Use Facebook and Gmail? Your Gmail Password May be at Risk!

The Internet Patrol - Patrolling the Internet for You

If you use Gmail, and also use Facebook, it can be very easy for someone to determine your Gmail password and access your Gmail account, using Gmail’s lost password retrieval feature. This is because Gmail’s password recovery feature allows anybody to guess the answer to your password reset security question. And if the answer to your security question happens to be information easily gleaned from your Facebook account (or some other social network), then getting into your Gmail account is as easy as typing in that “password protection” answer. (And we use the term “password protection” loosely.)

Here’s how it works:

At the Gmail login, there is a link that says “Can’t access your account?” and this is where you go if you have forgotten your password.


If you click on that link, it takes you to a page where Gmail asks you why you can’t access your account. Maybe you forgot your username. Or, maybe you forgot your password:


If you click “I forgot my password” you are taken to this link, inviting you to “Visit our password recovery page.”

This is where Gmail has you enter the username associated with the account whose password you wish to recover. In other words, this is where the password hacker will put your username.

At this point you will be presented with a CAPTCHA, to ensure that you are not an automated hacker.

Once you successfully solve the CAPTCHA, Gmail sends a password reset link to the secondary email address associated with the Gmail account, saying:

“To initiate the password reset process, please follow the instructions sent to your ******@*****.com email address. If you don’t have an alternate email address, or if you no longer have access to that account, please try to reset your password again after 24 hours. At that point, you’ll be able to reset your password by answering the security question you provided when you created your account.” {Emphasis added by us.}

And this is the weak link: if that link is not clicked on within 24 hours, anybody who has the answer to your security question has the keys to the kingdom.

After waiting 24 hours, the hacker simply visits the “reset password” link again, enters the account name again, and this time, because 24 hours have passed, they are presented with the security question.
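The flow described above, as an added example that is not part of the original article and does not talk to Google: a small Python model of the recovery logic, with the 24-hour fallback to the security question beside an assumed hardened policy (labelled "no_fallback") under which the question alone never unlocks the account. The account data, timestamps and policy names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of the recovery flow the article walks through. Nothing here
# talks to Google; the account data, timestamps and policy names are assumptions.

FALLBACK_DELAY = timedelta(hours=24)


@dataclass
class Account:
    username: str
    secondary_email: str
    security_answer: str
    pending_since: Optional[datetime] = None  # time of the first unanswered reset request
    link_used: bool = False                   # whether the emailed link was ever followed


def request_reset(account: Account, now: datetime, policy: str) -> str:
    """Return the recovery channel offered for this request.

    policy="fallback": mirrors the message quoted in the article. The first
    request emails a link to the secondary address; if that link goes unused
    and the requester returns 24 hours later, the security question is offered.
    policy="no_fallback": an assumed hardened policy in which the question alone
    never unlocks the account, so the emailed link remains the only path.
    """
    if account.pending_since is None:
        account.pending_since = now
        return "email_link"
    waited = now - account.pending_since
    if policy == "fallback" and not account.link_used and waited >= FALLBACK_DELAY:
        return "security_question"
    return "email_link"


def answer_question(account: Account, answer: str) -> bool:
    """Knowledge check with the usual loose matching: case and extra spaces ignored."""
    def norm(s: str) -> str:
        return " ".join(s.lower().split())
    return norm(answer) == norm(account.security_answer)


def simulate(policy: str, offered_answer: str) -> str:
    """Replay the article's scenario: one request, 24+ hours of silence, a second request.

    Returns "reset_via_question", "question_failed" or "link_only".
    """
    acct = Account("alice.example", "alice@secondary.example", "Theodore")  # constructed
    t0 = datetime(2009, 7, 1, 9, 0)
    request_reset(acct, t0, policy)                                  # link emailed, never clicked
    channel = request_reset(acct, t0 + timedelta(hours=25), policy)
    if channel != "security_question":
        return "link_only"
    return "reset_via_question" if answer_question(acct, offered_answer) else "question_failed"


if __name__ == "__main__":
    for policy in ("fallback", "no_fallback"):
        print(policy, "->", simulate(policy, "theodore"))
```

The point of the comparison is that the weakness is a policy decision, not a bug in the question itself: under "fallback" the unattended secondary mailbox silently downgrades the account to whatever the security answer is worth, while under "no_fallback" the same 25-hour wait changes nothing.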

Now, people use all sorts of things that are easy for them to remember as their security question.

“What is my birthday?”

“What is my anniversary?”

“What is my favorite color?”

“Where was I born?”

“So what?” you may be asking – the hacker would need to know this information in order to get into the Gmail account, right?

Well, first, if the person is someone who knows you, then they probably do know the answer to some of these basic personal questions.

But more to the point is that the answer to each of these questions – and many more – is easily found in many people’s Facebook profiles.

Here is a real example. In our actual test hack, this was the security question (now shared with permission of the person to whose account it was attached):

Now, anybody having this person’s Gmail username would be able to find them very easily on Facebook. And, of course, their father is one of their Facebook friends.

Do you see how this works?

And how trivial it is to hack a Gmail account with just a minimal amount of effort, if the account-holder is active in the social networking world?

Don’t feel bad if you do in fact have an easily-guessed security question ‘protecting’ your Gmail account. You’re in good company. In fact, the recent hacking of Twitter founder Ev’s account, and an earlier hack into Sarah Palin’s account, were likely both accomplished, at least in part, with this method.

Don’t feel bad – but do heed the warnings here! Make sure that the answer to your password reset security question is unguessable and unconnected to any personal information available about you online. And make sure that your secondary email account is one that you actually monitor.
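One way to act on that advice before choosing an answer, as an added example that is neither the article’s own code nor a Google tool: a Python check that flags candidate security answers which can be read straight out of a dump of what a profile page exposes, matching dates in several formats and whole words in free text. The profile fields, their contents and the sample answers are all constructed.

```python
import re
from datetime import date, datetime
from typing import Dict, List, Set

# Added checker: given a dump of what is publicly visible about someone, report which
# fields a candidate security answer can be read straight out of. The profile text
# and the sample answers are constructed for the example.

DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m/%d/%y", "%d/%m/%Y", "%B %d, %Y", "%B %d %Y")
DATE_PATTERN = re.compile(r"\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4}|[A-Z][a-z]+ \d{1,2},? \d{4}")


def _normalize(text: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace, so matching is word-based."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def _dates_in(text: str) -> Set[date]:
    """Every date-looking substring, parsed under the first accepted format that fits."""
    found: Set[date] = set()
    for chunk in DATE_PATTERN.findall(text):
        for fmt in DATE_FORMATS:
            try:
                found.add(datetime.strptime(chunk, fmt).date())
                break
            except ValueError:
                continue
    return found


def exposure(answer: str, profile: Dict[str, str]) -> List[str]:
    """Profile fields from which `answer` can be recovered.

    Dates match regardless of format ("3/14/1985" vs "March 14, 1985"); other
    answers match as whole words anywhere in the field's text. Answers shorter
    than three characters are ignored to avoid meaningless hits.
    """
    hits: List[str] = []
    answer_dates = _dates_in(answer)
    answer_norm = _normalize(answer)
    for field, value in profile.items():
        if answer_dates and answer_dates & _dates_in(value):
            hits.append(field)
        elif len(answer_norm) >= 3 and f" {answer_norm} " in f" {_normalize(value)} ":
            hits.append(field)
    return hits


def audit(answers: List[str], profile: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each candidate answer to the fields that give it away (empty list = no hit)."""
    return {a: exposure(a, profile) for a in answers}


# Constructed stand-in for what a profile page exposes; not real data.
PROFILE = {
    "birthday": "March 14, 1985",
    "hometown": "Spokane, Washington",
    "friends": "Theodore Smith (father); Maria Lopez; Jin Park",
    "about": "Lover of all things purple. Dog mom to Biscuit.",
    "anniversary_post": "Happy 5th anniversary to us! 06/21/2004 best day ever",
}

if __name__ == "__main__":
    candidates = ["3/14/1985", "Theodore", "purple", "Biscuit", "June 21, 2004",
                  "correct horse battery"]
    for answer, fields in audit(candidates, PROFILE).items():
        verdict = "EXPOSED via " + ", ".join(fields) if fields else "no public match"
        print(f"{answer!r:26} -> {verdict}")
```

Every answer built from a birthday, a relative’s name, a favourite colour or a pet lights up against some field, while an answer that is simply a second password (as the last candidate is) matches nothing; that is the practical meaning of “unconnected to any personal information available about you online”.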

So, what actions will you be taking as a result of reading this article?


5 thoughts on “Use Facebook and Gmail? Your Gmail Password May be at Risk!”

  1. My friend created my Gmail account. I’m just using Facebook with this account, but I don’t know any security question about my Gmail. I know all the information about my Facebook account. Please help me to recover my Gmail account information.

  2. Facebook is good for social networking and having fun but not for privacy.
    Facebook sucks in terms of privacy..
    :(

  3. I have been receiving calls on my cell at least twice per day for the last month with the “phone number” 000-000-0000. I’ve not answered it. If anyone else has, what have they found?

  4. I frequently get annoyed by sites that lock you in to a predetermined set of questions, none of which are suitable.
    Sometimes the questions are useless because you have never had the experience (what was the name of your first pet?), are easily guessed or public records (mother’s maiden name – hyphenated into your last name), or transient (favorite musician – varies depending on my mood. I don’t have a single favorite. Ditto for color).

    I much prefer to be able to define hints, which may be as simple as a single letter, or a code that acts as a memory key. For instance, a+## might tell me to use my “a” password with two digits appended.

    Sites that require me to change my password every XX days, and won’t allow me to reuse a password, are especially annoying. These are frequently the ones that provide a password reset, but no hints, and require a special format, but don’t tell you the password requirements until you go to reset it. I know which password family I used, but without the hint, I sometimes forget the specific variant.

  5. Aaaaaaaaaaaaaccccckkk! I am SO glad you pointed this out. My father’s middle name is pretty obscure, but there are still plenty of people who know it, and could have easily hacked my Gmail account using this method. So what about the other questions Google suggests? My library card number? Well the LIBRARIAN knows that, and they also have my email address. Ack! My frequent flyer number? Well SOMEONE at Expedia or my airline know that, and again they also have my Gmail address. Bottom line: You *MUST* create your own security question.
