113 comments

[ 3.0 ms ] story [ 179 ms ] thread
I think there are two lessons:

1) Use Incognito when using other machines, or

2) Don't trust Google with precious things.

Use Incognito is definetely the way to go when you borrow someone else computer
I'm always paranoid that they'll have keyloggers/malware installed. I only log in to things from my phone, otherwise I don't log in.
Two factor authentication can easily solve that problem. I used to feel uneasy about logging in on other systems, but now I don't mind using incognito and google authenticator.
That's true, I have two-factor auth enabled, but I still don't like how other computers can easily steal my password. Besides, between my laptop and phone, I haven't had to log in on another computer in a long time.
My biggest concern is not that they will get your email credentials, but the fact that they may have your email and a password to start tinkering with on banking sites, social media, etc.
How does it solve anything when there's a checkbox right there to permanently authorize the computer to not need the second factor?
s/permanently/trust for 30 days/

Still not great, but it's not permanent.

You can also log out other sessions in google apps, not sure if that resets the dont-do-2factor-auth bit though.

You have to reenter the password in thirty days but you never need the second factor ever again (at least in some cases, which in security terms might as well be all cases). The important part is in fact permanent. I'm rather skeptical on the security offered.

Edit: I'm still looking for some kind of documentation for it, but I know this firsthand. I set up two factor authentication several months ago and chrome has not asked for anything other than the password since. I can even go into the two factor settings with only my password, which gives me complete control to make unlimited single-use codes, or authenticate a different phone, or turn the whole thing off.

There is no way for you to read the one time passwords. You can only disable them from dashboard or make new ones. The parent comment was about keyloggers, and the don't-require-two-factor-auth checkbox is for browser cookie session only. So there is no way for a keylogger to exploit the checkbox. The attacker can only know your email and password, not your browser's cookie data.
I was not talking about application-specific passwords. I was talking about the ability to make 'backup verification codes' which can be used anywhere a second factor is needed. Once they have your first login they have a permanent all-powerful backdoor to your account unless you go in and hit the button that resets all logins.

But more importantly, your threat model is rather urealistic. Why would you trust an infected and keylogged computer to not be able to steal something as unprotected as cookies? You're right that in some kind of situation with a 'pure' keylogger you're safe, but you could get the same level of safety by doing something silly like log in with an on-screen keyboard. I think such a narrow threat model is misleading.

Also, LOG OUT.
If you're using incognito mode, your session is gone when you close the window anyway.
3) Don't let friends log into your laptop on your account. That's why guest accounts exist.
I don't really understand how this process works. I use multiple accounts from the same machine every day. I'm usually signed into more than one at the same time. But there's no indication that the accounts have been "merged" to any degree, or there being a primary account.

Can someone shed some more light?

Same here. And I login regularly (with several of these accounts) in my girlfriend's laptop, in classes, etc.

I guess there's something more behind this story (probably PEBCAK).

The OP checked the "stay signed in" option when logging in to his or her Google account on another computer and all of the accounts that were logged in were listed in one menu. He thought Google had merged the accounts and ended up deleting his account.

The solution is simple, just click the sign out button and Google signs out all accounts that are configured to "stay signed in." Alternatively, he could have cleared his cookies or waited for them to expire.

Some people have been saying this is because of bad UX on Google's part. Google is kind of in a catch-22 situation here. They want to upgrade how multiple users check their Gmail on one browser but no one wants to learn how use their new system (I got frustrated when they introduced their new UI to compose emails and had to show a tutorial on how to use it.)

Here is a thought - why don't they use the email address and password to distinguish between users....
They do... The problem is a possibly confusing UI for multiple sign-ins (distinct email addresses and passwords). Most sites don't have this as a feature so there's not a standard UI for it [yet].
The "primary" will have a /u/0/ in the address. It's the one you logged into first if all accounts were logged out. It's the one it defaults to if you go to other google services (plus, youtube, etc).

Nothing exclusive about it, except that you logged into it first sequentially.

This is not something that "normal" people will pick up on.
Possible id10t error? I've shared G logins on a few machines with others for years and no one has ever thought that their accounts were "merged" and deleted them in the effort to "unmerge" them.
Ah perils of storing important documents on a free service. It's good only as long as it lasts. And since you are not a customer for the service, expecting them to do do anything to bring it back is too much to ask for.
With most paid services a user could also inadvertently delete their data irretrievably.

