EmailDiscussions.com  

Old 24 Jul 2016, 06:29 PM   #91
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
There is a good article on Wikipedia about password strength: https://en.wikipedia.org/wiki/Password_strength

I always use random 14 char case sensitive alphanumeric.
rharha is offline   Reply With Quote
Old 24 Jul 2016, 06:39 PM   #92
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 3,013
Quote:
Originally Posted by BritTim View Post
This whole thread confirms something I have believed for some time now. Fastmail staff are smart, but many of them also believe they know user requirements without any consultation. This leads to user dissatisfaction when features are removed or changed without any prior discussion. Fastmail was not always like this. One of the things that attracted me to the service in the Jeremy Howard era was its recognition of the value of partnering with its users rather than dictating what they should have.
I really enjoyed the old days, now I have a UI that is so different and to be honest I can't stand it, but I use it because of other features.

I really need to find something that I would enjoy using, but my stumbling block is sieve script, as not many companies offer it and if they do you can't manually adjust it.

Fastmail has become another Gmail....with a few extra bells and whistles
Terry is offline   Reply With Quote
Old 24 Jul 2016, 06:49 PM   #93
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by rharha View Post
There is a good article on Wikipedia about password strength: https://en.wikipedia.org/wiki/Password_strength

I always use random 14 char case sensitive alphanumeric.
Doesn't sound very memorable to me.
Isn't the 1st factor supposed to be something you can easily recall?
gardenweed is offline   Reply With Quote
Old 24 Jul 2016, 06:55 PM   #94
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
Quote:
Originally Posted by gardenweed View Post
Doesn't sound very memorable to me.
Isn't the 1st factor supposed to be something you can easily recall?
It isn't very memorable. I keep all pws in a password manager, backed up in multiple locations on- and offline, and only remember the pw to unlock that one (18 char random case sensitive alphanumeric). Also have that password printed out, though. You never know...
rharha is offline   Reply With Quote
Old 24 Jul 2016, 07:02 PM   #95
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by rharha View Post
Of course it doesn't stop attempts but attempts will likely remain attempts. A phisher can only get your pw but not your phone.
That's assuming one has the 2FA enabled, of course.

But how many users don't or won't?

Quite a few I'll wager.
FredOnline is offline   Reply With Quote
Old 24 Jul 2016, 07:12 PM   #96
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 3,013
75%-80% won't?
Terry is offline   Reply With Quote
Old 24 Jul 2016, 08:38 PM   #97
glass
Member
 
Join Date: Dec 2013
Posts: 54
Quote:
Originally Posted by nighthawk700 View Post
(and it looks like the new security features won't work for me anyway... in my workplace I can't bring in a cell phone, nor insert a USB device. The parking lot is too far to run in and jump on my computer in the 60 second or so window discussed.)

Back to the drawing board. PROGRESS!! ;-)
This is my problem too. I currently use an OTP list, but that's going to stop working in about 24 hours.

As far as I can tell, the only way around this is to change the master password to something memorable and remove 2FA.

If I'm going to have to do that anyway I might try and essentially "fake" 2FA, by having half of my password memorable and half of it complex and random, and have the complex part written on a piece of paper. That's something I know (the memorable part of the password) and something I have (the printed piece of paper). Real 2FA usually doesn't produce codes that can be reused like this can though.
glass is offline   Reply With Quote
Old 24 Jul 2016, 11:18 PM   #98
Glendon CDN
Member
 
Join Date: Feb 2004
Location: Markham, ON Canada
Posts: 80
Time Zone?

I can't wait for the howls of outrage when the change comes into effect on Jul 24; Jul 25 in Australia! Or will it?

But if it in any way reduces the number of complaints about the demise of the "classic" web interface it will be worth the minor inconvenience. Though there seem to be some who still lament the demise of Windows 3 in light of the dangfangled Windsor'95.

It's technology, folks - expect changes and adapt. FWIW, the changes seem eminently reasonable and are not all that difficult to comprehend. I got notices via Twitter, email and the blog [which appears in my newsreader] and it's clear I don't NEED to do anything for at least a month.
Glendon CDN is offline   Reply With Quote
Old 25 Jul 2016, 04:31 AM   #99
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
Quote:
Originally Posted by nighthawk700 View Post
Well, this will kill the reason I got my kids Fastmail accounts in a family account. I set up filters in their accounts so I get a copy of every email they send and receive so I can monitor their usage, then give them the restrictive password while I keep the master so they can't monkey around with the filters. I chose to do that rather than one of the "kids email services" since it seemed to be about the same functionality at a better cost and hey, they get to use my email domain name too. Sounds like after Aug I'll have to give them the master password to the account, and will have to trust they won't monkey around with the filters. (they are pretty bright about things like that).

(and it looks like the new security features won't work for me anyway... in my workplace I can't bring in a cell phone, nor insert a USB device. The parking lot is too far to run in and jump on my computer in the 60 second or so window discussed.)

Back to the drawing board. PROGRESS!! ;-)
Re: Kid's accounts -- I have something similar set up, but recognize that any smart kid can get around whatever limitations I set up -- not to mention, easily figure out a way to set up a Gmail account, thus blowing up any supervision I can have... so while I do have filters set up to forward email like you, as admin in a family account, I can always go into their account if needed and see what's going on. Yes, they could disable filters, send emails, delete evidence, re-enable filters... so they can get around this, but there's also an element of trust. I hope my relationship with them isn't distilled down to a game of trying to catch them. If that's the case, I think I'd have bigger issues at play. If they really want to get around my protections for them, they'll figure out a way anyway. So my focus is building a strong relationship with them, while still having a decent level of parental access if needed. Theoretically, if you had to have total retention, you could upgrade the whole family to a business account and use their tamper-proof business email retention service...

Re: office limitations of this new 2FA, technically, there is a way around your situation, which would be to use the old-style Yubikey, which doesn't have an expiration on the code... the issued authentication code technically only expires once the next code is issued. So you could use the old Yubikey method out in your car... then copy that manually once you get into your office... it would be a big hassle since it's a long code to copy down, but at least it would be feasible.
ioneja is offline   Reply With Quote
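The difference between a code that "only expires once the next code is issued" and one with a 60-second-or-so window, as an added example that is not part of any post in this thread and not Fastmail's or Yubico's code. It uses standard HOTP (RFC 4226) as a stand-in for a counter-based token (the Yubico OTP format itself is different) and TOTP (RFC 6238) for the time-based case; `CounterVerifier`, `verify_totp`, `demo`, the look-ahead of 5 and the drift of 1 step are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test secret, not a real key


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


class CounterVerifier:
    """Server side for counter-based codes; no clock is consulted."""

    def __init__(self, secret, look_ahead=5):
        self.secret, self.next_counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this code and all older ones are dead
                return True
        return False


def verify_totp(secret, code, now, step=30, drift=1):
    """Accept the current time step plus or minus `drift` steps of clock skew."""
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in range(-drift, drift + 1))


def demo():
    issued_at = 59  # constructed timestamp at which the time-based code is read
    time_code = totp(SECRET, issued_at)
    server = CounterVerifier(SECRET)
    return {
        "totp_20s_later": verify_totp(SECRET, time_code, issued_at + 20),
        "totp_10min_later": verify_totp(SECRET, time_code, issued_at + 600),
        "counter_code_1": server.verify(hotp(SECRET, 1)),
        "counter_code_0_afterwards": server.verify(hotp(SECRET, 0)),
    }
```

Calling `demo()` shows the trade-off: a written-down counter-based code survives any delay until a newer one is accepted, which also means a copied code stays usable by whoever holds the paper until then.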
Old 25 Jul 2016, 07:52 AM   #100
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by robn View Post
No. We're wearing the cost on this one. Being locked out of your account because you didn't have any SMS credit would not be cool.
I just tried setting up a 2F p/w with base + SMS.
When I tried to login I entered the base password.
The response was :
"ERROR sending SMS: Insufficient credits to send SMS"

So when using SMS for 2F, do we need to pay for these?

Edit - meh

Last edited by gardenweed : 25 Jul 2016 at 07:57 AM. Reason: more info
gardenweed is offline   Reply With Quote
Old 25 Jul 2016, 08:02 AM   #101
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by robn View Post
Ok, here's my attempt to clarify everything. This is all in the new documentation and you'll be guided through it in the UI, so no need to memorise this.

You have a "master" password. Just one. It's what you use to access your account via the web. It's a "full access" login (there's no such thing as "restricted" logins anymore, except during the transition period where existing "Alternative Logins" continue to work. I've written more about restricted logins below).

From the web interface, you can access the new "Password & Security" screen. This asks for your password before you can make any changes (the "master" password - you only have one).

Here, you can, if you choose, add and verify a recovery method - either an email address or SMS number. This will be used to help you recover your account should you ever lose access to it (lost password and/or second factors).
Has this gone live?
I'm not seeing any option to add SMS as a recovery method?
gardenweed is offline   Reply With Quote
Old 25 Jul 2016, 08:11 AM   #102
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 3,013
It's there, just click a little box alternative log ins it takes you to another page....

Perhaps it's not set up yet as I thought we were getting alternative logins and our current ones would not work.
Terry is offline   Reply With Quote
Old 25 Jul 2016, 08:29 AM   #103
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by Terry View Post
It's there, just click a little box alternative log ins it takes you to another page....

Perhaps it's not set up yet as I thought we were getting alternative logins and our current ones would not work.
No. That's for Alternative logins, not Recovery.

Read Rob's post again for yourself.
It says:
Quote:
"From the web interface, you can access the new "Password & Security" screen. This asks for your password before you can make any changes (the "master" password - you only have one).

Here, you can, if you choose, add and verify a recovery method - either an email address or SMS number. This will be used to help you recover your account should you ever lose access to it (lost password and/or second factors)."
Then try it for yourself.
It doesn't work as described.
When you log into the Security section, where Rob says "Here, you can, if you choose, add and verify a recovery method - either an email address or SMS number".
In that screen, there is only the option to add an email address - there is no option to add a number for Recovery assistance via SMS.

In the next screen that you describe - which is for Alternative Logins - there is a field for entering a phone number for 2F SMS.
This is not Recovery, this is 2F login. Different things.
gardenweed is offline   Reply With Quote
Old 25 Jul 2016, 08:39 AM   #104
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
It's not live yet. We're looking to start in around six hours, doing it late night US time ready for Monday morning.
robn is offline   Reply With Quote
Old 25 Jul 2016, 09:01 AM   #105
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 3,013
Quote:
Originally Posted by gardenweed View Post
No. That's for Alternative logins, not Recovery.

In the next screen that you describe - which is for Alternative Logins - there is a field for entering a phone number for 2F SMS.
This is not Recovery, this is 2F login. Different things.
Oh Ok.....sorry I don't go in that section much so I don't really know what's new, I just thought you had missed the little button....

Anyway it's not live yet.
Terry is offline   Reply With Quote
All times are GMT +9.