
'An Example of a Very Sad Google Account Recovery Failure and Its Effects' - Sla...

 1 year ago
source link: https://tech.slashdot.org/story/23/05/21/1757233/an-example-of-a-very-sad-google-account-recovery-failure-and-its-effects


Time magazine once described Lauren Weinstein as an internet-policy expert and privacy advocate. Also a long-time Slashdot reader, he now brings this cautionary blog post "to share with you an example of what Google account recovery failure means to the people involved..."

In this case it's a 90-year-old woman who "For at least the last decade... was just using the stored password to login and check her email," according to an email Weinstein received:

When her ancient iPad finally died, she tried to add the gmail account to her new replacement iPad. However, she couldn't remember the password in order to login.... I don't know if you've ever attempted to contact a human being at google tech support, but it's pretty much impossible. They also don't seem to have an exception mechanism for cases like this. So she had to abandon hopes of viewing the google photos of her (now deceased) beloved pet, her contacts, her email subscriptions, reminders, calendar entries, etc... [I]t's difficult to know what to say to someone like this when she asks "what can we do now" and there are no options... It's tough to explain that your treasured photos can't be retrieved because you're not the sort of user that Google had in mind.

Weinstein adds "this is by no means the worst such case I've seen — not even close, unfortunately."

I've been discussing these issues with Google for many years. I've suggested "ombudspeople", account escalation and appeal procedures that ordinary people could understand, and many other concepts. They've all basically hit the brick wall of Google suggesting that at their scale, nothing can be done about such "edge" cases.

Here's Google's page for providing an alternate recovery email address and phone number. Unfortunately, the 90-year-old woman's account "was created so long ago that she didn't need to provide any 'recovery' contacts at that time," according to the email, "or she may have used a landline phone number that's long been cancelled now..."

I am not blaming this woman for her problems. This falls squarely on Google. That said, everyone needs to write down their passwords for every account they have and store them in multiple places. And by writing them down I mean both on paper and digitally.

Forget password managers or relying on your browser to store your information. Write them down.

    • Re:

      I know you don’t care but this will stick out like a sore thumb in a data dump and if it’s a conglomeration of dumps it’ll reveal that all the accounts probably belong to you. One of the first things I look for along with gov and mil addresses are passwords with profanity just because they’re often funny.

    • Re:

      She's 90. She can't remember a whole lot anymore.

      If you make it to 90, it is quite likely you won't remember your complex pass phrase, either.

      What then?

  • Re:

    And preferably lock the list in a fireproof box.

    In other words, the opposite of what the security experts have screamed for the last 30 years. I find it hard to blame users who didn't take that important precaution.

    • ... the opposite of what the security experts have screamed for the last 30 years.

      Not really:

      "And when people say don't write your password down. Nonsense. Write it down on a little piece of paper and keep it with all the other small bits of paper you value - in your wallet."

      Bruce Schneier - 2010 [schneier.com]

      Microsoft's Jesper Johansson urged [cnet.com] people to write down their passwords.

      This is good advice, and I've been saying it for years.

      Bruce Schneier - 2005 [schneier.com]

      • Re:

        So when someone steals my wallet they get my passwords, too?

        No. Write them down and store them in a safe or bank box or with a trusted family member or whatever.

        But definitely not your wallet.

        • Re:

          Work passwords in wallet unless you have a gold key to the kingdom. Personal passwords in lockbox.

      • Re:

        Yes, in the mid aughties 10 or more years after the bad advice came out. And many in IT missed that memo for a long time. Some still haven't seen it apparently.

    • Re:

      "Don't write your password down" is good advice for an accountant working in a busy office, being tempted to put a sticky note on their monitor. In 1993 that was the only scenario where someone would even have a password. Except maybe a PIN number for a bank card, and it's not a good idea to write that on the back of the card either.

      I never really saw anyone advising against keeping passwords locked in a safe inside their own home.

      • Re:

        The sticky note thing is right enough (that's how someone I knew in the early '80s got access to the school system's grade databases), but I can tell you I got a LOT of funny sideways looks when I advised people in the late '90s to write their work passwords down and keep it in their wallet (not in their desk drawer or 'cleverly' taped under the keyboard).

        Naturally the PIN for a bank card should not be kept with the card. That stays home in a locked box.

    • Re:

      Bruce Schneier, the archetypal [schneierfacts.com] security expert and author of one of the earliest open source password managers has been recommending writing down passwords since at least 2005 [schneier.com]. The people who are telling you to rotate your password every two months whilst having it contain one number, symbol, capital and lower case letter, but no space, quote or backslash whilst being at least six characters but no more than 8 and not having any letters in common with your email address* are not security "experts". They are c

      • Re:

        Sadly, I believe it, I have seen way too much real world proof not to.

        Perhaps I should have put expert in quotes.

  • Your digital life is *your* responsibility, not Google's.

    All hardware devices eventually fail. Online services fail too. Nothing can be individually trusted in the long term.

    Make redundant backups of all data you care about, including passwords.

