just recently I am great example of that. I used to have a Gsuite account at $6/per month for 3 years, then decided to give up on it b/c I wasn't using it. But unfortunately the domain expired before I could properly disconnect it and cancel my account. You can probably already imagine at this point what kind of hell I went thru with "google help". Ultimately I had someone from India called me 3 times to explain - the questionnaire they sent me has to be answer in specific format: each question has to have one paragraph space, then tab (9), then my answer. I kid you not! I spent 3 weeks, been transferred over email ticket about 10 times and every time they told me the same thing. Even if I did exactly how they want it - I guess email was automatically eating up the tabulate key and replacing it with spaces. Eventually a buddy of mine who still works there (different dept) told me customer support forwards your email to some account that parses message automatically, and they cannot even change one single letter in your message. Even when explaining them on the phone that I am following up with their stupid protocol of one new line, then tab, then my answer, then next line must be second question, their program must be messing it up.

Eventually I gave up on their customer support. It took me/them six months of chargeback disputes for $6 each month until my account must have popped out on someones screen and Google employee gave me 3.5 seconds of their time to click "close this account".

[+] bamboozled|4 years ago|reply

Once we were having trouble with GKE hosted in Asia, it was causing out business a major outage and it wasn't something which I had the power to fix, from memory, half way through a cluster upgrade, Google ran out of compute so the upgrade was stuck half and the control plane ended up in a bad state and some how this impacted the networking (it shouldn't but it happened). I was unable to provision a new cluster due to the lack of capacity so we were stuck.

This wasn't the first problem we'd had either.

There was absolutely no one to call, no one to even alert to warn other customers, the status pages were all green.

Instead of bothering with Google, I just opened an account on AWS and migrated whole stack to AWS in ~ 3 hours, pointed DNS at the new load balancers and we never went back and continued doing business without issue for as long as I can remember.

[+] ulrikrasmussen|4 years ago|reply

It's pretty crazy to think about the fact that your email is de-facto your online identity, as it is the universal second factor that is used as a fallback if other login mechanisms fail. An email service is two things: a global name [email protected], which is really your online identity, and an email service that hosts the SMTP, IMAP and DNS services required for the identity to function. People are willing to hand over not just the ownership of the service but also their global digital identity (the email address) to a third-party which now assumes total control of it, and which does not have any interest in supporting you. It is a major hassle to move to another provider, even a paid one, because your email address is tied to the service provider.

Because email addresses are practically a requirement to function in society, I think they should be a public service. Everyone should have the right to get an email address controlled by a public service institution which guarantees you that you can move between service providers as you please. There could even be a standardized protocol that service providers could use to easily update DNS entries when the user requests a move, assuming that you can identify yourself via some other means.

[+] kodemager|4 years ago|reply

You’d wonder why they have corporate sales. I’ve worked in enterprise for a long time and we’d laugh at the notion whenever someone suggested we buy any Google service because easy access to phone support when things go wrong is one of the key selling points in enterprise.

It’s why Microsoft has done so well for itself in this area over the decades. Sure Office helps, but the fact that your operations guys can be on the phone with their Seattle based offices, and get hourly updates where Microsoft calls you, when something big goes wrong is pure gold to any IT manager in any enterprise. Not only because it lets you solve issues faster, but also because you can tell the organisation that IT is on the phone with Microsoft’s head offices and you are working on a solution with them.

[+] bryanrasmussen|4 years ago|reply

>about how he paid Google something for some service

>I'd frequently tell my co-workers, "If you're not paying for it, you're the product."

it seems even if he did pay he was the product, which frankly jibes with my experience of paying for things at Google.

[+] RubyRidgeRandy|4 years ago|reply

only tangentially related but that phrase is a pet peeve of mine. You are always the product if you are using software - free or paid. Netflix is sure as hell going to use your data the same way youtube would.

The only exception of course is most but not all FOSS.

