Google ‘security hold’ can be hard to take
If you forget your password, manage it or write it down
Forgetting any important account password can induce instant anxiety. But when it’s your Google account – and Google then says it won’t let you back in for, maybe, three to five days – you could have a formula for existential dread.
And until July 19, Google didn’t document that “security hold” phase in its account-recovery process. Users stuck in this password purgatory could only compare notes on its techsupport forums – something they’ve been doing since at least March 2018.
Google posted a tech-support note explaining security holds on July 19, after two days of USA TODAY inquiries had yielded only generic responses pointing to older support articles with basic account-recovery instructions and supplemental tips, neither of which described a security hold.
This new note, however, still leaves much to the imagination. Calling a security hold “a delay between when a request to recover your account is made and when the account recovery claim is processed,” that article says this can happen if Google sees “something unusual about your recovery request.”
A conversation with the Google user whose travails set off this inquiry, novelist Linnea Hartsuyker, did not reveal many more clues. She reported that after forgetting the password a few weeks after having changed it, Google texted a confirmation code to her phone – but after she provided that, Google then asked her to answer a round of security questions.
She correctly fielded all but the one asking the month and year she opened her account. Google then rejected an attempt to reset the password using the recovery e-mail address she’d designated, finally reporting that her account had “been placed into a security hold,” with a potential resolution in three to five days.
Hartsuyker was, however, still able to use Gmail on an older computer, allowing her to set it to forward messages to an alternate email account.
“It was strange that even when my account went on a 3-5 day security hold, Google did not force log me out of all my sign-ins,” she wrote in an email. “I’m glad they didn’t, but it does make me wonder how secure that security hold is.”
Google restored Hartsuyker’s account access about eight hours after I provided her username to a company publicist, so it’s possible that USA TODAY’s thumb on the scale resolved things instead of whatever Google was doing inside this security hold.
But a few things do seem clear:
❚ Do not leave your Google password stored only in your memory.
If your browser’s password manager won’t save it (as was the case with Hartsuyker), at least write it down on a slip of paper and store that somewhere safe at home.
❚ You’re better off using a password-manager service to store all your passwords securely. LastPass’s free service should suffice for most people, although if you use only Apple devices, its free iCloud Keychain also works well.
❚ After making sure you have a current recovery email and phone number saved in your Google account, further secure your account with Google’s Authenticator app, which will let you confirm it with a number generated by that smartphone app.
This step also will have you print out recovery codes to employ if you lose your phone.
❚ Better yet, spend $10 or so on a USB security key that you can associate with your account and others, then stash in a drawer and have it keep working even if your recovery phone number and email change.
“It was strange that even when my account went on a 3-5 day security hold, Google did not force log me out of all my sign-ins.” Linnea Hartsuyker