Question: I have an older relative whose Google account is compromised (phishing email from a known person whose account was also compromised, entered Google password in a popup window). I walked them through going to the Google account page to change the password, but Google is preventing password reset for up to 72 hours, and won't even allow "forgot password" process to work. The actor appears to be actively emailing contacts with the same phishing email and replying to inbound emails. Any idea how to secure a personal Google account when it won't let you change the password?

Separately, what is the recommended password manager for an iPhone for a non-techie person? I don't have an iPhone, so I can't directly evaluate the options.

Update: she was able to change her password at 4 am (about 12 hours after calling me). Plan is to leave computer off until I can reinstall Windows. Switching operating system is not a likely option, but I'll ask.

If anyone is interested, her resolution is to switch from MS Windows and Gmail to Apple, getting a MacBook Neo since she mostly uses an iPhone, and the PC is for office type uses. Passwords will all be reset and synced with default Apple tools.

@philvuchetich the built-in manager for Apple is good on its own.

@philvuchetich Not sure on the Google account front.

On the password manager topic, it depends on what they need to sync with. For storing passwords locally and syncing to Macs, Apple’s included password manager is good.

@philvuchetich what happens if you add a 2FA code to the account and then force log out?

@quixoticgeek Thanks - This was one of the frustrating steps. She was logged in to the account, went to account management, password settings, was prompted to enter password, entered the password, entered the 2FA SMS code, then it gave a message that account recovery is locked for 72 hours. She wasn't specifically selecting account recovery at that time, and the only links are "why is recovery delayed" and "learn more...".

I am traveling, so this was all via her screen sharing. There is the possibility (IMHO likely) that malware is on the PC - the only active sessions were Windows 11 in the correct geographic location and iPhone (so the plan is to reinstall from Windows 11 USB when I am in town tomorrow). I didn't have her specifically end all sessions. Maybe if she can do that from the iPhone and leave the PC off in case of malware.

@philvuchetich For a non-techie on the Apple ecosystem, the Passwords app from Apple would probably be best. It will work pretty out of the box with most Apple stuff.
@philvuchetich I myself use Bitwarden. Not only is it an app, but also an extension for Firefox, Chrome, and their derivatives.
@philvuchetich non-techie? Use Passwords, the one that ships with iOS. It’ll do what they need it to, and integrate well. There are plenty of better password managers, but none worth the effort IMO.
@philvuchetich I recommend using the built-in Apple password manager, it'll be a lot less friction for the user and is just as good as any third-party option, maybe with fewer power user features.

@philvuchetich The greasy cat is correct…

On iOS, the integrated Passwords app is all you need. In fact, if all you need is secure passwords shared between Apple devices running a recent OS version, there’s no need to supplement it.
Unless you have very specific requirements for features that very few people ever use, there’s no reason to add the attack surface of a 3rd-party password manager.

https://infosec.exchange/@ajn142/116604444879349215