[+] martyvis|4 years ago|reply

I've subscribed to Google One for a few years. (When I say "pay", I'm using credit from answering surveys from Google a few times a week). It's only a couple of dollars a month, it gives you more online cloud storage, but it also gives you a chat and call service to Google. I have used it a couple of times - once to help me push LG to release updates on a phone (they kept saying it was Google's responsibility), another to one get my wife properly added to be able to use the Home smart speaker. Both times chat was followed up a call to a real person (that was understandable, and willing to chase up and respond to the issue). I feel if I had an account issue it would similarly work out.

[+] 1vuio0pswjnm7|4 years ago|reply

"I'd frequently tell my co-workers, "If you're not paying for it, you're the product.""

But it sounds like this "extremely irate user" was paying for it.

[+] eschulz|4 years ago|reply

Was the screaming guy no paying for some service?

[+] ngold|4 years ago|reply

Disclaimer. I'm a new Google play thing, by giving them money. Just registered a website through them and am about to release a game on the playstore. Fully dependant on zero custom service now.

The one thing I've never understood about google. Some sort of law for a trillion dollar company to have customer service or something.

Google should be employing 10's of thousands of customer service employees to take calls to troubleshoot their customers issues.

On a side note.

Here is my.... the simplest website you have seen since 1989.

https://simplegametime.com

I'm not running a user data farm. I just want to make stupid games, like...

P.S. Zero advertising for anything including my game. Just a 7 line privacy policy. Don't need much more.

[+] minusSeven|4 years ago|reply

>I'd frequently tell my co-workers, "If you're not paying for it, you're the product." That experience underscored that notion for me.

But this isn't true for all of us, google provides support through paid programs and sells services to other businesses. This is more of google specific problem.

[+] vbezhenar|4 years ago|reply

I submitted security bug to Chrome. It was not very serious or urgent. Somebody looked at it in the first hour, in the first day it was analyzed and in the first week it was resolved. I was kind of surprised, because I was sure that public feedback from nobody is going to be put in a very long queue.

[+] neycoda|4 years ago|reply

Google makes money on Gmail. That means they can pay for customer support.

[+] hericium|4 years ago|reply

> Google office there. The Googlers sitting around

Seriously? You stated that you left the cult.

[+] parhamn|4 years ago|reply

They also do this thing now where they block [1] smaller browsers (even ones using the latest version of chromium) under the guise of security. According to their docs they're fighting MITMs by generally disallowing any browser they can't identify (so the big few).

If you're not on a whitelisted browser by Google, you can't log in (effectively, use) any of their properties.

This feels very anti-competitive to me. Notably all the whitelisted browsers are either theirs (Chrome) or sell them their search traffic. I'm building a browser for research [2] and have to frequently find workarounds. I'm not quite sure who I'd contact to get on said whitelist either...

[1] https://imgur.com/a/DASVkhl (here is the issue in the Vim browser and Min browser)

[2] https://synth.app

[+] Andrew_nenakhov|4 years ago|reply

Had this. It was telling me to try again 'later'. Ok, i did 'try later' every day for three weeks, and they didn't let me in. Using the very same IP address as I used to always access it, no less.

Then, I gave up, moved all my services to another email account, and after 2 or 3 months tried logging in, and it suddenly allowed me to log in.

Needless to say, I will never again use gmail for critically important things.

[+] alerighi|4 years ago|reply

My solution is, buy your own domain. It's cheap and it will cost you only 20$ a year or something like that. I'm not saying run your own email service (I do, but I recognize that it's complex and not worth for most people), but use a public email service (like also GMail) with your own domain.

That way at least if you no longer can access your account, or you get banned, or whatever, you don't loose your address (since you can just move to another provider).

Also, use an email client on your PC (such as Thunderbird) and configure it to keep a copy of all your emails locally (and possibly have the PC backed up). That way if you loose access to your account you don't loose access to your mail, that you can even upload again in the new provider server.

[+] alisonatwork|4 years ago|reply

This is exactly my experience too. My Google accounts just randomly decide to stop working from time to time, and if I no longer have the same phone number that I did before (or if I'm traveling overseas and cannot get a "confirmation call"), there is no way at all to get in. Usually after a mysterious and unexplained period of time, my account gets un-flagged again and I can log in as per normal.

