Hacker News new | ask | show | jobs
by fauigerzigerk 5185 days ago
That's not the best thing to do, that's the most unimaginative thing to do.

I would do it this way:

1) Make sure that only the legitimate owner has access to the account by using previously entered contact data to ask him/her change the password.

2) Check if the suspicious behavior stops, which it will in most cases.

3) If it doesn't stop, put the account in read-only mode. If the kind of behavior may be an honest mistake, explain to the user what happened. Just take that risk, it's going to be worth it.

4) If it's a statistically active user with lots of regular looking data, let a human sort things out.

5) If the issue remains unclear, tell the user to download any data he wants to keep and notify him/her that the account will be closed.
1 comments
andreasvc 5185 days ago
Yes, that would be better for the user, but this is a free service, and Google has not much too gain from making the process more complicated (imaginative) and thus more error-prone. As a user you have the responsibility of keeping your password absolutely safe, if you do that (and better yet use 2-factor auth), nothing should go wrong.

Your option 1) boils down to adding more "passwords" by which the user can authenticate itself, so it's not a fundamentally better protection as they can be guessed by an attacker as well. Requiring a text message confirmation for password changes might be a better idea.

link
fauigerzigerk 5185 days ago
All steps on my list are either fully automated or optional, so it doesn't cost them more.

Google has a lot to gain from people entrusting them with their data, that's why they provide a free email service in the first place.

It would be a mistake to think that trust is linear. You can't just treat a few people very badly without risking a major backlash against your business model.

link