Password strength and account recovery options

Wednesday, July 15, 2009 11:54 AM



There's been some discussion today about the security of online accounts, so we wanted to share our perspective. These are topics that we take very seriously because we know how important they are to our users. We run our own business on Google Apps, and we're highly invested in providing a high level of security in our products. While we can't discuss individual user or customer cases, we thought we'd try to clear up any confusion by taking some time to explain how account recovery works with various types of Google accounts and by revisiting some tips on how users can help keep their account data secure.

One of the more common requests for assistance that we receive from regular Gmail users is to help them regain access to their accounts after they have misplaced or forgotten their password. We know that it can be frustrating when you can't access your account, and we've worked hard to come up with a system designed to help our users regain access to their accounts as smoothly as possible while taking appropriate precautions to protect their account security. When you select a password as you create an account, we recommend that you also choose a security question and provide a secondary email address. Recently, we also added a field where you can enter a mobile phone number to assist with later account recovery. We regularly provide tips about how you can choose good passwords and security questions, and we also share our best ideas for what to do when you can't access your account. It's important to keep your password, security question, and secondary email address up to date. Simply telling us your email address is not enough to change your password. The security question helps us identify you, but if you want to initiate a password reset, we'll only send that information to the secondary address or the mobile phone number you provided.

We handle password recovery differently for our Google Apps customers. There is no password recovery process for individual Google Apps users. Instead, users must communicate directly with their domain administrator to initiate password changes on their individual accounts. Earlier this year we added new password security tools for Google Apps that allow administrators to set password length requirements and view password strength indicators to identify sufficiently long passwords that may still not be strong enough. For businesses that desire additional authentication security, since 2006 we have supported SAML Single Sign-On, a protocol that allows organizations to use two-factor authentication solutions such as certificates, smartcards, biometrics, one-time password devices, and other stronger tokens.

If you're a regular Gmail user and you haven't updated your account information in a while, we recommend you do so by visiting your Google Account settings page now.

The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

24 comments:

FilterJoe said...

Thanks for opening up a conversation about this subject. One thought I've had recently is that it is in the best interest of Google and all vendors of web apps to have a high level of security. If free Google Apps accounts and/or Google accounts are getting routinely broken into, it is bad for Google in several ways:

* Trust for Google decreases

* Fear of trusting data to the cloud increases

* Spam increases (spam bots get contacts)

* Expense for Google increases (support requests to help users recover compromised accounts)

On the other hand, if Google can enable a user experience which makes data MORE secure than desktop data, then it will help secure more corporate customers.

Given these incentives, I think it is in Google's best interests to trickle down some of the features from Premier Apps down to Free Apps and Google Accounts. Specifically (for free accounts):

* SAML SSO enabling two factor authentication

* Allow administrators to set password length requirements

* Make it possible for a Google Apps administrator to remove administrative rights from any user (including the one that established the Google Apps account - if this ends up as a frequently used account, then it is more likely to get compromised than a rarely used account that is only used to administer Google Apps)

I certainly understand that Google needs to differentiate between Premier and free versions of Google Apps. And I think the free version of Google Apps is an incredible product. But adding just a couple of extra security features to the free version could be of great help to both users and to Google.

Aniruddh D said...

I think Google should allow adding security tokens to the Google Apps account so people are able to do the check. As you know, ATM cards work only with the combination of PIN and card; if both things don't match, then nothing is going to happen.

The same thing should be here: a Google Apps password and a security card like an ATM's; without the combination, no access to Google Apps. And Google should not put security as a feature; all premium-level security features should get into all Google Apps accounts, whether free or paid.

If possible, attach the Google Apps authentication system to a fingerprint reader; that would be much more accurate than password security.

I think all companies should think beyond passwords. Web 2 has come, so I think in security it's time to implement a new level of protocols; passwords are an old thing now.

George said...

Security has always been our major concern in this online world. Almost everybody is maintaining accounts online like emails, on purchasing products, online game subscriptions and a lot more. You may also want to check this article about online safety: http://www.articlesbase.com/video-games-articles/safety-in-the-world-of-warcraft-1014729.html

Nick Owen said...

IMO, most small companies see a net increase in security by outsourcing their IT. It is just too hard to keep up with patches, attacks etc while maintaining valued services for employees.

That being said, if you rely on a basket of web-based apps, you should watch that basket.

Here's a tutorial I wrote on how to use the open-source version of WiKID Strong Authentication with Google Apps Enterprise for those interested in adding two-factor to Google Apps.

Crimsonwar said...

I do like the idea of having an authenticator that can be used for apps or email.

This way the password could be different every time you log-in.

World of Warcraft does this as someone already posted, and that is for a game.

The app could be made for Pre, Iphone, or other smart phone devices or as a device you buy for say 5-10 dollars.

A pretty low price to pay for more security.

Carl said...

Protecting my personal Gmail account is something I take seriously. I really wish that Google would enable me, a personal free email account user, to purchase and use a 2-factor token. For me there is no problem coming up with 20 bucks for a token like I did for PayPal. The cloud is here to stay and that means much more exposure to risk for everyone. Corporations (like Google) can fend for themselves and protect their assets with 2-factor authentication. It hurts to know that Google will not offer their customers a way to protect themselves, even if they are willing to bear the cost. Please make 2-factor authentication available for all users.

Josh Turmel said...

Is there a reason you can't adjust the password length requirements on Google Apps standard edition? I know that's the free version, but isn't security just as important, free or not?

Just wondering.

Chris said...

One word: Gtoken (2-factor authentication). Where is it? Should be a paid upgrade for Gmail and Google Apps.

Raman said...

2-3 weeks back my wife's Gmail account got compromised and her password got changed. She changed it 3-4 times, and every time she changed it, it would get hacked or God knows what the next day.

There is no way to get access back to the Gmail account. The password recovery form asks questions like date/month and year of account creation; how does Google think that an individual will remember such things? It has so many questions with months and dates that it is next to impossible to get your account back.

There is no way to write to Google for help; there is just no email or contact form. You just keep going round and round and eventually land at the same place.

Can you please help us out.

david said...

perhaps someone here could help.

I've been a huge Gmail/Blogger fan for the last five years. I've misplaced my password and can only read my mobile Gmail on my iPhone and can no longer log into Google to blog - www.fixbuffalo.blogspot.com - and no longer have access to my secondary email to do the password recovery routine.

Any work arounds? Thanks in advance for your help.

david torke @ gmail.com

Jan Zawadzki (Cloudbreak) said...

The reality is that relative risk is much higher if the account is a corporate one, and a whole lot of information is suddenly exposed.

The reality also is that this is easy to guard against, and that any enterprise users should use two-factor authentication for Google Apps, SFDC or any other cloud platform.

Two-factor btw means that in addition to the username and password the system requires another unique bit of information. We normally use a phone-based app for this: when coming in from the "outside" you get asked for your username, password, and the magic number displayed by our app on your phone. Most people have their phone within reach at most times, so it's easy.

Adding this level of control to your Google domain takes a day. There is no excuse not to, if your information is valuable enough. This isn't rocket science.

J

K800 said...

Has there been any thought to supporting the use of client digital certificates to strengthen authentication to Google Apps / Gmail?

i.e. as available from Entrust, VeriSign, Thawte etc.

Craig Leppan.
leppan.craig@gmail.com

soni said...

nice blog. i liked it!
Web Design India

Ellithy said...

I really use a lot of ways to make my pass stronger
1- using numbers
2- using alternating capital and small letters
3- using symbols : & * $

this password would never be guessed by any program in a million years
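The post itself mentions strength indicators that flag "sufficiently long passwords that may still not be strong enough", and the comment above relies on digits, alternating case and symbols. The following added Python example (not Google's indicator, and not anything the commenter uses) shows why a class-counting meter on its own is misleading: it reports the naive log2(charset^length) figure such a meter would show, then separately flags passwords that reduce to a common word once leet substitutions, case and surrounding digits or symbols are stripped, or that are one chunk repeated to fill the length. The word list, the leet table and the 40-bit floor are constructed assumptions; a real checker loads a breached-password list.

```python
import math
import re
from typing import Dict, List, Optional

# Constructed mini word list; a real checker loads a breached-password list.
COMMON_WORDS = {"password", "secret", "letmein", "welcome", "qwerty",
                "google", "gmail", "summer", "monkey", "dragon"}

# Common symbol/digit substitutions, undone before the dictionary check.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def charset_size(pw: str) -> int:
    """Size of the alphabet a class-counting meter assumes for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33   # printable ASCII punctuation
    return size


def naive_entropy_bits(pw: str) -> float:
    """What a simple meter reports: log2(charset ** length)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def dictionary_core(pw: str) -> Optional[str]:
    """Lower-case, optionally undo leet substitutions, strip leading/trailing
    digits and symbols, and report the common word left over, if any."""
    for candidate in (pw, pw.translate(LEET)):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())
        if core in COMMON_WORDS:
            return core
    return None


def is_repetitive(pw: str) -> bool:
    """True when the password is one short chunk repeated to fill the length."""
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return True
    return False


def assess(pw: str, min_length: int = 8) -> Dict[str, object]:
    """Length policy plus the checks a bare class counter misses. The 40-bit
    floor and the word list are assumed values for this example."""
    weaknesses: List[str] = []
    if len(pw) < min_length:
        weaknesses.append(f"shorter than the {min_length}-character minimum")
    core = dictionary_core(pw)
    if core:
        weaknesses.append(f"built on the common word '{core}'")
    if is_repetitive(pw) or (len(pw) >= 4 and len(set(pw)) <= 3):
        weaknesses.append("repeated chunk or very few distinct characters")
    bits = naive_entropy_bits(pw)
    if bits < 40:
        weaknesses.append("too short for its character set")
    return {"length_ok": len(pw) >= min_length, "naive_bits": round(bits, 1),
            "weaknesses": weaknesses, "strong": not weaknesses}


if __name__ == "__main__":
    for sample in ("P@$$w0rd", "PaSsWoRd123&*$", "abcabcabcabcabc",
                   "correct-horse-battery-staple"):   # constructed samples
        print(f"{sample!r}: {assess(sample)}")
```

Run on the constructed samples, the first three all clear an 8-character minimum and score 50 to 90 naive bits, yet each is rejected for a reason the meter cannot see; only the long passphrase passes every check.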

andika said...

I've been getting some wrong email notifications, because a new user mistakenly put my email address as his/her secondary. Then I could take over that account by sending a 'password forgotten' request.

I believe GMail must add extra steps to verify secondary account ownership, to prevent this kind of attack.
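The post says a reset is only ever sent to the secondary address or phone number registered in advance, and the comment above shows what goes wrong when that secondary address was never confirmed by its owner. The following added example (not Google's code) models that flow in Python: a secondary email must echo back a one-time code before it counts as a recovery channel, and a reset token is delivered only to a verified channel, never returned to whoever asked for the reset. Usernames and addresses are constructed, and `outbox` stands in for the mail/SMS gateway so the destination of every message is visible.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    secondary_email: Optional[str] = None
    secondary_verified: bool = False
    phone: Optional[str] = None              # treated as verified at enrolment in this model
    pending_verify_code: Optional[str] = None


class RecoveryService:
    """Toy model of the recovery flow. `outbox` stands in for the mail/SMS
    gateway: each entry is (destination, message), so a test can see exactly
    where a code or token was delivered."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []
        self.reset_tokens: Dict[str, str] = {}   # token -> username

    def register(self, username: str, secondary_email: Optional[str] = None,
                 phone: Optional[str] = None) -> Account:
        acct = Account(username, secondary_email, phone=phone)
        self.accounts[username] = acct
        if secondary_email:
            # The address is useless for recovery until whoever reads that
            # mailbox echoes the code back, proving they control it.
            acct.pending_verify_code = f"{secrets.randbelow(10 ** 6):06d}"
            self.outbox.append((secondary_email,
                                f"verify code {acct.pending_verify_code}"))
        return acct

    def confirm_secondary(self, username: str, code: str) -> bool:
        """Single-use confirmation of the secondary address."""
        acct = self.accounts[username]
        expected = acct.pending_verify_code
        if expected is not None and hmac.compare_digest(expected, code):
            acct.secondary_verified = True
            acct.pending_verify_code = None
            return True
        return False

    def request_reset(self, username: str) -> Optional[str]:
        """The reset token goes only to a verified channel registered earlier,
        never back to whoever typed the username. Returns the destination used,
        or None when the account has no verified channel (or does not exist)."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if acct.secondary_verified and acct.secondary_email:
            dest = acct.secondary_email
        elif acct.phone:
            dest = acct.phone
        else:
            return None
        token = secrets.token_urlsafe(24)
        self.reset_tokens[token] = username
        self.outbox.append((dest, f"reset token {token}"))
        return dest


def takeover_attempt_blocked() -> bool:
    """Scenario from the comment above: a stranger signs up and mistypes *my*
    address as their secondary. Without verification I would receive their reset
    token; with it, the unconfirmed address is never used and nothing is sent."""
    svc = RecoveryService()
    svc.register("stranger", secondary_email="me@example.invalid")  # constructed
    # I ignore the verification mail, so the address never becomes a channel.
    dest = svc.request_reset("stranger")
    leaked = any(msg.startswith("reset token") for _, msg in svc.outbox)
    return dest is None and not leaked


if __name__ == "__main__":
    print("takeover via unverified secondary blocked:", takeover_attempt_blocked())
```

The same `request_reset` response (no destination revealed to the caller) is returned whether the account is missing or merely lacks a verified channel, so the reset form does not double as a username oracle.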

RayTMercer said...

Macduff: I am the admin of a Google Apps Education domain (student.columbustech.edu). I spend more time resetting forgotten passwords than any other job I do. Is there a way to add the password recovery feature to a domain? My LMS and SIS have that feature, but we do not have a SSO system.

easysecured said...

I have developed a way to address this issue and on my way to setting up a business around it.

founder, easysecured.com

Vijay said...

Here's a way to add strong authentication including Free Verisign VIP mobile tokens (yes, the same you use for accessing Paypal, etc) to your Google Apps.
You do need to be a Google Apps Premier customer. Offered by www.myonelogin.com in partnership with VeriSign.
To signup go to: http://www.myonelogin.com/googleapps/

easysecured said...

The way to go is passwordless user authentication, which my company has developed.

Here the user does not need to define, enter or remember a password. The password is generated from the unique identity of the user's computer or device and is not stored anywhere, thus making it inherently more secure.

Imagine an online database on a server such as Google's where there is no password field.

You can head to easysecured.com to learn more about this technology.

MakeSafePassword said...

To automatically generate a password that will fit with google (and other's) password strength requirements, use the tool at http://makesafepassword.com

(tip: set it to also use punctuation for sites that allow it, for extra security.)

brownandwhitecup said...

There should be a simple way, when creating a new Google account, to simply turn the whole darn password recovery thing off. Not the default, but there in a tiny checkbox for those who really need it.

Password recovery is a CONVENIENCE that compromises SECURITY. Some of us would rather be inconvenienced by having to actually create a rock solid way of remembering our passwords than have the extra complexity and risk of the password recovery apparatus.

Problems with password recovery:

o The recovery email is sent unencrypted; a sophisticated attacker could read it in transit.
o If the secondary email is hacked, your ENTIRE Google account is hacked (doubles the attack surface).
o You have to make sure the recovery email is always active (some emails will be deactivated if unused for a period of time).
o I have to think about all these various scenarios, rather than just remembering the darn password!

PLEASE GIVE US THE ABILITY TO OPT OUT OF PASSWORD RECOVERY AT ACCOUNT CREATION TIME!!!

Ali Hamdar said...

A security policy includes different requirements: password length, complexity, age, sharing, disclosure etc...

This article describes password policies in detail.

newmania said...

I would happily pay for a Google security token, similar to the Paypal security key. I keep my whole life on your server so I'd like to keep access secured!