So I'm not sure you're drawing the correct conclusion here. It's more about whether there is a flaw in the specific UI around this functionality or insufficient warnings around irreversible actions. Without knowing what the user did it's a difficult call.

With paid services I can typically get some sort of customer support and have them restore from their archives.

Google couldn't give half a damn about their users.

Google telling her that the files were gone and that there was nothing they could do translates to "why should we bother getting your files back for you?" (Obviously they can do it, but it would take a highly salaried person some time, so, no.)
I'm not sure about anyone else but if my Gmail account were to vanish I'd be willing to pay a significant amount of money to get it back.

Which reminds me I should probably start keeping backups of my Google services.

But it would be even worse PR for Google to offer data recovery for money, because that would be admitting that it's possible, but that unless you pay you're not getting your files back. Much better story to claim that the files are just "gone".
(comment deleted)
Yes, Google really should let you restore a recently deleted account. Also, they should offer some kind of "search" service to help people find out about restoring deleted accounts.

https://support.google.com/accounts/answer/1212172?hl=en&...

You are implying that Google services are infallible when in reality it's completely the opposite.

When things go wrong it's nice to be able to get in touch with someone who can actually fix it.

No, I'm really not. Please don't exaggerate like that.

I'm saying they have a way of restoring your account (and it's worth noting that this person claims to have gotten in touch with a "representative").

I think the problem here is with Google's Multi Sign In[1], which makes it look like all accounts that are loged in are related, when in fact they are not, it just gives you an "easy" way of switching between accounts across Google services.

Both Molly and Amy (in the OT) have gotten confused and assumed that the accounts had been merged indefinitely (who can blame them? This is as much PEBKAC as horrible UI) so they attempted to "unmerge" them, ending up deleting one of the accounts.

The way to "unmerge" them is to log out of Google. Then, next time somebody logs in, there will only be one account.

This UI is horrible, I had a similar uncomfortable moment trying to log one account but not the other, even though I knew that they had not gotten merged, it sure seemed like it. The intention was good, the execution lacking (my guess is that there were lots of technical reasons this couldn't be done cleaner).

As soon as Chrome introduced Multiple Users[2], I started using that and it's much better, with less mental overhead to check which account is loged in (I use a black theme for one account, a white theme for the other). For other people/accounts, I just use Incognito mode. For most end users, this is still too much overhead for them, but in that case the only solution I could see is autologout, which has its own problems.

1: https://support.google.com/accounts/answer/1721977?hl=en

2: https://support.google.com/chrome/answer/2364824?hl=en

you're right. it's a UI bug
Multi Sign In is more useful to me though (now that I'm used to the UI). I really value having my first four tabs look like this: http://i.imgur.com/cnSZtTW.png (ignore the favicon inconsistency...it's a known and frustrating bug in Chrome).

With Multiple Users, there's a bit more overhead with seeing you received a new email/chat and switching to the appropriate tab.

You mean the unread message count in the favicon? That's a labs feature you have to turn on for each account.
It's turned on in all four accounts. At times all of the unread counts show, currently none of them do, sometimes refreshing helps, sometimes it doesn't.

It's a known issue. So far I haven't found a good solution or explanation.

https://code.google.com/p/chromium/issues/detail?id=167717

https://code.google.com/p/chromium/issues/detail?id=179822

http://productforums.google.com/forum/#!topic/gmail/FCcFN2N9...

This is such an annoying bug - it works perfectly on my home computer; but only works for 2 out of 3 on my work machine - I've tried everything and the third one never works - thankfully, it's not a high priority mail box and I don't count on it for work. Glad to know I'm not the only one.
I use the multi sign it for the same reason as you but I have to admin the UI is clunky as hell and the level of support greatly differ between Google Product; I often have to manually edit urls by hands.
"admin the UI"

This is just like how I type "server" instead of "serve" all the time. (In fact, I just made this mistake while typing serve and had to concentrate not to do it that time too.)

I agree on the Multiple Users being very useful. I have a user for my private browsing, one for company related user accounts and more.

The benefit for me is that this does not only work for for Google related products (gmail/analytics), but also for other products you use. In our case Outlook Web Access, but also for example Trello and GitHub.

Just to offer a counter-point, I find the UI for multiple users excellent. Of course I don't share account contexts with other people, nor should anyone else, so the various accounts are all my own.
If it actually worked, I wouldn't have a problem with it. But a good portion of the time I am unable to actually access the account I have signed in with. I also randomly see mysterious "d098d983@gmailtemp.com" accounts on there, as well as other users on our google apps domain that I have never signed in as.
The UI is not so bad, it's the behaviour which is awful.