The first time this happened I completely lost all access to my Google account. I transferred all of my important email correspondence over to a Microsoft account and I have never looked back. Unfortunately I still need to maintain another Google account for my phone (Android) to work properly, so there are times I still get bitten by it. It's absolutely infuriating when you get a new phone and specifically need to log in with your Google account to be able to do anything, that's exactly the time Google blocks you from being able to get into your account, because it's apparently detected the new phone and decided you're a hacker.

This also happens to me regularly with PayPal, almost always when I am traveling overseas, at exactly the moments that I really need PayPal to work so I can pay for something related to my travel. It's so annoying. Tech support never, ever solve the problem. All you can do is wait and try again later until magically it works. Sometimes weeks later.

The only thing I can say for certain is to never try log into your account over open wifi or over a VPN connection, because somehow Google (and PayPal) seem to flag that as a hack attempt no matter how many times you correctly confirm your identity. And once you've been flagged once, your account gets caught in some kind of loop where even after you get back onto an apparently blessed IP address, you're still locked out for some unspecified period.

[+] dheera|4 years ago|reply

Yeah this sounds like utter bullshit to me. What if you're travelling, all your devices get stolen, and you're logging in from a public computer or friend's computer to contact your family?

This is mindblowingly idiotic. Do they have such a bad vacation policy for their employees that not a single ONE of their engineering managers has experienced the above? Do they just sit in front of their desks for 365 days a year and never leave their country borders?

[+] hansvm|4 years ago|reply

Not just Google, I'm regularly locked out of banks, state resources, and all kinds of other shit because of various combinations of bad decisions producing toxic login flows.

One of my personal favorites -- a bank automatically associated phone numbers you called them from to the account, and later they forced SMS 2FA onto the account regardless of any other security you had in place (and of course made the common mistake of allowing account takeovers with JUST that 2FA and a username). Those automatically registered numbers weren't exempted.

[+] croutonwagon|4 years ago|reply

I make a habit of

1. Forwarding everything to my free tier google apps for business on my domain

2. Annually logging into my throwaways. it seems if i login to them once a year from home, they dont pull this.

3. do NOT attempt to login to my throwaways from a proxies connection (SSH/SOCKS on a VPS or something like that, which i frequently use at work)

[+] jjcon|4 years ago|reply

Had the same thing happen to me, I know the password, have access to the recovery email but Google won't let me login. Spent months in a support thread with Google and eventually gave up. Still really bummed about it tbh

[+] abider|4 years ago|reply

> Needless to say, I will never again use gmail for critically important things.

That's a hot take. If it was critically important, you'd have 2FA and a recovery phone number associated with it - which would have prevented you from getting stuck in a trust-fail situation to begin with.

Use whatever service you want, but your takeaway from this situation is a bit absurd.

Edit to add: I'm not saying Google's algorithm is perfect here, but relying on heuristic voodoo ("I use the same IP, so I should be fine") for "critically important things" instead of using well-established means of securing access to critically important things (e.g. 2FA, backup mobile number) is a bit insane.

[+] anter|4 years ago|reply

Yep, have had that issue for over a year now, I am completely unable to access my old gmail account despite having the password, recovery email and everything else.

Just says "you can’t sign in" and that's it: https://i.imgur.com/4YrElkJ.png

[+] jscheel|4 years ago|reply

Not, Google, but I'm having sort of the same problem with Facebook. My church has a Facebook account that we used to set up our public page years ago. We assigned editors to the page, then promptly never used that account again. Fast forward to this year, and I need to add a new editor, which only the page admin can do. I reset the password on the church's facebook account (it was lost years ago), but when I log in, it says it doesn't recognize my location and it needs me to get codes from a list of trusted contacts (a list that I'm fairly certain we never set up). When any of those trusted contacts go to the page it lists, Facebook tells them they aren't trusted contacts. I have tried to get Facebook to respond to me in every single possible way. I have gone through all of their help pages, talked to their bot until it said it would forward my message to a human that could help, sent emails to every address I could find, reported the page and account on every form I could, hit up Meta on other social media, and even reached out to Oculus support and offered to buy a headset if I needed one for them to be able to help me get access back to the account. The only response I've gotten is from Oculus telling me they can't do anything. That's it. No other responses at all. I swear it would be easier to answer one of the 37 recruiters that have reached out to me, interviewed for a position, gotten hired, and then fixed it myself.

