Password strength and account recovery options

Posted by Macduff Hughes, Engineering Director

There's been some discussion today about the security of online accounts, so we wanted to share our perspective. These are topics that we take very seriously because we know how important they are to our users. We run our own business on Google Apps, and we're highly invested in providing a high level of security in our products. While we can't discuss individual user or customer cases, we thought we'd try to clear up any confusion by taking some time to explain how account recovery works with various types of Google accounts and by revisiting some tips on how users can help keep their account data secure.

One of the more common requests for assistance that we receive from regular Gmail users is to help them regain access to their accounts after they have misplaced or forgotten their password. We know that it can be frustrating when you can't access your account, and we've worked hard to come up with a system designed to help our users regain access to their accounts as smoothly as possible while taking appropriate precautions to protect their account security. When you select a password as you create an account, we recommend that you also choose a security question and provide a secondary email address. Recently, we also added a field where you can input a mobile phone number to assist with later account recovery. We regularly provide tips about how you can choose good passwords and security questions, and we also share our best ideas for what to do when you can't access your account. It's important to keep your password, security question, and secondary email address up to date. It's not enough to just tell us your email address to try to change your password. The security question helps us identify you, but if you want to initiate a password reset, we'll only send that information to the secondary address or the mobile phone number you provide.

We handle password recovery differently for our Google Apps customers. There is no password recovery process for individual Google Apps users. Instead, users must communicate directly with their domain administrator to initiate password changes on their individual accounts. Earlier this year we added new password security tools for Google Apps that allow administrators to set password length requirements and view password strength indicators to identify sufficiently long passwords that may still not be strong enough. For businesses that desire additional authentication security, since 2006 we have supported SAML Single Sign On, a protocol that allows organizations to use two factor authentication solutions such as certificates, smartcards, biometrics, one time password devices, and other stronger tokens.

If you're a regular Gmail user and you haven't updated your account information in a while, we recommend you do so by visiting your Google Account settings page now.