I'm constantly finding myself logged into YouTube with my work account after logging into Google Drive to see a document shared to me by the coworker. Except after clicking on the link in the 'so-and-so shared a…' I just get a regular 401 'You're not allowed to access this content', because I'm logged in as a different account, but not provided an option to change accounts.

I have three google accounts: work, 'Google-related stuff' (gmail, calendar, other google services), and YouTube, and I'm constantly logged into the wrong one. Google seems to assume that everyone has a Google account, and only one, and they're always logged into only that. As soon as you break those assumptions, things start behaving in unfortunate, unpredictable, and inconvenient ways. Even with their new ability to change between profiles, it doesn't work all the time, and when it fails it's overly confusing and arbitrary.

The multi sign-in UI is one of the worst bits of UI fail I've ever encountered. I had to struggle with it for three long years (my university used a Google-based e-mail, plus I had my personal gmail). Why the hell can't I just see multiple inboxes on the left hand side, like every e-mail app for oh the last 15 years or so.
And that's why I use two separate browsers.

Ugly, but it works

A less ugly alternative, which I much prefer, is to use multiple Chrome profiles -- keeps the worlds separate and the end-result is much cleaner!
I do this at home. Chrome is for me and Firefox is for my wife and kids. It's partly for historical reasons though. Originally we all used Firefox, but when I switched to Chrome they didn't. The benefits to them, versus having to learn a different UI, wasn't there.
Because browser "apps" are not.
Then why would one want to use them? :|
They are web pages with some heroic contortions to maintain a facade of a stateful application. Web pages that connect you to useful information (and perhaps even, your useful information) are certainly very useful things. But they've never been anywhere near the power and flexibility of native apps on any platform (at the time) and never will be.

In this particular case, the best email "app" on the web still struggles to match the functionality of 15 year old native applications in the same category.

That's one way to get to inbox zero. ;)

I would move away from Gmail completely but it's great for the search capabilities and Google Drive is really nice for a good enough doc suite.

One of these days when I get enough time I will download all my messages and just use Gmail / Drive as a container for archived info I want to be able to access from anywhere and use the Gmail search capabilities.

To the other suggestions, I would add that you should get your own domain name for your email to go to. That way you can switch the back-end service at any time.

If I know ahead of time that I might have to use a Windows computer that I don't own, I carry around a USB drive with Portable Apps and everything encrypted with TrueCrypt. I have been able to put together a pretty decent dev environment on a USB stick (except that USB sticks are slow.)

That's probably still asking for trouble though. You never know what someone might have installed on their computer. A separate browser as a portable app won't protect you from key loggers.

(comment deleted)
Or always use an incognito window at least.
Well hindsight is always 20/20, but I don't think it's fair to just say "should have done x" at this point. It happened. It's done. Now where do you go from here?

This is the one thing in Facebook's favor (you can criticize privacy, but it's still a good feature IMO). There's an "undo" for deletes available for a short period.

Also, I have a habit of keeping a secondary email where I forward a copy of all incoming messages. It's a bit of a hassle, but that's another free provider so in the unlikely event one gets nuked, I can quickly grab my things via POP on the secondary (and leave a copy there). So that's 3 places I keep attachments etc... for the future.

You always sacrifice independence and self-sufficiency for a bit of convenience, whether it's accounts or milk. Not quite ready to keep my own cow yet, but I'm counting on my neighbor's one for my daily supply for now.

This should be talked about more. I see no reason (privacy or otherwise) that they can't put deleted accounts 'on ice' for some time before permanently deleting the contents.

Give the poor souls with fat fingers a chance to recover.

Google already does this, evidently the user also managed to wait a while before realizing that the big red "Delete Account" button deleted their account.
Here's the thing, Google already does this (https://support.google.com/accounts/answer/32046?hl=en). Also, I think it would be fair to say that the user shouldn't have accidentally deleted their account. Maybe the UI for multiple sign on isn't that great but account deletion is spot on. The page details exactly what account deletion will do and you even have to click a checkbox that says "Required: I understand that deleting this service can't be undone and the data I delete can't be restored." before continuing.

It baffles me to think that there are people out there that manage to do this "by accident" and then manage to wait long enough to be unable to restore their account "by accident".

If you suspect malicious intent, then never do this. A key logger will reveal your password immediately, and a rouge browser will save your session even though it will tell you that you signed out.

