Best secure email to use instead of gmail?

dharma student
Posts: 25
Joined: Mon Jan 13, 2014 3:22 pm

Re: Best secure email to use instead of gmail?

Post by dharma student » Sat Aug 17, 2019 2:29 pm

For privacy use startmail.com

c.coyle
Posts: 177
Joined: Thu Aug 03, 2017 5:10 pm
Location: Eastern Pa.

Re: Best secure email to use instead of gmail?

Post by c.coyle » Sat Aug 17, 2019 7:14 pm

VTSAX - 40%, VTIAX - 10%, VBTLX - 50%

bac
Posts: 60
Joined: Sun Apr 01, 2018 6:19 pm

Re: Best secure email to use instead of gmail?

Post by bac » Wed Aug 21, 2019 7:32 pm


Rowan Oak
Posts: 382
Joined: Mon May 09, 2016 2:11 pm
Location: Yoknapatawpha

Re: Best secure email to use instead of gmail?

Post by Rowan Oak » Wed Aug 21, 2019 7:59 pm

JoMoney wrote:
Fri Aug 16, 2019 8:15 am
jebmke wrote:
Fri Aug 16, 2019 8:12 am
... Sometimes people throw out the term "security" when they are really more concerned about privacy.
I would think saying "security" includes confidentiality/privacy.
I agree and it should.

With gmail/google, since you are the product, there's just not going to be privacy between you and google, but if you accept that, the next concern is any third party apps/accounts that you have given access to your gmail account. This is a major problem with gmail/google privacy and many users are unaware or have forgotten that they set this up.

Follow these steps to check if you've given any 3rd party apps/accounts access to your gmail account:
How to remove third party access from Gmail?
Remove site or app access
1. Go to your Google Account.
2. On the left navigation panel, select Security.
3. On the Third-party apps with account access panel, select Manage third-party access.
4. Select the site or app you want to remove.
5. Select Remove Access.
https://support.google.com/accounts/ans ... 6521?hl=en
“If you can get good at destroying your own wrong ideas, that is a great gift.” – Charlie Munger

RubyTuesday
Posts: 223
Joined: Fri Oct 19, 2012 11:24 am

Re: Best secure email to use instead of gmail?

Post by RubyTuesday » Sun Nov 03, 2019 9:04 am

ARoseByAnyOtherName wrote:
Fri Aug 16, 2019 9:27 pm
- set up two factor authentication on all sites that allow it. Despite the temptation do NOT use your password manager as a 2FA/OTP app also. Use a dedicated third party app such as Authy.
Thanks for the great list... I’m in the process of setting all of this up.

Question about the quoted bullet above... not sure what this means. Could you elaborate? FWIW, I use a keepass (locked with long random string) and drop box as my password management approach, but keepass isn’t used as a 2fa or OTP app. Not sure what you’re suggesting I need authy for assuming I’ve setup Yubikey 2fa for Gmail/google voice etc.

ARoseByAnyOtherName
Posts: 247
Joined: Wed Apr 26, 2017 12:03 am

Re: Best secure email to use instead of gmail?

Post by ARoseByAnyOtherName » Sun Nov 03, 2019 4:03 pm

RubyTuesday wrote:
Sun Nov 03, 2019 9:04 am
ARoseByAnyOtherName wrote:
Fri Aug 16, 2019 9:27 pm
- set up two factor authentication on all sites that allow it. Despite the temptation do NOT use your password manager as a 2FA/OTP app also. Use a dedicated third party app such as Authy.
Thanks for the great list... I’m in the process of setting all of this up.

Question about the quoted bullet above... not sure what this means. Could you elaborate? FWIW, I use a keepass (locked with long random string) and drop box as my password management approach, but keepass isn’t used as a 2fa or OTP app. Not sure what you’re suggesting I need authy for assuming I’ve setup Yubikey 2fa for Gmail/google voice etc.
Glad you find it helpful!

