Friday, June 19, 2009

Blogger Accounts, And Non Existent Email Addresses

Most web services, when you set up a new account, require you to provide an existing email address, for backdoor access.

After you finish providing all of your personal details, and hit "Create my account" or whatever, you'll then see
"Check your email now, and reply to the message from us, so we can activate your account!"
You open your email, reply to the message or click on a link in the email, and you then see
"Congratulations, and welcome to our service!"

By verifying your email address, you're ensuring that, one day when you forget your password, you simply click on a link "I forgot my password!", and they email you a hint, or maybe let you reset the password from a link in the email. Since you verified the email address originally, you know that you will be getting the "forgot password" email in your inbox.

Blogger and Google simplify the account setup process.

If you have a GMail account, you simply sign in to any Google service using your GMail account and password - no verifying account name or password. Google lets you use your GMail account name to use any Google product.

If you don't want to use a GMail account, you can use any email address you wish as an account name - just enter the email address and a password, and you're good to go.

This makes setting up a Blogger account simple. Enter an existing email address which is yours, and you're good to go. With an account not based on GMail, there's no verification that the email address entered actually is yours, and that is a major problem.

So, I'll set up an account based on "nitecruzr@ficticious-domain.com".

And now, I have a Blogger account!

There are several problems here.
  • Without these pictures, I have no record of the email address I just used. Here, I used "nitecruzr@ficticious-domain.com". What would happen if I had entered "niitecruzr@ficticious-domain.com" or "nitecruzr@ficticiousdomain.com"?
  • If somebody else has actually registered "nitecruzr@ficticious-domain.com" with the owners of "ficticious-domain.com", they'll never be able to use that address as a Google account, since I just used it.
  • One day, when I forget my password, I'll be unable to get it reset, since I don't actually own the email address "nitecruzr@ficticious-domain.com".


The latter problem is especially relevant to someone who has forgotten the account name or password of the account. The email address provides an essential backdoor access to the account. People who made mistakes entering the email address learn of their mistake when they try to use the backdoor, and it doesn't work.
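The verify-before-activate flow described at the top of this post, and how it avoids the problems listed above, as an added example (not Blogger's or Google's code). `SignupRegistry`, `TOKEN_TTL` and the method names are hypothetical, and the password hash is treated as an opaque value.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window for the emailed link, in seconds


class SignupRegistry:
    """Holds sign-ups as pending until the emailed token is presented."""

    def __init__(self):
        self.pending = {}  # email -> (token_sha256, expires_at, password_hash)
        self.active = {}   # email -> password_hash

    def sign_up(self, email, password_hash, now=None):
        """Record a pending sign-up; return the token that would be emailed."""
        now = time.time() if now is None else now
        email = email.strip().lower()  # normalised for this demo
        if email in self.active:
            raise ValueError("address already belongs to a verified account")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A later sign-up replaces an unverified one, so a typo or a squatter
        # cannot reserve an address whose mailbox they cannot read.
        self.pending[email] = (digest, now + TOKEN_TTL, password_hash)
        return token

    def confirm(self, email, token, now=None):
        """Activate the account only if the token matches and has not expired."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at, password_hash = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > expires_at or not hmac.compare_digest(digest, presented):
            return False
        self.active[email] = password_hash
        del self.pending[email]
        return True

    def can_reset_password(self, email):
        """Recovery mail is only sent to addresses proven reachable."""
        return email.strip().lower() in self.active
```

Only the server-side digest of the token is stored, so a leaked pending table does not hand out working activation links.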

Even if I assign myself a Google account that's based upon a non GMail email account that I do own, there will be several challenges.
  • For your convenience, Google will allow you to change an account name from a non GMail address to a GMail address. If you have a GMail based Google account, the account name is unchangeable.
  • If you change the password on the non GMail email account, don't expect the password on the Google account to change automatically.
  • If you forget the password, and have the non GMail email account reset (by whatever backdoor is provided by the non GMail account provider), you'll next have to reset the password on the Google account, using the non GMail email account - if you wish for both passwords to remain synchronised.
  • An account based upon GMail can be entered, when you authenticate, as just the account name. If I enter "myname" when logging in to Blogger, GMail, or Google in general, Google interprets this as the Google account "myname@gmail.com". A non GMail account name, on the other hand, must be entered in its entirety, for instance "myname@mynongmail.com". If you are accustomed to entering "myname" when logging in to the "mynongmail.com" account, this may be confusing.


(Update 2009/10/13): Under the theory that once is never enough, I repeated this exercise. And after additional musings, discovered more consequences.


1 comment:

Kyle and Svet Keeton said...

But if you forgot your gmail password you would lose all together gmail and your blogs... :(

One of my readers has such a problem!

Yes, you are right: it would be much better if they verified the address first!

Svet and Kyle