OT: Google account recovery


smontanaro
03-20-2018, 07:11 AM
Through a series of bad (horrible, really) interactions between Google Chrome and LastPass, LastPass thinks my wife's Google password is her LastPass master password. What a nightmare! Our first attempt at account recovery failed, but Google encouraged her to try again.

Before we swing and miss again, I'm wondering if other people here have experience with the Google account recovery process. Last time they asked one terrible obscure question: what month and year did you create the account. At the time I just guessed, but in retrospect, I can get a better estimate of the age of the account by locating the oldest mail in her saved mail messages (date:YYYY seems to work reasonably well). Also, we had recovery-related communication sent to my Gmail address (skip.montanaro@gmail.com, hers starts with "ellen.m..."). She does have a second Google account she used for some other online activity. I wonder if we should use that instead?

For the moment, she still has access to Gmail on her Android phone, but I suspect it's only a matter of time before she's prompted for a password there and loses that gateway. Any other things we should know or try to improve the chance of success the second time around?

ultraman6970
03-20-2018, 08:19 AM
Can you just change the password of the email inside of the email app??? Some can do that. Then remove Google off the encryption software?

My password management system is a cardboard that is hidden and even if you find it you might not know which stuff belongs to what.

With passwords the best thing is going old school, one mistake in the password management software and you could get off everything really quick.

smontanaro
03-20-2018, 08:42 AM
Sorry, I knew I would forget some key bits of information. I am running on fumes today, up since about 2AM, in part with this issue. (I briefly considered taking a personal day and just going for a ride. I guess I should have.)

We were trying to take strong passwords seriously (hence the purchase of a LastPass license). Ellen created a new, strong password for her Google account, let LastPass manage it, then between Google Chrome, the LastPass extension, and probably a smidgen of pilot error, that new, strong password was overwritten by the LastPass master password.

I went through a couple rounds with Google help and LastPass support. In the end, I did the following:


- disabled password management and auto-fill altogether in Chrome
- deleted the LastPass extension
- uninstalled Chrome
- installed Chrome
- installed LastPass again
- verified that nothing was screwed up


Everything was fine for a couple days, then Chrome started auto-filling again! Eventually, Ellen failed to notice (or noticed and poked the wrong user interface button) and accidentally saved the master password as her Google password.

This being a computer, Google and LastPass have each pointed at the other as the culprit. Fat chance getting either one to admit they had a hand in the problem. I suspect they are both to blame. Once turned off, Chrome's password manager and auto-fill bits shouldn't magically turn themselves back on. I suspect something LP is doing might reanimate the zombie auto-fill. Also, the LastPass major color is red, probably a bad choice on their part. Their "Save" button is colored red, just like a stop sign. I'm guessing that Ellen clicked it thinking it meant "stop" or "cancel" without looking closely. Every time I've exported her passwords from LastPass to a CSV file, a couple have been overwritten with the master password. Most of the time they were passwords for less important sites. This time it was the Big Kahuna of her website universe.

As for storing passwords in a cardboard box, we've been there, done that. Before LastPass, Ellen was writing passwords on little scraps of paper, reusing the same password on multiple sites, you know, all the stuff you're not supposed to do. We've solved that problem (sort of - we still need to rely on written/printed passwords for now, and there are scraps of paper all over the house), but created at least one other (maybe more). Despite my profession (35+ years as a software engineer), I'm not much better. I was saving my passwords in Dropbox for a long while. I at least have a decent password generator.
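
An added example, not part of the original post: one way to check a password-manager CSV export for the symptom described above, where vault entries end up holding the master password. The column names (`url`, `username`, `password`, `name`) are assumed to match the export header, and every row and password in the sample is constructed.

```python
import csv
import hmac
import io
from collections import defaultdict

# Constructed sample export. The header is an assumption about the
# export format; adjust the column names if your file differs.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://accounts.google.com,ellen@example.com,Vault-Master-Phrase-1,,Google,Email,0
https://forum.example.org,ellen,Vault-Master-Phrase-1,,Bike forum,Hobby,0
https://shop.example.com,ellen,k3!Qz9#vT2pL,,Shop,Shopping,0
https://bank.example.net,ellen,x8$Rm4@wN7bY,,Bank,Finance,0
https://news.example.com,ellen,k3!Qz9#vT2pL,,News,Reading,0
"""


def audit_export(csv_text, master_password):
    """Return (entries holding the master password, groups sharing a password).

    Only entry names are returned; no password value is ever reported.
    """
    master = master_password.encode("utf-8")
    clobbered = []
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("name") or row.get("url") or "<unnamed>"
        password = (row.get("password") or "").encode("utf-8")
        if not password:
            continue  # secure notes and empty entries carry no password
        # Constant-time comparison against the master password.
        if hmac.compare_digest(password, master):
            clobbered.append(name)
        else:
            by_password[password].append(name)
    reused = sorted(sorted(names) for names in by_password.values()
                    if len(names) > 1)
    return clobbered, reused


if __name__ == "__main__":
    # Demo run on the constructed sample and a constructed master password.
    clobbered, reused = audit_export(SAMPLE_EXPORT, "Vault-Master-Phrase-1")
    for name in clobbered:
        print(f"entry holds the master password: {name}")
    for group in reused:
        print("same password shared by: " + ", ".join(group))
```

For a real export, read the file's text and take the master password from `getpass.getpass()` rather than a literal, then delete the CSV, since it holds every password in plaintext.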

deechee
03-20-2018, 08:59 AM
If you have access to your email on your phone, you should be able to reset your password through the phone client. Something like this (https://www.technipages.com/change-google-password-android). Also, I would assume Google asked you to set up 2FA with the phone number, so it should be straightforward to reset the password. If not, set it up.

I've never used LastPass, I use KeePass and KeePassXC on Mac. I have different files for home and work. Sounds pretty silly if you can change the master password that easily.

smontanaro
03-20-2018, 09:25 AM
Thanks for the pointer. I just walked through the steps on my phone (most of the way). It looks fairly straightforward. We'll see if that works on Ellen's phone.

As for changing the master password, that's not what happened. Ellen created a strong password for her Google account, thinking LastPass would do all the heavy remembering/lifting. She also has a strong LastPass master password. At some point in the not-too-distant past, it seems Chrome remembered that master password and decided it was appropriate to auto-fill it in every password field on the LastPass site (it also auto-filled the username, btw).

With that damaging behavior in place (lastpass.com was in the "never save passwords" list, *and* auto-fill was turned off *and* the password manager was disabled), she opened the vault entry for her Google account. Either LastPass itself or Google's auto-fill then overwrote her password with her LastPass master password. Since passwords are generally not shown, it just looks like any old series of dots. Auto-fill does color the text field's background yellow; however, that may not always trigger recognition of a problem, especially if you have used auto-fill regularly in the past. In addition, the LastPass GUI then colors the Save button red (which means to me, "stop! don't do that!"). In my mind, the most obvious choice should be to discard changes, not make them.

At any rate, I'm sure there is blame to spread all around. Right now my main concern is restoring account access for Ellen. While in the grand scheme of things, losing your Google account (and all that email) isn't the end of the world, it's clearly not fun either.

foo_fighter
03-20-2018, 11:10 AM
After you recover your password, print out your 10 recovery codes and put them in your safe deposit box.

https://support.google.com/accounts/answer/1187538?hl=en