I Just Forgot my Email Password that I Created/Changed Today

[kyphysics]

I suck. I NEVER write down my email passwords for fear of them getting stolen.

I created a new password for one of my email accounts today. Already, I've forgotten it. I know very generally what it's "like," but cannot nail down the letters. Worse is that I didn't enter a recovery method (e.g., phone number) for this account.

Has this happened to you before? It's happened to me at least 5 times in the past 10 years.

 

[FactChecker]

Five times in 10 years! If I were you, I would rethink your policy and at least have a recovery method.

 

[Wrichik Basu]

Has this happened to you before?

Yes, but not at the rate you mentioned. Basically all of my email passwords are saved in Chrome. I can't remember them, simply because they are a combination of random letters, numbers and special characters, and quite long. I don't care if they are stolen because I have two-step verification enabled in all of my accounts.

 

[sysprog]

I suck. I NEVER write down my email passwords for fear of them getting stolen.

I created a new password for one of my email accounts today. Already, I've forgotten it. I know very generally what it's "like," but cannot nail down the letters. Worse is that I didn't enter a recovery method (e.g., phone number) for this account.

Has this happened to you before? It's happened to me at least 5 times in the past 10 years.

Do you want to recover the email account? If you do, please ask us about that, instead of just asking whether it's happened to us before. What did you do when this happened before? Have you contacted a live human being who works in a technical or clerical capacity for the email provider ?

 

[anorlunda]

It is highly personal. Some people have no trouble remembering, others do.

I'm the admin for several web sites. I get notifications whenever someone asks for a password reset. I see that some people forget their passwords 100% of the time, but most people don't forget. That doesn't mean that they use good passwords. I just read yesterday that researchers found 475 million people using 123456.

If memory is your problem, I recommend a password manager program. They offer many benefits.

By the way, IMO the best protection is to change all your passwords on all sites every 30 days. That way, even if your password is stolen or hacked, the risk expires within 30 days. But that makes it even harder to remember, so a password manager is more necessary.

 

[Mark44]

I NEVER write down my email passwords for fear of them getting stolen.

I have about 50 different accounts that require passwords, way too many to rely on memory alone. Several of them require me to make new passwords periodically. To help me keep them straight, I have them all listed on an Excel spreadsheet, which I save to a couple zip drives, and also print out.
When I add new accounts, I update the spreadsheet and print out a new paper copy.

If you've forgotten 5 passwords in the past 10 years, and have forgotten one you created yesterday, I'd say it's time to consider doing something different.

 

[kyphysics]

Yes, but not at the rate you mentioned. Basically all of my email passwords are saved in Chrome. I can't remember them, simply because they are a combination of random letters, numbers and special characters, and quite long. I don't care if they are stolen because I have two-step verification enabled in all of my accounts.

I don't think my rate is that high, given so many accounts. I'm including:

Facebook
Gmail (I have ...seven accounts, I think)
10 different forums (some academic, some hobby, some religious, etc.)
Hotmail
Yahoo Mail
alumni mail
work email
Amazon
Target
Walmart . . . .

The list goes on...I probably have 50 active accounts - many being unimportant and where I also don't care as much if stuff gets stolen in them. There was only ONE that hurt me a great deal. It was an old college email account. I saved lots of interesting emails in there that I'd like access to, but I'll never see again now.

But, yeah, 5 accounts ...out of 100's? ...over 10 years isn't as bad as it might first sound. What WAS extremely bad was forgetting it literally 12 hours later.

On a positive note: I worked through maybe 75 or so variations and FINALLY figured out my password!

 

[Vanadium 50]

I have them all listed on an Excel spreadsheet

Password protected, I hope.

Strong passwords in an encrypted file with an innocuous name is probably good enough to stop random criminals, even if they steal your PC.

 

[Evo]

I don't think my rate is that high, given so many accounts. I'm including:

Facebook
Gmail (I have ...seven accounts, I think)
10 different forums (some academic, some hobby, some religious, etc.)
Hotmail
Yahoo Mail
alumni mail
work email
Amazon
Target
Walmart . . . .

The list goes on...I probably have 50 active accounts - many being unimportant and where I also don't care as much if stuff gets stolen in them. There was only ONE that hurt me a great deal. It was an old college email account. I saved lots of interesting emails in there that I'd like access to, but I'll never see again now.

But, yeah, 5 accounts ...out of 100's? ...over 10 years isn't as bad as it might first sound. What WAS extremely bad was forgetting it literally 12 hours later.

