A must read

[thompson42]

Please make two factor authentication a priority.

Please don't limit it to webmail. We IMAP users want it too. I understand you may wish to roll it out in stages, but don't forget us!

[tomhab]

Quote:

Originally Posted by thompson42

Please don't limit it to webmail. We IMAP users want it too. I understand you may wish to roll it out in stages, but don't forget us!

How would you get 2FA to work with IMAP? You can't expect to have to type in something from a dongle into your iPhone every time you check your mail... Let's be realistic about what Runbox can and can't do.

Google uses 2FA for web logins, but not IMAP. They'll assign each device its own long (~30 character), random and complex password that can be cancelled from the web login at any time. Also you could restrict access for the password (only has access to the IMAP, not webmail, nor FTP). That could be a solution that runbox could implement, but you can't consider it to match 2FA...

[dbowdley]

I was going to reply saying what tomhab said but I was beaten to it

IMAP, SMTP and POP do not support 2FA. The Google method is plausible for Runbox, but that remains to be decided.

The vast majority of compromised accounts that we get are due to very poor passwords that could be easily guessed by a computer running a dictionary attack. The next most common reason is poor computer hygiene with regards to malware and viruses, and using computers on public wifi without using encryption.

I can't remember the last time I saw an account compromised that had a good password. Using a username that is not part of your Runbox address is also effective (i.e. use an alias as your public email address).

2FA really only provides security when the username and password are compromised, and can be a significant inconvenience to the user (as some people have pointed out elsewhere on this forum). Of course, when it does come in to play, we are all glad that 2FA was there for us.

[FredOnline]

Quote:

Originally Posted by dbowdley

The vast majority of compromised accounts that we get are due to very poor passwords that could be easily guessed by a computer running a dictionary attack. The next most common reason is poor computer hygiene with regards to malware and viruses, and using computers on public wifi without using encryption.

I can't remember the last time I saw an account compromised that had a good password. Using a username that is not part of your Runbox address is also effective (i.e. use an alias as your public email address).

In the real world, people do have poor passwords/computer hygiene etc.

That's why it's so important to me to have 2FA implemented in Runbox webmail asap.

Yes, please - 2FA on webmail FIRST - then think about IMAP, etc.

I have multiple accounts with Runbox - and other providers that do currently offer 2FA.

I sincerely like the Runbox product, but would have to seriously consider my loyalty when time comes to renew accounts.

And if you want any beta testers for 2FA, do PM me - and soon?

[emebrs]

Quote:

Originally Posted by dbowdley

I can't remember the last time I saw an account compromised that had a good password.

Common sense protects all the mails!!!

[dbowdley]

Quote:

Originally Posted by emebrs

Common sense protects all the mails!!!

Of course

Going off topic a little, but one issue is getting people to understand what makes a good password.

Whilst this is a strong password, 3TytYOBOh2zAo1u the one featured in this XKCD cartoon is arguably better http://xkcd.com/936/ and easier to remember.

However, it isn't immediately obvious to everyone why these are secure, and both are secure for slightly different reasons.

As mentioned before, 2FA protects against a different issue as well, that your password is compromised by malware on your computer, or some kind of hacking. That in itself is a reason why us implementing 2FA is important.

[emebrs]

Quote:

Originally Posted by dbowdley

I can't remember the last time I saw an account compromised that had a good password.

I wonder if Runbox users tend not to access from public libraries and unsafe Windows XP machines.

[jl66]

We must know that sooner or later we could get malware in our computers, and today it´s easier than ever, even browsing some websites. So even with a good password our email can be compromised. We need 2FA asap.