However, for 99.999% of the cases, just use incognito mode and close the window after you are done. Next!

Did you even read the article? It's not about security...
I did, and the underlying issue is security. Don't let others have access to your session and you won't experience what the author experienced.
Anyone else think the title is a bit too linkbaity? Only the Sith deal in absolutes...

("Never log into a Google account on a friend's machine", in case it gets changed later.)

I upvoted you and I'm the OP. I couldn't think of a better title that didn't span an entire line.

("Use Incognito Mode when using a friend's machine or risk having your accounts stuck together"? Or maybe "Don't log into a Google account on a friend's machine without using Incognito"? It's a bit too late for me to edit, unfortunately.)

Google backup service seems like a valuable proposition. I assume someone's already implemented that.
You mean people commonly use Google Docs without keeping their own backups? That sounds crazy.
Using a different browser than the one used by the friend would prevent this from occurring.
Yikes, this is a nasty bug!
Letting your friend use your machine?

If it's a one-minute look-up, open an incognito window for him. If longer, log off of your google account. And other accounts, preferably.

It's best to switch the desktop user to 'guest', it's easy under most OSes now.

+1 for ⇧⌘N. I do it for them.
Agree with the general sentiment here. Multi-account support is an awful experience. I use Chrome profiles.
In addition to this, Gmail puts message's subject in page title. Someone can check History and read your subjects. These can be quite revealing, for example when you're into some kinky kind of sex. I don't fancy censoring the subject each time I write a message.
But you let this person on your machine. They could install a keylogger as well. Presumably if you're so paranoid you'd not let others user the machine. :)
I generally won't let others use my computers, since there's all kinds of stuff they could do. It's not uncommon (though not especially common) for someone to take offense; it really makes me wonder whether they realize what computers can do, or how much information about you is stamped into one you've been using for a while. My computer and yours are not interchangeable.
Keyloggers generally require root. Also if I'm watching them use the computer they won't be able to install anything but they'll certainly be able to see history while typing in the address bar.
My biggesT beef with multiple signin is dealing with google analytics/the other products that don't support it yet.
There is certainly something broken with google's multiple sign-ons. Here is what happened yesterday:

- My wife was logged into her Gmail account.

- I then logged into my wife's Picassa web account to share pictures with someone. I needed some information (an email address) from my own gmail. So for so good.

- So I logged my wife out of her gmail while keeping her signed in to Picassa web.

- Then I logged into my Gmail and got the info I needed.

_ I came back to my wife's picassa web acciount and when I tried to share an album with someone by entering the email address, whoops I get a 403 FOrbidden error. WTF!!

After a few mins of thinking, I thought why not log me out of Gmail and login back as my wife suspecting that google might be confused b/w 2 logins ? Bingo!! It worked. WTF google. Seriously!!

This isn't that surprising. I've always assumed that logging out of any Google service will log me out of any other Google services I'm logged into (with that account).

I do think they could make it more obvious what is going on behind the scenes, so that in your case, Picasa would have noticed the account was no longer logged in before it let you share the album.

> This isn't that surprising. I've always assumed that logging out of any Google service will log me out of any other Google services I'm logged into (with that account).

Why on earth would a normal person assume that?

If I have two tabs open to my bank, and hit "logout" in one, I'd assume my session was dead for both tabs.
Right, but if I'm logged onto my checking account and my auto loan, I don't expect logging out of one to log me out of the other just because both are owned by the same company.
In a banking context, I'd expect the bank to do the most conservative thing possible.
Because if you sign into one, you expect to be signed into the others. If you're signed into all of them, you don't want to have to go to every Google service and log out of them.
At the least, don't give me crap 403 Forbidden. just tell me to login again which even though annoying, will at least let me get the shit done that i intended to do.
How are these people deleting their friends accounts without a password? Does Google not confirm your password a second time when deleting your entire account? Seems silly if they don't.
People think I'm weird for logging into Gmail with IMAP from Thunderbird. Not mucking with browser sign-ins is one of my reasons for it.
The title of this post is horribly misleading. It's perfectly safe to log into your Google account on a friend's machine.
Right, title should read: "I deleted my account, and now my files are gone"
What if you go to GMail and then go to the bottom right which says "Last account activity"? Click on the "Details" option and then "Sign out all other sessions". Does that help?
I would never let alone log in under one of my logins on any machine, or log in under someone else's login, on a system which supports multiple logins. I mean, even on the shared home theater box, I have separate logins. Too many keys, dotfiles, etc.