Regarding the quote, the short answer is if you're using Keepass for password management, and using a separate app (not Keepass) for OTP/2FA, then you're fine. You're doing it right.

The slightly longer answer: some password management apps such as 1Password offer the ability to generate OTP codes as well as storing your passwords. If you do that you remove most or all of the added security you get by using OTP. Best practice is to use an app for password management, and have a separate app for OTP/2FA, which it sounds like you're doing. I used Authy as an example OTP/2FA app but there are many others of course.

Gray
Posts: 678
Joined: Sat Apr 16, 2011 5:33 am

Re: Best secure email to use instead of gmail?

Post by Gray » Sun Nov 03, 2019 4:11 pm

Gmail and Outlook can both be relatively secure, but you need to add all the other security configurations to truly protect yourself. This includes device-based MFA, location monitoring (to prevent impossible logins—force validation), generation of one time passwords to keep in your safe if you are ever locked out.

I don’t integrate my email with social networking features offered by email providers. I pay for premium email services if offered, and use security integrations.

inbox788
Posts: 6605
Joined: Thu Mar 15, 2012 5:24 pm

Re: Best secure email to use instead of gmail?

Post by inbox788 » Sun Nov 03, 2019 11:10 pm

I’ve been updating beneficiary info for my accounts to make sure POD and TOD are appropriate. So far, only Gmail and Outlook have Inactive Account Management settings that I could find. This is becoming an important just-in-case feature for me. Are there other email providers with this ability? I’m thinking of using a separate new email just for this purpose. I think either is adequately secure, though I plan additional security such as 2 factor authorization at the account logins.

Ged
Posts: 3823
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Best secure email to use instead of gmail?

Post by Ged » Mon Nov 04, 2019 12:04 am

JoMoney wrote:
Fri Aug 16, 2019 8:09 am
I would vote Protonmail for anyone who doesn't want to setup their own mail server and encryption (and is concerned about security)
Because of my IT experience I opted to set up my own email server. It has been an interesting journey. It offers some unique advantages but also some unique problems.

t3xn
Posts: 13
Joined: Tue Mar 03, 2015 1:15 pm

Re: Best secure email to use instead of gmail?

Post by t3xn » Mon Nov 04, 2019 12:31 am

You can buy your own domain for around $10 a year and host with a provider like namecheap.com. I've been hosting my own for 20 years back when hotmail/aol/yahoo were the only email hosts. My most recent renewal was $106 for 3 years.

ariyan
Posts: 3
Joined: Mon Nov 04, 2019 10:03 am
Location: Denmark

Re: Best secure email to use instead of gmail?

Post by ariyan » Mon Nov 04, 2019 10:14 am

I use ProtonMail, but I found this link with other suggestions, which might help: https://www.lifewire.com/best-secure-em ... es-4136763

cbeck
Posts: 283
Joined: Sun Jun 24, 2012 1:28 am

Re: Best secure email to use instead of gmail?

Post by cbeck » Sat Nov 09, 2019 12:31 am

ARoseByAnyOtherName wrote:
Sun Nov 03, 2019 4:03 pm
RubyTuesday wrote:
Sun Nov 03, 2019 9:04 am
ARoseByAnyOtherName wrote:
Fri Aug 16, 2019 9:27 pm
- set up two factor authentication on all sites that allow it. Despite the temptation do NOT use your password manager as a 2FA/OTP app also. Use a dedicated third party app such as Authy.
Thanks for the great list... I’m in the process of setting all of this up.

Question about the quoted bullet above... not sure what this means. Could you elaborate? FWIW, I use a keepass (locked with long random string) and drop box as my password management approach, but keepass isn’t used as a 2fa or OTP app. Not sure what you’re suggesting I need authy for assuming I’ve setup Yubikey 2fa for Gmail/google voice etc.
Glad you find it helpful!

Regarding the quote, the short answer is if you're using Keepass for password management, and using a separate app (not Keepass) for OTP/2FA, then you're fine. You're doing it right.

