- Forgotten Password - Well, to begin, in order to recover a forgotten password, just getting to the form was a hassle. You click on "I cannot access my account." Then you are taken to a help page, where you click on a couple of things to say you lost your password. It then gives you the link to the Forgotten Password page, as if they could not have just put the link on the login page. After that, you enter your email address. Then it comes up saying it sent an email to ****@gmail.com with instructions. How exactly can I follow those instructions if I cannot get to the email account? Anyway, they do offer an alternative. If you wait 24 hours, you can instead answer a security question. This is the part that really bothers me. Both the instructions in the email AND the security question method of recovering a forgotten password are generally insecure, but the security question is much worse considering a person just has to know your maiden name or whatever question you may have entered. What is the point of putting both methods in the same service, if a hacker can just wait for the security question and take the easy way out?
Solution: The solution to this would first be to stop hassling users and put the Forgotten Password link on the login page. Next, require users to enter an alternate email address, so there will always be another way to access the account. If not that, then Google will have to come up with some novel way to give somebody their password if they lose it.
- OpenID: Most people do not realize that Google offers some type of federated login/OpenID thing. I am not exactly sure because the way it seems is that if you want to log in to an OpenID site with your Google account, the site has to be programmed to Google's needs. I mean, the only other way of doing it is to go to some third party, associate your Google account with another OpenID, and it gets all crazy from there.
Solution: Google should just make themselves a regular OpenID provider, where users could use their profile or something as their identity page (for those who don't know, you can set your profile page to your username for easy access). I would use Google as my main OpenID provider if they did that. But as of now I am sticking with myopenid.com.
- Password Logins: This is less of an annoying problem, but I really just wanted to voice my opinion. The only way you can log in to Google is with your password. The least they could do is offer some more secure alternatives. I mean there are dozens: Client SSL certificates (a.k.a. X.509 certificates), Information Cards (used by Windows CardSpace and Linux's DigitalMe), GPG keys (this is not as easy because I think this is only possible with a certain Firefox add-on), heck even hardware tokens for all I care. Anything other than passwords. Some websites even let you get rid of your password completely for more safety.
Solution: I think the solution was pretty self-explanatory.
- Customer Service: Well, I have sent some feature suggestions to Google and so on. Let's just say I have not had the greatest experience with Google listening to my suggestions. I do understand they get feedback up the wazoo every day, but it would be nice if they could at least tell us what they are up to in the deep dark catacombs of their programming division.
Saturday, June 20, 2009
I must admit that I am a big fan of Google, and that I would not give up Gmail for any other email service. But there are just some really big deficiencies, so to say, that really annoy me. I mean, they are the kind of things that the everyday user would not notice or care about, but that someone who has spent time with computers will.