
People can't remember many good passwords. So they start reusing them. If one site has a leak, everything is lost without 2FA.


So the choice is for them to permanently lose access to their email?

Homeless people aren't stupid and strong passwords don't have to be incredibly hard to remember. I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

There is literally nothing more important than your email. Even stuff like your bank account has secondary means of recovery, whereas if you lose access to your email you're pretty much fucked.


> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

When your account is stolen the attacker changes your password. You lose access to your email forever and lose access to all of the services that use your email as a recovery platform.


The point here is that that happens to these people already. I'm sure they'd much rather have only a chance of it happening than it being a guarantee.


Who's to say that your email account getting hacked is less dire than losing access to it? Attackers can easily search your inbox for 'verify your email', visit any website of value, and use their access to change the account away from your email to an address that they own, effectively removing your access to your third-party website accounts entirely.


I don't know that it is less dire, but I do think it's less likely. Are homeless people's email accounts getting hacked three times per year?

Also... maybe getting hacked is worse, or maybe losing access is worse, but the user should have the right to make that decision! Google can set the default, but the user knows his or her own life.


> Are homeless people's email accounts getting hacked three times per year?

The aversion to 2FA makes them seem like easy targets if I'm looking for addresses to use for spam.

> maybe getting hacked is worse, or maybe losing access is worse, but the user should have the right to make that decision

Getting hacked makes losing access considerably more likely. This ain't one or the other.


> The aversion to 2FA makes them seem like easy targets if I'm looking for addresses to use for spam.

If you want to spam people, why not just sign up for your own gmail account?


Because then it'd be tied to my number (assuming I haven't figured out some workaround) and could then be traced back to me.


Because you can still use an account everybody knows the password of.

It's a terrible place to be in, but it isn't anywhere near as bad as being a homeless person with no access to HN and Twitter, having Google delete your account, and having nowhere to complain about it. Because that is even worse.


> So the choice is for them to permanently lose access to their email?

If an attacker breaks in and changes your password, you already do very likely permanently lose access to your email. Account recovery from that point is a hairy process even for people who have a place to safely store important documents, let alone those who don't.

> Even stuff like your bank account has secondary means of recovery

Those rely on forms of identification that the unhoused disproportionately lack (for the same reasons that they are more prone to lose access to phone numbers). This is also among the reasons why being unhoused tends to correlate with being unbanked.


> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

This is functionally the outcome of getting hacked, if you want any kind of decent security measures.

Any way that Google can give you access back on a password-only account is going to be rife with bad actors using social engineering to gain control of accounts. As long as that form/page exists, it is a threat vector.

What you're asking is for the password to be the only proof that someone owns an account, which means a hacker can demonstrate ownership just as much as you can.

Banks have more options for account recovery because we're willing to give them a lot more info. They can force me to come in to a branch and compare my ID to my face, or ask for my SSN, or any number of things we're not comfortable handing over to Google (especially over the web).


I would rank a home as more important than email; I'd certainly rather lose access to my email than my home.

But by definition, the homeless have already lost a home (assuming they weren't born homeless) - and I've forgotten passwords before. So "the stupid homeless just need to memorize their password" isn't a solution.


It's not a solution, but it's a heck of a lot better than locking them out of their accounts even if they still know their password!


> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.

step 1: get your account hacked

step 2: hacker changes password

step 3: lose access to your email, forever

What you've presented is not in fact a dichotomy, for any practical purposes.


Except that they're already losing access to email, forever. A small chance of it happening because of a hacker is better than a statistical guarantee of it happening from phone theft.


The GGP was speaking in the first person. I personally have had hackers try to break into my account before, but have never lost my phone number. Furthermore, notwithstanding the policies of the "obamaphone" program, I would be able to recover my phone number if I lost my phone. So, speaking for the vast majority of people, it would be preferable to have losing my phone number lock me out of my account than having my password leaked lock me out of my account. If that is the dichotomy, and if we still care about the welfare of the average person, the correct choice is incredibly clear.


Is it though? Just because a password leaked doesn’t mean it will actually be abused. A homeless person without a credit card in their Google account is naturally limited in the amount of damage that can be done.

Security questions are probably enough, at least for people who can’t handle 2FA.



