How Google Protects Your Gmail Account

by Administrator on August 18, 2009

I locked myself out of my Gmail account a few days ago and needed to have the password reset. That’s when I found out that Google has implemented a system that can prevent somebody who knows the answers to your security question from hijacking / stealing your account.

Google now sends an email to the secondary email address you have on file with them (I’ll show you how to check this in a moment). This email has a link you can click on to reset your password. They will not allow you to reset your password using your security question for at least 24 hours after you submit your request.

This not only prevents somebody from resetting your password right away (and effectively stealing your account), it also warns you that somebody is trying to reset your password — assuming that you monitor your secondary email account on a daily basis.
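The policy described above, modeled as a small added example (this is not Google's code and not code from the original post): the emailed link works immediately, while the security-question fallback stays locked for 24 hours after the request. The class and method names, the in-memory outbox, the single-use link and the rule that a repeat request does not restart the clock are all assumptions made for illustration.

```python
import secrets
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)  # delay on the security-question path, per the post


class RecoveryPolicy:
    """Toy model of the reset flow; every name here is hypothetical."""

    def __init__(self, secondary_email, security_answer):
        self.secondary_email = secondary_email
        self.security_answer = security_answer
        self.requested_at = None  # time of the pending reset request
        self.token = None         # value carried by the emailed link
        self.outbox = []          # stands in for real mail delivery

    def request_reset(self, now):
        # Assumption: a repeat request does not restart or shorten the hold.
        if self.requested_at is None:
            self.requested_at = now
        self.token = secrets.token_urlsafe(32)
        # The message doubles as a warning to the real owner.
        self.outbox.append((self.secondary_email, self.token))

    def reset_with_link(self, token):
        # The link proves control of the secondary mailbox, so no delay applies.
        ok = self.token is not None and secrets.compare_digest(token, self.token)
        if ok:
            self._clear()  # assumption: the link is single-use
        return ok

    def reset_with_answer(self, answer, now):
        # Knowing the answer is not enough until the hold has elapsed.
        if self.requested_at is None or now - self.requested_at < HOLD:
            return False
        ok = secrets.compare_digest(answer.encode(), self.security_answer.encode())
        if ok:
            self._clear()
        return ok

    def _clear(self):
        self.requested_at = None
        self.token = None


if __name__ == "__main__":
    t0 = datetime(2009, 8, 18, 9, 0)                   # constructed sample data
    acct = RecoveryPolicy("backup@example.org", "rex")
    acct.request_reset(t0)
    print(acct.reset_with_answer("rex", t0 + timedelta(hours=1)))   # inside the hold
    print(acct.reset_with_answer("rex", t0 + timedelta(hours=24)))  # hold elapsed
```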

While I only tested Gmail, I think the same basic procedure applies to any other accounts you have with Google.

Here’s what you need to do to set or change your secondary email address within Gmail:

  1. From the main Gmail page in your web browser, click on the “Settings” link (NOTE: If you have a different default language set, you can temporarily set your default language to “English” to make it easier to follow these instructions, if you want).
  2. Click on the “Accounts and Import” link.
  3. Click on the “Google Account Settings” link at the bottom of the page. The Account Settings page will open in a new browser window (NOTE: You may need to enter your Google password to gain access to the page or any subsequent pages. This is a security measure).
  4. Under “Personal Settings”, click on the “Change Password Recovery Options” link in the “Security” section.
  5. Under the “Email” section, ensure that you have a secondary email address entered. Also ensure that you can easily access this email account.

The next time you need a password reset, Google will send instructions to this account and will not allow you to reset your password using your security question for at least 24 hours after the request is made. If you check this account daily, you’ll be able to tell if somebody is trying to hack into your account and can take steps to stop it (I recommend contacting Google to let them know that somebody has requested a password reset for your account).

You can use any email account as the secondary address, but I recommend that you get another web-based email account for it. Just make sure that you use a different, hard-to-guess password for that account. In general, you should not use the same password for accounts that contain sensitive information.

In my case, my backup email address was on one of my domains — and that domain does not have web-based email because I choose not to install it (there’s no point in installing applications that you don’t need; it’s just one more thing that you have to protect). Since I was on the road at the time, I had to wait until I got home before I could open that email and click on the link. While it was an inconvenience to not have my Gmail available for several hours, it was much better than the possible alternative.


Please note that the information in this blog is subject to change and readers should do their own research prior to relying on the information in this blog post.
