[HN Gopher] Gmail account security is insane
___________________________________________________________________
Gmail account security is insane
I have a gmail account that I rarely use, but I know the password.
I enter it correctly and get the following message: "You're trying
to sign in on a device Google doesn't recognize, and we don't have
enough information to verify that it's you. For your protection,
you can't sign in here right now. Try again from a device or
location where you've signed in before." Even if I get the code
from the recovery email account, it won't work. Is this the AI hell
Google throws you into if you get a new phone and computer in the
same year? Has anyone else on HN run into this and found a
solution?
Author : caseyf7
Score : 86 points
Date : 2022-01-23 22:15 UTC (44 minutes ago)
| Andrew_nenakhov wrote:
| Had this. It was telling me to try again 'later'. OK, I did 'try
| later' every day for three weeks, and they didn't let me in.
| Using the very same IP address as I used to always access it, no
| less.
|
| Then, I gave up, moved all my services to another email account,
| and after 2 or 3 months tried logging in, and it suddenly allowed
| me to log in.
|
| Needless to say, I will never again use gmail for critically
| important things.
| abider wrote:
| > Needless to say, I will never again use gmail for critically
| important things.
|
| That's a hot take. If it was critically important, you'd have
| 2FA and a recovery phone number associated with it - which
| would have prevented you from getting stuck in a trust-fail
| situation to begin with.
|
| Use whatever service you want, but your takeaway from this
| situation is a bit absurd.
| ethanbond wrote:
| Something can be critically important for a person to access
| on-demand and _not_ be something they're especially concerned
| about an attacker accessing. Two completely unrelated
| dimensions of access needs.
| PaulHoule wrote:
| With Google's nonexistent customer service I'd be afraid of
| being locked out for any arbitrary reason and having no
| recourse no matter what recovery procedures I prepared for.
|
| Contrast that to my bank where I can go to the branch, show
| ID, and get problems logging in resolved.
| Andrew_nenakhov wrote:
| Actually, I specifically declined setting up a recovery phone
| number because I accessed it from the location where
| receiving codes would be impossible on my phones. I _always_
| accessed it from the same IP using my own VPN server, entered
| the correct password, and still Google decided that they are
| 'not sure that it is not really me, try again later'. No
| thanks.
| nathias wrote:
| I just accepted I can't get to that account anymore...
| ahnick wrote:
| So in theory if someone was to ever accidentally or intentionally
| reset the location info for where all gmail accounts have logged
| in from, then effectively everyone would be unable to access
| their gmail account?
| brazzy wrote:
| If that were to happen it would take about 5 minutes until this
| security feature would be deactivated.
| josephcsible wrote:
| If it happens to everyone then yes. But now imagine it
| happens to just you.
| ipaddr wrote:
| Worse, one day it just doesn't work.
| fuzzy2 wrote:
| Just out of curiosity, do you have two-factor authentication set
| up? Or the Gmail app on a mobile device? Or do you really just
| have the recovery account?
| reactspa wrote:
| Previously on HN: https://news.ycombinator.com/item?id=29801850
| akkartik wrote:
| From 3 days ago:
| https://merveilles.town/@akkartik/107656797631193281
|
| One less risk to worry about.
| secondaryacct wrote:
| I always use the 2FA and whatever happens it seems to allow me
| back in. I would think this happens with a phone number too.
| golem14 wrote:
| That doesn't help OP now, but I found it helpful to enable 2FA
| with Google Authenticator, and keep emergency backup codes in a
| safe place. It's slightly more hassle, but there are fewer 'soft
| AI' barriers between you and your successful login.
|
| I'd also suggest not to rely on a phone number as 2nd factor,
| it's not that super safe.
| anter wrote:
| I'd suggest not to rely on google for anything you wouldn't
| want to lose.
| jumelles wrote:
| I'd recommend a non-Google 2FA app. Microsoft has one, and
| Authy is popular. Personally I'm happy with OTP Auth. Some
| password managers can also handle 2FA, e.g. Strongbox.
