Gmail Passwords Trusted, Yet Not Trusted
My memory sucks. I have trouble remembering things, like, you know, passwords. I often reset my passwords. I forget them, so I request a password reset, I press the link that comes to my inbox and go on with my merry day.
So now I wanted to do that again, and I couldn't log into my Gmail inbox to which the password reset link was sent. Google, for some odd reason, had decided that me knowing my password (which is highly secure, by the way!) wasn't enough proof that I am me. (Well, who could blame them – it would have been more realistic if I had actually forgotten my password …)
So I entered my password successfully, but instead of being logged in I was presented with three verification options:
- Send a verification email to an old, no longer existing email address;
- Answer a security question I have long since forgotten the exact answer to; or
- Pick out the exact month and year I created the Gmail account, which in practice becomes some sort of combination of the above two
I couldn't receive emails on the no longer existing email inbox, so I tried various combinations of the other recovery methods, but ultimately all of them ended in a "Sorry, we couldn't verify you are you" message.
That shit annoys me. How about the fact that I am the only one who knows my password? I was locked out of several services simply because Google have decided that passwords aren't uniquely identifying phrases anymore.
The Hole
Then in a last act of desperation, I went back to the old free email service that my old address used to be registered at before they purged it for inactivity. Guess what?
It was now available for registration.
Think about that. I once had an email address that ended up purged. Later it was made available for re-registration by anyone. This is not some small-time local free email provider. This is one of the big ones. It's backed by a big Redmond-based corporation.
So I re-registered it. And asked Google to send a verification email to my brand-spanking-new inbox with no verification it belongs to me anymore. And sure, they did. And I could let myself into my inbox again that way.
Don't get me wrong. I'm happy I was let into my inbox! I'm just really disappointed that they first pretend my password isn't enough verification, and then end up hinging the security of the account purely on my password anyway.