How can I stop someone from changing my gmail password?
June 17, 2010 11:47 PM Subscribe
Gmail security: Someone keeps trying to recover, or change, the password for my gmail account. I'd previously set my gmail recovery option to send me an SMS, and I'm getting a lot of SMSes saying, "Your Google Account recovery code is: ... If you did not request this code, you can safely ignore this message". I've already changed my secret question to be really obscure, but what else should I do to protect my account? Every couple of weeks, I get bombarded with SMSes because someone is trying to access my account. Can I temporarily disable the recovery option? I'm just worried that someone might guess the answer to my secret question by brute force or some other means.
Response by poster: Could it just be Joe Smith after Joe Smith after Joe Smith attempting to access their account but forgetting they are joe.smith or joe.s.smith?
That's definitely a possibility. My email is rather joe.smith-y. I'd still like to protect myself, though.
posted by surenoproblem at 12:06 AM on June 18, 2010
That's definitely a possibility. My email is rather joe.smith-y. I'd still like to protect myself, though.
posted by surenoproblem at 12:06 AM on June 18, 2010
Best answer: Why don't you make the answer to your secret question a complete non sequitur? Something like a 20 character string of gibberish...
posted by felix betachat at 12:28 AM on June 18, 2010 [4 favorites]
posted by felix betachat at 12:28 AM on June 18, 2010 [4 favorites]
Best answer: A thought - if you're worried about someone managing to stumble upon or force their way into the answer to your secret question, either lie egregiously (Why yes, my first pet was indeed Lord Whimsypants-Snugglebottoms the IVth!) or enter the answer in some kind of cyphered manner. Backwards is easiest, or replace certain letters with numbers, ROT-13, that kind of thing. So, Lord Whimseypants-Snugglebottoms would become Smottobelgguns-Stnapyesmihw, for example. No cipher is unbreakable, but that would probably keep away the Joe Smiths of the world.
(Just for fun - ROT-13 of the reverse becomes Fzbggborytthaf-Fganclrfzvug. Slightly harder to remember, but a few minutes with a bit of notepaper and you can get it back. I just tried to 1337-speak that, but there are limits....)
posted by MShades at 12:31 AM on June 18, 2010 [3 favorites]
(Just for fun - ROT-13 of the reverse becomes Fzbggborytthaf-Fganclrfzvug. Slightly harder to remember, but a few minutes with a bit of notepaper and you can get it back. I just tried to 1337-speak that, but there are limits....)
posted by MShades at 12:31 AM on June 18, 2010 [3 favorites]
Best answer: If you think it's someone making an honest mistake, make the recovery question (if you can edit it freely) a message to them. Perhaps "I don't know who you are, but this isn't your account." Then make the answer something secure.
posted by Rinku at 12:44 AM on June 18, 2010 [21 favorites]
posted by Rinku at 12:44 AM on June 18, 2010 [21 favorites]
+1 for Rinku's answer.
By "make the answer something secure", try something like a long random string e.g. 20 letters from http://www.random.org/strings/ (tick all 3 boxes)
Write this string down somewhere that you won't lose, for example in your address book. (Don't label the string with what it is for).
Anything you've thought of is (theoretically) guessable. A long random string is not.
posted by richb at 2:02 AM on June 18, 2010
By "make the answer something secure", try something like a long random string e.g. 20 letters from http://www.random.org/strings/ (tick all 3 boxes)
Write this string down somewhere that you won't lose, for example in your address book. (Don't label the string with what it is for).
Anything you've thought of is (theoretically) guessable. A long random string is not.
posted by richb at 2:02 AM on June 18, 2010
The answer to your secret question is in fact a password, and there's no reason why you need to make it less secure than any other password.
Change both your Gmail account password and your secret answer to something nice and strong, then sleep easy.
My own first teacher's name was not dMBDMq84a2FS. But it could have been!
posted by flabdablet at 2:16 AM on June 18, 2010 [3 favorites]
Change both your Gmail account password and your secret answer to something nice and strong, then sleep easy.
My own first teacher's name was not dMBDMq84a2FS. But it could have been!
posted by flabdablet at 2:16 AM on June 18, 2010 [3 favorites]
Incidentally, though random.org's password generator does in fact generate very strong passwords, I have seen bank websites reject them for being too weak. Although they are pretty much uncrackable as they stand provided they're longer than about 10 characters, you might want to insert a few punctuation marks to appease clueless password strength evaluators.
Google's password strength evaluator is also rubbish. I have seen ordinary dictionary words with a single $ sign appended rated as "strong" by a Google password edit page.
posted by flabdablet at 2:24 AM on June 18, 2010
Google's password strength evaluator is also rubbish. I have seen ordinary dictionary words with a single $ sign appended rated as "strong" by a Google password edit page.
posted by flabdablet at 2:24 AM on June 18, 2010
This happens to me at least once a month, where I get a ton of SMS messages about someone trying to access my gmail account. I hate it, and it sucks, but I know it's because i have a real word as my username (I will never make that mistake again).
My secret answer is an actual answer run through the online Rot13 translator, which seems secure enough and easy to actually do.
posted by gemmy at 8:59 AM on June 18, 2010
My secret answer is an actual answer run through the online Rot13 translator, which seems secure enough and easy to actually do.
posted by gemmy at 8:59 AM on June 18, 2010
Rinku's answer is awesome. I would never have thought of doing that.
posted by Vorteks at 9:59 AM on June 18, 2010
posted by Vorteks at 9:59 AM on June 18, 2010
Is your email something like joesmith? Could it just be Joe Smith after Joe Smith after Joe Smith attempting to access their account but forgetting they are joe.smith or joe.s.smith?
posted by geek anachronism
Just a small note, gmail handles the addresses joesmith@gmail and joe.smith@gmail as being the same address, you can put a period anywhere in your address and it resolves the same and the email will go through.
posted by haveanicesummer at 11:49 AM on June 18, 2010
posted by geek anachronism
Just a small note, gmail handles the addresses joesmith@gmail and joe.smith@gmail as being the same address, you can put a period anywhere in your address and it resolves the same and the email will go through.
posted by haveanicesummer at 11:49 AM on June 18, 2010
If you feel the random gibberish password is potentially unworkable for some reason, another possibility is to pick a lyric or line that you'll remember but that isn't some obvious phrase (i.e., not "the quick brown fox jumped over the lazy dog"), and convert it to the first letter of each word. (Bonus if there's a number or a word in there that you can convert to a numeral.) So, for example, if you happened to memorize Emily Dickinson's "Because I could not stop for Death, He kindly stopped for me; The carriage held but just ourselves -- and Immortality" you could convert it to BIcns4DhksfmTchbjoaI. Add a punctuation mark in there somewhere and you're set (unless you're being pursued by a very poetic thief).
posted by scody at 11:58 AM on June 18, 2010 [2 favorites]
posted by scody at 11:58 AM on June 18, 2010 [2 favorites]
This thread is closed to new comments.
posted by geek anachronism at 12:01 AM on June 18, 2010