The slightly longer answer: some password management apps such as 1Password offer the ability to generate OTP codes as well as storing your passwords. If you do that you remove most or all of the added security you get by using OTP. Best practice is to use an app for password management, and have a separate app for OTP/2FA, which it sounds like you're doing. I used Authy as an example OTP/2FA app but there are many others of course.
Not true actually. Using the 1Password software token prevents access to a bank account, say, if my password for that bank account were compromised. I would only lose all protection if my 1Password master password itself were compromised.

Moreover, since my 1Password account is accessible from any of my devices, if I were using the 1Password OTP feature and lost my cell phone I could still get to my financial accounts using 1Password on my laptop. However, if I were to use a separate software token app on my cell phone and then lost the cellphone, how would I get access to the bank account?

whodidntante
Posts: 6558
Joined: Thu Jan 21, 2016 11:11 pm
Location: outside the echo chamber

Re: Best secure email to use instead of gmail?

Post by whodidntante » Sat Nov 09, 2019 1:41 am

t3xn wrote:
Mon Nov 04, 2019 12:31 am
You can buy your own domain for around $10 a year and host with a provider like namecheap.com. I've been hosting my own for 20 years back when hotmail/aol/yahoo were the only email hosts. My most recent renewal was $106 for 3 years.
$106 divided by three is not $10. :happy

t3xn
Posts: 13
Joined: Tue Mar 03, 2015 1:15 pm

Re: Best secure email to use instead of gmail?

Post by t3xn » Sat Nov 09, 2019 1:51 am

whodidntante wrote:
Sat Nov 09, 2019 1:41 am

$106 divided by three is not $10. :happy
The domain name is $10, the hosting cost is around $30-$40 a year.

ARoseByAnyOtherName
Posts: 247
Joined: Wed Apr 26, 2017 12:03 am

Re: Best secure email to use instead of gmail?

Post by ARoseByAnyOtherName » Sat Nov 09, 2019 1:12 pm

cbeck wrote:
Sat Nov 09, 2019 12:31 am
ARoseByAnyOtherName wrote:
Sun Nov 03, 2019 4:03 pm
RubyTuesday wrote:
Sun Nov 03, 2019 9:04 am
ARoseByAnyOtherName wrote:
Fri Aug 16, 2019 9:27 pm
- set up two factor authentication on all sites that allow it. Despite the temptation do NOT use your password manager as a 2FA/OTP app also. Use a dedicated third party app such as Authy.
Thanks for the great list... I’m in the process of setting all of this up.

Question about the quoted bullet above... not sure what this means. Could you elaborate? FWIW, I use a keepass (locked with long random string) and drop box as my password management approach, but keepass isn’t used as a 2fa or OTP app. Not sure what you’re suggesting I need authy for assuming I’ve setup Yubikey 2fa for Gmail/google voice etc.
Glad you find it helpful!

Regarding the quote, the short answer is if you're using Keepass for password management, and using a separate app (not Keepass) for OTP/2FA, then you're fine. You're doing it right.

The slightly longer answer: some password management apps such as 1Password offer the ability to generate OTP codes as well as storing your passwords. If you do that you remove most or all of the added security you get by using OTP. Best practice is to use an app for password management, and have a separate app for OTP/2FA, which it sounds like you're doing. I used Authy as an example OTP/2FA app but there are many others of course.
Not true actually.
What part of what I wrote is not true? Be specific.
cbeck wrote:
Sat Nov 09, 2019 12:31 am
Using the 1Password software token prevents access to a bank account, say, if my password for that bank account were compromised.
If the bank account password was compromised you can't trust your OTP code either. Storing them together in 1Password does not help in this scenario.
cbeck wrote:
Sat Nov 09, 2019 12:31 am
I would only lose all protection if my 1Password master password itself were compromised.
Yes, and this is the scenario that is protected against when you have your 2FA codes generated by a separate app.
cbeck wrote:
Sat Nov 09, 2019 12:31 am
Moreover, since my 1Password account is accessible from any of my devices, if I were using the 1Password OTP feature and lost my cell phone I could still get to my financial accounts using 1Password on my laptop. However, if I were to use a separate software token app on my cell phone and then lost the cellphone, how would I get access to the bank account?
You would either restore your 2FA codes to a new device if the app you're using allows secure, encrypted backups, as Authy and I believe others do. Or you would get access via recovery codes or whatever restore process your bank provides.