| thadk wrote:
| Would be good but on my accounts which didn't have 2FA, they
| seemed to have removed Authenticator as an option: only phone
| numbers available now.
| tptacek wrote:
| I'm having a hard time getting my head wrapped around the idea of
| relying on Gmail (or any other online identity provider)
| _without_ enabling 2-factor authentication. The best way to avoid
| this kind of "AI hell" is just to take control of your own
| account security and set up some additional factors.
| rdtwo wrote:
| Google will still lock you out with 2fa. It's pretty bad
| m-p-3 wrote:
| Even with a FIDO2/U2F/WebAuthn key?
|
| If so, yeah that's pretty bad..
| rdtwo wrote:
| Yeah, I got locked out despite having printed codes and
| Authy set up. Lasted a day or so.
| bawolff wrote:
| Recently I wanted to set up a shared Gmail account with some
| people.
|
| Even with 2FA set up, correct password, correct TOTP, it did not
| let them in because it was suspicious. I also checked "it was
| me" in all their security alerts. It would only let the person
| in with sms based 2fa, which was a pain.
| caseyf7 wrote:
| Except Google does not honor the recovery account. Even with
| access to the recovery code, Gmail just ignores it.
| 2bitencryption wrote:
| Oh god, have you had the M.C. Escher-esque experience of trying
| to sign in to an email account, and it hits you with a two-
| factor-auth prompt that sent the code to _another_ email address?
|
| Imagine the insanity if the email account that received the code
| in turn asks for a code sent to the first one.
| zamadatix wrote:
| Having 2 logins is still 1 factor; the situation is not
| insanity, it's the designed intent of MFA.
| PaulHoule wrote:
| Escher or Kafka?
|
| So far as I can tell, 2FA in a low touch environment means it
| is a matter of when not if you will be locked out without
| recourse.
| blibble wrote:
| I had this exact same problem... I was logging in on the same IP
| address I've used for 10 years
|
| I only managed to solve it by digging out an old phone that was
| still signed into the Google account... if I had factory reset
| that then I suspect I would have lost it forever
|
| this experience is one of the many reasons I've dumped Google
| wherever possible
| pettycashstash2 wrote:
| I once forgot my gmail password. There was no way for me to
| recover it. Eventually I found it after 6 months, but it was a
| very difficult 6 months. Bank emails, work emails, etc. were in
| the Google 7th circle of hell, and there was nothing I could do.
| I don't have any good advice for you really except is there a way
| you could vpn to a location closer to where you typically access
| gmail?
| bigiain wrote:
| I have one of the old gsuite free accounts with a personal
| domain, so my backup plan for that for the last ~15 years has
| always been "if Google graveyards Gmail, at least I can buy mail
| service elsewhere and update my MX records".
|
| Now that they're going to start charging me for that, I'm
| considering which non-Google mail option I will choose instead.
| I've been sticking with gmail against all my privacy and
| ethical objections, because it works so well and is free. It's
| no longer going to be free soon, and I'm pretty sure their
| competitors work as well as they do (or very close to), so I
| can _finally_ get over the inertia that's made me feel _almost_
| bad enough to leave gmail but not quite bad enough to pay money
| or do the work required. Right now, it looks like Fastmail or
| Protonmail are going to get my money.
| anter wrote:
| Yep, have had that issue for over a year now, I am completely
| unable to access my old gmail account despite having the
| password, recovery email and everything else.
|
| Just says "you can't sign in" and that's it:
| https://i.imgur.com/4YrElkJ.png
| davemtl wrote:
| Once again this shows that we're at the mercy of the giant AI
| machine. For fear of having my data locked into Google, I
| migrated to my own domain and e-mail hosting elsewhere. I'm still
| at the mercy of the hosting and domain registrar at that point,
| but at least they have phone numbers I can call to get support
| and talk to a human.
|
| Offline backups are a must at this point.
| cinntaile wrote:
| It's especially annoying that you can't turn this nonsense off. I
| had this happen to me when I was abroad, obviously with no way to
| recover when I was abroad and I needed access to certain mails.
| Nice feature.
