I still think my idea of Google sending you a verification code to your phone, which you must then insert to change your password and recovery options, is the best. The positives of this are:
+ it's a natural extension of SMS verification codes already in place
+ this would be very easy to use
+ you can have confidence that if for some reason your account gets hacked, you can easily get it back
+ the likelihood that a hacker that got into your account also stole your cell phone is practically zero
+ it's optional, so if you don't like it, you don't have to use this extra line of security

The only negative I can think of is if you are dumb enough to make your Google Account phone number your Google Voice number instead of your REAL phone number (since a hacker would have access to your text messages).

On Jan 24, 4:01 am, Yuliy Pisetsky <[email protected]> wrote:
> This is continuing to move more off topic, but what's to stop someone
> from phishing for the secondary password?
>
> Imagine this: "To protect your account from suspected hacking
> attempts, we've locked your account. Please log in to the secure site
> at google-hackers.com and change your password"
>
> On Sun, Jan 24, 2010 at 1:46 AM, oba <[email protected]> wrote:
> > there should be a two tier password scheme, like what rapidshare.com
> > employs. one general password to access the mail and services, and
> > another (forced to be different from the general one), to change
> > preferences. this is the best compromise on user friendly/higher
> > security, in my opinion. in this way - when a hacker phishes for a
> > password, or cracks one - he cannot take control over the account, and
> > if he tries to crack the secondary password - Google can detect this.
