Anybody like me with email providers? - Page 2

pjroutledge · 4 Nov 2025, 08:30 AM

Yeah, I realise that emails are unlikely to be encrypted on my correspondents' services. I value keeping my end of the conversation private, so I was really - and perhaps incorrectly - referring to encryption (that I have the keys for) at my end, ie end to end between me and Fastmail's servers.

And I understand and agree with the trade-offs that Fastmail lists, particularly the full text search issue, which is the only one that affected me when using Proton Mail.

Anyway, as mentioned, I'm not a person who has a significant threat risk and, as rscaramelo said up front "I usually default back to Fastmail because it feels like the most complete smooth service ..."

TenFour · 5 Nov 2025, 12:08 AM

Quote:

I value keeping my end of the conversation private, so I was really - and perhaps incorrectly - referring to encryption (that I have the keys for) at my end, ie end to end between me and Fastmail's servers.

Not sure what you mean "I value keeping my end of the conversation private." If it is a "conversation" than you are communicating with another party, and if their end of things isn't encrypted the entire conversation is not encrypted. Fastmail does keep your data encrypted when at rest.

Quote:

Fastmail helps you keep it private and secure, with robust encryption of your data both in transit and at rest. All data is stored encrypted on disks inside locked racks in our highly secure data centers.

My bottom line is that I highly value the security of my data, but I have no expectations that my emails can't be read if a state actor wants to get ahold of them. My main concern would be hackers tricking me into giving up my credentials via a phishing or malware attack, and once they have those nothing will prevent them from reading my email. Even then the worst problem is they can use the email to try to gain access to financial accounts, which is their goal. Otherwise, my emails contain nothing of any value to anyone but me. So, I think the most important security and privacy concern is how well your email credentials are protected and the track record of the company you are dealing with. FM has a pretty good track record, but many newer and smaller providers do not.

janusz · 5 Nov 2025, 12:28 AM

Quote:

Originally Posted by TenFour

My main concern would be hackers tricking me into giving up my credentials via a phishing or malware attack, and once they have those nothing will prevent them from reading my email. [...]. So, I think the most important security and privacy concern is how well your email credentials are protected and the track record of the company you are dealing with

If you are tricked into revealing your password, the amount of security at the email company is totally irrelevant.
If the credentials (encrypted passwords) are stolen, the more difficult they are to crack by brute force of some sort, the better. It's up to the users to make passwords long and complicated.

TenFour · 5 Nov 2025, 12:35 AM

Quote:

Originally Posted by janusz

If you are tricked into revealing your password, the amount of security at the email company is totally irrelevant.
If the credentials (encrypted passwords) are stolen, the more difficult they are to crack by brute force of some sort, the better. It's up to the users to make passwords long and complicated.

Something like 80-90% of all "hacks" these days are due to phishing attacks. A high percentage of the rest are due to password databases being stolen and password reuse--your password was used on multiple sites. Doesn't matter how uncrackable it is. It is pretty rare that thieves spend any time and effort trying to crack encrypted passwords unless they know for certain it is a high value target.

SideshowBob · 5 Nov 2025, 09:14 AM

Quote:

Originally Posted by TenFour

... A high percentage of the rest are due to password databases being stolen and password reuse--your password was used on multiple sites. Doesn't matter how uncrackable it is. It is pretty rare that thieves spend any time and effort trying to crack encrypted passwords unless they know for certain it is a high value target.

My understanding is that most sites don't store passwords in plaintext. They are typically stored as salted hashes, so the effort to extract a password from a stolen database does depend on how strong it. Usually individual users are not targeted for special attention, the dictionary or brute force attack is run across the entire database and the weaker passwords are discovered. So a strong password could protect you even if a password database is stolen and the password is used on other sites. I wouldn't recommend reuse though.

dryoldlime · 5 Nov 2025, 10:25 AM

Quote:

Originally Posted by SideshowBob

My understanding is that most sites don't store passwords in plaintext. They are typically stored as salted hashes, so the effort to extract a password from a stolen database does depend on how strong it. Usually individual users are not targeted for special attention, the dictionary or brute force attack is run across the entire database and the weaker passwords are discovered. So a strong password could protect you even if a password database is stolen and the password is used on other sites. I wouldn't recommend reuse though.

Hard to follow but I must assume that what you said is interesting.

Any real problem for a person who uses a method or formula or system for creating a password? But to just not tell anyone what it is?

TenFour · 5 Nov 2025, 08:24 PM

Quote:

Originally Posted by dryoldlime

Hard to follow but I must assume that what you said is interesting.

Any real problem for a person who uses a method or formula or system for creating a password? But to just not tell anyone what it is?

The problem with using a formula is that if the formula is cracked then your passwords on other sites could also be cracked. Someone once said that if you can memorize your password or how to create your password it is a bad password. That's why the best passwords are machine created randomly using letters, numbers, and symbols and stored in a password manager. Length is more important than variety of characters. Random passwords of say 20 characters or so would take too long to crack once they are salted and hashed. However, there is always the need to be able to memorize at least the password to your password manager, and probably the password to your main email account. In those cases a long passphrase works well. Add two-factor authentication and you are quite safe. Here's a pretty good article explaining some of this: https://markilott.medium.com/passwor...s-2aa9e1586f98

Still, most people are hacked due to phished passwords and login information. Humans are the weakest factor. Even Troy Hunt, the guy who runs the Have I Been Pwned website, was hacked. https://www.troyhunt.com/a-sneaky-ph...-mailing-list/

4 Nov 2025, 08:30 AM	#16
pjroutledge Senior Member Join Date: Jan 2010 Location: Melbourne, Oz Posts: 167	Yeah, I realise that emails are unlikely to be encrypted on my correspondents' services. I value keeping my end of the conversation private, so I was really - and perhaps incorrectly - referring to encryption (that I have the keys for) at my end, ie end to end between me and Fastmail's servers. And I understand and agree with the trade-offs that Fastmail lists, particularly the full text search issue, which is the only one that affected me when using Proton Mail. Anyway, as mentioned, I'm not a person who has a significant threat risk and, as rscaramelo said up front "I usually default back to Fastmail because it feels like the most complete smooth service ..."