On a positive note: I worked through maybe 75 or so variations and FINALLY figured out my password!

You didn't have the possibility to go to your account section and request a new password/reset password?

 

[sysprog]

There was only ONE that hurt me a great deal. It was an old college email account. I saved lots of interesting emails in there that I'd like access to, but I'll never see again now.

Assuming that you remember the email address, you could try sending a test email to it, and see whether it gets flagged as undeliverable. If it doesn't, then you should be able to go through the 'forgot password' protocol to recover the account. Otherwise, whether the old emails can be recovered will depend on the relevant archival and retention policies and practices. You could contact a technical support person at the college to find out about that.

 

[epenguin]

Glad this came up as I had been wondering where best to ask about this: is it only me or only my mostly UK web frequentation or has there been a general and accelerating security tightening up in the last month or two?

Which is obviously a Good Thing, except for some slight disadvantages like not being able to get into or operate your own bank accounts.

Other at least irritating things noticed have been:

I am every few days asked for the password to my e-Mail account. I have had this account for 15+ years and was never asked for it before two or three weeks ago, but now am asked frequently;

I am almost every day asked whether I am human. However this may beep I am sure it has not changed recently but I have to do a captcha and recognise a bus or traffic lights etc. in a small fuzzy picture. More recently it asks but then just takes my word for it without these visual tests. It says it has noticed unusual traffic. I don't know what this could be, but then a click leads to the explanation of someone or something extraneous something something my IP address. I find that weird, shouldn't I? because I am using mostly a VPN so my visible IP address is usually recently changed is that right?

OTPs are coming in quite a lot. OK security, but they slow you down. And mean you are dependent on TWO devices working, not one. There is one execrable new bank one that depends on voice recognition and doesn't recognise my voice!

Positive are a number of accounts that now work with fingerprint recognition freeing me from the nightmare of passwords. But in the back of my mind is, this works as long as it works... but the day it doesn't...

 

[kyphysics]

Assuming that you remember the email address, you could try sending a test email to it, and see whether it gets flagged as undeliverable. If it doesn't, then you should be able to go through the 'forgot password' protocol to recover the account. Otherwise, whether the old emails can be recovered will depend on the relevant archival and retention policies and practices. You could contact a technical support person at the college to find out about that.

It was a Hotmail account I used for college purposes. I've tried their recovery process, but cannot get through. Like many email recovery processes, you had to enter in a bunch of stuff accurately:

-folders
-recent emails (addresses sent from/to and/or subject title lines
-dates (when the account was created)
-contacts

I was able to recall some, but not all of the info. That's often been the case with other locked out email accounts too. I just have too many. I don't always remember all the little details of each one. But, to recover, you have to get all the questions right.

 

[kyphysics]

You didn't have the possibility to go to your account section and request a new password/reset password?

You can, but you have to verify your account first. I cannot get through the security/recover questions.

In writing this thread/post, I realize I just need to use recovery methods. E.g., phone number.

I was trying to be superman and remember everything over the years, but also didn't want to write down my stuff or use recovery methods. I had paranoid reasons for that (some good, some unreasonable), but realize now that it's not worth it.

 

[sysprog]

It was a Hotmail account I used for college purposes. I've tried their recovery process, but cannot get through. Like many email recovery processes, you had to enter in a bunch of stuff accurately:

-folders
-recent emails (addresses sent from/to and/or subject title lines
-dates (when the account was created)
-contacts

I was able to recall some, but not all of the info. That's often been the case with other locked out email accounts too. I just have too many. I don't always remember all the little details of each one. But, to recover, you have to get all the questions right.

The fact that the questions are posed to you is a strong indication that your account is still there, wherefore it's probable that some or all of your old emails are still there$-$ when you have enough time, you might try contacting MS Hotmail technical support $-$ I think that if you can prove to them that you're really you, then you'll have pretty good prospects of getting your account and its emails back.

 

[Wrichik Basu]

because I am using mostly a VPN so my visible IP address is usually recently changed is that right?

That could exactly be the reason why you are seeing those captchas asking you to verify that you are a human being. When you are using a VPN, it hides your IP address and gives you the IP of one of the many servers hosted by the VPN company. And you are not being given a unique address — many other users are being given the same IP. That is why the websites are seeing unusually high traffic from that particular IP address and suspecting that a bot is using it.

Opera browser has a similar VPN, and it also allows you to set your location to different parts of the world. When I used that some months back and set my location to the Asia, Google said that there is unusual traffic from that IP and asked me to verify whether I am a human. You are facing pretty much the same.