[+] supermatou|4 years ago|reply

Yep, and it was even more aggravating.

> have three gmail accounts

> primary, [email protected]

> secondary, [email protected]

> tertiary, [email protected]

> secondary and tertiary have primary as a recovery address

> log in/out once a week in 2nd and 3rd

> last August, try to log into name.surname.work

> "Password is incorrect"

> WTH?! of course it's correct.

> try several times, Google blocks me ("temporarily")

> next day, try again, no dice.

> OK, the hell with this: let's reset the password

> "what's the last password you remember?" duh, the last and only password is the one I already gave you, you stupid machine.

> "we need additional verification; input the recovery address" Finally! type my main address

> mail from Google arrives pronto, code in it

> type code in verification field

> new mail from Google: "Thank you for verifying your mail address" [my primary one?!] Based on the information provided, we cannot ascertain that [tertiary account] belongs to you"

This has been happening since. A few weeks ago, secondary account went down too, yielding the same error OP got.

Note: a) I have been using the same IP and the same machine to log into those accounts for many years; there is no other device or location where I've signed in before! b) primary account has multiple (4) Yubikeys associated with it, so it should be clear I'm a real person and not a bot.

I'm currently in panic mode: if my main account goes down, it will take a huge part of my life with it, from banks to government stuff.

[+] armchairhacker|4 years ago|reply

This is because most people use Gmail for basically all their online accounts: if you don't directly login to the site via Gmail, you can use your account to change your password. Imagine the damage which can be done if a malicious user breaks into someone's Gmail, if not your own, then the average person who uses the same password everywhere and trusts Gmail with everything.

Not defending the practice at all. It shows we as a society and Google in particular need better security if they are flat-out locking people out of their Gmail accounts and others are still being compromised (I know they are). I honestly support Google forcing people to use recovery addresses and 2-factor authentication but I don't support them making the recovery authentication not work and providing literally no options for a legitimate user.

I think the best you can do right now is complain on HN and Twitter and you'll probably get your account back. In the future, maybe if you have a YubiKey or stronger form of 2FA Google won't lock you out, because obviously if someone can authenticate with a YubiKey they are practically guaranteed to be the real person.

[+] Groxx|4 years ago|reply

>obviously if someone can authenticate with a YubiKey they are practically guaranteed to be the real person.

Or someone grabbed your backpack.

I understand why Google wants 2FA - it gives them a stronger claim to not provide support. Personally I don't want 2FA - I use strong passwords, and I don't trust them to provide support if my device is lost. Imagine a house fire, for instance, and losing not only your possessions but also basically all your online accounts. I have password backups, nobody has device backups.

[+] tpoacher|4 years ago|reply

this only works if your post gets upvoted.

which in the grand scheme of things is rare. have you been to the "new" page lately?

[+] ttty|4 years ago|reply

[deleted]

[+] jacekm|4 years ago|reply

Things I can recommend in your situation, which helped me in the past, in no particular order:

* log into other gmail account (with a long history) using Chrome without any addons, log out and then immediately try logging into the primary account (ideally google should ask you if you want to add another account)

* log in from the same location. I once spent two years abroad, and could not log in to one of my accounts. I regained access only after returning to my home country

* if you are working in an organization that owns an IP range, try logging in from work, i.e. do not use publicly available ISP.

You'll get best results if you can combine two or more of these points. Unfortunately even following this advice you are not guaranteed to be successful...

For the future reference, the only prevention that I know which works 100% times is using YubiKey for 2FA. 2FA with TOTP codes often helps unlocking the account, but I had cases where even the codes did not help.

[+] alecco|4 years ago|reply

> using YubiKey for 2FA

Today Google/Gmail suddenly logged me out and asked me for the hardware key, and I thought no problem as I have OTP with my Password Manager, but OTP didn't work. I had the key somewhere else. Luckily after insisting a bit Google gave me the option to use my mobile Gmail app to verify it's me (note it was not Google Authenticator, why did they made me install it?). All this hassle even though I've been on the same ISP/IP range and computer for weeks. No VPN or anything.

