Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: How Likely is Losing a Google Account?, published by jefftk on January 30, 2023 on LessWrong.
Let's say you use a Google account as the root of your online identity: Gmail, Fi, "Sign in with Google", Google's password manager, etc. How much should you be worried that you'll suddenly find yourself unable to get into everything? Should you do something else instead?
To get a sense of how common lockouts are and how they happen I looked through lockout reports on Hacker News by searching for [google blocked account] and [google locked out]. I looked at top-level stories and the comments on them for cases where people were entirely locked out of an account; I didn't include cases where people lost access to only some Google services (Payments, AdWords, etc.) or where they did get back in on their own. I did count cases where it took making a lot of noise on HN or Twitter, though.
There are two reasons people seem to get locked out:
Security lockouts: they're not convinced you're you, and are trying to prevent an attacker from getting into your account.
Policy lockouts: they don't like you. They've flagged your account as abusive, enough that they completely suspend your account.
I found 32 cases (sheet), going back to 2008. I found 22 security lockouts, 7 policy lockouts, and 3 with too few details to tell. I think this likely undercounts security lockouts substantially relative to policy ones: reading the comments, a lot of the security ones were like "that happened to me too" while the policy ones got mainstream news articles. [1]
With the security lockouts, in cases where you could tell what had happened, the most common reason was that someone had configured a backup method (phone number, recovery email, 2FA) but no longer had access to it. The second most common were cases where someone hadn't configured any backup methods and Google was considering their login to be suspicious.
Security lockouts are a tricky situation because failures in either direction are very bad. All of the above are false positives: people who should have been let back into their accounts but weren't. But there are also false negatives: cases where an attacker was let into someone's account.
There is a question of whether Google should be flagging suspicious logins at all, though. If my account were protected only by a password and someone else got it, maybe Google should just let them in? The problem is that this would mean lots of hacked accounts: it's common for passwords to get revealed through phishing or cross-site password reuse. Using other aspects of your login, like your country, device, activity pattern, etc. as a kind of pseudo-2FA probably does make things better for users overall: if my username and password suddenly appeared from a new device in Russia there really is a good chance that it's someone trying to hack me. Luckily, users have a better option: opting into tighter security by setting up good 2FA. The more ways you can demonstrate that you are actually you, the lower the risk both of hacks and lockouts.
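To make that tradeoff concrete, here is a small added example (not code from the original post, and not a description of how Google's systems actually work): a toy risk-based login check that scores a login by how unfamiliar its country and device are, accepts a password alone only when the score is low, and otherwise demands proof from a second factor. The scoring rules, the threshold, the account "alice" and every login event are constructed for the example. The scenarios cover both failure directions discussed above, plus the stale-backup-method case from the lockout reports, where a recovery method is configured but the owner can no longer use it.

```python
# Toy model of risk-based login checks ("pseudo-2FA") and the lockout/hack
# tradeoff. Added example, not code from the original post or from Google; the
# scoring rules, the threshold and all account/login data are constructed.
from dataclasses import dataclass, replace

CHALLENGE_THRESHOLD = 2  # assumed: at or above this score, a password alone is not enough


@dataclass(frozen=True)
class AccountProfile:
    known_countries: frozenset
    known_devices: frozenset
    has_security_key: bool = False      # user enrolled a FIDO security key
    has_recovery_method: bool = False   # backup phone/email configured


@dataclass(frozen=True)
class LoginAttempt:
    password_ok: bool
    country: str
    device_id: str
    security_key_ok: bool = False   # a valid assertion from an enrolled key was presented
    recovery_ok: bool = False       # the user proved control of a backup phone/email


def risk_score(profile: AccountProfile, attempt: LoginAttempt) -> int:
    """Score how unusual this login looks compared with the account's history."""
    score = 0
    if attempt.country not in profile.known_countries:
        score += 2   # new country is the strongest signal in this toy model
    if attempt.device_id not in profile.known_devices:
        score += 1
    return score


def evaluate(profile: AccountProfile, attempt: LoginAttempt) -> str:
    """Decide a login: 'allow', 'deny' (bad password) or 'locked_out'.

    'locked_out' means the login looked suspicious and the person could not
    present any additional proof. For the real owner that is a false positive
    (a security lockout); for an attacker it is the check working as intended.
    """
    if not attempt.password_ok:
        return "deny"
    if profile.has_security_key and attempt.security_key_ok:
        return "allow"   # strong second factor overrides the heuristics
    if risk_score(profile, attempt) < CHALLENGE_THRESHOLD:
        return "allow"   # nothing unusual: password alone is accepted
    if profile.has_recovery_method and attempt.recovery_ok:
        return "allow"   # suspicious, but the backup method confirmed it
    return "locked_out"


def run_scenarios() -> dict:
    """Constructed scenarios for one account, 'alice', who normally logs in from the US."""
    alice = AccountProfile(known_countries=frozenset({"US"}),
                           known_devices=frozenset({"laptop-1"}))
    alice_with_key = replace(alice, has_security_key=True)
    alice_stale_recovery = replace(alice, has_recovery_method=True)

    return {
        # Owner travels with a new device, password only: flagged and locked out (false positive).
        "owner_travels_password_only":
            evaluate(alice, LoginAttempt(True, "FR", "hotel-pc")),
        # Phished password used from an unknown device and country: blocked (true positive).
        "attacker_phished_password":
            evaluate(alice, LoginAttempt(True, "RU", "unknown-box")),
        # Login that differs only by device: below threshold, so it gets in (false negative).
        "attacker_same_country":
            evaluate(alice, LoginAttempt(True, "US", "unknown-box")),
        # Owner with a security key: same unusual login, but the key settles it.
        "owner_with_security_key":
            evaluate(alice_with_key, LoginAttempt(True, "FR", "hotel-pc", security_key_ok=True)),
        # Owner configured a backup phone long ago and no longer has it: cannot answer the challenge.
        "owner_stale_backup_method":
            evaluate(alice_stale_recovery, LoginAttempt(True, "FR", "hotel-pc", recovery_ok=False)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} {outcome}")
```

The point of the scenarios is the last two lines of the table: the same unusual login that locks out a password-only owner is accepted once an enrolled security key is presented, while a backup method the owner can no longer reach is no better than none. Lowering the threshold would admit fewer attackers but lock out more travelling owners; the only move that improves both is giving the system more ways to confirm it is really you.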
After going through these, it seems to me that the likelihood of a security lockout is low enough not to worry about if you:
In addition to memorizing your password, write it down and store it in a safe place. This is also worth doing if there's someone you want to have access to the account immediately if something happens to you (the Inactive Account Manager is also good, but it reasonably has a substantial delay).
Configure backup methods (phone, email).
Update backup methods promptly when they change. You can see what you have configured at myaccount.google.com/security.
Ideally, set up security keys for two-factor authentication, and if you do, set up three (work, home, keychain or phone).
What about the policy lockouts, though? I think the risk there is also very low: these are ...