Cyber security experts from Princeton University are warning people of a browser security flaw involving autofill logins. Buzz60’s Tony Spitz has the details.
Forgetting any important account password can induce instant anxiety. But when it’s your Google account – and Google then says it won’t let you back in for, maybe, three to five days – you could have a formula for existential dread.
And until last Friday, Google didn’t document that “security hold” phase in its account-recovery process. Users stuck in this password purgatory could only compare notes on its tech-support forums – something they’ve been doing since at least March 2018.
Google posted a tech-support note explaining security holds on July 19, after two days of USA TODAY inquiries had yielded only generic responses pointing to older support articles with basic account-recovery instructions and supplemental tips, neither of which described a security hold.
This new note, however, still leaves much to the imagination. Calling a security hold “a delay between when a request to recover your account is made and when the account recovery claim is processed,” that article says this can happen if Google sees “something unusual about your recovery request.”
A conversation with the Google user whose travails set off this inquiry, novelist Linnea Hartsuyker, did not reveal many more clues. She reported that after forgetting the password a few weeks after having changed it, Google texted a confirmation code to her phone – but after she provided that, Google then asked her to answer a round of security questions.
Search tips: 7 things you didn’t know Google could do until now
She correctly fielded all but the one asking the month and year she opened her account. Google then rejected an attempt to reset the password using the recovery e-mail address she’d designated, finally reporting that her account had “been placed into a security hold,” with a potential resolution in three to five days.
Hartsuyker was, however, still able to use Gmail on an older computer, allowing her to set it to forward messages to an alternate email account.
“It was strange that even when my account went on a 3-5 day security hold, Google did not force log me out of all my sign-ins,” she wrote in an email. “I’m glad they didn’t, but it does make me wonder how secure that security hold is.”
Google restored Hartsuyker’s account access about eight hours after I provided her username to a company publicist, so it’s possible that USA TODAY’s thumb on the scale resolved things instead of whatever Google was doing inside this security hold.
More tech tips: 7 digital privacy tricks you’ll wish you knew before now
But a few things do seem clear:
● Do not leave your Google password stored only in your memory. If your browser’s password manager won’t save it (as was the case with Hartsuyker), at least write it down on a slip of paper and store that somewhere safe at home.
● You’re better off using a password-manager service to store all your passwords securely. LastPass’s free service should suffice for most people, although if you only use Apple devices, its free iCloud Keychain also works well.
● After making sure you’ve got a current recovery email and phone number saved in your Google account, further secure your account with Google’s Authenticator app, which will let you confirm it with a number generated by that smartphone app. This step will also have you print out recovery codes to employ if you lose your phone.
● Better yet, spend $10 or so on a USB security key that you can associate with your account and others, then stash in a drawer and have it keep working even if your recovery phone number and email change.
Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at email@example.com. Follow him on Twitter at @robpegoraro.
Read or Share this story: https://www.usatoday.com/story/tech/columnist/2019/07/25/google-security-hold-forgotten-password-account-recovery/1829571001/