    And also, don't trust Google for anything at all. Since their offerings are free, their priority is not you. Paid email will give you much better customer service and won't be trying to make an extra buck off of your data.

      • Re:

        90 years old means she was in her early 60s when the Web was popularized. But that's not going to be the case forever.
        When you have your first major tech failure, you learn to make backups. For me it was a dead 360K floppy circa 1987.
        When you have your first backup failure, you learn to make redundant backups. For me that would have been about 1996.
        I just don't see Gen X making it to 90 without learning that the cloud will screw you over.

        • Re:

          It's very easy to forget there are people in this world who don't have our IT knowledge, nor do they need it. They are used to being able to talk to someone face-to-face, or at most via a phone, if something is wrong with one of the services they use.
          Could be this person is at their first tech failure, ever. Could be that there have been tech failures in the past, but she had a tech savvy relative who passed away.
          We don't know.
          We are, however, focusing on the wrong thing. For quite a few years, giant corpor

      • Re:

        Getting old is brutal. Mother nature is not kind. This, however, changes none of the facts. The world we live in today requires some technical street-smarts in order to thrive. Those who do not have such smarts will suffer.

        I am not any more happy about this than you are. But that still doesn't change the facts. Google is a free service, they don't care about the end-users because they have no reason to, they are notorious for terminating accounts for terms-of-service violations which were in fact comp

        • Re:

          Um, yeah.
          1. Nobody mentioned "thriving". Rather, it's about being able to use technology which, for years, has become easier and easier to use.
          2. Sure, but corps have made it so their services are easily and effortlessly available to non-techies. This should be accompanied by easily and effortlessly having access to human-backed support when needed. Even paid support would be okay. But nothing at all? Well, that's the core issue here.

    • Re:

      If it was some small hosting company, not Google, you could contact them (or go to their office), provide your ID and your password would be reset.
      Trying to get Google support to do anything, well, in the past I joked that the easiest way would be to call Putin and ask him to threaten Google with a nuke, but now it seems that even this would not work.

  • Re:

    I disagree with the idea that Google did anything wrong here. Any well designed system should not be able to give access to someone without the appropriate password. If they *were* able to recover such an account, that would indicate a major security hole.

    • Re:

      That's nonsense. If you forgot the password to your bank account, would you just wave goodbye to your money? No, you'd go to your bank and prove your identity through another means, and they would reset your password.

      Your Google identity is very important. A person might be using it to log into dozens of sites. There are reasons your password could be lost which have nothing to do with your memory, like your account getting hacked and your password changed. There should be a mechanism for regaining access t

    • Re:

      Nah. You wrong dude.

    • Re:

      Any well designed system should have an account recovery mechanism that works.

      Countless other companies manage that but Google won't bother.

      • maintaining a mechanism for exceptions like this (and not compromising security) is expensive.
        Sure, it's sad, but people this old often experience even sadder consequences of their decline...

  • I also agree with you, but I think it goes far beyond simply "remember/record your passwords". The main problem here is that Google has built a product for which they cannot (or will not) scale support, which I find unacceptable - people using the service will likely need some level of human support at some point, and should be able to get it without so much difficulty.

    Imagine if there was a popular insurance company that provided really, really cheap rates, but made it super difficult/nearly impossible

    • Re:

      Mod up. Like nearly all big companies, Google never takes customer support seriously until it affects enough people to make the front page of the New York Times.

      Above a certain size, in the absence of strong leadership demanding it, large companies inherently behave in an anti-consumer fashion even if the company is trying to do the right thing, because there is no one who is both responsible for seeing these sorts of critical problems that affect specific individual users and simultaneously has the author

    • Re:

      Yes it is google's fault. I can go into a bank with photo ID and get stupid shit passwords reset.

      What's the Google street address for in person picture ID verification?

      • Re:

        so you expect Google to run a network of branches to support their services.
        How dense should the network be? You know, people in their 90s typically can't drive...
        Globally, it'd be in thousands.
        I'm wondering, would you expect those services to be still free?

    • Re:

      Yes. I can go into any bank branch, show my identification, and get the password reset.

      No, but even after forgetting to do so, I can walk into a DMV office and get it renewed. I don't permanently lose the ability to drive. Heck, most states even provide a grace period for renewal during which you'll just pay a small penalty, but won't have to take the driving test again.

      They are, of course, still backed up in iCloud as part of the cloud keychain. So this means that the person either also lost access to

  • We're in a token world [wikipedia.org] now, whether we like it, hate it or it kills us.
    In short - lose your phone, kiss your life goodbye. Social life, business life, educational... you might experience a mental health crisis. [mayoclinic.org] Or several.

    Or at least, say goodbye to all your data associated to your Google account - from phone numbers, emails (contacts as well as messages), logins to websites and apps, your data on said sites and apps, "backups" you've made, apps you've bought, real life services you registered to contact yo

  • Re:

    And I might add, always always ALWAYS have your data (including passwords!) backed up somewhere else, either locally or on removable media, or both.

    Moral of the story: Never trust Google to help you in a time of need, because they won't. Google services are great, right up until the moment they're not.

