

Why doesn't Google Password Reset include the originator IP address? - hasanove

Sorry to post it here, but I thought maybe this way I can bring some attention to what seems to be a Google Apps account (and probably any Gmail account) security issue.

Today somebody tried to retrieve a password from my Google Apps domain admin account, and apparently the same person tried doing the same for the domain of my colleague.

Stuff like that is expected to happen from time to time of course, when your website is a potential target for attacks, but what surprised me was the fact that there was no information in the Google Password Reset email (which naturally arrived in my inbox) about the requester. So, I have no other means of tracking the potential attacker but to sit and wait for the next attempts.

Granted, an IP address could be spoofed, but is there any reason why Google would not want to include this in the notification email?
======
sweis
The problem with this is that people inadvertently send password resets when
they forget their account name. This happens all the time. It is a pain
because the recipients freak out that someone is trying to break into their
account.

If that reset message contained the IP address, people who inadvertently sent
it to a stranger would complain about the privacy violation.

You might catch some dumb attackers, but in most cases it'll be from a
compromised machine or through a proxy.

~~~
hasanove
Fair point, although it is less applicable to a Google Apps account, since it
is not on @gmail.com and the likelihood of sending a password request to a
stranger is much smaller.

------
tapiwa
Another vote for including the IP address.

Facebook too. In fact, I think all apps should start displaying the IP
addresses of the last FIXNUM attempts to log in, successful or not.

------
Rodyland
I've had the same recurring issue with my Gmail account, and I wholeheartedly
agree that the originating IP of the request should be provided.

