We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Independent email service - Where to go/how
Comments
-
Jivesinger wrote: »I was more thinking that you could use the phone to change the password by using the password Recovery process..
Gawd, I'd not thought of that as a serious risk: I'd assumed everyone knew that the secondary factor for password reset needs to be kept well away from the account it unlocks, as otherwise all bets are off, but I suspect that might not be obvious (and looking at the Google documentation, they don't make it clear).0 -
I think it's worse than that, as when you sign up for a new account, both Microsoft and GMail ask for a phone number or an alternative email address to verify your account setup and to make your account more secure.securityguy wrote: »Gawd, I'd not thought of that as a serious risk: I'd assumed everyone knew that the secondary factor for password reset needs to be kept well away from the account it unlocks, as otherwise all bets are off, but I suspect that might not be obvious (and looking at the Google documentation, they don't make it clear).
Both sites have arranged the phone number field to appear first on the signup website; and I suspect many people will enter their one-and-only phone number. And then you get encouraged (certainly by Microsoft) to setup 2-step verification on your smartphone.
So many people will have been positively encouraged to have their phone number appearing as an option for password recovery- there doesn't seem to be any control over whether you want a phone number or email to be used. Using an authenticator app won't really help the scenario when a malicious person has a phone which is (somehow) unlocked.0 -
Have you got a source for that claim? I think other free email providers like GMX are pretty good on the security front, but it would be interesting to see some evidence either way.
I'm not sure I'd want to hand over the content of all my emails to Gmail, anyway, given the ubiquitousness of Google's search engine, and the amount of information that Google will already know about you...
The point is gmail is so widespread, why would they be interested in your email specifically over and above their other customers.
See https://twofactorauth.org/ for a source, gmail provides more 2fa options than any other major email provider (and for free). And it is applied across other google services (so they provide more options under many of the other services too).
According to that list gmx don't provide 2FA.
(And of course with iphone you can find/wipe your phone remotely from any computer if you feel it necessary).
There is little that will stop a determined, advanced, persistant attack on a focussed target (e.g. for nation state secrets, commercially sensitive information) - but this stuff is pretty good for general personal use.0 -
Jivesinger wrote: »So many people will have been positively encouraged to have their phone number appearing as an option for password recovery- there doesn't seem to be any control over whether you want a phone number or email to be used. Using an authenticator app won't really help the scenario when a malicious person has a phone which is (somehow) unlocked.
That's nasty. The risk analysis of that isn't straightforward. If the authentication is via an SMS, then if the user notices that their phone has been stolen and kills it with their mobile provider that kills the ability of the attacker to change the password, and as soon as the user arranges to have the number delivered to a new SIM they get the account back. But the attacker can, if they move fast, change the phone number to point to a phone they control, at which point all bets are off.
The very, very careful user will keep a PAYG phone at home whose number has the resets pointed to it. But thinking that through and getting it right is tricky.
However, I suspect that most phone thieves don't attempt to attack the contents, and in any event the PIN stops them. PIN. PIN. PIN.0 -
As others say, use two step verification then as well as guess your account pw a hacker would need to get hold of your phone and guess your pin/pw (Though if you use an iPhone make sure your don't have message previews enabled!).
Also, for account security questions (for pw resets etc), make up answers that a hacker can't find out. Eg you can have town of birth as your security q, but have your answer as a totally different town or even the name of your favourite film etc. it doesn't have to be true, you just need to know it.0 -
Also, set up your smartphone access to your email account using an app password, that way you can delete the app password if you misplace your phone, keeping the primary one secure.0
-
AlecEiffel wrote: »Also, set up your smartphone access to your email account using an app password, that way you can delete the app password if you misplace your phone, keeping the primary one secure.
I've got GMail (business apps and free) and Outlook.com. All have two factor which is a good safety net. Most of the people who have Gmail and Outlook hacked are the ones that use the same password across multiple sites or who get their credentials phished.
I have been tempted to move to hosted exchange but given that you are monitored and recorded wherever you go, if someone really wants your data and are determined then what can you do!
Android phones don't use an app password anymore but you can still remove address to your Google account from the security section if required.0 -
Ouch I'd not thought of that... my Windows Phone (old Windows Phone 7.8) 'helpfully' shows the first few words of text messages while still locked.AlecEiffel wrote: »(Though if you use an iPhone make sure your don't have message previews enabled!)
For Outlook.com it means you can read the code while locked. GMail helpfully uses a wordier message so only the 1st 4 digits of the code are visible.
Anyone know how to disable SMS message preview (while locked) on an old Windows Phone 7.8...?0 -
Jivesinger wrote: »I'm interested in doing the same thing as the OP.
My understanding is that if you buy a domain through a domain registration company, you may still need to do something to create a mailbox somewhere in your domain name to initially 'catch' the emails, which you can then redirect to an ISP address.
Or maybe Plusnet allow you to host your own domain address directly?
If so then I suspect this is easier with Plusnet and might be harder to achieve with other ISPs such as BT?
No you don't need to create an email account in the domain or host your own address directly. No hosting is required and it works with any ISP who supplies you with an email address.
This is how I've always done (been through various ISPs including BT).
Purchase your own domain name.
Login to the control panel for your domain name (details will be supplied when you purchase) and change the catch all forwarding address to the address supplied by your current ISP.
Any emails to your domain name will then be sent to you via your ISP supplied address.
I use outlook as my email client so have put in the POP3 settings for plusnet and all emails to my personal domain name come through in outlook.
If you change ISP all you need to do is go back to the control panel and change the catch all forwarding address to the one supplied by your new ISP.
Debbie0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351.7K Banking & Borrowing
- 253.4K Reduce Debt & Boost Income
- 454K Spending & Discounts
- 244.7K Work, Benefits & Business
- 600.1K Mortgages, Homes & Bills
- 177.3K Life & Family
- 258.4K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.2K Discuss & Feedback
- 37.6K Read-Only Boards