Please update your FastMail password
Founder & CTO
We’ve just sent the following announcement email to all FastMail users.
Dear FastMail User
You may have heard of a recent security bug in the OpenSSL library (that has been called ‘Heartbleed’) used by two-thirds of the Internet including ourselves and other major sites like Amazon, Google, Yahoo, etc. FastMail was quick to update its servers to fix this bug and issue new SSL certificates as soon as we were made aware of it.
We have no reason to believe any of our servers were targeted or exploited by this security flaw, but given the nature of the flaw it’s impossible to know if this bug was being exploited before it was announced.
Because of this, we are recommending that all FastMail users log out of all existing sessions and change their account passwords.
Again, there’s no evidence our servers or your password have been compromised, but we’re recommending this as a precautionary measure.
If you hate remembering passwords, we recommend you use a password manager program to remember them for you. Most modern browsers (e.g. Firefox, Chrome, etc) have a password manager built in and will offer to remember your passwords for you. LastPass and 1Password are also popular choices.
When you choose a new password, it’s important that you do not use the same password elsewhere and choose a password with reasonable complexity.
Your email is often the key to your online world. Many sites let you reset your password by sending a reset code to your email address. When you reuse your FastMail password at other sites, you’re making it much easier for attackers to potentially break into your email account. Other sites often don’t have the same high security measures as FastMail (such as compulsory HTTPS, locked-down servers, etc.), which makes them much easier for criminals to break into. If they hold your email address and the same password that you use for FastMail, the attacker can then access your email account and get into everything else you use online.
If you’re using alternative logins already, we recommend you delete and re-add them with any base password changed.
To change your password and log out of all existing sessions, you can use these steps.
Change password in current interface
- Log in to your FastMail account using the web interface
- From the menu at the top left, select ‘Password & Security’
- Enter your existing password where directed
- Enter your new password where directed. Re-enter again to make sure we got it right
- In the ‘Logged in Sessions’ section, click ‘Log out’ next to each existing session
- Click ‘Done’ to dismiss the panel
- From the menu at the top left, select ‘Log out’
- Now log in to your account again with your new password. This is often useful as a password manager will now prompt you to remember your password at this point.
Change password in ‘classic’ interface
- Log in to your FastMail account using the web interface
- Select the ‘Account’ item at the top right
- Select the ‘Password/Security Settings’ item
- Enter your new password where directed. Re-enter again to make sure we got it right
- Enter your existing password where directed
- Click ‘Update Password’
- Click ‘Logged In Sessions’ in the sidebar on the left
- Click ‘Delete’ next to each existing session
- Click ‘Log out’ at the top right
- Now log in to your account again with your new password. This is often useful as a password manager will now prompt you to remember your password at this point.
Again, this is a highly precautionary measure. FastMail is extremely concerned about security and has always tried to be highly proactive with keeping our customers’ accounts and data as secure as possible.
- Secure only webmail since 2012
- Secure only IMAP/POP/SMTP since 2012
- Perfect forward secrecy since 2012, for all possible platforms since 2013
- Secure only LDAP and DAV this year
- Extra webmail content security this year
Regards,
The FastMail Team