Positive are a number of accounts that now work with fingerprint recognition freeing me from the nightmare of passwords. But in the back of my mind is, this works as long as it works... but the day it doesn't...

My laptop has a fingerprint sensor, but truth be told, I have never been able to use it properly. I set up a fingerprint for Windows, and the next time I wanted to log in, it was not recognizing the fingerprint. Maybe I was putting my finger at a different angle. Anyway, I am okay with a password and removed the fingerprint.

 

[epenguin]

That could exactly be the reason why you are seeing those captchas asking you to verify that you are a human being. When you are using a VPN, it hides your IP address and gives you the IP of one of the many servers hosted by the VPN company. And you are not being given a unique address — many other users are being given the same IP. That is why the websites are seeing unusually high traffic from that particular IP address and suspecting that a bot is using it.

Opera browser has a similar VPN, and it also allows you to set your location to different parts of the world. When I used that some months back and set my location to the Asia, Google said that there is unusual traffic from that IP and asked me to verify whether I am a human. You are facing pretty much the same.


My laptop has a fingerprint sensor, but truth be told, I have never been able to use it properly. I set up a fingerprint for Windows, and the next time I wanted to log in, it was not recognizing the fingerprint. Maybe I was putting my finger at a different angle. Anyway, I am okay with a password and removed the fingerprint.

That explains it, thank you, and is reassuring. It seems to me this has been a lot increasing. May have to do with at first I was choosing which server to connect to and more lately letting it happen automatically, I will experiment a bit.

I am almost chuffed something works for me and not for everyone as usually it is the other way round. Are you sure you are using the same finger you set it up with? I remember mine was done in the shop where I bought my I pad and I think it involved putting the finger in various positions. If this is Apple there is something about that here https://support.apple.com/en-gb/HT201371
Also if you can take it into an Apple shop they might help you do it. I am finding it invaluabl, e,g, there are a couple of accounts where for various reasons it is better I check often, which I would do less often if it were a tedious password procedur.

 

[fluidistic]

By the way, IMO the best protection is to change all your passwords on all sites every 30 days. That way, even if your password is stolen or hacked, the risk expires within 30 days. But that makes it even harder to remember, so a password manager is more necessary.

Just so everyone knows, this is not a recommended practice anymore: https://security.stackexchange.com/questions/186780/how-often-should-i-change-my-passwords.
Personally I would use gigantic/almost impossible passwords to crack generated and stored by an open source password manager. My time is more precious doing other things than changing such passwords, as they'd never get cracked by any known algorithm on any existing hardware.

 

[sysprog]

[I've never been an Apple guy; however, I gratefully acknowledge that the Apple Store people were very gracious and courteous to me when I wanted to resolve a technical problem, and they allowed me to make gentle use of their equipment, even though I told them in advance that the technical problem had nothing to do with any Apple equipment.]

they'd never get cracked by any known algorithm on any existing hardware.

I think that modern encryption is not likely to be breakable, by other than giant organizations, but please don't be too sure that the NSA can't decrypt whatever they want to.

 

[Frodo]

Just do a web search for password manager - you will find lots for PCs and mobile phones including those which synch between devices.

I have hundreds of passwords all of the form "*J&r8rH%35Cti\5YwNxA" stored in a password manager and I don't have to remember any of them. When I go to a website I activate the password manager, give it my master password and it types in the username and password for me.

I don't use the password manager in a browser. My password manager issues virtual keystrokes so no website knows that I use a password manager - it thinks I type in my password.

 

[Vanadium 50]

I think that modern encryption is not likely to be breakable, by other than giant organizations, but please don't be too sure that the NSA can't decrypt whatever they want to.

I have my Quicken data encrypted. Is it to keep the NSA out? Nope. If the US government wants to know my financial transactions, they can subpoena my bank. I'm more worried that my laptop will get stolen, the criminals get my financial information, and then go on an identity-theft-fueled spree. It is more effective for me to take steps to reduce the likelihood that the laptop will be stolen than to strengthen the encryption.

 

[Wrichik Basu]

Are you sure you are using the same finger you set it up with?

Yes, I am pretty sure. The problem is that once Windows denies the fingerprint during sign in, it seems it will continue to do so every time from then on unless I manually deleted the biometric file, and added my fingerprint again. It would go smoothly again for a few days, and then again start denying the fingerprint. Maybe a Windows issue, but I found it irritating to re-enroll the fingerprint every week. Besides, my laptop stays at home most of the time (actually about 100% of the time), so I don't have a problem if I keep it unlocked.

