There was an interesting article recently in The New York Times about getting locked out of a Gmail account. In August, blogger Alan Shimel of StillSecure wrote about his problems regaining access to a Yahoo email account. Suffice it to say that if someone learns your Webmail password, it's a very difficult situation, and one that may not end well.

For one thing, the Webmail provider may not know enough about you to determine the true account owner. Worse still, anyone using a free Webmail account from Google (Gmail), Yahoo or Microsoft (Hotmail) can't expect to talk to a human being to resolve a problem with their account. Talking to a person at Google requires a subscription to Google Apps Premier Edition for $50/year. Microsoft and Yahoo similarly offer telephone support only to "premium" customers.

If you care about a Webmail account, then some homework may be in order.

Alternate Email Address

One thing Webmail users should have associated with their account is an alternate email address. This is typically optional, but can be critical should you get locked out. I think you're safer not using an address from the same provider as your alternate. That is, don't provide a Gmail email address as the alternate for a Gmail account. Too many eggs in one basket.

If you're like me, with no recollection or notes about the alternate email address associated with your Webmail account, here's how to check (after first logging in to your account):

Gmail: Click on the "Settings" link in the top right corner, then go to the "Accounts" tab and click on the link in the "Google Account settings" section.

Classic Hotmail: Click on "options" in the top right corner, then "View and Edit your personal information". Your alternate e-mail address is displayed along with a link to change it.

Classic Yahoo: Click on "Options" in the top right corner, then "Mail Options", then (on the left) click on "Account Information" and re-enter your password.
Yahoo will then display "Alternate Email 1" and "Alternate Email 2". Yahoo supports two alternate email addresses, a great safety net, since our email providers change over time.

Secure Connections

Gmail, Hotmail and Yahoo mail all offer secure connections when you initially log on and enter your password. Hotmail and Yahoo then switch back to unsecured HTTP connections. Gmail offers an option to always use a secure HTTPS connection, even when reading and writing email. Highly recommended.

To enable this feature, Gmail users should click on "Settings" in the top right corner, then on the default "General" tab, scroll to the bottom of the page and turn on the radio button to "Always use https".

Truthiness

Webmail may be one of those places where little white lies are acceptable. The Governor of Alaska, who recently had her Yahoo email exposed to the world, set herself up for failure by truthfully answering some questions.

Every Webmail system asks for personal information as a means of identification should you lose your password. The problem is that this personal information can also be used by a bad guy to learn your password.

Yahoo and Hotmail limit their secret questions to a handful of pre-selected questions. The straw that broke the camel's back for the Governor of Alaska was the question of where she met her spouse. Being a public figure, it didn't take much guessing for someone to correctly answer this question and fool Yahoo into thinking they were the Governor. There were some other canned questions too, but they were also easy to answer using public information.

Public figure or not, there is no reason to answer Webmail security questions truthfully. After all, who are you really lying to? A potential bad guy trying to learn your password. So, when asked the name of your favorite teacher, feel free to respond "xyz" or with any random word or sentence that no one will guess. Then, of course, write it down in a safe place.
The price for making up random answers is the burden of recovery. This is the eternal relationship between security and convenience. More security always entails less convenience.

Gmail is the most flexible of the major providers. They let you choose your own secret question, thus giving you a fighting chance of picking a question that no one else knows the answer to. Still, if you have a safe place for storing passwords, a totally random answer can't be guessed.

To review your security question in Gmail, click on the "Settings" link in the top right corner, then go to the "Accounts" tab and click on the "Google Account settings" link in the section of the same name. Finally, click on "Change security question". You will have to re-enter your Gmail password.

Users of the classic Hotmail system can review their security question by clicking on "options" in the top right corner, then clicking on "View and edit your personal information".

Yahoo email users may be in for a surprise. Simply knowing your password is not sufficient to view, let alone change, your security question. As described in "How do I update my secret question?", Yahoo requires you to "verify the Answer to your current Secret Question in order to update it." I'm screwed.

Does Someone Already Know Your Password?

If someone learned your Webmail password, would you know? It's one thing to have your email read, but another to have it read over and over, day after day, by someone who knows your password and is smart enough not to tip their hand by changing it.

Potentially, there is much that Webmail providers can do to let account owners know that someone else is logging into their account when they're asleep. As far as I can tell, Hotmail and Yahoo mail do absolutely nothing in this regard. Gmail, however, offers an audit trail, if you know where to look.

When Gmail users first log in, they should scroll down to the bottom of the initial page and look for a message such as:
Last account activity: 22 hours ago at IP 66.88.111.222. Details

If you didn't last log in to your Gmail account when the message indicates, then someone knows your password. IP addresses can be linked to both an ISP and a country for sure, and maybe even to a city within the country. For more on this see my earlier posting "What does your IP address say about you?"

Clicking on the "Details" link offers a longer history of Gmail account activity and an indication of whether the account is currently logged on at another computer. Letting one person log in to a Gmail account simultaneously from two different computers strikes me as a design mistake. But given that design, Gmail users can log off other computers that are currently logged into the same account. Needless to say, this too can alert you that someone knows your password.

Information about the most recent Gmail account activity is presented on the bottom of every Gmail web page. For more, see "Last account activity" in the Gmail Help.

Test Password Recovery

Anyone involved in backing up computer files knows the importance of testing the recovery process, and the same applies with Webmail. The best way to ensure that you can recover or reset your password is to try it.

Yahoo password recovery (thanks to the Governor of Alaska, it's now the infamous Yahoo password recovery) starts out by asking for your birthday, country of residence and postal code. Without this gatekeeper information, knowing the secret question is useless. Even something as simple as your postal code needs to be saved rather than remembered because, as Yahoo points out, it may be from your home, your office or a prior residence or prior work location.

Hotmail password recovery starts with the option to either "Use my location information and secret answer to verify my identity" or to "Send password reset instructions to me in e-mail". If you go the first route and answer the questions correctly, you get to choose a new password.
The location information is the same as Yahoo's - country, state and zip code. If you go the second route, an email message is sent to the alternate email account with two links, one for confirming the request and resetting the password and another for doing nothing.

Gmail error handling isn't limited to just password recovery; they deal with a whole host of problems accessing your account including:

If you forget a Gmail password, you're taken here where, as with the other two systems, you enter the userid and get through a captcha. At this point there are no options; Google sends an email to the alternate email address. They don't tell you the alternate email address (Hotmail, in contrast, does), but they do report the domain name. If you no longer have access to the alternate email address, Google advises you to "... try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account."

Copyright ©2008 CNET Networks, Inc., a CBS Company.


10/09/2008