EmailDiscussions.com  

FastMail Forum

Old 12 Oct 2006, 06:27 AM   #1
PhilC
Junior Member
 
Join Date: Oct 2006
Posts: 1
Security

Email security for travellers

Hi,

I would like to suggest an important security item for people who access their email from internet cafes or other insecure computers.

This idea developed from a bad experience I had a couple of years ago; I previously used a supposedly very secure email system (Hushmail), but once while I was travelling and accessing my email in internet cafes, I found that somebody had got my passphrase and accessed all my mail.
How? Very simple: the sophisticated, supposedly unbreakable Hushmail system had been defeated by a tiny keylogger program. Laughable, isn't it?

So my point is that, however secure an email system is, it can easily be broken into by some small spyware program.

How to check keyloggers? I thought quite a bit about it, and a few ideas came up:

1) Many banks nowadays, after spending huge amounts of money to find a simple and efficient way to solve the spyware problem, came up with a small security device that constantly produces new passwords. Each user needs two passwords to access his email: the first one is the one chosen by him, the second one is automatically & randomly created by the security device. I don't know how costly it is to set up such a system - it may not be possible for an email provider.

2) Many banks also came up with a similar idea, but cheaper to implement: the bank sends each user a set of 100 passwords of 4 digits each, and each password can be used only once. Again each user needs two passwords: a password chosen by him, and then a second password, which is requested like this: "please enter password No 76".

When the 100 passwords have all been used, the bank sends another 100 4-digit passwords to the user.

3) Optional virtual keyboard with RANDOMLY DISPOSED KEYS: when accessing the web site, it is possible to
a. either just enter one's password "normally", if one is confident that the computer he is using is secure
b. click somewhere on the web page to make a virtual keyboard with randomly disposed keys appear. Then one enters his password by clicking the randomly disposed keys.

For an email provider option 3) might be the easiest one to set up. I would also suggest that, once the password has been entered and the email system is opened, ANOTHER OPTIONAL VIRTUAL KEYBOARD with randomly disposed keys be available to securely type confidential information.
For example, suppose I want to send my credit card number by email to a person also using Fastmail.fm. In principle it is safe to do so if I use secure login (SSL encryption), but if there is a keylogger program on the computer, then the info can be stolen. With this system, a user could therefore type his email using the normal keyboard, but when he wants to enter his credit card number, he can use the virtual keyboard.

Thank you
PhilC is offline   Reply With Quote
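The indexed one-time password list from option 2 above, written out as an added example (not code from the original post or from FastMail). It assumes the sheet is held in server memory; the class and function names are hypothetical. The point it adds is that a number must be burned on any attempt, right or wrong, so an eavesdropped or guessed entry cannot be retried.

```python
import hmac
import secrets

LIST_SIZE = 100   # codes per sheet, as in the post
CODE_DIGITS = 4   # "4 digits each"


def issue_sheet(size=LIST_SIZE, digits=CODE_DIGITS, rng=secrets.SystemRandom()):
    """Generate a fresh sheet of numbered single-use codes, keyed 1..size."""
    return {i: "".join(rng.choice("0123456789") for _ in range(digits))
            for i in range(1, size + 1)}


class OneTimeSheet:
    """Server-side state for one user's sheet of single-use codes."""

    def __init__(self, codes):
        self.codes = dict(codes)   # unused codes, keyed by their printed number
        self.used = set()          # numbers that can never be asked for again

    def next_prompt(self, rng=secrets.SystemRandom()):
        """Pick a random unused number to ask for ("please enter password No 76").
        Returns None when the sheet is exhausted and a new one must be issued."""
        if not self.codes:
            return None
        return rng.choice(sorted(self.codes))

    def check(self, number, entered):
        """Verify the entered code and burn its number. The number is burned even
        on a wrong answer, so a 4-digit code gets exactly one guess: a keylogger
        that captured it, or an attacker cycling through 10^4 values, cannot reuse
        or retry the same slot. Comparison is constant-time."""
        expected = self.codes.pop(number, None)
        self.used.add(number)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), str(entered).encode())

    def exhausted(self):
        return not self.codes
```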

Old 31 Oct 2006, 04:15 AM   #2
mentiro
Member
 
Join Date: Apr 2002
Posts: 37
Good ideas - but I can't imagine any e-mail provider implementing any of these...
mentiro is offline   Reply With Quote
Old 31 Oct 2006, 05:46 PM   #3
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,507
Sending a credit card number in unencrypted email isn't safe. The fact that you access the webmail server using https doesn't mean the email is encrypted. It is sent as clear text, and the recipient might fetch the email using an unencrypted connection in an unsafe environment (internet cafe, infected PC at home etc.)

Some of the login ideas you suggested, or variants of them, have been suggested in the past.

Having a second password that is good only for browsing and not changing anything can be good enough for occasional use in unsafe places. Being able to have several passwords, each associated with a set of permissions, would be better for people that regularly access email from public places. There is one place that I would like to access FastMail from but I don't, since I don't think it is safe enough (tested by installing software. If I can install, then anyone else can, and the computer lab is open to the public).
hadaso is offline   Reply With Quote
Old 31 Oct 2006, 06:11 PM   #4
ewal
Master of the @
 
Join Date: Apr 2002
Location: London, UK
Posts: 1,323
PhilC

Good ideas. I don't think that Fastmail would be in a position to implement or even consider options 1 or 2 due to the complexity and costs involved.

Option 3, or rather a similar method, was proposed and both Rob and Jeremy indicated their interest in implementing something like this. What was proposed is to have a dual password function with users being able to enable the secondary password function (say, just before undertaking a journey) with the default login process being as it is now.

After entry of the primary (default) password, the secondary password would be entered via 3 drop down combo boxes, with the user being prompted to enter selected characters from their secondary password. So, for example, if the secondary password was, say, 'fastmail1', then each time a user wants to log into their system they would click on the relevant places in their password. For example, if the system, via 3 drop down combo boxes, prompts the user for the 2nd, 4th and 9th characters, s/he would select a, t and 1 to gain access to their account. The placements that the system prompts for would be random, so the next time, say, the 1st, 3rd and 7th characters would be prompted for.

It sounds complicated but in practice is very easy to use (and probably to implement as well). It is the system that my bank uses and if one does the maths (26 alpha plus 10 numerical chars multiplied by 3) it would be very difficult for someone with keylogging or screen grabbing software to be able to guess the secondary password. The Fastmail user would have to enter (via the combo boxes) their secondary password several times at the same sitting before anyone could begin to guess what the password may be.

At the request of Rob and Jeremy I sent them screen shots on how this works. I guess it is on a list of 'to-dos' somewhere.

Ed
ewal is offline   Reply With Quote
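The partial-password challenge ewal describes, as an added example that is not code from the original post or from FastMail. It assumes the server holds the secondary password and issues three distinct random positions per login; the function names are hypothetical. Beyond the scheme itself it adds the caveat the last paragraph hints at: a keylogger records each prompt together with its answers, so observed_coverage() shows what fraction of the secondary password a watcher has seen after a given number of logins on the same machine.

```python
import hmac
import secrets


def new_challenge(secret_len, k=3, rng=secrets.SystemRandom()):
    """Pick k distinct 1-based positions, sorted, as the three combo boxes would
    prompt (e.g. [2, 4, 9]). Positions are drawn fresh for every login."""
    if k > secret_len:
        raise ValueError("challenge asks for more positions than the password has")
    return sorted(rng.sample(range(1, secret_len + 1), k))


def verify(secret, positions, answers):
    """Check the characters the user selected against the stored secret.
    Rejects malformed challenges (duplicate or out-of-range positions) and
    compares in constant time so a mismatch does not leak which box was wrong."""
    if len(positions) != len(answers) or len(set(positions)) != len(positions):
        return False
    if any(p < 1 or p > len(secret) for p in positions):
        return False
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), "".join(answers).encode())


def single_login_guesses(alphabet_size=36, k=3):
    """Search space a watcher faces for one login without any observation:
    every k-character answer over the alphabet (36 = 26 letters + 10 digits)."""
    return alphabet_size ** k


def observed_coverage(secret_len, observed_challenges):
    """Fraction of the secondary password exposed once a keylogger has recorded
    these challenges (each a list of prompted positions) and their answers.
    1.0 means every position has been revealed at least once."""
    seen = set()
    for positions in observed_challenges:
        seen.update(positions)
    return len(seen) / secret_len
```

Because coverage climbs with every login typed on the same machine, the scheme only buys time; it does not make a compromised keyboard safe for repeated use.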
Old 1 Nov 2006, 05:42 AM   #5
Si1
Cornerstone of the Community
 
Join Date: Apr 2002
Location: UK
Posts: 590
Quote:
Originally posted by ewal
For example the system, via 3 drop down combo boxes the user is prompted for the 2nd, 4th and 9th characters
This would be my preferred system. It would even be effective with a primary password. It works very well with all my Internet banking services. It's easy to implement, too.
Si1 is offline   Reply With Quote
Old 19 Nov 2006, 12:00 PM   #6
MagicDavid
Senior Member
 
Join Date: Aug 2005
Location: England, UK
Posts: 164
How about this proposal from some time back:

http://www.emaildiscussions.com/...threadid=37205
MagicDavid is offline   Reply With Quote
Old 19 Nov 2006, 01:05 PM   #7
acid
Member
 
Join Date: Jun 2005
Location: USA
Posts: 47
Or as a secondary login you can use a basic picture matrix and select, say, 1 pic out of each of 5 rows of (animals / cars / whatever). The pictures of course being randomized within the row each time.

This could be cookie based so it doesn't have to be done every single time you login, just only after a certain time or when using another computer. Then optionally the cookie can be deleted within the interface (or automatically when secure login is checked).
acid is offline   Reply With Quote
Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy