Friday, December 9, 2011

Why Can't Blogger Just Tell Me The Email Address?

We see the pain, in Blogger Help Forum: Something Is Broken, of blog owners who do not understand why the name of their Blogger account (the email address used to sign in) needs to be kept secret.
I forgot the email address that I was using. Why can't Blogger just tell me the address??
and some ask
How did this unknown person "xxxxx xxxxx" get control of my blog?
Years ago, the local police had to convince home owners
Please, stop leaving a spare key under a rock, near the door!
Many blog owners (today), like some home owners (years ago), have the same basic problem: naivete.

Like the home owners of years ago, who kept a spare key under a rock near the front door for emergencies, blog owners use tricks to remember their password.

Don't - please don't - use a guessable password!

One favourite technique for remembering the password is obvious.

Pick a password based upon something that you can remember.

For a blog owner who is married, the answer is obvious.

What is my spouse's name?

and there's your password. If you forget that, you have worse problems, which cannot be addressed here.

If the name of one's spouse were a secret, using it would not be a problem. But many blogs either contain the names (and pictures, maybe) of the whole family, or lead to a Profile page or website (Facebook, Instagram, Twitter, ...) with similarly useful information. How secret is that password going to be?

Hackers love blogs with guessable passwords.

Knowing both the Blogger account name (the email address) that owns a blog of interest, and the URL of the blog, a hacker has a simple enough task.

  1. Scrape the blog content into a text analyser.
  2. Extract a few hundred details (the spouse's name, and others) from the analysed content.
  3. Run the known details through a password generation program, which combines and mangles them the way people do when inventing a "memorable" password.
  4. Now the hacker has a database containing "10,000 good possible passwords", specifically relevant to this blog.
  5. Go to "www.blogger.com", plug in the account name, and try the 10,000 passwords, one by one.
  6. That's a simple brute force password attack (strictly, a targeted dictionary attack: the candidates come from the victim's own words, not from every possible string, which is why so few guesses are needed).
  7. Sit back, and watch any botnet controlled by the hacker go to work. Spreading the attempts across thousands of addresses keeps each address below the rate that would trip a per-address lockout.
  8. Given enough time, the hacker very likely gets access to the Blogger account, and to the blogs owned by the account.

For any experienced hacker, steps 1 - 8 collapse into one step.
Plug in the URL of the blog.
Everything else is just more coding - and a nice robust botnet or two.
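Steps 1 to 4, carried out offline, as an added example for this post (not code from the original, and not any real attacker's tooling). A constructed blog excerpt stands in for the scraped content, a small hand-written rule set stands in for the "password generation program", and the resulting list is checked against a few candidate passwords. The function names, the sample text and the mangling rules are all assumptions made for the example; nothing here contacts Blogger or any other service.

```python
"""Targeted password candidates from public blog text.

Added example: not code from the original post. It walks steps 1 to 4 of the
attack described above, entirely offline, and turns the same list into a
defensive check ("could my blog alone predict my password?").
"""
import itertools
import re

# Constructed sample of "scraped" blog text; not taken from any real blog.
SAMPLE_BLOG = """
Welcome to our family blog! I'm Dave, and my wife Karen and I moved to
Springfield in 2004. Our kids Emily and Josh love our dog Biscuit.
Karen's birthday is 17 March, mine is in 1975. Go Tigers!
"""


def extract_details(text):
    """Step 2: pull out the details a text analyser would flag.

    Capitalised words catch names of people, pets, places and teams; years and
    short numbers catch birthdays and anniversaries. A real analyser would drop
    sentence-initial words such as "Welcome"; keeping them only adds a handful
    of candidates, so this example does not bother.
    """
    words = set(re.findall(r"\b[A-Z][a-z]{2,}\b", text))
    years = set(re.findall(r"\b(?:19|20)\d\d\b", text))
    small = set(re.findall(r"\b\d{1,2}\b", text))
    return sorted(words), sorted(years | small)


def mangle(word, suffixes):
    """Step 3: the tricks people use to make a name feel "unguessable".

    Case variants, a simple leet substitution, and a detail or common string
    appended or prepended. Cracking tools apply far longer rule lists; this is
    the shape of them.
    """
    bases = {word, word.lower(), word.upper(), word.capitalize()}
    bases.add(word.lower().translate(str.maketrans("aeios", "43105")))
    out = set(bases)
    for base in bases:
        for suffix in suffixes:
            out.add(base + suffix)
            out.add(suffix + base)
    return out


def generate_candidates(text, common=("1", "12", "123", "!", "2011")):
    """Steps 2 to 4: the targeted candidate list for one blog."""
    words, numbers = extract_details(text)
    suffixes = tuple(numbers) + common
    candidates = set()
    for word in words:
        candidates |= mangle(word, suffixes)
    # Pairs of details: "DaveKaren", "karenbiscuit", and so on.
    for a, b in itertools.permutations(words, 2):
        candidates.add(a + b)
        candidates.add(a.lower() + b.lower())
    return candidates


def is_guessable(password, text):
    """Defensive use of the same list: does the public text predict the password?"""
    return password in generate_candidates(text)


if __name__ == "__main__":
    cands = generate_candidates(SAMPLE_BLOG)
    print(f"{len(cands)} candidates from {len(SAMPLE_BLOG)} characters of blog text")
    for pw in ("Karen1975", "biscuit", "Dave!", "correct horse battery staple"):
        print(f"{pw!r}: {'guessable' if pw in cands else 'not in list'}")
```

Three sentences of blog text yield well under a thousand candidates, and "Karen1975", "biscuit" and "Dave!" are all in the list. That is the whole point of the post: the list is small because it is built from what the owner published, so the defence is to publish less (the account name) and to pick a password that no rule applied to your own blog can produce.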

The hacker, of course, will be targeting thousands of different blogs simultaneously. So what if the attack fails to find the details needed to steal your blog? The hacker will gladly settle for another - while the botnet keeps working on yours.

Besides using a "strong" password (which carries its own risks, such as forgetting the password - and now we're here, again), the best way to prevent a brute force attack is to deny the hacker step 5: without the account name, there is nothing to plug in. Keeping the address secret raises the cost of the attack; it does not make a guessable password safe, so do both.

Keep the account name / email address a secret.

Additionally, if you have a blog and a business - or otherwise exchange email with strangers - separate your Blogger / Google account from your email account. Use two separate email addresses: one for Blogger, one for email. Every stranger who receives mail from you then learns an address, but not the one that signs in to your blog.

Learn to appreciate the efforts made by Google to keep your account and blogs safe.

If you need to recover access to your Blogger account, don't expect to use the Blogger "Forgot?" wizard, plug in your blog URL, and get a reply

Email was sent to your address xxxxxxx@yyyyy.zzz

And, if you post in the forum

Please email me advice, to "xxxxxxx@yyyyy.zzz"!

expect to get a stern warning

Please, do not post Blogger account names, or email addresses, in the forum.

People objecting to the recent Blogger policy of masking email addresses in Blogger commenting and similar services as "no-reply @ blogger . com" may also need to consider this very real issue. Possibly, even use Google+, instead of Blogger commenting, for networking with one's peers.

Google tries to identify brute force attacks, and takes action when possible.

And, if your Blogger / Gmail / Google account is disabled - and you get a mysterious notice about

Suspicious / Unusual activity on your account

this could well be the other side of a brute force attack against your account, intercepted by Google.
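What that "other side" looks like from the service's end, as an added example for this post. This is not code from the original and not Google's detection logic, which is not public; it shows the shape of the signal a login service sees when a botnet works through a candidate list against one account, and why a per-address lockout alone misses it. The log format, the account names, the addresses and the thresholds are all assumptions constructed for the example.

```python
"""Spotting a distributed password-guessing attack in login logs.

Added example: not code from the original post and not any real provider's
detection logic. The log lines are constructed here; the format
"<timestamp> login account=<who> ip=<addr> result=FAIL|OK" is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) login account=(\S+) ip=(\S+) result=(FAIL|OK)$")


def constructed_log():
    """Build the sample log: one account under a botnet, one under a single
    address, and one legitimate user who mistypes twice."""
    lines = []
    # Twelve bots, each trying one candidate against the same account, 3 s apart.
    for n in range(12):
        lines.append(f"2011-12-09T10:00:{n * 3:02d} login account=victim@example.com "
                     f"ip=203.0.113.{n + 1} result=FAIL")
    # Ten guesses from one address, 2 s apart: the classic single-source pattern.
    for n in range(10):
        lines.append(f"2011-12-09T10:10:{n * 2:02d} login account=bob@example.com "
                     f"ip=192.0.2.5 result=FAIL")
    # A real user who mistypes twice and then gets in, all from one address.
    lines += [
        "2011-12-09T10:05:00 login account=alice@example.com ip=198.51.100.7 result=FAIL",
        "2011-12-09T10:05:08 login account=alice@example.com ip=198.51.100.7 result=FAIL",
        "2011-12-09T10:05:15 login account=alice@example.com ip=198.51.100.7 result=OK",
    ]
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()


def parse(log_text):
    """Return (timestamp, account, ip, result) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), account, ip, result))
    return events


def detect_guessing(events, window=timedelta(seconds=60), min_failures=10, min_sources=5):
    """Flag accounts with at least min_failures failed logins inside any window.

    The verdict separates a burst from many addresses (a botnet, which a
    per-address counter never sees) from a burst from a single address.
    """
    failures = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "FAIL":
            failures[account].append((ts, ip))
    verdicts = {}
    for account, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            burst = fails[i:j]
            if len(burst) >= min_failures:
                sources = {ip for _, ip in burst}
                verdicts[account] = "distributed" if len(sources) >= min_sources else "single-source"
                break
    return verdicts


def per_ip_failures(events):
    """What a naive per-address lockout counter would see."""
    counts = defaultdict(int)
    for _, _, ip, result in events:
        if result == "FAIL":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(detect_guessing(ev))
    print("most failures from any one address:", max(per_ip_failures(ev).values()))
```

Keying the count on the account rather than the source address is what catches the botnet: each of the twelve addresses fails exactly once, which no per-address rule would act on, while the account sees twelve failures in half a minute. The action a provider takes on that signal (a challenge, a temporary lock, a "suspicious activity" notice) is what the post describes from the owner's side.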

Don't be offended by the various precautions.

If you find the precautions and problems burdensome, consider using Google 2-step verification to protect your account against brute force hacking. With it, a guessed password alone does not open the account, so the attack has far less to gain.

This is not fiction - it's all very real.

None of this is paranoia. It's based on some very real, recent events - it even involves a recent National Scandal - and it leads to some very real conundrums.

Similarly, we have a very distasteful answer to a seemingly worthy need, and another apparently "ceremonial" but necessary answer to somebody in need of understanding and support that can't be provided.

You have to make the effort to maintain and protect your blog.

You will get no sympathy when you complain about how unsupportive Blogger is.

You have to make some effort - and remember some basic information - if you are going to maintain a Blogger blog. And encourage your friends to keep their accounts and blogs safe.

Elm0D

Author & Editor

