EmailDiscussions.com  

Old 17 Oct 2024, 11:30 PM   #1
Chet
Junior Member
 
Join Date: Mar 2012
Posts: 5
Hacking attempts - long passwords, 2FA & passkeys

I have had 5x failed logon attempts over the past 2 years. The 15-minute lockout after five tries is great, as is notification of them. I have had 2FA enabled for a very long time, but it is now past time to go to passkeys. Syncing it to other devices is coming, but it would be great if Fastmail could be an early adopter of syncing passkeys to other devices, as I sign on from many devices.
Chet is offline   Reply With Quote

Old 18 Oct 2024, 12:38 AM   #2
trikotret
Member
 
Join Date: Nov 2021
Posts: 97
Quote:
Originally Posted by Chet View Post
I have had 5x failed logon attempts over the past 2 years. The 15-minute lockout after five tries is great, as is notification of them. I have had 2FA enabled for a very long time, but it is now past time to go to passkeys. Syncing it to other devices is coming, but it would be great if Fastmail could be an early adopter of syncing passkeys to other devices, as I sign on from many devices.
I use a FM username that I never give out to login. No one will ever be able to try logging in unless it's an inside job.
trikotret is offline   Reply With Quote
Old 18 Oct 2024, 10:39 PM   #3
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,866
Quote:
I use a FM username that I never give out to login. No one will ever be able to try logging in unless it's an inside job.
The biggest threat to all of us is a phishing attack that tricks you into entering your username and password into a fake login page. 2FA should prevent that attack from being successful, but there are also ways that hackers can get around that too.
TenFour is offline   Reply With Quote
Old 19 Oct 2024, 01:30 AM   #4
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 322
Quote:
Originally Posted by TenFour View Post
The biggest threat to all of us is a phishing attack that tricks you into entering your username and password into a fake login page. 2FA should prevent that attack from being successful, but there are also ways that hackers can get around that too.
2FA doesn't prevent that because the second factor typically goes through the fake website too. This is the reason that passkeys are being pushed at the moment.
SideshowBob is offline   Reply With Quote
Old 2 Nov 2024, 12:07 PM   #5
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 219
Quote:
Originally Posted by trikotret View Post
I use a FM username that I never give out to login. No one will ever be able to try logging in unless it's an inside job.

I do this as well. A very underrated security feature of FM that more people should learn about.
DumbGuy is offline   Reply With Quote
Old 2 Nov 2024, 11:50 PM   #6
chrisjj
Cornerstone of the Community
 
Join Date: Jul 2003
Posts: 783
Quote:
Originally Posted by trikotret View Post
I use a FM username that I never give out to login. No one will ever be able to try logging in unless it's an inside job.
... or a malware keylogger.
chrisjj is offline   Reply With Quote
Old 3 Nov 2024, 07:44 AM   #7
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 9,017
I do not understand why a dictionary type random search for your login name would not be just as successful as such a search for your password. All someone has to do is to try sending emails to random Fastmail email addresses and when one does not bounce it must be an existing login address. To my knowledge, you can’t turn off accepting emails sent to your login address. The only way to prevent this is to use a very long and unlikely to guess login address. I have some Fastmail accounts with short usernames, but I have very long and hard to guess unique passwords on those accounts.

Bill
n5bb is offline   Reply With Quote
Old 3 Nov 2024, 07:55 AM   #8
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 219
Quote:
Originally Posted by n5bb View Post
The only way to prevent this is to use a very long and unlikely to guess login address.

Yes, that's my situation/strategy. And I have a couple of FM email aliases I do use for sending email, and a few domain names I own and have connected to FM as well, and have many email addresses for those domains.


I get very little spam in general, so I'm able to quick-check the ones I do get and note the destination email addresses being used. In my 15+ years with FM, I've never received spam to my FM-login email address (that I've never used for actual email) because it's sorta long and sorta unique. Fingers-crossed!
DumbGuy is offline   Reply With Quote
Old 3 Nov 2024, 08:16 AM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 9,017
A search indicates that except for Fastmail staff and support messages, I have only sent or received one pair of messages using my main login address. That was an accidental message sent to a friend, who replied to the From address. There could have been random spam messages, but I don’t remember them and in any case didn’t save any such emails.

Bill
n5bb is offline   Reply With Quote
Old 4 Nov 2024, 02:52 AM   #10
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 750
Quote:
Originally Posted by Chet View Post
Syncing it to other devices is coming, but it would be great if Fastmail could be an early adopter of syncing passkeys to other devices, as I sign on from many devices.
Could you elaborate on what you mean by this? I don't see why Fastmail would have anything to do with the syncing of passkeys among your devices.
placebo is offline   Reply With Quote
Old 4 Nov 2024, 03:25 AM   #11
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 322
Bear in mind that passwords need to be long to be secure against an offline attack, but in that case the length of the username is irrelevant. Online attacks against passwords are impractical for all but the simplest cases. No one is getting into your account that way unless there has been reuse from another site.

The chief thing with usernames is to pick one that hasn't been reused; it doesn't have to be particularly long or complex - my username is a simple dictionary word and I've never seen any spam on it.
SideshowBob is offline   Reply With Quote
Old 4 Nov 2024, 05:20 AM   #12
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,866
Back to the OP's original question.
Quote:
Syncing it to other devices is coming, but it would be great if Fastmail could be an early adopter of syncing passkeys to other devices, as I sign on from many devices.
Doesn't the "syncing to other devices" happen in your password manager, not within FM or other applications? And, isn't that being done already with major password managers?
Google says this about passkeys:
Quote:
Passkeys are also created and stored on your devices and are not sent to websites or apps. If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account.
https://security.googleblog.com/2023...than-ever.html
TenFour is offline   Reply With Quote
All times are GMT +9. The time now is 02:57 AM.

 
