EmailDiscussions.com  

4 Dec 2013, 04:41 PM   #1
Lesslame
Junior Member
 
Join Date: Aug 2007
Posts: 9
Security in family accounts

hi,

If a normal user has "admin rights" for the family account, i.e. he is able to manage the masteruser_account from his own account, this normal user can actually reset the password for the masteruser-account --> effectively taking over the complete family with all email accounts! I tried to avoid this by making the masteruser_account "private", but that seems to be broken? I tried different ways but it seems impossible to make the masteruser "private". Even if it would work: I am afraid the "reset password" option would still be available...?

For a while I tried to get around this problem by using alternative logins with restricted access for my normal user, but then I cannot delete attachments from emails (which I do regularly), so that is not an option for me. If I log into my normal user with an alternative login with full access, I can manage the family and the security problem mentioned above is real.

The only workaround right now: I decided to remove "admin rights" from all normal accounts, now I can only "manage" the family by explicitly logging in with my masteruser-account (and I am using an alternative login with full access here as well to protect my real (very complicated) masteruser_password).

Basically this means that the "admin rights" feature, which allows normal users to manage the family, is too dangerous to use.

Or am I missing something?

4 Dec 2013, 11:55 PM   #2
cyberpear
Member
 
Join Date: Nov 2012
Posts: 40
I completely agree with your assessment. The "admin rights" feature is too dangerous to use.

Making an account "private" only means that an admin can't see what is inside that account or change its settings without first changing the password and logging into the account as the user.

9 Dec 2013, 03:16 PM   #3
Lesslame
Junior Member
 
Join Date: Aug 2007
Posts: 9

But it should be easy to fix:
Fastmail should remove the possibility to "reset password" for those users that arrive via "admin rights"! Either remove it only for the superuser-account (still somewhat dangerous) or remove it for all accounts.
At least in my family account I need to reset passwords only once a year on average, so this would be a big improvement and allow me to use the "admin rights" feature again.
I guess the security problem is the same in business packages?
Cheers,
Lesslame
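
The takeover path discussed in this thread and the two fixes proposed in post #3, as an added Python model (not FastMail's code and not written by any poster). The account names, the `admin_rights` and `private` fields and the three policy names are assumptions made for illustration; the thread does not describe FastMail's actual implementation.

```python
from enum import Enum

class ResetPolicy(Enum):          # hypothetical policy names, not FastMail settings
    CURRENT = 1                   # admin rights allow resetting any password (post #1)
    PROTECT_MASTER = 2            # post #3, option 1: master account exempt
    NO_DELEGATED_RESET = 3        # post #3, option 2: no resets via admin rights

# Constructed sample family. "private" is carried only to show it plays no part
# in the reset decision, matching the behaviour described in post #2.
FAMILY = {
    "master": {"master": True,  "admin_rights": True,  "private": True},
    "alice":  {"master": False, "admin_rights": True,  "private": False},
    "bob":    {"master": False, "admin_rights": False, "private": False},
    "carol":  {"master": False, "admin_rights": False, "private": True},
}

def may_reset(actor, target, accounts, policy):
    """True if `actor` can reset the password of `target` under `policy`."""
    a, t = accounts[actor], accounts[target]
    if a["master"]:
        return True                       # the master user always manages the family
    if not a["admin_rights"]:
        return False
    if policy is ResetPolicy.CURRENT:
        return True
    if policy is ResetPolicy.PROTECT_MASTER:
        return not t["master"]
    return False                          # NO_DELEGATED_RESET

def takeover_set(start, accounts, policy):
    """Accounts `start` can end up controlling by chaining password resets."""
    controlled, frontier = {start}, [start]
    while frontier:
        actor = frontier.pop()
        for target in accounts:
            if target not in controlled and may_reset(actor, target, accounts, policy):
                controlled.add(target)
                frontier.append(target)
    return controlled

if __name__ == "__main__":
    for policy in ResetPolicy:
        print(policy.name, sorted(takeover_set("alice", FAMILY, policy)))
```

Running the same function over a real role export is a quick way to audit any delegated-admin scheme: any non-master account whose takeover set contains the master account is a privilege-escalation path.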
All times are GMT +9. The time now is 08:00 AM.