 

[Frodo]

I'm more worried that my laptop will get stolen, the criminals get my financial information, and then go on an identity-theft-fueled spree. It is more effective for me to take steps to reduce the likelihood that the laptop will be stolen than to strengthen the encryption.

My phone and my tablet were stolen while I was on holiday abroad and my password managers were on both.

I did a quick estimate that it would take thousand and thousands of years for a hacker to work out my master password as I have configured the password manager to perform many millions of hashes of the master password so only one attempt can be made per second.

I relaxed and waited till I got home before changing my passwords.

 

[sysprog]

My phone and my tablet were stolen while I was on holiday abroad and my password managers were on both.

I did a quick estimate that it would take thousand and thousands of years for a hacker to work out my master password as I have configured the password manager to perform many millions of hashes of the master password so only one attempt can be made per second.

I relaxed and waited till I got home before changing my passwords.

I'm sorry that your machines were stolen, and I think that it's extremely unlikely that any illicit recipient could pose a serious risk of getting past a robust password protection system; however, an adversary wouldn't necessarily have to mimic your many millions of hashings to get your password.

 

[Frodo]

an adversary wouldn't necessarily have to mimic your many millions of hashings to get your password.

Oh yes he would!

When I enter the master password into my password manager the password manager hashes the password I type millions and millions of times, taking about one second on a PC. The password manager then uses the final hash to do the decryption and open the password manager.

So, any hacker has to wait one second after each guess to see if the guess is correct. That means only 86,000 attempts per CPU per 24 hours. My master password has well over 10^20 combinations so they are not going to get far.

 

[Vanadium 50]

I think sysprog's point is that other exploits might work better than brute force. Tricking you into installing a keylogger, for example. Or tricking you into installing a program that scans memory looking for an unencrypted password. Or kidnapping your family and making you give them the master password.

If brute force attacks have a probability of 10^-15 of succeeding, bad actors are going to try things that are more likely than 10^-15.

 

[berkeman]

My master password has well over 10^20 combinations so they are not going to get far.

You probably should not be posting that number on a public forum...

 

[Vanadium 50]

It is common that passwords are required to have at least one uppercase letter, one lower case letter, one numeral and one special character. 40% of all such passwords are one upper case letter, five lower case letters, one numeral and an exclamation point. That is only as secure as a well-crafted 6 character password.

 

[MikeeMiracle]

I can't recommend a password manager enough here, preferably with it's data backed up to a cloud storage provider that way you can never lose your data. Make the password to that password manager super strong and then your fine. My password to my password manager / computer is 30 characters long. When I created it I wrote it down on a piece of paper in my wallet. After having to enter it 2/3 times a day for 3 months you WILL rememeber it off by heart and can throw away that piece of paper. Also don't use your big name cloud providers like Dropbox, Google Drive etc. Use one which the owners can't get to your data. For example my cloud provider does end point encryption. The encryption/decryption takes place on my computer and only encrypted data is sent to the provider and back. The provider can see the 1's and 0's if you like of my data and how much space they are taking up but has no means of decrypting it even if the security services come knocking.

 

[Keith_McClary]

Basically all of my email passwords are saved in Chrome.

What if your hard drive crashes?

 

[sysprog]

What if your hard drive crashes?

If you let a major browser such as Chrome of Firefox save your passwords, they are stored on servers $-$ you can retrieve them on a different machine.

 

[dlgoff]

To help me keep them straight, I have them all listed on an Excel spreadsheet, ...

Same for me but with a word processor file.

 

[sysprog]

Same for me but with a word processor file.

Both of you guys (@Mark44 and @dlgoff) are better than I am about that.

 

[darth boozer]

I keep all my passwords written in a small book, which I keep in my pocket. The probability of the book being stolen is so small as to be insignificant, since any thief would be targeting my wallet and/or phone, rather than a book.

 

[sysprog]

I keep all my passwords written in a small book, which I keep in my pocket. The probability of the book being stolen is so small as to be insignificant, since any thief would be targeting my wallet and/or phone, rather than a book.

I think that you can't rightly be sure of that.

 

[Wrichik Basu]

I keep all my passwords written in a small book, which I keep in my pocket. The probability of the book being stolen is so small as to be insignificant, since any thief would be targeting my wallet and/or phone, rather than a book.

The thief will take anything he finds in your pocket. And if that is your notebook,...