We’ve previously mentioned the importance of having a secure password for your FastMail account. Let’s have a closer look at keeping your passwords safe online.
Passwords are everywhere. From something as relatively trivial as your shopping loyalty cards, through online shopping services, up to highly sensitive accounts with your bank, domain registration or email account.
Passwords get reused. There are so many places which require passwords and much as we’d like to have one highly secure password per site (even with the help of a password manager), the reality is that we all use the same password in more than one place.
Why is this bad? If one website is hacked and a database of passwords and matching email usernames is obtained by an attacker, then it’s likely that the same username and password combination will work on other websites.
If your Pokemon Go account username and password is discovered, you might shed a tear for all those Pokemon you’ve collected. But you might not realise that an attacker will continue to try your username and password against other commonly used websites such as eBay, PayPal, banks, and email services.
Email passwords are critical (mostly). You will have at least one email account that forms your online identity. It is a gateway to every other service. If an attacker has access to your email account, they can request password resets on websites as if they were you. This lets the attacker hijack your other accounts and lock you out.
We say ‘mostly’, because not all email accounts are equal. You may have a disposable email account registered to let you post funny cat pictures on the internet. If this is compromised, no problem. Our focus on email password security is for the email accounts that hold information you care about, or are tied to sites you rely on.
Help me, FastMail: you’re my only hope. If you can’t reuse a password but there are too many passwords to remember them all, what’s to be done? Two-step verification to the rescue! Two-step verification (also known as two-factor authentication or 2FA) protects your password because your password alone can’t be used to log in: you need a second piece of information, which is usually something physical you carry with you. This can be either a security key that plugs into your computer, or a code generated by an app on your phone.
Even if an attacker guesses your password, or obtains it from another site, they still can’t log in to an account protected by two-step verification because they don’t have the second piece of information!
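To make the "second piece of information" concrete, here is an added example (not code from this FastMail post or FastMail’s own login system) showing how an app-generated code is produced and checked with the standard TOTP algorithm (RFC 6238) most authenticator apps use, and why a password on its own fails the login. The user record, the salt and the enrolled secret are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step used by most authenticator apps
DIGITS = 6
DEMO_SECRET = b"12345678901234567890"  # the RFC 6238 test secret, used here as a constructed enrolment


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, at=None, window: int = 1) -> bool:
    """Accept the current step or one step either side, to tolerate phone clock drift."""
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step).encode(), submitted.encode())
               for step in range(counter - window, counter + window + 1))


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    salt = b"constructed-salt"  # demo value; a real system uses a random per-user salt
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, at=None) -> bool:
    """Both factors must pass: a password leaked from another site is useless without the secret."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    password_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    return password_ok and verify_totp(user["totp_secret"], code, at=at)


if __name__ == "__main__":
    user = make_user("correct horse", DEMO_SECRET)
    print("password + app code:", login(user, "correct horse", totp(DEMO_SECRET)))   # True
    print("password + guessed code:", login(user, "correct horse", "000000"))  # False (barring a 3-in-a-million guess)
```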
FastMail’s security system. We want you to keep your account safe. But we also want to make it easy for you to protect your account.
I don’t think I need two-step verification. You might think you don’t need to bother with 2FA if you only ever access your email from a desktop client like Mail on Mac OS X or Outlook on Windows. Just remember: attackers will be using the web login to try to gain access to your account. You still want to lock up your password with 2FA. (It’s no use locking up the side door to your house if your front door is left unlocked!)
Interested in a brief history of passwords? Our lovely Rob N gave a talk this year at CompCon Australia 2016, covering such topics as: "Passwords are terrible", and "Passwords have always been terrible"; "Keeping passwords secret" and finally "Making passwords useless".
Got any security questions or recommendations? Tweet us @FastMail using the hashtag #securitymatters.