
KMag | 1 year ago

I lost a few GMail accounts because I changed countries and computers since I created them. I tried logging in, Google said my password was correct, but both the device and the IP were unfamiliar. I don't recall exactly what was wrong with using the recovery address to recover from the problem, but that didn't work, despite my still having access to my recovery email address. I think I might need to be able to tell Google what my recovery email address is, and I may have used one of those randomized + suffixes to my recovery address.

I used to use Google Authenticator with my GMail accounts, but disabled that out of fears it's just one more thing to go wrong, with Google providing little recourse.

My password is a bit over 96 bits of entropy, generated by extracting 256 bits from /dev/urandom as a multi-precision integer, divmod'ing to extract one instance from each of the character classes (digit, lower, upper, symbol) and then the rest from the combined alphabet (digit + lower + upper + symbol), and finally the leftover entropy used for a Fisher-Yates shuffle of the password so the first character isn't always a digit, etc. Passwords are per-site, stored using a gpg-based password manager I wrote in the early 2000s.

MFA would still help for some types of ongoing active compromise, but not for dumps of password hashes from a DB compromise. It really kills me that recovery from my recovery email address doesn't work, even though I know my password.

Honestly, if you haven't logged in from anywhere in a few months and you have the correct password, they should at least just send some verification link/code to your recovery address without requiring you to tell them your recovery address. Sure, maybe don't say where you're sending the recovery link, but turning the recovery address into another password you need to memorize without ever telling you it's some weird combination of recovery email address and recovery password is just highly annoying.
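The generator KMag describes above, written out as an added example (this is not the commenter's own code). The symbol class (Python's `string.punctuation`, 32 characters) and the default length of 16 are assumptions; 16 is chosen because it lands at roughly the 96 bits mentioned.

```python
import math
import secrets
import string

# Character classes as described in the comment; the symbol set is an
# assumption (string.punctuation, 32 characters). Combined alphabet: 94.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate_password(length=16, entropy=None):
    """Derive a password from a single 256-bit integer.

    One character is forced from each class, the remaining positions come
    from the combined alphabet, and a Fisher-Yates shuffle driven by the
    leftover bits moves the forced characters off the front. `entropy` may
    be given for reproducibility; otherwise 256 bits come from the OS
    CSPRNG (secrets reads /dev/urandom on Unix).
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    n = secrets.randbits(256) if entropy is None else entropy
    chars = []
    # divmod peels one index off the big integer per draw; with a 256-bit
    # value the modulo bias of each draw is negligible.
    for cls in CLASSES:
        n, idx = divmod(n, len(cls))
        chars.append(cls[idx])
    for _ in range(length - len(CLASSES)):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    # Fisher-Yates shuffle using the bits still left in n.
    for i in range(length - 1, 0, -1):
        n, j = divmod(n, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length=16):
    """Entropy of the unshuffled draws in bits; a lower bound for the
    final password, since the shuffle can only add uncertainty."""
    forced = sum(math.log2(len(c)) for c in CLASSES)
    return forced + (length - len(CLASSES)) * math.log2(len(ALPHABET))


def has_each_class(pw):
    """True if pw contains at least one character from every class."""
    return all(any(ch in cls for ch in pw) for cls in CLASSES)


if __name__ == "__main__":
    print(generate_password(), f"~{entropy_bits():.1f} bits")
```

Forcing one character per class is what holds the figure near 96 bits rather than the 105 bits of 16 uniform draws from 94 characters.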


mihaaly | 1 year ago

Damn! I did not know that.

I set my recovery address to another (dormant) gmail account, just to aggravate the risk put upon me! :D (I do not trust google now with more data than I have already given and must give, see later.)

I need to speed up the migration of my email life to the paid account I initiated and am testing (protonmail), because some serious problem could emerge otherwise (there is an international move on the horizon). I started to give gmail to various governmental organizations (taxation, healthcare, authorities) when it was innocent, as the contact of an account used for light things at the time, when everyone started to discover how to manage bureaucracy online. Which succeeded, and my gmail became an important tool for managing matters throughout some international moves. Some accounts here and there are dormant but still hold important matters that I might need once (how is it with that many-years-valid Australian travel authorisation or whatever that I did not need last year?...). Still, gmail was innocent enough, despite mass surveillance having sped up, which was a bit of an inconvenient feeling, but it rarely got any real secrets or deeply personal matters apart from the fact that I have dealings with this or that organization. But now online administration is borderline mandatory, with other means left to the bare minimum (when I am sent online in an office for something, that's a turning point in my mind) or in another country. Gmail is very inconveniently at the center, with all the worrisome things their automated bots carry out against unsuspecting users without mercy or appeal, so the migration process had to be started. Hence the test with protonmail. But it is so damn widespread now, I do not have enough time to go through it all; some is forgotten and I need to dig into faint memories. It is torture. But it has to be done. Has to be done.

Our twin girls should not be put at the mercy of google bots when they get to the age of requiring email for official matters.

notRobot | 1 year ago

You would have received a notice to your recovery email when you added it to the account in question and you might be able to find that email in your inbox and figure out the randomised suffix in the "to" field.

kevincox | 1 year ago

I have something similar. I was added to the Google domain of some open source project and given an email address. But I can't log in because Google is demanding a phone number.

I guess I could probably talk to the admin and get it reset, but it's pretty upsetting that they are basically holding accounts hostage until you hand over personal information.

aflag | 1 year ago

And the fact that there's no one to talk to means that if computer says no, that's it.

8organicbits | 1 year ago

I recently tried Google support for an issue with an out-of-support Pixel I was messing with. I assumed I'd get a "sorry, that device isn't supported" response, but they gaslit me, claimed that they could help, and proceeded to send me completely unrelated links until I gave up. Links unrelated to the Pixel and the problem I was facing.

I think I was talking to a bot and they made it appear human by slowing everything down so the whole exchange took 30 minutes, but maybe it was just a human following a script. Either way, it was worse than if they didn't have support since they just wasted my time.

alchemist1e9 | 1 year ago

There is absolutely nobody. It’s crazy. Realizing how dependent I am on gmail has been scary.

I’ve started a project to attempt to move to my own domain and self-host a full email stack. It’s a huge amount of work. However, the power Google has over me, should my gmail account be hijacked or turned off, is incredible.

Starting from the bottom is the security of the domain registrar and DNS records. It looks like there are some good options, though obviously at an additional price. Basically you have to use the corporate services with additional security features.

The self-hosting email and server security is something I have the background to handle.