EmailDiscussions.com

xyzzy 27 Nov 2018 05:01 AM

Login Log shows attempted access
 
I was looking at my Logon Log and saw that on Wed 21 between 7AM and 2:30PM there were 97 failed IMAP login attempts from IPs that were from all over the world, all single attempts. I created a FM ticket asking them if this kind of probing is a common experience with FM user accounts. Their response was "yes".

For added safety I've since changed my account password, app password, and recovery code. But I was wondering what the opinions of anyone here are on this? Have you also seen this kind of behavior with FM?
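
The pattern described in the post above (many failed IMAP logins spread over several hours, each from a different IP) can be picked out of a login log programmatically. The following is an added example, not part of the thread and not Fastmail's tooling; the row layout, thresholds, account names and addresses are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed sample rows: (timestamp, protocol, account, source_ip, result).
    This layout is an assumption for the example, not Fastmail's log format."""
    base = datetime(2018, 11, 21, 7, 0)
    nets = ["192.0.2", "198.51.100", "203.0.113"]  # documentation-only ranges
    rows = []
    for i in range(97):  # 97 failures, every one from a different address
        ip = f"{nets[i % 3]}.{i // 3 + 1}"
        rows.append((base + timedelta(minutes=4 * i), "imap", "user@example.com", ip, "fail"))
    for i in range(6):   # contrast: one client retrying a stale password
        rows.append((base + timedelta(minutes=i), "imap", "other@example.com", "192.0.2.200", "fail"))
    rows.append((base + timedelta(hours=1), "web", "user@example.com", "192.0.2.250", "ok"))
    return rows

def find_distributed_guessing(rows, window=timedelta(hours=8),
                              min_failures=20, min_single_ratio=0.9):
    """Flag accounts whose failures inside a sliding window come mostly from
    addresses that tried exactly once. Thresholds are illustrative."""
    fails = defaultdict(list)
    for ts, _proto, account, ip, result in rows:
        if result == "fail":
            fails[account].append((ts, ip))
    flagged = {}
    for account, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_ip = Counter(ip for _, ip in events[start:end + 1])
            total = end - start + 1
            singles = sum(1 for n in per_ip.values() if n == 1)
            if total < min_failures or singles / len(per_ip) < min_single_ratio:
                continue
            if account not in flagged or total > flagged[account]["failures"]:
                flagged[account] = {"failures": total, "distinct_ips": len(per_ip),
                                    "single_attempt_ips": singles}
    return flagged

if __name__ == "__main__":
    for account, stats in find_distributed_guessing(make_sample_log()).items():
        print(account, stats)
```

Counting per account rather than per source address is what exposes this pattern, because each address appears only once and a per-IP failure counter never climbs above one.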

n5bb 27 Nov 2018 06:37 AM

These issues with criminals trying to log into accounts have nothing specifically to do with Fastmail. This affects all accounts which have internet access (such as bank accounts). I have seen these attempts at breaking into my Fastmail accounts in the past, but currently don't see any such attacks in the last couple of weeks. These attacks are random and may start and stop unpredictably.

Because of these issues, it's important that you use a long complex password for each account (including your Fastmail account) which is not used at any other account.

You can also use two factor authentication to improve your security. Even if someone was somehow able to guess or steal your password, they still can't access your account, since they don't have the other factor. I find the easiest and most flexible method is to use a TOTP authentication tool. You can allow devices you have physical control over to be "trusted devices" so you don't have to use the two factor authentication every time you log in.

For more information on two factor authentication, see:
https://www.fastmail.com/help/account/2fa.html

Bill

xyzzy 27 Nov 2018 07:12 AM

Quote:

Originally Posted by n5bb (Post 608370)
These issues with criminals trying to log into accounts have nothing specifically to do with Fastmail. This affects all accounts which have internet access (such as bank accounts). I have seen these attempts at breaking into my Fastmail accounts in the past, but currently don't see any such attacks in the last couple of weeks. These attacks are random and may start and stop unpredictably.

That's what I figured. I just wanted some confirmation. :)

Thanks.

Quote:

Because of these issues, it's important that you use a long complex password for each account (including your Fastmail account) which is not used at any other account.

I've been using this site to test password strength although I don't know how reliable it is. But for my account password it says "one thousand trillion years" to crack and 446 trillion years to crack the app password.

Quote:

You can also use two factor authentication to improve your security.
- - -
I find the easiest and most flexible method is to use a TOTP authentication tool.

I prefer not to use these.

Grhm 27 Nov 2018 08:23 AM

Quote:

Originally Posted by n5bb (Post 608370)
it's important that you use a long complex password

How long is long?

n5bb 27 Nov 2018 01:12 PM

Quote:

Originally Posted by Grhm (Post 608372)
How long is long?

There is no simple answer to that question, since it depends on the character set and randomness of your choice. See these guidelines:
https://en.wikipedia.org/wiki/Passwo...mon_guidelines

I would suggest a 6 character minimum length if you use random letters and numbers, or 12 characters in other cases. But it depends on how you create your password. For example, passwords such as "pass12345" are easy to guess.

If you use two-factor authentication you are much more secure. Someone would need to both hack your password and get access to your mobile device containing the authentication generator.

Bill

Grhm 27 Nov 2018 11:09 PM

Thank you. That's a really interesting article. I've not come across the term 'information entropy' before, but it is a useful concept.


All times are GMT +9.