| gitowiec wrote:
| Something similar happened to me. The Gmail login page says that I
| need to acknowledge that I am me and it forces me to change my
| password... I occasionally get this message on screen when I
| change countries with a VPN. I need to use a VPN in different
| countries because this is required by my work (development of
| streaming services). I get so annoyed. Recently I spent Christmas in
| Norway (not the country of my origin) and that happened again. I
| had to access Gmail to check in the flight so I was forced to
| change the password. This is ridiculous!
| ajdoingnothing wrote:
| If there is one Google service I'd happily pay 10 bucks a month
| for (given that they would then provide proper support), it'd be
| gmail.... My nightmare is having my account blocked for no
| particular reason. This post is reminding me to look for
| alternatives.
| EamonnMR wrote:
| They're trying to deter you from using Gmail anonymously/as a
| burner email.
| 5ESS wrote:
| Try to login from a device that you used previously to login to
| other different accounts that you touched from the same device
| that was used to login previously.
| 3np wrote:
| Happened to my grandma, who has had the same address for over 10
| years. Was quite the ordeal to have her change over to a new
| address once we decided it was meaningless to hope to regain
| access.
| coldtea wrote:
| The faster we move from location/PINs sent to mobile, and other
| BS forms of 2FA the better...
| calltrak wrote:
| newsbinator wrote:
| This happened to me. It was impossible to access my gMail
| account, knowing my username/password/recovery email/all recovery
| codes... until I returned to my home country / home address. Then
| gMail let me in.
| ncann wrote:
| Same here, I got an email to my main mail account saying Google
| has blocked a login attempt to another old Gmail account of mine
| that I haven't used for a long time (the old account has the new
| account listed as the recovery email). So I tried to log in to
| that old account, and got the same message to "try again later".
| I tried a few more times over the next few weeks but always the
| same message. So even with the correct password and access to the
| recovery email I still can't log in to the old account, and
| there's no way to get around it. I just gave up.
| floatingatoll wrote:
| Try in Chrome with all extensions disabled?
| NoPie wrote:
| I stopped using Gmail. I pay for my own domain (approx. $10 per
| year) and subscribe to a hosting service that costs about $4/month.
| The total cost is not much different from a paid google email
| which is about $50/year.
|
| If I happened to forget/lose all passwords (lost laptop, burned
| house etc.), I would probably need to deal with the hosting
| company who would try to identify me with my credit card or some
| other way (phone number, mailing a letter to my physical address
| on file). Nothing is absolutely secure but I think it is secure
| enough for me while I also have fairly good chances to recover my
| lost access. I am not a big target to scammers anyway.
| judge2020 wrote:
| BTW A paid Google email via Workspace (previously G Suite) has
| gone up to $6/month/user, so $72 USD a year for a single user
| setup.
| exolymph wrote:
| Wasn't aware of this, but can't say I'm surprised.
|
| Personally, I'm still happy with Fastmail, which uses customer
| subscription fees to fund a professional support department, as
| well as contributing to email-related FOSS. (Among other things,
| obviously.)
| emerongi wrote:
| Fastmail's UI is just faster too.
| bamboozled wrote:
| I actually enjoy watching it render at light speed!
| ipaddr wrote:
| Do they offer an api?
| blibble wrote:
| yes, and it makes the gmail API look like a toy
|
| https://fastmail.blog/open-technologies/jmap-new-email-
| open-...
| wirelesspotat wrote:
| 1password have an interesting article about integrating
| with FastMail using JMAP:
| https://blog.1password.com/making-masked-email-with-jmap/
| austhrow743 wrote:
| Have you used Fastmail's support?
| PaulHoule wrote:
| Yes. It's great!
| julianwachholz wrote:
| Last week's news gave a lot of people the nudge they needed to
| finally migrate away from their legacy free GSuite accounts to
| something more reliable.
| devb wrote:
| Can I ask which news? I'm already a happy Fastmail customer,
| just curious.
| baobabKoodaa wrote:
| I'm also a happy customer of Fastmail. Can recommend.
___________________________________________________________________
(page generated 2022-01-23 23:00 UTC)