On top of the multiple authentication options, I'm going to add a second hardware key in case I lose my main one and Google decides it's the only way to log in.

Edit: the OTP option is not there anymore in my Google account 2-Step Verification, but it did ask for it and it failed.

[+] kccqzy|4 years ago|reply

Similar case here. One of the Google accounts I have has three 2FA setups: SMS, TOTP, and Yubikey. One time I tried logging in I didn't have my Yubikey with me. I thought no problem I'll use the TOTP authenticator app. Google told me I can't login even though the code was correct.

There wasn't any way to address that except by actually using the Yubikey to log in.

I'm using a fresh install of Chrome with no addons.

[+] AshamedCaptain|4 years ago|reply

One day I logged in to my Amazon account from a different country. Mind you, I have 2FA/OTP enabled in my account, and I entered it correctly. They also made me click on a link they sent via email to "verify my login".

A couple hours later my account was blocked due to "suspicious login(s)" (i.e. mine), and the order I placed cancelled. They had me wait 24h until I could contact someone at support that could unblock it. He told he was going to disable 2FA (?) and send me a code that I could use to change my password.

The code was sent via SMS.

They think that someone who has just my SIM card (or a clone, FFS) is more trustworthy than someone who has my password, 2FA token, and email address.

These companies take user security as a joke, or as pure theater.

[+] moralestapia|4 years ago|reply

Google is absolute trash now compared to what it was.

Most accurate search engine is now almost useless even for VERBATIM queries; queries that took milliseconds earlier (they even built a product around that, Google Instant), now take 2-3 seconds on average.

Best email service, now feels clunky and slow plus the spam algorithm not only stopped working, but is now working backwards.

Everything just worked and it was simple to grasp and to work with, now we have issues everywhere with their draconian 2FA among other "wise" decisions in the name of "security".

All this while on Android, basic stuff like calling 911 so you don't die is not possible because of all the other "features" they keep adding to the platform, see: https://news.ycombinator.com/item?id=29492884

[+] slig|4 years ago|reply

>Best email service, now feels clunky and slow plus the spam algorithm not only stopped working, but is now working backwards.

That's annoying, and they don't even care anymore. Now I have to check my spam folder multiple times a day. A lot of legitimate email is going to spam and vice-versa.

[+] exolymph|4 years ago|reply

Wasn't aware of this, but can't say I'm surprised.

Personally, I'm still happy with Fastmail, which uses customer subscriptions fees to fund a professional support department, as well as contributing to email-related FOSS. (Among other things, obviously.)

[+] alanh|4 years ago|reply

Reminder: Google paid for an ad campaign with this gist: A father creates a Gmail account for his daughter when she is born, and sends her important photos and mementos as she grows up. Sweet. Reality: At least one person tried this in real life, and the child's account was automatically deleted without recourse.

https://tech.slashdot.org/story/11/12/18/2046221/why-google-...

[+] js2|4 years ago|reply

Edit: I just got back in! I had to give a real phone # for the SMS step. It pretended to accept a Google Voice # but would never send a code and I just got stuck in the loop I describe below. I've now closed the account. Oh, the irony...

Yup, I've got an old gmail account that Google won't let me into. First I get:

"This device isn’t recognized. For your security, Google wants to make sure it’s really you."

With options for "Confirm your recovery email" and "Get a verification code at <elided recovery email>."

Regardless of which I choose, it then asks me for a phone # for an SMS code. So I give it one, just to get:

"Unavailable because of too many failed attempts. Try again in a few hours."

Except, "a few hours" is a lie. I last tried this weeks ago. I get a "Try another way" option which prompts me "Enter the last password you remember using with this Google Account." at which point I'm at a dead end because this account only ever had one password.

The best part is that shortly after going through this exercise I get an email to the recovery address:

"Sign-in attempt was blocked. Someone just used your password to try to sign in to your account. Google blocked them, but you should check what happened."

With a "Check Activity" button that takes me right back to the Google sign page...