Workable Goblin
Posts: 68
Joined: Fri Mar 01, 2019 8:37 pm
Location: Honolulu, HI

Re: Best secure email to use instead of gmail?

Post by Workable Goblin » Sat Nov 09, 2019 4:16 pm

ARoseByAnyOtherName wrote:
Sat Nov 09, 2019 1:12 pm
If the bank account password was compromised you can't trust your OTP code either. Storing them together in 1Password does not help in this scenario.
It depends on how the bank account password was compromised. If it was compromised because, say, the bank stored it in plaintext or a weak hash, then the OTP in 1Password still prevents it from being useful (at least in theory--although if the bank screwed up so badly with passwords, I wouldn't rate their 2FA process). If it was compromised because they managed to get in the middle and capture the password and OTP as they were passed, then storing them together neither helped nor hurt. If it was compromised because the attackers cracked your master password, then the OTP in 1Password is useless, yes.

What this proves is that you should have a very strong master password, which should reduce the risk of the final attack to almost zero relative to the other two possibilities. I recommend a long (6-7 word minimum) diceware passphrase. That should be functionally uncrackable unless 1Password really screwed something up, while being relatively easy to remember.
cbeck wrote:
Sat Nov 09, 2019 12:31 am
Yes, and this is the scenario that is protected against when you have your 2FA codes generated by a separate app.
Of course, depending on your threat model and the strength of the master password you may not consider this a particularly serious danger.

(In fact I do use a separate authenticator app in addition to 1Password, which I have secured with a strong diceware passphrase)

jumbopapa
Posts: 59
Joined: Thu Aug 30, 2018 7:56 am

Re: Best secure email to use instead of gmail?

Post by jumbopapa » Sat Nov 09, 2019 6:15 pm

I am using Fastmail and it works perfectly. They are committed to not selling my information, so there is much more peace of mind than when using Google services. It additionally includes calendar, file storage, and notes. All of this has been great because it has further decoupled me from Google. I also get to use my own domain which is nice because it makes your email very portable. If Fastmail does something I don't like, well then I can just change what email provider I have configured on my domain and no sites that use my email address even know/care that it changed.

Side note: I use DuckDuckGo for all searches now. I even wrote a little script that replaces the Google search bar on Bogleheads to a DuckDuckGo one! I plan on packaging that up and allowing other users to use it soon. :happy

ARoseByAnyOtherName
Posts: 247
Joined: Wed Apr 26, 2017 12:03 am

Re: Best secure email to use instead of gmail?

Post by ARoseByAnyOtherName » Sat Nov 09, 2019 7:31 pm

Workable Goblin wrote:
Sat Nov 09, 2019 4:16 pm
ARoseByAnyOtherName wrote:
Sat Nov 09, 2019 1:12 pm
If the bank account password was compromised you can't trust your OTP code either. Storing them together in 1Password does not help in this scenario.
It depends on how the bank account password was compromised. If it was compromised because, say, the bank stored it in plaintext or a weak hash, then the OTP in 1Password still prevents it from being useful (at least in theory--although if the bank screwed up so badly with passwords, I wouldn't rate their 2FA process).
The way TOTP works is that a secret key is stored on the server (and the client app), and that secret key is used to generate the 2FA code at a particular point in time. (See https://en.wikipedia.org/wiki/Time-base ... _algorithm for more info).

If your bank password was compromised due to a breach at the bank then you must assume that the OTP secret key was compromised as well.

