I have a YouTube channel which is under a different Google account to my normal one. I have a secure password with it, and an alternate e-mail address set up, but I thought I’d see how secure the password recovery feature was and whether I could gain access with hardly any information.
It took me 10 minutes and I had full access. They sent a password reset link to an e-mail address I entered that has never been associated with my account in any way. They also never sent me an e-mail at the actual address associated with the account to tell me that the password had been changed by someone else, so if someone else had gained control of the account I wouldn’t even have been notified of it!
This is all I had to do to get access:
- Enter the YouTube username.
- Click Verify identity.
- Enter an e-mail address that they would later send a reset link to if they liked my answers.
- Answer about 20 questions.
The first one was this:
I entered a completely random word.
Most of the rest of the questions are optional and can be figured out really easily by actually viewing the info on the YouTube channel. For example,
- What date (roughly) did you join Google?
- Select from this list the Google products you use and when you started using them.
At the end it said that it could take a day for someone to review the answers, but the e-mail with the reset link came through in the next few minutes.
In my opinion this is appalling and I don’t understand how they could have made such a mess of it. I don’t use two-factor authentication but I would hope that this would make some difference.
When you change your password they force it to be of a certain standard, and they even block you from using previous passwords. This is all good but completely pointless if it can be bypassed by anyone so easily.
On the subject of the ‘last password you remember’
Does this mean that Google is storing account passwords in clear text? If they were creating hashes then I don’t understand how an answer to this question would be of any use to them, as they’d have no idea how similar the one entered was to the actual one in the database.
Here’s my actual question!
Is there a way of disabling the whole password recovery system altogether? Or is there a way of just disabling the ‘Verify your identity’ bit, which in my opinion shouldn’t even exist in the first place? It should at least be an opt-in feature.
I also think they should allow you to disable the option ‘Receive via: an automated phone call’ because anyone can answer the phone and get the confirmation code really easily. If the number you’ve got set is your mobile, you will probably have a lock screen so random people can’t read your messages, but anyone could answer a phone call even if it is locked. I know that some phones show a preview of new texts, so you have to be careful of that as well (but that’s not Google’s problem).
I realise as well that they might have used the fact that the requests were from the usual IP address, but I still don’t think this is anywhere near enough info to unlock the account for someone.
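On the ‘last password you remember’ point: a salted, iterated hash store cannot score how close a guess is, but it can still answer the question by exact match, including against a retained history of old-password hashes, which is the same data needed to block reuse of previous passwords. The following is an added illustration, not code from the question or from Google, and it assumes PBKDF2-SHA256 as the hash; Google’s real storage scheme is not known from the post. The sample passwords and salts are constructed for the demo.

```python
"""Why 'last password you remember' does not imply cleartext storage.

Added example (not from the original post). Assumes PBKDF2-SHA256 with a
per-record random salt; the real provider's scheme is unknown.
"""
import difflib
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

ITERATIONS = 50_000  # kept modest so the demo runs quickly


@dataclass(frozen=True)
class PasswordRecord:
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Store only salt + digest; the password itself is discarded."""
    if salt is None:
        salt = os.urandom(16)
    return PasswordRecord(salt, _derive(password, salt))


def verify_exact(candidate: str, record: PasswordRecord) -> bool:
    """The only check a hash store supports: recompute and compare in constant time."""
    return hmac.compare_digest(_derive(candidate, record.salt), record.digest)


def matches_password_history(candidate: str, history: List[PasswordRecord]) -> Optional[int]:
    """Check a remembered old password against retained previous-password hashes.

    A provider that blocks reuse of previous passwords already keeps this
    list, so 'last password you remember' can be verified without cleartext.
    Returns the index of the matching entry, or None.
    """
    for index, record in enumerate(history):
        if verify_exact(candidate, record):
            return index
    return None


def cleartext_similarity(candidate: str, actual: str) -> float:
    """What a cleartext store COULD do: score a near miss (0.0 .. 1.0)."""
    return difflib.SequenceMatcher(None, candidate, actual).ratio()


def digest_similarity(candidate: str, record: PasswordRecord) -> float:
    """Fraction of digest bits that agree. For any wrong guess, even one
    character off, this sits near 0.5, i.e. indistinguishable from random,
    so a hash store cannot tell a near miss from a random word."""
    probe = _derive(candidate, record.salt)
    agreeing = sum(8 - bin(a ^ b).count("1") for a, b in zip(probe, record.digest))
    return agreeing / (8 * len(record.digest))


# Constructed sample data (fixed salts so the demo is reproducible).
CURRENT = hash_password("correct horse battery", bytes.fromhex("00112233445566778899aabbccddeeff"))
HISTORY = [
    hash_password("Tr0ub4dor&3", bytes.fromhex("0f0e0d0c0b0a09080706050403020100")),
    hash_password("winter2012!", bytes.fromhex("a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5")),
]

if __name__ == "__main__":
    near_miss = "correct horse batery"
    print("exact match:", verify_exact("correct horse battery", CURRENT))
    print("near miss accepted:", verify_exact(near_miss, CURRENT))
    print("old password found in history at index:", matches_password_history("winter2012!", HISTORY))
    print("cleartext similarity of near miss: %.2f" % cleartext_similarity(near_miss, "correct horse battery"))
    print("digest similarity of near miss:    %.2f" % digest_similarity(near_miss, CURRENT))
```

The takeaway for the question: the recovery form can be meaningful with hashes only if the reviewer accepts nothing short of an exact match against the current or a previous password; any ‘close enough’ scoring would require the cleartext, so how the answer is used matters more than the fact that the question is asked.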