Buttle? Tuttle?

The irony in all of this is that I'd forgotten about the account until Google sent an "new terms of service" email to the recovery email address and decided I wanted to close the account. But I can't login to do so.

Anyway, I switched my primary email away to Fastmail years ago and I'm still happy with that decision.

[+] kingcharles|4 years ago|reply

Did you have a 27B/6?

https://www.youtube.com/watch?v=CGeT5cutXgU

[+] voisin|4 years ago|reply

Nearly every interaction I have had with Google in the last two years makes me think the company has devolved into warring factions that cannot communicate let alone coordinate for the betterment of their users. Do they not eat their own cooking, or how do they manage to make everything so dysfunctional?

[+] sercand|4 years ago|reply

Google added one of my employee's LinkedIn account address as our LinkedIn URL to our company Google business profile. We have contacted google support about this to change URL to our own but we got response like following:

    I understand that you are referring to an incorrect LinkedIn profile which is visible under your business profile in Google. Please be informed that information from social profiles are collected by automated algorithms.

    There's no way to manually remove these social profiles from our end. This is something which is driven by Google’s algorithm, based on the visibility, ranking, web presence, etc. of the particular business page. We at Google do not have any manual control over this.

Google and its algorithms are going bad and they have no control over it. It is getting ridiculous.

[+] dfdz|4 years ago|reply

Just FYI there is a solution to this: enroll your gmail account in the advanced protection program

https://landing.google.com/advancedprotection/

When you login you are required to use a security key (like Yubi key) but it removes all the annoying emails and texts with codes, IP filtering, login AI, etc

[+] dTal|4 years ago|reply

Hit this over XMas. Dad got a new fire stick. Wanted to use the YouTube app. Wanted to sign in to YouTube for channel subscriptions. Had a GMail account he'd not used in years. Tried to recover it with the whole send-a-code-to-secondary-email rigmarole. Google went to the trouble of sending a code, but upon successful entry decided that it just wasn't good enough. Maddening. Gmail account gone forever. Can't sign up for a new one because "phone number used too many times". Fuck me I guess, guess we'll have to use one of the unofficial YouTube apps that do client-side subscriptions and incidentally block ads.

[+] pkulak|4 years ago|reply

It’s this kind of thing that has had me moving most everything off Google over the last 6 months. It’s just not safe for me to have 20 years of photos, emails and documents in the hands of a company that may cut me loose at any moment. After decades of slowly moving my life to “the cloud”, I bought a Synology nas, and now all my stuff lives in my own house (though backed up externally, of course).

[+] ncann|4 years ago|reply

Same here, I got an email to my main mail account saying Google has blocked a login attempt to another old Gmail account of mine that I haven't used for a long time (the old account has the new account listed as the recovery email). So I tried to log in to that old account, and got the same message to "try again later". I tried a few more times over the next few weeks but always the same message. So even with the correct password and access to the recovery email I still can't log in to the old account, and there's no way to get around it. I just gave up.

[+] Frost1x|4 years ago|reply

From my experience, as a non-Apple user, they are the absolute worst. I bought a family member an iPad for Christmas. They had an Apple account associated with their iPhone. They forgot their password. No big deal, I'll just reset their password.

Ha! We have to wait 24 hours after wrestling through the page, I leave my holiday visit in 36 hours, that's fine we have time I say to myself. A little odd but whatever, the account itself has no payment or important data associated with it really. 24 hours pass and the recovery page then suggests 14 days for recovery. What?!?! Why!?! (I mean, I get why, sort of, but I've done highly secure work that has less/shorter security processes than a consumer phone account). Apple says there's nothing they can do.

That's fine, well just create a new email and account for them I say to myself for their iPad annoying and yet another account for them to remember, lose the password, and deal with but whatever. Ok new email, new Apple account, sign in and perfect. Now I just need to disassociate the phone with the account its locked out of and switch it to the new Apple account to make syncing things a bit easier between devices. Wait, I can't do this until I recover the account to sign in to then log out of in the device. Wow. Again, I understand the security model here, but wow, a consumer device? Insanity.

774 comments