Mick
My feedback
11 results found
-
20 votes
-
38 votes
Mick
supported this idea
-
113 votes
Mick
supported this idea
-
380 votes
Mick
supported this idea
-
643 votes
Mick
supported this idea
-
43 votes
Mick
commented
Do they not already support Yubikey? I swear they did when I bought mine a few years ago.
Mick
supported this idea
-
917 votes
Mick
commented
Are there any decent alternatives to ProtonMail in case they don't sort this out? I've heard AtomicMail are quite good?
Mick
commented
Does anybody at ProtonMail actually read these?
I notice a couple of people on page 2 saying "this is finally under review". Where did you find that? Do you have a link, please?
Mick
commented
Does anybody at ProtonMail actually read these?
Mick
commented
I have a website which I shut down two years ago due to a massive cyberattack which went on for three days. Every now and again, while I figure out what to do with it (it was a creative thing), I log on, and there are STILL people regularly trying drive-by attacks on all the previous usernames which the version of WordPress I was using back then allowed them to enumerate easily. I automatically divert them to people like the NSA and GCHQ on the off-chance that it catches out some eejits, but the fact remains that even 3-4 years after I effectively closed that account, people are still attempting on a very regular basis to log into my site based on accounts which have been released into the wild. It's fully protected, but my point is that they still try, and there is absolutely no reason to increase your attack surface tenfold for no benefit.
Mick
commented
I've just come here to point out how absolutely ludicrous a security hole this is, especially as I've spent over 5 hours this weekend contacting nearly 200 people about yet another data breach, one of which has recent credentials in it.
If I had the slightest idea when I signed up that all the additional emails could also be used to log in using the same password, then there was no way I would have done it in the first place. And no I didn't know about aliases or SimpleLogin or whatever because I had just signed up and it was 4 years ago.
Yes, obviously you need a strong password and 2FA, but as many other people have pointed out, how is it possibly not LESS safe having 15x as many attack vectors.
As everyone else has said, you should be able to use your default to log in and not give it out to anybody, thus considerably increasing the effort required to break in. As someone who signed up here off the back of three genuinely life-altering cybersecurity incidents, I am astonished that this hole is still there. It really is as bad as WordPress being able to be brute forced out of the box. Though I am heartened that they seem to have finally fixed that.
Mick
supported this idea
-
560 votes
Mick
commented
What K said. I regularly have drive-by attacks on my old website using usernames which haven't been in use for years, yet are still in a database somewhere. Knowing that they're bots, I like to send them to funny places, but the point stands. Hugely increased attack surface for no reason.
Mick
commented
How on earth has this not been fixed yet? My subscription is up in September.
Having been on the receiving end of three life-altering cyberattacks since 2002, I am extremely disappointed that a company which prides itself on security and privacy above all else, fails to mention when offering to set up aliases that they can ALL then be used to log in, using the same password (and this is also true if you connect your own domain to it), vastly increasing the available attack surface. I simply can't believe this hasn't been fixed yet.
As I say, I'm looking into options for other providers, in case this still hasn't been resolved by September, which I expect it won't be. I am reluctant to pay for another two years with such a glaring vulnerability like that in situ.
Which is a pity, because I really like the system and their ethos in general.
Mick
commented
I have a website which I shut down two years ago due to a massive cyberattack which went on for three days.
Every now and again, while I figure out what to do with it (it was a creative thing), I log on, and there are STILL people regularly trying drive-by attacks on all the previous usernames which the version of WordPress I was using back then allowed them to enumerate easily.
I automatically divert them to people like the NSA and GCHQ on the off-chance that it catches out some eejits, but the fact remains that even 3-4 years after I effectively closed that account, people are still attempting on a very regular basis to log into my site based on accounts which have been released into the wild.
It's fully protected, but my point is that they still try, and there is absolutely no reason to increase your attack surface tenfold for no benefit.
