|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
17 Oct 2024, 11:30 PM | #1 |
Junior Member
Join Date: Mar 2012
Posts: 5
|
Hacking attempts - long passwords, 2FA & passkeys
I have had 5x failed logon attempts over the past 2 years. The 15 minute lockout after five tries is great as is notification of them. I have had 2FA enabled for a very long time, but it is now past time to go to passkeys. Syncing it to other devices is coming but it would be great if Fastmail could be an early adopter of syncing passkeys to other devices as I sign on from many devices.
|
18 Oct 2024, 12:38 AM | #2 | |
Member
Join Date: Nov 2021
Posts: 97
|
Quote:
|
|
18 Oct 2024, 10:39 PM | #3 | |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,866
|
Quote:
|
|
19 Oct 2024, 01:30 AM | #4 |
Essential Contributor
Join Date: Jan 2017
Posts: 322
|
2FA doesn't prevent that because the second factor typically goes through the fake website too. This is the reason that passkeys are being pushed at the moment.
|
2 Nov 2024, 12:07 PM | #5 |
Essential Contributor
Join Date: Oct 2008
Posts: 219
|
|
2 Nov 2024, 11:50 PM | #6 |
Cornerstone of the Community
Join Date: Jul 2003
Posts: 783
|
|
3 Nov 2024, 07:44 AM | #7 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 9,017
|
I do not understand why a dictionary type random search for your login name would not be just as successful as such a search for your password. All someone has to do is to try sending emails to random Fastmail email addresses and when one does not bounce it must be an existing login address. To my knowledge, you can’t turn off accepting emails sent to your login address. The only way to prevent this is to use a very long and unlikely to guess login address. I have some Fastmail accounts with short usernames, but I have very long and hard to guess unique passwords on those accounts.
Bill |
3 Nov 2024, 07:55 AM | #8 | |
Essential Contributor
Join Date: Oct 2008
Posts: 219
|
Quote:
Yes, that's my situation/strategy. And I have a couple of FM email aliases I do use for sending email, and a few domain names I own and have connected to FM as well, and have many email addresses for those domains. I get very little spam in general, so I'm able to quick-check the ones I do get and note the destination email addresses being used. In my 15+ years with FM, I've never received spam to my FM-login email address (that I've never used for actual email) because it's sorta long and sorta unique. Fingers-crossed! |
|
3 Nov 2024, 08:16 AM | #9 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 9,017
|
A search indicates that except for Fastmail staff and support messages, I have only sent or received one pair of messages using my main login address. That was an accidental message sent to a friend, who replied to the From address. There could have been random spam messages, but I don’t remember them and in any case didn’t save any such emails.
Bill |
4 Nov 2024, 02:52 AM | #10 |
Cornerstone of the Community
Join Date: Jun 2004
Posts: 750
|
Could you elaborate on what you mean by this? I don't see why Fastmail would have anything to do with the syncing of passkeys among your devices.
|
4 Nov 2024, 03:25 AM | #11 |
Essential Contributor
Join Date: Jan 2017
Posts: 322
|
Bear in mind that passwords need to be long to be secure against an offline attack, but in that case the length of the username is irrelevant. Online attacks against passwords are impractical for all but the simplest cases. No one is getting into your account that way unless there has been reuse from another site.
The chief thing with usernames is to pick one that hasn't been reused; it doesn't have to be particularly long or complex - my username is a simple dictionary word and I've never seen any spam on it. |
4 Nov 2024, 05:20 AM | #12 | ||
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,866
|
Back to the OP's original question.
Quote:
Google says this about passkeys: Quote:
|
||