October 8, 2008 6:44 PM PDT

Being smart about Web mail

by Michael Horowitz

There was an interesting article recently in The New York Times about getting locked out of a Gmail account.

In August, blogger Alan Shimel of StillSecure wrote about his problems regaining access to a Yahoo e-mail account. Suffice it to say that if someone learns your Web mail password, it's a very difficult situation--one that may not end well.

For one thing, the Web mail provider may not know enough about you to determine the true account owner. Worse still, anyone using a free Web mail account from Google (Gmail), Yahoo, or Microsoft (Hotmail) can't expect to talk to a human being to resolve a problem with their account. Talking to a person at Google requires a subscription to Google Apps Premier Edition for $50 a year. Microsoft and Yahoo similarly offer telephone support only to "premium" customers.

If you care about a Web mail account, then some homework may be in order.

Alternate e-mail address

One thing Web mail users should have associated with their account is an alternate e-mail address. This is typically optional, but it can be critical, should you get locked out. I think you're safer not using an address from the same provider as your alternate. That is, don't provide a Gmail e-mail address as the alternate for a Gmail account. Too many eggs in one basket.

If you're like me, with no recollection or notes about the alternate e-mail address associated with your Web mail account, here's how to check (after first logging in to your account):

Gmail: Click on the "Settings" link in the top right corner, then go to the "Accounts" tab and click on the link in the "Google Account settings" section.

Classic Hotmail: Click on "Options" in the top right corner, then View and Edit your personal information. Your alternate e-mail address is displayed along with a link to change it.

Classic Yahoo: Click on "Options" in the top right corner, then "Mail Options", then (on the left) click on "Account Information" and re-enter your password. Yahoo will then display "Alternate Email 1" and "Alternate Email 2." Yahoo supports two alternate e-mail addresses, a great safety net, since our e-mail providers change over time.

Secure connections

Gmail, Hotmail, and Yahoo Mail all offer secure connections when you initially log on and enter your password. Hotmail and Yahoo then switch back to unsecured HTTP connections, so everything after the login page travels in the clear. Gmail offers an option to always use a secure HTTPS connection, even when reading and writing e-mail. Highly recommended.

To enable this feature, Gmail users should click on "Settings" in the top-right corner, then on the default "General" tab, scroll to the bottom of the page, and turn on the radio button to "Always use https."

Truthiness

Web mail may be one of those places where little white lies are acceptable. The governor of Alaska, who recently had her Yahoo e-mail exposed to the world, set herself up for failure by truthfully answering some questions.

Every Web mail system asks for personal information as a means of identification, should you lose your password. The problem is that this personal information can also be used by a bad guy to learn your password.

Yahoo and Hotmail limit their secret questions to a handful of preselected questions. The straw that broke the camel's back for the governor of Alaska was the question of where she met her spouse. Being a public figure, it didn't take much guessing for someone to correctly answer this question and fool Yahoo into thinking that person was the governor. There were some other canned questions too, but they were also easy to answer using public information.

Public figure or not, there is no reason to answer Web mail security questions truthfully. After all, who are you really lying to? A potential bad guy trying to learn your password.

So, when asked the name of your favorite teacher, feel free to respond "xyz" or with any random word or sentence that no one will guess. Then, of course, write it down in a safe place. The price for making up random answers is the burden of recovery. This is the eternal relationship between security and convenience. More security always entails less convenience.

Gmail is the most flexible of the major providers. It lets you choose your own secret question, thus giving you a fighting chance of picking a question to which no one else knows the answer. Still, if you have a safe place for storing passwords, a totally random answer can't be guessed.
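The point above is that a truthful answer to a canned question lives in a small, guessable set, while a random answer kept in a password store does not. The following is an added example (not code from the article) that contrasts the two: a constructed, placeholder candidate list standing in for the "public information" an attacker could compile, a generator for random answers, and the bits of work each choice forces on a guesser. The candidate values and the 20-character default length are assumptions.

```python
import math
import secrets
import string

# Constructed placeholder for the small answer space of a canned question
# such as "where did you meet your spouse?" when the facts are public.
GUESSABLE_ANSWERS = ["high school", "college", "work", "church", "a party"]

# Alphabet for random answers; letters and digits keep them easy to type.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 20) -> str:
    """Build an answer from the OS CSPRNG (the secrets module).

    The result is meant to be written down in a safe place, exactly as the
    article recommends, not remembered.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guess_bits(candidate_count: int) -> float:
    """Work, in bits, for an attacker who tries each candidate once."""
    return math.log2(candidate_count)


def answer_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)


def is_guessable(answer: str, candidates=GUESSABLE_ANSWERS) -> bool:
    """True if the answer is in the candidate set (case-insensitive, since
    providers generally ignore case when checking secret answers)."""
    return answer.strip().lower() in {c.lower() for c in candidates}


if __name__ == "__main__":
    print("truthful answer 'College' guessable:", is_guessable("College"))
    print("candidate-list work: %.1f bits" % guess_bits(len(GUESSABLE_ANSWERS)))
    rnd = random_answer()
    print("random answer:", rnd, "guessable:", is_guessable(rnd))
    print("random answer work: %.1f bits" % answer_bits(len(rnd)))
```

The contrast is the whole lesson: five plausible candidates cost an attacker a little over two bits of guessing, whereas a 20-character random string costs about 119 bits and cannot be recovered from anything published about you.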

To review your security question in Gmail, click on the "Settings" link in the top-right corner, then go to the "Accounts" tab, and click on the "Google Account settings" link in the section of the same name. Finally, click on "Change security question." You will have to re-enter your Gmail password.

Users of the classic Hotmail system can review their security question by clicking on "options" in the top-right corner, then clicking on "View and edit your personal information."

Yahoo e-mail users may be in for a surprise. Simply knowing your password is not sufficient to view, let alone change, your security question. As described in "How do I update my secret question?", Yahoo requires you to "verify the Answer to your current Secret Question in order to update it." I'm screwed.

Does someone already know your password?

If someone learned your Web mail password, would you know? It's one thing to have your e-mail read, but it's another to have it read over and over, day after day, by someone who knows your password and is smart enough not to tip their hand by changing it.

Potentially, there is much that Web mail providers can do to let account owners know that someone else is logging into their account when they're asleep. As far as I can tell, Hotmail and Yahoo mail do absolutely nothing in this regard. Gmail, however, offers an audit trail, if you know where to look.

When Gmail users first log in, they should scroll down to the bottom of the initial page and look for a message such as:

Last account activity: 22 hours ago at IP 66.88.111.222. Details
or
Last account activity: 22 minutes ago on this computer. Details

If you didn't last log in to your Gmail account when the message indicates, then someone knows your password.

Internet Protocol addresses can be linked to both an Internet service provider and a country, for sure, and maybe even to a city within the country. For more on this, see my earlier posting "What does your IP address say about you?"

Clicking on the "Details" link offers a longer history of Gmail account activity and an indication of whether the account is currently logged on at another computer. Letting one person log in to a Gmail account simultaneously from two different computers strikes me as a design mistake. But given that design, Gmail users can log off other computers that are currently logged into the same account. Needless to say, this, too, can alert you that someone knows your password.

Information about the most recent Gmail account activity is presented on the bottom of every Gmail Web page. For more, see Last account activity in the Gmail Help.
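The "Last account activity" line is only useful if you actually compare it against where you connect from. Below is an added example (not code from the article or from Google) that parses lines in the format quoted above and flags any login IP that falls outside a set of networks the owner trusts. The trusted prefixes and the sample activity lines are constructed placeholders; the "on this computer" entries are skipped because they describe the current session.

```python
import ipaddress
import re

# Constructed placeholders: prefixes the account owner really connects from.
# Replace with the ranges your own ISP and office assign you.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("66.88.111.0/24"),  # constructed "home ISP" range
    ipaddress.ip_network("10.0.0.0/8"),      # constructed office range
]

# Matches the two message shapes the article quotes from the Gmail footer.
ACTIVITY_RE = re.compile(
    r"Last account activity:\s+(?P<age>\d+\s+(?:minutes?|hours?|days?))\s+ago\s+"
    r"(?:at IP\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})|on this computer)"
)

# Constructed sample lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LINES = [
    "Last account activity: 22 hours ago at IP 66.88.111.222. Details",
    "Last account activity: 22 minutes ago on this computer. Details",
    "Last account activity: 3 hours ago at IP 203.0.113.45. Details",
    "Some unrelated footer text",
]


def parse_activity(line):
    """Return (age, ip) for an activity line, with ip None for
    'on this computer'; return None for lines that do not match."""
    m = ACTIVITY_RE.search(line)
    if not m:
        return None
    return m.group("age"), m.group("ip")


def is_trusted(ip_str, trusted=None):
    """True if the address sits inside one of the trusted prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in (trusted or TRUSTED_NETWORKS))


def suspicious_logins(lines, trusted=None):
    """Return [(age, ip), ...] for logins from outside the trusted networks.

    A non-empty result means someone reached the account from a place you
    do not recognise, which is the signal the article tells you to look for.
    """
    found = []
    for line in lines:
        parsed = parse_activity(line)
        if parsed is None:
            continue
        age, ip = parsed
        if ip is None:  # current session; nothing to compare
            continue
        if not is_trusted(ip, trusted):
            found.append((age, ip))
    return found


if __name__ == "__main__":
    for age, ip in suspicious_logins(SAMPLE_LINES):
        print("unrecognised login %s ago from %s" % (age, ip))
```

The regex deliberately accepts only the two footer formats the article shows; if Google changes the wording, the parser returns None rather than silently mis-reading the line, which is the failure mode you want for a check you run by hand.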

Test password recovery

Anyone involved in backing up computer files knows the importance of testing the recovery process, and the same applies with Web mail. The best way to ensure that you can recover or reset your password is to try it.

Yahoo password recovery (thanks to the governor of Alaska, it's now the infamous Yahoo password recovery) starts out by asking for your birthday, country of residence, and postal code. Without this gatekeeper information, knowing the secret question is useless. Even something as simple as your postal code needs to be saved rather than remembered because, as Yahoo points out, it may be from your home, your office, or a prior residence or prior work location.

Hotmail password recovery starts with the option to either "Use my location information and secret answer to verify my identity" or to "Send password reset instructions to me in e-mail." If you go the first route and answer the questions correctly, you get to choose a new password.

The location information is the same as Yahoo's--country, state, and ZIP code. If you go the second route, an e-mail message is sent to the alternate e-mail account with two links, one for confirming the request and resetting the password and another for doing nothing.

Gmail error handling isn't limited to just password recovery; they deal with a whole host of problems accessing your account, including:
I forgot my password
I forgot my username
My account has been compromised
My password doesn't seem to be working
Loading issues
Another error or problem

If you forget a Gmail password, you're taken here where, as with the other two systems, you enter the user ID and get in through a Captcha. At this point, there are no options. Google sends an e-mail to the alternate e-mail address. It doesn't display the entire alternate e-mail address (Hotmail, in contrast, does); just the domain name.

I tested this using a Yahoo.com e-mail address as the alternate to a Gmail account. Word to the wise: don't do this. The message from Gmail was treated as spam by Yahoo. The message includes a link that, when clicked, takes you to a Web page where you can enter a new password.

If you no longer have access to the alternate e-mail address, Google advises you to "...try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account."

Web mail accounts may start out as toys or curiosities, but for many people, they end up being important. A little homework now may save a ton of grief later.

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Comments (11)
by Subito_Piano October 8, 2008 9:19 PM PDT
Excellent article, as one would expect from CNet. Thanks for a well-written, clear essay that is easy to point others to. The only thing i would add is to have at least two accounts, one being a throwaway account for all those businesses and online forms one is required to provide an e-mail address for, when the business has not yet earned your trust.
by besidec October 8, 2008 11:32 PM PDT
Very interesting. As expected, no mention of fastmail. fastmail has permanent https connection if wanted, information about the most recent login on the front page in clear view and extra password protection techniques, but as usual doesn't get a mention.
by mhinnewyork October 9, 2008 6:48 AM PDT
I took a look at fastmail.com and it has nothing to do with email, that I can see. Michael Horowitz
by skillingssucks October 9, 2008 11:25 AM PDT
Nobody cares about "Fastmail".
by skillingssucks October 9, 2008 11:28 AM PDT
Horowitz, surely you can't be that clueless? http://www.fastmail.fm/
by SpoonMoon October 9, 2008 5:32 AM PDT
Rather than keeping a dedicated account for website registrations etc. as Subito_Piano suggests, try using mailinator.com for throwaway email accounts.

Just sign up using anything you like @mailinator.com then visit mailinator.com, type in your choice of username and collect the email with no password and no setup required. The signup emails and any spam which follows them will be deleted automatically every few hours.
by umbrae October 9, 2008 7:59 AM PDT
I hope someone forwarded this to McCain and Palin...
by trescrepu October 9, 2008 8:49 AM PDT
...in walks cloud computing.
by Dango517 October 9, 2008 3:17 PM PDT
Please don't send me those E-mails with a long list of "exposed" E-mail addresses. When you forward E-mails to more than one person please use the BCC (Blind Carbon Copy) feature. Do not add my name to these lists. Have you ever considered what would happen if these fell into the hands of the bad guys? Yes, I know, the smart bad guys will work around BCC but not the dumb ones. Your assistance in keeping spam and the bad guys off my computer would be appreciated. Yes, let's be smart out there.
by john55440 October 11, 2008 7:06 AM PDT
What about downloading and/or saving e-mail on your local computer? That's safer than storing your e-mail in a "cloud".
by flokovats October 15, 2008 9:30 AM PDT
Is a 26 character password secure enough?