I noticed earlier that my subscription for Mail Plus is up in September. With a heavy heart, I will be reluctant to continue if this still hasn't been sorted by then. I still can't believe we're still complaining about this.
Does anybody actually read these pages at all?
Mick
commented
I have a website which I shut down two years ago due to a massive cyberattack which went on for three days. Every now and again, while I figure out what to do with it (it was a creative thing), I log on, and there are STILL people regularly trying drive-by attacks on all the previous usernames which the version of WordPress I was using back then allowed them to enumerate easily. I automatically divert them to people like the NSA and GCHQ on the off-chance that it catches out some eejits, but the fact remains that even 3-4 years after I effectively closed that account, people are still attempting on a very regular basis to log into my site based on accounts which have been released into the wild. It's fully protected, but my point is that they still try, and there is absolutely no reason to increase your attack surface tenfold for no benefit.
Mick
commented
I've just been for a walk and had a think about this, and I actually had to take a day off work today due to the stress of a possible system intrusion over the weekend.
The way I see it, there needs to be, at an absolute minimum, a CLEAR WARNING before creating them that these will be effectively used as additional log-ins, using the same password. That way, if that's what the user wants, then fair enough. I think it's clear from the fact that there are 4 separate threads about this precise matter with over a thousand upvotes on them then it's clearly a significant community issue, and if it hasn't been fixed by the time my subscription ends, then I'll have to find somewhere else, especially with the inability to delete said emails. I think that's such a glaring omission for a company which markets itself on world-leading security and privacy, that I simply can't believe it's been left standing for a decade. I can't subject myself to the likes of LastPass or anything similar yet again. It will break me. That's what I have to say about that. Which is a pity because you saved me from the **** of what gmail put me through.
Mick
commented
I also notice that you can only delete one email address a year.
I've just gone in and ticked the "disable" button next to all but two of them and received this message. If, despite rendering it unusable, it can STILL be used to log in, then that's even more preposterous than I thought.
"By disabling this address you will no longer be able to send or receive emails using this address and all the linked Proton products will be disabled.
Are you sure you want to disable this address?"
Mick
supported this idea
-
49 votes
Mick
commented
It's essential in case you lose your phone. I have moved away from Authy precisely because they discontinued their desktop app for no good reason.
Mick
supported this idea
-
173 votes
Mick
commented
I briefly used Google Authenticator but got locked out of it for some reason. I was very happy with Authy for a while until they inexplicably closed down support for their desktop app, which is annoying (what if you lose your phone, etc)? Plus work insist I use Authy for logging into some systems which is irritating, so I am probably going to have to keep it around.
Then Proton Authenticator came along and I'm very happy with it. I still haven't gotten around to migrating everything over to it, but it seems like a nice bit of kit, and I haven't had any problems, so far. Long may that continue.
-
23 votes
Mick
commented
Hold on, are you saying you can't even change the recovery address, now? Christ on a pogo stick.
Mick
commented
Absolutely critical, as with all the other threads talking about the alternative emails being usable as logins thing. I've got an ancient email address I used from the mid-90s, and in any breach report, it is rare if it's anything other than that one which turns up. If I stayed with Proton for long enough, this would become the same situation ultimately with my "primary" email here. There were a lot of recent and scarily current credentials in this latest one, which was unusual, and I had to inform my friend who writes music FX software, that somehow, someone has got hold of the account details for his shop which I have never written down except quite recently in my PW manager and now that's on the darkweb too, with all the rest of it. Unless he's had a breach he didn't know about, I haven't the slightest clue how that ended up in a report from NordVPN, and yet that's just some of the nonsense I've been dealing with this weekend.
I concur with everything the original poster says.
Mick
supported this idea
I must admit, my favourite thing about Gmail is being able to have four separate windows on screen, which I have separated by an extremely elaborate system of rules... one is anything from my family and other important stuff; one is anything to do with my website, security; one is anything to do with music, and the other is for general stuff. And it's all heavily colour-coded and flagged. :)