EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum

FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
Old 8 Aug 2016, 10:43 AM   #241
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Quote:
Originally Posted by NumberSix:
The idea of using my master password with my 2FA token on a daily basis makes me very uncomfortable. To begin with, it means I will change it to be much shorter, because I don't want to type something long and complex each time I log in.

For me, having a short p/w to use with the token, and a very long, complex master p/w, which can be used alone, which I've memorized, and which is only used for settings changes and the rare case when I've gone to work forgetting my token at home, is the ideal way to organize my security.
Well said. Definitely agree here.
Old 9 Aug 2016, 09:03 AM   #242
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by BritTim:
......
  • Being security conscious, I require 2-factor authentication for web log ins. This protects me well when an attacker is kind enough not to use IMAP.
  • My master password is compromised (not too surprising when I am required to use it everywhere on a daily basis).
  • An attacker can now just set up an IMAP connection using mail.messagingengine.com and my master password with no second factor required for access.
Once 2FA has been selected on an account, this is not possible is it - logging in via IMAP using only the master p/w?

Quote:
One solution to this would be to insist that application passwords always be used by everyone for IMAP access.
Isn't this the current (new) situation once 2FA has been selected on an account?
If you want to set up an IMAP client you will need an App password.
E.g. I tested this trying to set up an account in Thunderbird, but I could not log in using only my master p/w. I had to create an App p/w.
Old 9 Aug 2016, 10:22 AM   #243
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by gardenweed:
Once 2FA has been selected on an account, this is not possible is it - logging in via IMAP using only the master p/w?
That's right. If 2FA is enabled, all uses of your master password for login will require a second factor, and since you can't provide a second factor via non-web logins, you can only use it with web logins.
Old 20 Aug 2016, 11:05 PM   #244
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Found this post on Facebook

Posted by Matt Garlinghouse on July 23rd this year:

One of your support representatives changed my password recovery email this morning at the request of a stranger. That stranger then changed my password and immediately began using my email as an attack vector. (and presumably mine my email history for other opportunities). I can see from their ticket that it took them only 36 minutes to change my password, but now after an hour, I'm "waiting for support to take" the ticket.

FM replied the next day:

I have responded to your support ticket.

Worrying that this should happen, but FM's rather blunt response to the post doesn't seem very friendly.

Hopefully this guy got his account back safe and sound.

Edit:

Amended Matt Garlinghouse link.

Here's a link to a screencap from FM's Facebook page, to the post quoted:

https://s4.postimg.org/bfgidr2kd/Clipboard01.png

Last edited by FredOnline : 20 Aug 2016 at 11:19 PM. Reason: Amended Matt Garlinghouse link and added link to screencap
Old 28 Aug 2016, 12:12 PM   #245
Prognathous
Master of the @
 
Join Date: Aug 2002
Location: Israel
Posts: 1,060
Quote:
Originally Posted by amoebob:
I have a strong master password that I only type into a trusted computer. From less trusted computers, I login to the website using an alternative password with second-factor that provides only limited account access.

After August, how do I login from untrusted computers without having to type my master password and without full access? The blog mentions alternative passwords for apps and protocols but not how I can obtain limited user access to the web interface.

Isn't this sounding less secure for web users?
Quote:
Originally Posted by nighthawk700:
Well, this will kill the reason I got my kids Fastmail accounts in a family account. I set up filters in their accounts so I get a copy of every email they send and receive so I can monitor their usage, then give them the restrictive password while I keep the master so they can't monkey around with the filters. I chose to do that rather than one of the "kids email services" since it seemed to be about the same functionality at a better cost and hey, they get to use my email domain name too. Sounds like after Aug I'll have to give them the master password to the account, and will have to trust they won't monkey around with the filters. (they are pretty bright about things like that).

(and it looks like the new security features won't work for me anyway... in my workplace I can't bring in a cell phone, nor insert a USB device. The parking lot is too far to run in and jump on my computer in the 60 second or so window discussed.)

Back to the drawing board. PROGRESS!! ;-)
Both are very valid use cases for restricted logins. Have you guys found an alternative solution?
Old 29 Aug 2016, 07:30 AM   #246
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Remote log out?

App specific password is set, IMAP-only scope.

From Password & Security screen / App Passwords section:

If you ever lose your device, you can come back here to immediately remove access.

But, after I removed the specific app password, an active IMAP connection remained active, receiving new mail, until logged out on the device.

Server had been updated to imap.fastmail.com.

Is this intended behavior?
Old 29 Aug 2016, 07:33 AM   #247
JamesHenderson
Cornerstone of the Community
 
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
Quote:
Originally Posted by pjwalsh:
App specific password is set, IMAP-only scope.

From Password & Security screen / App passwords:

If you ever lose your device, you can come back here to immediately remove access.

But, after I removed the specific app password, an active IMAP connection remained active, receiving new mail, until logged out on the device.

Server had been updated to imap.fastmail.com.

Is this intended behavior?

...I hope not. Have you raised a support ticket?
Old 30 Aug 2016, 03:00 AM   #248
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by pjwalsh:
App specific password is set, IMAP-only scope.

From Password & Security screen / App Passwords section:

If you ever lose your device, you can come back here to immediately remove access.

But, after I removed the specific app password, an active IMAP connection remained active, receiving new mail, until logged out on the device.
Per Neil, fixed this morning. Tested; works now.
Old 30 Aug 2016, 04:02 AM   #249
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
You would think (and hope) that major bugs like this (to do with account access) would be discovered before they were released (during beta testing) .....
Old 30 Aug 2016, 07:48 AM   #250
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by robn:
That's right. If 2FA is enabled, all uses of your master password for login will require a second factor..
I changed my account password, enabled 2FA, and set up app-specific passwords for all my clients. But I can still log into the website with a restricted password, without being prompted for a 2FA factor.

Possibly that ability will remain until I either remove the restricted password or FM disables all alternative logins, but I was surprised.

Last edited by pjwalsh : 30 Aug 2016 at 09:03 AM.
Old 30 Aug 2016, 09:26 AM   #251
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by pjwalsh:
Possibly that ability will remain until I either remove the restricted password or FM disables all alternative logins, but I was surprised.
Yes, both these cases. We don't remove or disable the old altlogins because we have no way of knowing if they're still being used somewhere.

If you're done with your altlogins, delete them.

Last edited by robn : 30 Aug 2016 at 09:33 AM.
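As an added example (not FastMail's code, and not posted by anyone in this thread), the following Python model captures the rules robn describes above and in post #243, together with the revocation behaviour pjwalsh tested in #246-#248: once two-step verification is on, the master password is usable only on web logins and only with a second factor; app passwords are scoped to particular protocols; legacy alternative logins keep working, with no second factor, until the owner deletes them; and a live session is re-checked against its backing credential on every request, so revoking an app password ends an open IMAP connection instead of only blocking the next login. The second factor is assumed to be an RFC 6238 TOTP code, and the account layout, credential ids such as "app-1" and the protocol names are hypothetical, not FastMail's.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def _eq(a, b):
    """Constant-time string comparison (does not leak where a guess diverges)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class AppPassword:
    secret: str
    scopes: frozenset          # protocols this password may be used on, e.g. {"imap"}
    revoked: bool = False


@dataclass
class Account:
    """Hypothetical account record; not FastMail's data model."""
    master_password: str
    totp_secret: bytes = b""   # non-empty means two-step verification is on (assumed TOTP)
    app_passwords: dict = field(default_factory=dict)   # "app-N" -> AppPassword
    alt_logins: dict = field(default_factory=dict)      # "alt-N" -> legacy password

    @property
    def two_factor_enabled(self):
        return bool(self.totp_secret)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a Unix timestamp."""
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, at_time, skew=1):
    """Accept the current 30-second step and `skew` steps either side."""
    return any(_eq(totp(secret, at_time + d * 30), code) for d in range(-skew, skew + 1))


def authenticate(account, password, protocol, second_factor=None, at_time=0):
    """Decide one login attempt. Returns (allowed, reason, credential_id)."""
    if _eq(password, account.master_password):
        if not account.two_factor_enabled:
            return True, "master password, 2FA off", "master"
        if protocol != "web":
            # IMAP/SMTP/CalDAV clients cannot present a second factor, so the
            # master password is simply unusable there once 2FA is on.
            return False, "master password needs a second factor; not possible on " + protocol, None
        if second_factor is not None and verify_totp(account.totp_secret, second_factor, at_time):
            return True, "master password + second factor", "master"
        return False, "second factor missing or wrong", None
    for cid, app in account.app_passwords.items():
        if _eq(password, app.secret):
            if app.revoked:
                return False, "app password revoked", None
            if protocol not in app.scopes:
                return False, "app password not scoped for " + protocol, None
            return True, "app password " + cid, cid
    for cid, secret in account.alt_logins.items():
        if _eq(password, secret):
            # Legacy alternative logins keep working, with no second factor,
            # until the account owner deletes them.
            return True, "legacy alternative login " + cid, cid
    return False, "unknown password", None


@dataclass
class Session:
    credential_id: str
    protocol: str


def session_still_valid(account, session):
    """Re-check the backing credential on every request, so that revoking an
    app password (or deleting an alt login) also ends live sessions instead
    of only refusing new logins."""
    if session.credential_id == "master":
        return True
    app = account.app_passwords.get(session.credential_id)
    if app is not None:
        return not app.revoked and session.protocol in app.scopes
    return session.credential_id in account.alt_logins
```

The `totp` routine reproduces the RFC 6238 Appendix B SHA-1 test vector (secret "12345678901234567890", time 59 gives 94287082, which truncates to 287082 at six digits). `session_still_valid` is the part that was missing in the bug pjwalsh reported: if a server authenticates a connection once and then trusts it for its lifetime, revoking the credential only stops the next login, and a stolen device keeps receiving mail until it disconnects.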
Old 30 Aug 2016, 12:03 PM   #252
dgcom
Junior Member
 
Join Date: Jan 2010
Location: US, New Jersey
Posts: 22
Quote:
Originally Posted by robn:
We don't remove or disable the old altlogins because we have no way of knowing if they're still being used somewhere.
Very strange statement. Of course, you know if alternative logins are being used somewhere - if people log in with them.
If no one is logging in with a particular login for a specified time period, it can be considered for decommission. You just need to establish that period and let every customer know...
Old 30 Aug 2016, 12:24 PM   #253
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by dgcom:
Very strange statement. Of course, you know if alternative logins are being used somewhere - if people log in with them.
If no one is logging in with a particular login for a specified time period, it can be considered for decommission. You just need to establish that period and let every customer know...
No, you don't know if someone printed out an old alternative login as a backup and is relying on it for backup purposes. Perfectly logical. You don't know if people still use it, because most of the time they are only used in an emergency.
Old 30 Aug 2016, 12:31 PM   #254
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by dgcom:
Very strange statement. Of course, you know if alternative logins are being used somewhere - if people log in with them.
If no one is logging in with a particular login for a specified time period, it can be considered for decommission. You just need to establish that period and let every customer know...
Fastmail have done this.

Fastmail sent an email on 22-July with info about Alternative Logins and saying clearly:
Quote:
After 31st August, these alternative logins will also stop working.

Also, Fastmail advised via their Blog that alternative logins will cease to work after 31-Aug (tomorrow).

Quote from Fastmail blog....

Quote:
If you were using our alternative logins system
The new combination of two-step verification and app passwords is replacing alternative logins. You will need to migrate over to the new system by the 31st August, when all remaining alternative logins will be removed.
Old 30 Aug 2016, 12:36 PM   #255
dgcom
Junior Member
 
Join Date: Jan 2010
Location: US, New Jersey
Posts: 22
Quote:
Originally Posted by gardenweed:
Fastmail have done this.
Which makes that statement even stranger... Raises the question about the advice given in the post...
All times are GMT +9.

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.