It happens a lot.
That’s a synthesis of the comments I get frequently on some of my most viewed content: my articles and videos on account recovery.
Folks are often pissed at me because the process doesn’t work — even though I usually start by saying, “This process might not work.”
Call this “tough love” if you like: I hate to harp on it, but there’s really no one to blame but yourself, no matter how many “thumbs down” you give me. Instead, learn from the situation and take the steps you should have taken to begin with to make sure this never happens again.
Getting your account back
If you’ve lost access to an online account and the account recovery or “lost password” processes don’t work, it’s likely you’ve lost the account forever. It’s critical that you keep your account secure to begin with and that you keep recovery information set and up-to-date in the event you need to prove you are the rightful account holder.
When account recovery fails
Account recovery fails for one and only one reason: you are unable to prove that you are the legitimate account holder and should be allowed access to the account.
Online services are in a constant battle with hackers and others attempting to get into accounts they shouldn't be allowed to access, so the services establish processes that only the actual account holder should be able to complete. If you cannot complete that process, the service has no way to tell you apart from a hacker trying to break in.
Frustrating as hell, I get it, but that’s the bottom line.
There are several ways this can happen.
Failure #1: Incorrect or missing account recovery info
The most common reason people lose access to their accounts is because they failed to set up account recovery information, or they let that account recovery information fall out of date.
Account recovery information includes things like alternate email addresses, phone numbers, or recovery codes. Setting up each of those when you create the account or while you have access to the account allows you to prove to the service you are the account owner if and when you need to recover the account.
If you can receive a code sent to the alternate email address or phone number you registered, then as far as the service can tell, you are you; that registered channel is your proof. It's as simple as that.
If you can’t — perhaps the email address no longer works or you changed your phone number without updating the account — then you have no way to prove your identity.
Lesson #1: Set and maintain account recovery information for all your accounts.
Failure #2: Changed info
A very common complaint I hear is, “I entered what I absolutely know to be the correct password, and it failed.”
If the password fails and everything else is correct (the username is right, you're signing into the real site and not a look-alike phishing site, and so on), then no, what you're entering is no longer the account's password. Chances are someone got into your account and changed it. Your password is not your password any more.
But it can get worse.
Once hackers gain access to your account, on some services it’s possible for them to go in and change all that recovery information we talked about to prevent you from being able to recover the account. Most services will notify you using the old recovery information, but a) not all do, and b) if you’re also suffering from failure #1 above, you might never get the message.
The password’s been changed, the recovery information’s been changed, and you have no way left to prove you are the legitimate account holder. It’s not your account any more.
Lesson #2: Do everything you can to prevent your account getting hacked. Use a password manager, long, strong, unique passwords, and two-factor authentication wherever possible.
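The ownership-proof logic behind Failures #1 and #2, as an added example that is not from Ask Leo! or from any real service: a constructed Python model of an account with registered recovery contacts and hashed one-time recovery codes. The usernames, addresses, phone numbers and passwords are made up, the function names (`hash_secret`, `recover_via_contact`, `run_scenarios`) are my own, and PBKDF2 with a fixed salt stands in for whatever a real service uses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption for this example: one fixed salt. A real service would use a
# per-record salt or server-side pepper and a slower, memory-hard hash.
SALT = b"constructed-example-salt"


def hash_secret(value: str) -> str:
    """Hash a password or recovery code before storing it; plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), SALT, 50_000).hex()


@dataclass
class Account:
    username: str
    password_hash: str
    recovery_email: Optional[str] = None
    recovery_phone: Optional[str] = None
    recovery_code_hashes: set = field(default_factory=set)
    # (channel, message) pairs the service "sent"; stands in for real email/SMS delivery.
    notifications: list = field(default_factory=list)


def login(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, hash_secret(password))


def issue_recovery_codes(acct: Account, count: int = 4) -> list:
    """Generate one-time codes, store only their hashes, hand back the plaintext once.
    Regenerating replaces the old set, so an earlier printout stops working."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    acct.recovery_code_hashes = {hash_secret(c) for c in codes}
    return codes


def change_recovery_contacts(acct: Account, new_email=None, new_phone=None) -> None:
    """Update recovery info and notify the OLD contacts so the real owner gets a warning."""
    for old in (acct.recovery_email, acct.recovery_phone):
        if old:
            acct.notifications.append((old, f"Recovery info for {acct.username} was changed"))
    if new_email is not None:
        acct.recovery_email = new_email
    if new_phone is not None:
        acct.recovery_phone = new_phone


def recover_via_contact(acct: Account, claimant_controls: set) -> Optional[str]:
    """Send a challenge to each stored contact. The claimant can only echo it back
    if they still receive mail/SMS there (modelled by membership in claimant_controls)."""
    challenge = f"{secrets.randbelow(10**6):06d}"
    for channel in (acct.recovery_email, acct.recovery_phone):
        if channel is None:
            continue
        acct.notifications.append((channel, f"Your recovery code is {challenge}"))
        if channel in claimant_controls:
            return channel  # proof of ownership: the claimant read the code
    return None  # no reachable channel: the service cannot tell owner from attacker


def recover_via_code(acct: Account, code: str) -> bool:
    """Accept a stored one-time code exactly once."""
    h = hash_secret(code)
    if h in acct.recovery_code_hashes:
        acct.recovery_code_hashes.discard(h)
        return True
    return False


def run_scenarios() -> dict:
    """Constructed scenarios mirroring Failure #1 and Failure #2."""
    results = {}
    # Failure #1: the registered phone number is stale; the owner now has a new number.
    stale = Account("leo", hash_secret("correct horse battery staple"), recovery_phone="+15550001111")
    results["stale_phone"] = recover_via_contact(stale, {"+15559998888"}) is None
    # Up-to-date recovery email: the owner still reads it, so recovery succeeds.
    current = Account("leo", hash_secret("correct horse battery staple"), recovery_email="leo@example.com")
    results["current_email"] = recover_via_contact(current, {"leo@example.com"}) == "leo@example.com"
    # One-time codes work exactly once.
    fresh = Account("leo", hash_secret("pw"))
    codes = issue_recovery_codes(fresh)
    results["code_once"] = (recover_via_code(fresh, codes[0]), recover_via_code(fresh, codes[0]))
    # Failure #2: an attacker who knows the password logs in and rotates everything.
    taken = Account("leo", hash_secret("pw"), recovery_email="leo@example.com")
    owner_codes = issue_recovery_codes(taken)
    results["attacker_logged_in"] = login(taken, "pw")
    change_recovery_contacts(taken, new_email="attacker@example.net")
    issue_recovery_codes(taken)  # attacker regenerates codes; the owner's printed copy is dead
    results["old_email_notified"] = any(ch == "leo@example.com" for ch, _ in taken.notifications)
    results["owner_recovery_by_email"] = recover_via_contact(taken, {"leo@example.com"})
    results["owner_old_code_works"] = recover_via_code(taken, owner_codes[0])
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The "notify the old contact" step in `change_recovery_contacts` is the warning Leo mentions. In the takeover scenario the message is queued for the old address, but nothing else survives: the new recovery address belongs to the attacker, and the owner's saved codes were invalidated by the regeneration. If that old address is also one you no longer read (Failure #1 on top of Failure #2), the warning goes nowhere.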
Failure #3: Expecting customer service
Oh, my, do people get angry at this point. They’ve lost access to their account and they want to reach out to the service’s customer support options for help recovering the account.
Except there are no customer support options.
Free is free, and you get what you paid for. Even so-called “online chats” or “give us the last password you remember and a few message subject lines and we’ll get back to you” options are typically completely automated, and often fail with zero recourse. There is no person to call, there is no person to email, and there is no person to talk to.
You’re on your own.
Lesson #3: Understand what you’re (not) getting. Switch providers if you need more.
Do this
Like I said above, I really hate to harp on this stuff — I’m as tired of it as you are. But I continue to see it so often that I can only hope my constant reminders will help you either:
- Learn from your mistakes and avoid having this happen to you again.
- Learn from the mistakes of others and avoid this terrible experience.
New Year's resolution… every new year, check that all your alternate email addresses, phone numbers, etc. are correct.
Thanks Leo, this reminder is timely. As you write in Lesson #1 … maintain account recovery information. It really is NOT once and done, we have to keep at it.
Happy New Year to Leo, Mark and all the readers.
Sometimes email gets hacked and someone else gets your password. Going forward, that email address now _usually_ belongs to the hacker, and they also have access to all your old email, sent and received. I guess that is one reason why I never leave my email on the email server. I download incoming email to MY computer and it is deleted from the email server. While that won’t help if my email address is “stolen” and a recovery code for some other service is sent to my “stolen” email address, at least the hacker will not be privy to my old email. I only use one device. If you share devices for reading email, downloading your email will usually prevent accessing your saved email on other devices.
I have two email accounts, and I have secured both with a strong password (stored in my password vault) and 2FA, so even if some miscreant discovers the password to one of my email accounts (or both), they will not be able to make any changes to any of my profile information/account settings (password, alternate recovery email address, et al.) without the device from which I access my authenticator app.
On a side note, regarding password security, I saw this item (https://www.codeproject.com/Articles/5348966/No-need-to-Store-Encrypt-or-Memorize-Passwords) that I’m considering testing to replace my password vault. The concept looks very interesting to me. What do you think Leo?
Ernie
If I understand it, it’s still storing SOMETHING, which is then used algorithmically to reconstruct the password. I’m not seeing a huge difference between that and encrypted passwords. In either case, if the master password and algorithm are known, then the passwords — remembered or generated — would be fetchable. I could be wrong, but that’s what I take away from it.
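To make the point in the reply above concrete, here is an added example that is not from Ask Leo! and does not reproduce the linked CodeProject scheme (which I have not copied): a minimal deterministic password generator of the general kind being discussed. It assumes that a master secret, a site name and an optional per-site counter are the only inputs; `derive_password`, `derive_all` and `run_demo` are my own names, and the master secret and site names below are constructed.

```python
import hashlib
import string

# 64 symbols, so one derived byte maps to one character with no modulo bias.
# Assumption: sites that demand punctuation would need a different alphabet.
ALPHABET = string.ascii_letters + string.digits + "-_"


def derive_password(master: str, site: str, counter: int = 0, length: int = 20) -> str:
    """Derive a site password from (master, site, counter). Nothing is stored:
    the same inputs always reproduce the same password."""
    # Site and counter go into the salt with a separator so distinct
    # (site, counter) pairs cannot run together into the same string.
    salt = f"{site}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=length)
    return "".join(ALPHABET[b & 63] for b in raw)


def derive_all(master: str, sites) -> dict:
    """Everything that anyone holding the master secret and this code can reconstruct."""
    return {site: derive_password(master, site) for site in sites}


def run_demo() -> dict:
    master = "correct horse battery staple"  # constructed master secret
    sites = ["mail.example.com", "bank.example.org"]
    owner_view = derive_all(master, sites)
    # An attacker with the master secret and the algorithm needs no vault file at all.
    attacker_view = derive_all(master, sites)
    return {
        "reproducible": owner_view == attacker_view,
        "per_site_unique": len(set(owner_view.values())) == len(sites),
        # Rotating one site's password means bumping its counter, which you then
        # have to remember somewhere, so "nothing stored" is not quite true.
        "rotated_differs": derive_password(master, sites[0], counter=1) != owner_view[sites[0]],
    }


if __name__ == "__main__":
    for site, pw in derive_all("correct horse battery staple", ["mail.example.com"]).items():
        print(site, pw)
    print(run_demo())
```

Two things follow from the code. First, the master secret plus the algorithm is the whole secret, exactly as with a vault's master password; a keylogged or guessed master exposes every site either way. Second, a generated scheme has no room for per-site state without storing it: changing one site's password requires a counter (or a changed site string) that you must record, and changing the master changes every password at once.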
I recently learned about a DuckDuckGo.com service for email that promises to strip trackers that are invisible in the email body before the email is delivered to your email mailbox.
It seems like a legitimate layer of security which could prevent hacking too. Using this “alias” allows you to insulate your destination email address from anyone you do not fully trust. It also offers the use of disposable addresses.
I’d love to hear what you think of this DuckDuckGo.com service. Legitimate claims or false hope.