There was an interesting article recently in The New York Times about getting locked out of a Gmail account.
In August, blogger Alan Shimel of StillSecure wrote about his problems regaining access to a Yahoo e-mail account. Suffice it to say that if someone learns your Web mail password, it's a very difficult situation--one that may not end well.
For one thing, the Web mail provider may not know enough about you to determine the true account owner. Worse still, anyone using a free Web mail account from Google (Gmail), Yahoo, or Microsoft (Hotmail) can't expect to talk to a human being to resolve a problem with their account. Talking to a person at Google requires a subscription to Google Apps Premier Edition for $50 a year. Microsoft and Yahoo similarly offer telephone support only to "premium" customers.
If you care about a Web mail account, then some homework may be in order.
Alternate e-mail address
One thing Web mail users should have associated with their account is an alternate e-mail address. This is typically optional, but it can be critical, should you get locked out. I think you're safer not using an address from the same provider as your alternate. That is, don't provide a Gmail e-mail address as the alternate for a Gmail account. Too many eggs in one basket.
If you're like me, with no recollection or notes about the alternate e-mail address associated with your Web mail account, here's how to check (after first logging in to your account):
Gmail: Click on the "Settings" link in the top right corner, then go to the "Accounts" tab and click on the link in the "Google Account settings" section.
Classic Hotmail: Click on "Options" in the top right corner, then View and Edit your personal information. Your alternate e-mail address is displayed along with a link to change it.
Classic Yahoo: Click on "Options" in the top right corner, then "Mail Options", then (on the left) click on "Account Information" and re-enter your password. Yahoo will then display "Alternate Email 1" and "Alternate Email 2." Yahoo supports two alternate e-mail addresses, a great safety net, since our e-mail providers change over time.
Secure connections
Gmail, Hotmail, and Yahoo Mail all offer secure connections when you initially log on and enter your password. Hotmail and Yahoo then switch back to unsecured HTTP connections. Gmail offers an option to always use a secure HTTPS connection, even when reading and writing e-mail. Highly recommended.
To enable this feature, Gmail users should click on "Settings" in the top-right corner, then on the default "General" tab, scroll to the bottom of the page, and turn on the radio button to "Always use https."
Truthiness
Web mail may be one of those places where little white lies are acceptable. The governor of Alaska, who recently had her Yahoo e-mail exposed to the world, set herself up for failure by truthfully answering some questions.
Every Web mail system asks for personal information as a means of identification, should you lose your password. The problem is that this personal information can also be used by a bad guy to learn your password.
Yahoo and Hotmail limit their secret questions to a handful of preselected questions. The straw that broke the camel's back for the governor of Alaska was the question of where she met her spouse. Being a public figure, it didn't take much guessing for someone to correctly answer this question and fool Yahoo into thinking that person was the governor. There were some other canned questions too, but they were also easy to answer using public information.
Public figure or not, there is no reason to answer Web mail security questions truthfully. After all, who are you really lying to? A potential bad guy trying to learn your password.
So, when asked the name of your favorite teacher, feel free to respond "xyz" or with any random word or sentence that no one will guess. Then, of course, write it down in a safe place. The price for making up random answers is the burden of recovery. This is the eternal relationship between security and convenience. More security always entails less convenience.
Gmail is the most flexible of the major providers. It lets you choose your own secret question, thus giving you a fighting chance of picking a question to which no one else knows the answer. Still, if you have a safe place for storing passwords, a totally random answer can't be guessed.
To review your security question in Gmail, click on the "Settings" link in the top-right corner, then go to the "Accounts" tab, and click on the "Google Account settings" link in the section of the same name. Finally, click on "Change security question." You will have to re-enter your Gmail password.
Users of the classic Hotmail system can review their security question by clicking on "options" in the top-right corner, then clicking on "View and edit your personal information."
Yahoo e-mail users may be in for a surprise. Simply knowing your password is not sufficient to view, let alone change, your security question. As described in "How do I update my secret question?", Yahoo requires you to "verify the Answer to your current Secret Question in order to update it." I'm screwed.
Does someone already know your password?
If someone learned your Web mail password, would you know? It's one thing to have your e-mail read, but it's another to have it read over and over, day after day, by someone who knows your password and is smart enough not to tip their hand by changing it.
Potentially, there is much that Web mail providers can do to let account owners know that someone else is logging into their account when they're asleep. As far as I can tell, Hotmail and Yahoo mail do absolutely nothing in this regard. Gmail, however, offers an audit trail, if you know where to look.
When Gmail users first log in, they should scroll down to the bottom of the initial page and look for a message such as:
Last account activity: 22 hours ago at IP 66.88.111.222. Details
or
Last account activity: 22 minutes ago on this computer. Details
If you didn't last log in to your Gmail account when the message indicates, then someone knows your password.
Internet Protocol addresses can be linked to both an Internet service provider and a country, for sure, and maybe even to a city within the country. For more on this, see my earlier posting "What does your IP address say about you?"
Clicking on the "Details" link offers a longer history of Gmail account activity and an indication of whether the account is currently logged on at another computer. Letting one person log in to a Gmail account simultaneously from two different computers strikes me as a design mistake. But given that design, Gmail users can log off other computers that are currently logged into the same account. Needless to say, this, too, can alert you that someone knows your password.
Information about the most recent Gmail account activity is presented on the bottom of every Gmail Web page. For more, see Last account activity in the Gmail Help.
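The "Last account activity" check described above can be turned into a simple audit of a login history. The following is an added example (not Google's code, and not from the original post) that flags logins from addresses outside a known home network or during hours when the owner is normally asleep, and detects the account being open from two addresses at once. The activity records, the home network range and the sleep hours are all constructed placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed activity history, shaped like the details behind Gmail's
# "Last account activity" link (timestamps and addresses are made up).
SAMPLE_ACTIVITY = [
    ("2008-09-15 08:05", "66.88.111.222"),
    ("2008-09-15 22:40", "66.88.111.222"),
    ("2008-09-16 03:12", "203.0.113.45"),   # 3 a.m. from an unknown address
    ("2008-09-16 09:00", "66.88.111.222"),
    ("2008-09-16 09:10", "198.51.100.7"),   # ten minutes later, elsewhere
]

# Hypothetical network the owner normally logs in from (home ISP range).
HOME_NETWORKS = [ipaddress.ip_network("66.88.111.0/24")]
# Hours (local time) during which the owner does not expect to be logged in.
SLEEP_HOURS = range(0, 6)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def suspicious_logins(activity, known_networks=HOME_NETWORKS, sleep_hours=SLEEP_HOURS):
    """Return (timestamp, ip, reasons) for each login that does not fit
    the owner's usual address range or usual hours."""
    flagged = []
    for ts, ip in activity:
        addr = ipaddress.ip_address(ip)
        reasons = []
        if not any(addr in net for net in known_networks):
            reasons.append("unfamiliar address")
        if _parse(ts).hour in sleep_hours:
            reasons.append("outside usual hours")
        if reasons:
            flagged.append((ts, ip, reasons))
    return flagged


def concurrent_sessions(activity, window=timedelta(minutes=30)):
    """Return (ip1, ip2) pairs of logins from different addresses that
    fall within `window` of each other: the account open in two places."""
    events = sorted((_parse(ts), ip) for ts, ip in activity)
    pairs = []
    for i, (t1, ip1) in enumerate(events):
        for t2, ip2 in events[i + 1:]:
            if t2 - t1 > window:
                break           # events are sorted, so nothing later qualifies
            if ip1 != ip2:
                pairs.append((ip1, ip2))
    return pairs


if __name__ == "__main__":
    for ts, ip, reasons in suspicious_logins(SAMPLE_ACTIVITY):
        print(f"{ts} {ip}: {', '.join(reasons)}")
    for ip1, ip2 in concurrent_sessions(SAMPLE_ACTIVITY):
        print(f"logged in from {ip1} and {ip2} within 30 minutes")
```

Either finding is the cue the post describes: if you did not log in at that time or from that address, someone else knows your password, and the next step is to sign out the other session and change it.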
Test password recovery
Anyone involved in backing up computer files knows the importance of testing the recovery process, and the same applies with Web mail. The best way to ensure that you can recover or reset your password is to try it.
Yahoo password recovery (thanks to the governor of Alaska, it's now the infamous Yahoo password recovery) starts out by asking for your birthday, country of residence, and postal code. Without this gatekeeper information, knowing the secret question is useless. Even something as simple as your postal code needs to be saved rather than remembered because, as Yahoo points out, it may be from your home, your office, or a prior residence or prior work location.
Hotmail password recovery starts with the option to either "Use my location information and secret answer to verify my identity" or to "Send password reset instructions to me in e-mail." If you go the first route and answer the questions correctly, you get to choose a new password.
The location information is the same as Yahoo's--country, state, and ZIP code. If you go the second route, an e-mail message is sent to the alternate e-mail account with two links, one for confirming the request and resetting the password and another for doing nothing.
Gmail error handling isn't limited to just password recovery; they deal with a whole host of problems accessing your account, including:
I forgot my password
I forgot my username
My account has been compromised
My password doesn't seem to be working
Loading issues
Another error or problem
If you forget a Gmail password, you're taken here where, as with the other two systems, you enter the user ID and get in through a Captcha. At this point, there are no options. Google sends an e-mail to the alternate e-mail address. It doesn't display the entire alternate e-mail address (Hotmail, in contrast, does); just the domain name.
I tested this using a Yahoo.com e-mail address as the alternate to a Gmail account. Word to the wise: don't do this. The message from Gmail was treated as spam by Yahoo. The message includes a link that, when clicked, takes you to a Web page where you can enter a new password.
If you no longer have access to the alternate e-mail address, Google advises you to "...try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account."
Web mail accounts may start out as toys or curiosities, but for many people, they end up being important. A little homework now may save a ton of grief later.
See a summary of all my Defensive Computing postings.
Previously I suggested not letting children receive email from Gmail because Gmail hides the source IP address, making it easier for bad guys to hide. In contrast, the free webmail services from Yahoo and Hotmail do not hide the source IP address.
In response, Google pointed me to an item at the Gmail help center called Harassment from a Gmail user. Below is what Google has to say regarding harassing emails from a Gmail user.
"... if you feel that you are in danger, we suggest contacting your local authorities.
Because message headers and senders can be spoofed using a variety of means, we're unable to take action on any user without further verification. In accordance with state and federal law, it is Google's policy only to provide information about a specific Gmail user pursuant to a valid third party subpoena or other appropriate legal process.
We apologize for any inconvenience, and we're sorry that you're receiving such messages."
Google won't take complaints directly from harassment victims and they omit contact information for law enforcement agencies. Not particularly comforting.
Judge for yourself, but I think this validates my prior suggestion not to let children receive email from Gmail users. The source IP address cannot directly identify someone (for more about this see What does your IP address say about you?), but victims of harassment are far better off with it than without it.
When it comes to the question of whether an IP address is personal or not, Google seems to swing both ways.
In February, Google software engineer Alma Whitten wrote Are IP addresses personal? on the Google Public Policy blog. In the posting she said "... in most cases, an IP address without additional information cannot [identify you]."
But someone commenting on the posting pointed out that Gmail goes out of its way to hide the IP address of the sender of a Gmail-originated message. The item User IP addresses from the Gmail help says:
"Protecting our users' privacy is something we take very seriously. Personal information, including someone's exact location, can be gathered from someone's IP address, so Gmail doesn't reveal this information in outgoing mail headers. This prevents recipients from being able to track our users, or uncover what may be potentially sensitive personal information."
I verified this by examining the headers of a Gmail-originated message. The source IP address was 74.125.46.31 which, according to ip-adress.com is Google in Mountain View, California. In other places the email header identified the source computer as yw-out-2324.google.com. Nothing pointed to the actual IP address of the sender.
As someone pointed out, this anonymity makes Gmail a haven for bad guys. Anyone interested in sending threatening email messages or perhaps inappropriate messages to children, can hide behind Gmail.
If I was the parent of a small child, I wouldn't want them to receive any email from Gmail. Period.
Earthlink, my ISP, does let their customers define spam filters that can reject all messages from a domain such as gmail.com or google.com.
Yahoo Mail does not hide the originating IP address.
Someone I know in New York City recently said they were going on a trip to Switzerland. After a few days, they sent a Yahoo email message claiming to be from Switzerland. I had no reason to doubt them, but just for fun, I looked into the email header, got the source IP address and ran it through the services I wrote about last time. Sure enough, the message came from Switzerland.
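Looking into the header for the source IP address, as done in the two checks above, means reading the Received: lines from the bottom up: each mail server prepends one as the message passes through, so the lowest line is the earliest hop and the address in square brackets there is what that server recorded for the sending machine. The following is an added example (not part of the original post, and not a Google or Yahoo tool) that does this with Python's standard email module. The two sample messages are constructed: the webmail-style one carries a client address behind the provider's server, while the Gmail-style one, as the post observed, ends at a google.com relay (the hostname and 74.125.46.31 are the ones quoted in the post; everything else is made up).

```python
import email
import ipaddress
import re

# Constructed message in the style of a provider that records the client
# address: the earliest hop even shows a private LAN address that must be skipped.
WEBMAIL_STYLE = """\
Received: from web101.mail.provider.example (web101.mail.provider.example [66.88.100.10])
    by mx.recipient.example with ESMTP id A1;
    Tue, 16 Sep 2008 10:00:00 -0400
Received: from laptop.lan (cpe-66-88-111-222.isp.example [66.88.111.222])
    by web101.mail.provider.example with HTTP;
    Tue, 16 Sep 2008 09:59:50 -0400
Received: from localhost ([10.0.0.5])
    by laptop.lan with ESMTP;
    Tue, 16 Sep 2008 09:59:40 -0400
From: sender@provider.example
To: victim@recipient.example
Subject: hello

body
"""

# Constructed Gmail-style message: the chain stops at Google's outbound relay,
# so the sender's own address is never present.
GMAIL_STYLE = """\
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.31])
    by mx.recipient.example with ESMTP id B2;
    Tue, 16 Sep 2008 10:00:00 -0400
Received: by yw-out-2324.google.com with SMTP id 24so12345;
    Tue, 16 Sep 2008 09:59:50 -0700 (PDT)
From: sender@gmail.com
To: victim@recipient.example
Subject: hello

body
"""

# "from <helo-name> (<reverse-dns> [<ip>])": the bracketed address is the
# peer address the receiving server itself observed; the HELO name before
# the parenthesis is merely claimed by the sender and is ignored here.
HOP_RE = re.compile(r"from\s+\S+\s+\((?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return (ip, reverse_dns) per Received: header, most recent hop first.
    Headers without a recorded peer address (e.g. 'Received: by ...') are skipped."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(2), m.group(1)))
    return hops


def apparent_origin(raw_message):
    """Walk the hops from earliest to latest and return the first globally
    routable address, i.e. the furthest point back the headers let us see."""
    for ip, rdns in reversed(received_hops(raw_message)):
        if ipaddress.ip_address(ip).is_global:
            return ip, rdns
    return None


if __name__ == "__main__":
    print(apparent_origin(WEBMAIL_STYLE))   # the client's own address
    print(apparent_origin(GMAIL_STYLE))     # only Google's relay is visible
```

The Gmail-style result illustrates the post's point: the "origin" the headers reveal is a google.com machine, not the person who wrote the message. Note also that only the bracketed address recorded by a server you trust is reliable; the hostnames in a Received: line can be written by the sender.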
I didn't test if Hotmail hides the true source IP address. If and when I do, I'll update this posting.
Update. September 16, 2008: According to Leo Notenboom, Hotmail is inconsistent when it comes to including the source IP address: sometimes it does, sometimes it doesn't. He was nice enough to test it again today (thanks Leo) and reported that the true source IP address did appear in the email header of a message that originated from Hotmail.
Update. September 16, 2008: For more on this topic, see Harassment from a Gmail user.