Your email account is valuable and can be a gateway to others.
Maybe.
And that should worry you.
No. Let me say that differently. It shouldn’t worry you; it should strengthen your resolve to properly secure all your accounts.
Getting into other accounts
If a hacker gains access to the account you use as a recovery account elsewhere, they can use the “forgot password” system to change passwords and gain access to those other accounts as well. Setting account recovery information is critical, so it’s important that the account used for recovery is appropriately secured.
Getting into your Gmail account
All accounts are under more-or-less constant attack via various mechanisms. Gmail accounts, because of their popularity, are a common target.
If one of those methods succeeds — say you fell victim to a phishing attack and entered your credentials on what turns out to be a fake, hacker-controlled website — then you’ve handed over your username and password to someone who can then sign into your account.
With Gmail, of course, it’s not really a Gmail-only account; they now have access to all the Google services you use. They have access to your Google account.
But they can often leverage this as a foot in the door to hack into some of your other accounts as well.
Password reuse
I wasn’t going to mention this, but so many people do it that it’s worth emphasizing.
If a hacker learns your Gmail password — or any of your passwords — and you use that same password with other accounts, then yes, hackers are likely to eventually gain access to those accounts as well.
Don’t do that. Never re-use passwords.
Getting into more
It’s not uncommon to have one email account — often the account you use daily — as the backup or “alternate email address” for many of your other accounts. That’s called a recovery account because if you lose access to your account, the service may send a temporary password to that recovery account. If either account is hacked, you need to take action quickly.
The issue is pretty simple:
- The hacker can see from the email in your account what other services you use.
- They can then visit those services and perform a “forgot password” account recovery, specifying the Gmail account as the recovery address.
- With access to your Gmail account, they can reset the password on these other accounts and hack in.
Your recovery account can act as a gateway to all the other accounts associated with it.
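The chain described above, plus the password-reuse point from earlier, can be modelled as a small graph: one compromised account exposes every account that lists it as a recovery address or shares its password, and those accounts expose more in turn. This is an added illustration, not code from the article; every account, password id and link in it is constructed, and it makes the simplifying assumption that two-factor authentication blocks both the reset path and the reused-password path into an account.

```python
"""Blast radius of one compromised account (added example, constructed data)."""
from collections import deque

# Constructed sample: account -> (recovery account or None, password id, 2FA on?)
ACCOUNTS = {
    "gmail":    (None,       "pw-A", False),
    "bank":     ("gmail",    "pw-B", False),
    "shopping": ("gmail",    "pw-A", False),  # reuses the Gmail password
    "social":   ("shopping", "pw-C", False),  # recovers via the shopping account
    "work":     ("gmail",    "pw-D", True),   # protected by 2FA
}


def exposed_accounts(accounts, compromised):
    """Return the set of accounts reachable from `compromised`.

    Two links are followed, matching the article: the compromised account is
    another account's recovery address (a "forgot password" reset lands in the
    attacker's inbox), or another account reuses the same password. An account
    with 2FA enabled is treated as unreachable by either path (model assumption).
    """
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        _, current_pw, _ = accounts[current]
        for name, (recovery, pw, has_2fa) in accounts.items():
            if name in reached or has_2fa:
                continue
            if recovery == current or pw == current_pw:
                reached.add(name)
                queue.append(name)   # keep walking from the newly exposed account
    return reached - {compromised}


def with_2fa(accounts, *names):
    """Copy of `accounts` with 2FA switched on for the named accounts."""
    return {n: (r, p, on or n in names) for n, (r, p, on) in accounts.items()}


if __name__ == "__main__":
    print("Gmail compromised:", sorted(exposed_accounts(ACCOUNTS, "gmail")))
    print("Shopping compromised (reused password):",
          sorted(exposed_accounts(ACCOUNTS, "shopping")))
    print("Gmail compromised, 2FA on shopping:",
          sorted(exposed_accounts(with_2fa(ACCOUNTS, "shopping"), "gmail")))
```

Note that compromising the low-value shopping account still reaches Gmail through the reused password, and from there the bank; turning on 2FA for a single intermediate account cuts off everything that recovered through it.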
Do this
It’s critical that you still set up alternate or recovery accounts whenever possible.
But it’s also critical that whatever account you use be properly secured.
- That account needs its recovery information set up properly and kept up to date.
- Enable two-factor authentication on any account you’re using as the recovery account for others to make it more secure.
Your recovery account might be the most important account you have. Secure it properly.
I have an authenticator installed on my computer. I use it for a couple of sites, but Gmail doesn't have an option to use it.
Which authenticator?
Dude! Google has its own Authenticator!
So, naturally, Gmail does have an option for using it.
“The hacker can see from the email in your account what other services you use.” Yes, and additionally, they might try your email address to log into popular websites such as social media and e-commerce accounts.
Just to your comment, Mark. I agree.
Also, I really dislike that some sites use your email address instead of a user name that you get to choose.
To me, keeping both user name and password different on all your accounts is doubly helpful against hackers, and a user name should not show on emails.
Having said that, we can never really relax, can we?
It says Chrome Authenticator, but I don't see a way to use it on Gmail.
https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai
Go into your Google Account security settings and set up two-factor authentication, choosing the authenticator as your method. The authenticator you’ve linked to above is unknown to me, and NOT from Google. I recommend you use the official authenticator from Google, or the Authy authenticator. There are some worthwhile third-party tools, but the one you link to is unknown to me, and I would not use it myself.
The authenticator I linked to was the one that Facebook foisted on me to “protect my account”. Users had no choice but to add it. It produces a code users have to enter in order to sign in.