Today I woke up early, even though I got to sleep late. No inclination to sleep more though... During the day a call for help came, and I answered.
The case was interesting: the only working version of a Gmail account was the one on an iPad. The written-down password didn't work. No phone or mail set up. A quick search showed that this should be the end of the line.
Now when I used to do Microsoft support I always recommended adding a mail address and phone number to the account information. Why? Because this drastically increases security. Now you could argue that this adds another possible vector of attack, but this is actually not really the case.
I always explain that there are two kinds of security we need to take care of: the security that other people cannot access your data, and the security that you actually DO have access to your stuff when you need to. I barely know ANY "security expert" that takes this second one into account, and ignoring this is a recipe for disaster, because most people are very bad at remembering passwords. No, a password manager DOESN'T solve this for most people. You need to think of alternative access options, and adding a phone number basically solves this with most major online service providers.
Also, Google and Microsoft, and possibly others, have a protection system that locks the account against brute force when malice is recognized. Except this basically only works when alternative account information is available, like a phone number. If no alternative information is available, they err on the side of the second kind of security (well, more or less) and mostly won't lock you out of your account, which means that with a simple password a brute force is simple to do.
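To make the trade-off in that paragraph concrete, here is an added example that is not from the original post and does not claim to reproduce how Google or Microsoft actually implement their protection. It models a login guard that counts failed attempts per account in a sliding window and, when the threshold is hit, hard-locks and notifies only if the account has a recovery contact, and otherwise merely throttles so the legitimate owner is not locked out for good. The log format, the `SAMPLE_LOG` lines, the `RECOVERY_CONTACT` table, the window and threshold values, and the class and function names are all my assumptions for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not from the post): timestamp, result, account, source IP.
# alice: 5 failures in 30 s, has a recovery contact   -> hard lock + notify
# bob:   5 failures in 20 s, no recovery contact      -> throttle only
# carol: 3 failures hours apart                       -> nothing
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL alice@example.com 203.0.113.5
2024-05-01T10:00:07 FAIL alice@example.com 203.0.113.5
2024-05-01T10:00:15 FAIL alice@example.com 203.0.113.5
2024-05-01T10:00:21 FAIL alice@example.com 203.0.113.5
2024-05-01T10:00:30 FAIL alice@example.com 203.0.113.5
2024-05-01T10:01:00 FAIL bob@example.com 198.51.100.9
2024-05-01T10:01:05 FAIL bob@example.com 198.51.100.9
2024-05-01T10:01:09 FAIL bob@example.com 198.51.100.9
2024-05-01T10:01:14 FAIL bob@example.com 198.51.100.9
2024-05-01T10:01:20 FAIL bob@example.com 198.51.100.9
2024-05-01T09:00:00 FAIL carol@example.com 192.0.2.7
2024-05-01T11:00:00 FAIL carol@example.com 192.0.2.7
2024-05-01T11:00:30 SUCCESS carol@example.com 192.0.2.7
2024-05-01T13:00:00 FAIL carol@example.com 192.0.2.7
"""

# Assumed account data: whether a phone number or backup mail is on file.
RECOVERY_CONTACT = {
    "alice@example.com": True,
    "bob@example.com": False,
    "carol@example.com": True,
}


class LoginGuard:
    """Sliding-window failure counter with the two responses the post describes.

    Window and threshold are illustrative values, not any provider's real policy.
    """

    def __init__(self, window_seconds=300, max_failures=5):
        self.window = window_seconds
        self.max_failures = max_failures
        self.failures = defaultdict(deque)  # account -> recent failure epochs
        self.locked = set()

    def record_failure(self, account, ts, has_recovery_contact):
        """Register one failed login at epoch `ts` and return the action taken."""
        if account in self.locked:
            return "LOCKED"
        q = self.failures[account]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and q[0] < ts - self.window:
            q.popleft()
        if len(q) < self.max_failures:
            return "OK"
        if has_recovery_contact:
            # A recovery channel exists, so locking cannot strand the owner:
            # lock, and tell them via that channel.
            self.locked.add(account)
            return "LOCK_AND_NOTIFY"
        # No way to reach the owner: slow the attacker down instead of a hard lock,
        # which is the "second kind of security" the post talks about.
        return "THROTTLE"


def replay_log(log_text, recovery_contacts, guard=None):
    """Feed FAIL lines of the log to the guard in time order.

    Returns (last action per account, guard) so the caller can inspect the lock set.
    """
    guard = guard or LoginGuard()
    events = []
    for line in log_text.splitlines():
        ts_str, result, account, _ip = line.split()
        if result != "FAIL":
            continue
        events.append((datetime.fromisoformat(ts_str).timestamp(), account))
    last_action = {}
    for ts, account in sorted(events):
        last_action[account] = guard.record_failure(
            account, ts, recovery_contacts.get(account, False)
        )
    return last_action, guard


if __name__ == "__main__":
    actions, g = replay_log(SAMPLE_LOG, RECOVERY_CONTACT)
    for acct, action in sorted(actions.items()):
        print(f"{acct:20} {action}")
    print("locked:", sorted(g.locked))
```

The point of the split decision is the one the post makes: a hard lock is only safe when the provider has a second way to reach the owner, so adding a phone number or backup mail is what turns a throttle into a real lock with a notification.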
So with the account on the iPad I figured out when the account was set up (much earlier than she thought!) and with the notes in the notebook about the password I tried my first reset. It didn't identify. So with John the Ripper I created a password list based on the Single rules and the password that she had noted down, brute forced this from my VPS on Gmail with hydra, and after a few false starts I had a pretty short list; in about 5 minutes I had a match: the password with one preceding character. This one didn't log in immediately, but it did work with the password reset option.
I was shaking. I don't ever do things like password cracking, because there is usually no good use for it, but here it worked, and it gravely saved this lady's main mail account. So now I set this account up for continued common usage:
- Change password
- Note password down
- Add phone number to account (this should usually be enough to enable Google to trigger suspicious activity notifications; for heavier duty enable 2-factor authentication, which I use for my own account)
- Add backup mail account
So, that was an interesting day. Luckily, because of an unsuccessful attempt earlier to open a lost bitcoin wallet, I got acquainted with John the Ripper, and the rest was easy enough to google. I hope this article will help you to think better about all factors of security, also the access part, and I eagerly await your comments and questions.