I 100% stand behind the statement I made above: "Some password management apps such as 1Password offer the ability to generate OTP codes as well as storing your passwords. If you do that you remove most or all of the added security you get by using OTP. "

1Password offers OTP functionality as a convenience. Which is fine, but there's no way to argue that's a best practice... as it seems you know since you're using a separate app :sharebeer

ARoseByAnyOtherName
Posts: 247
Joined: Wed Apr 26, 2017 12:03 am

Re: Best secure email to use instead of gmail?

Post by ARoseByAnyOtherName » Sat Nov 09, 2019 7:35 pm

jumbopapa wrote:
Sat Nov 09, 2019 6:15 pm
I am using Fastmail and it works perfectly. They are committed to not selling my information, so there is much more peace of mind than when using Google services. It additionally includes calendar, file storage, and notes. All of this has been great because it has further decoupled me from Google. I also get to use my own domain which is nice because it makes your email very portable. If Fastmail does something I don't like, well then I can just change what email provider I have configured on my domain and no sites that use my email address even know/care that it changed.
I also use Fastmail with my own domain for my email and am extremely happy with this setup. Been doing this for maybe 5 years or so. Highly recommended if you're interested in a Gmail alternative.

cbeck
Posts: 283
Joined: Sun Jun 24, 2012 1:28 am

Re: Best secure email to use instead of gmail?

Post by cbeck » Sun Nov 10, 2019 1:33 am

Workable Goblin wrote:
Sat Nov 09, 2019 4:16 pm
ARoseByAnyOtherName wrote:
Sat Nov 09, 2019 1:12 pm
If the bank account password was compromised you can't trust your OTP code either. Storing them together in 1Password does not help in this scenario.
It depends on how the bank account password was compromised. If it was compromised because, say, the bank stored it in plaintext or a weak hash, then the OTP in 1Password still prevents it from being useful (at least in theory--although if the bank screwed up so badly with passwords, I wouldn't rate their 2FA process). If it was compromised because they managed to get in the middle and capture the password and OTP as they were passed, then storing them together neither helped nor hurt. If it was compromised because the attackers cracked your master password, then the OTP in 1Password is useless, yes.

What this proves is that you should have a very strong master password, which should reduce the risk of the final attack to almost zero relative to the other two possibilities. I recommend a long (6-7 word minimum) diceware passphrase. That should be functionally uncrackable unless 1Password really screwed something up, while being relatively easy to remember.
Actually even if the 1Password master password is compromised the attacker cannot gain access to your 1Password store without the additional "secret key" that 1Password generated when you created your account and which is not transmitted. The secret key is stored on the user's devices though, so if the attacker had both the 1Password master password and the device, he could gain access.

thatwhichisgood
Posts: 83
Joined: Fri Sep 19, 2008 9:55 pm
Location: Laid off 2007, RV 2007, Desert 2009

Re: Best secure email to use instead of gmail?

Post by thatwhichisgood » Sun Nov 10, 2019 2:21 am

I have used Gmail for a number of years. Up until about 2 years ago I would say it was secure too. I started getting emails in both French and German and once in a while in English... they go to my first and last name at gmail.com with or without period between the first and last name.

I have tried to send examples and discuss it with Google multiple times. I get no response. I have seen the Google help page that explains why all those emails really are me and what they do with punctuation.... Except it appears they are wrong. I get both some personal emails as well as many commercial ones. I also get notifications that someone's trying to reset the password from a wide variety of sites. Just recently I've gotten 3 emails from Google to verify I'm trying to get back into my account which of course I reply no.

I haven't quit using it but I use it judiciously. I know I need to abandon it. If I get another Gmail account associated with a name I will use an additional number or arbitrary word. It's crazy to see. I have dozens and dozens of emails although I also deleted many, blocked some too. :annoyed.

I read something a long time ago as I recall...about a theory that there was a window of time where Google sign up authentication software failed on certain types of servers I think maybe internationally but I don't really quite remember.

That's my experience on Gmail and security.
