
PUBLIC SERVICE ANNOUNCEMENT: 2FA NOW MANDATORY - YOU DON'T NEED A PHONE NUMBER FFS

Taluntain

Most Frabjous
Staff Member
Joined
Oct 7, 2003
Messages
5,504
Location
Your Mind
Wouldn't that solve the whole issue? Make it like one post deletion per hour.
Not limited like that, limited the same as post edits can be limited, i.e. how far back you can go when editing posts. E.g. a week, a month, 3 months, etc.
That would work too, no?
Would depend on how often someone posts. We've got users who can make literally hundreds of posts in a couple of weeks. Would either have to limit deletion to a very short time window, or disable it altogether.
 
Joined
May 11, 2007
Messages
1,854,412
Location
Belém do Pará, Império do Brasil
I wrote a guide to help you guys set up 2FA without a phone, happy to help as always!
https://rpghq.org/forums/viewtopic....-a-phone-rusty-s-recommended-password-manager
mind your own goddamn website, schizo

his website doesn't have these problems
dont quote me i dont like sexual minorities

Cut him some slack, the rumour floating around is that Jenkem recently got addicted to wellbutrin and that's why he's even more unstable than usual.
i dont even know what is that

It's an antidepressant often given to smokers to help them quit.

The rumour I heard is Jenkem got dependent on it whilst trying to quit smoking.
'often'
in my part of the world what makes smokers quit is poverty
Doesn't work in mine, they just start buying dodgy contraband cigs smuggled from Paraguay
 

Derringer

Prophet
Joined
Jan 28, 2020
Messages
1,934
Sides, if the problem was cookie retention, we wouldn't even be able to login.
Well, we would, but the cookie would get deleted instantly, giving the appearance that we can't.
You have to whitelist it since it doesn't work.
 

Alex

Arcane
Joined
Jun 14, 2007
Messages
9,213
Location
São Paulo - Brasil
Wouldn't that solve the whole issue? Make it like one post deletion per hour.
Not limited like that, limited the same as post edits can be limited, i.e. how far back you can go when editing posts. E.g. a week, a month, 3 months, etc.
That would work too, no?
Would depend on how often someone posts. We've got users who can make literally hundreds of posts in a couple of weeks. Would either have to limit deletion to a very short time window, or disable it altogether.

I find this whole thing just plain annoying. If the problem is that deleting posts can mess with forum infrastructure, why don't you change the delete button to something that just edits the post to a single gif saying "this post has been deleted" instead?
 

rezaf

Cipher
Joined
Jan 26, 2015
Messages
665
It's been 24 hours, and I've had to enter another 2FA code to access the forum today.
Did you guys fuck with the settings, or is the checked by default 'Trust device for 30 days' thing just buggy?

I can see a cdx_tfa_trust cookie that's not supposed to expire until July 19th (that's a bit more than 30 days, but whatever), which I assume has to do with 2fa, but that doesn't appear to be blocked by anything.

This happened to myself also, and besides 2FA really being only a vehicle to better profile people's internet activities (some WILL put in their mobile number or main email), this part really emphasises how, as BosanskiSeljak so eloquently put it, this change is incredibly gay.
 

ds

Cipher
Patron
Joined
Jul 17, 2013
Messages
2,503
Location
here
I find this whole thing just plain annoying. If the problem is that deleting posts can mess with forum infrastructure, why don't you change the delete button to something that just edits the post to a single gif saying "this post has been deleted" instead?
This would also fix the problem of deleting old posts breaking links that include the page number even if pagination doesn't get messed up completely.
 

Joggerino

Arcane
Patron
Vatnik
Joined
Oct 28, 2020
Messages
4,588
Had to login and enter the code again this morning and I didn't even close the codex browser tab let alone change any other settings. Before this change I would stay logged in indefinitely so it's not the cookies. No security addons but using brave browser.
 

Peachcurl

Arcane
Joined
Jan 3, 2020
Messages
10,641
Location
(╯°□°)╯︵ ┻━┻
i suppose anyone who receives a new ip from their isp on a daily basis will have to do the 2fa thingy daily as well... unless they start using a vpn that provides a fixed ip.

in my opinion this should better be limited to entirely new logins, as proposed by spectacle above
 

Tacgnol

Shitlord
Patron
Joined
Oct 12, 2010
Messages
1,871,883
Regardless of the 2fa debate, I would question the value of allowing post-deletion after a couple of days anyway. To me, it should be a short-term thing for correcting duplicate/erroneous posts rather than being able to go back and purge tons of old posts.
i suppose anyone who receives a new ip from their isp on a daily basis will have to do the 2fa thingy daily as well... unless they start using a vpn that provides a fixed ip.

in my opinion this should better be limited to entirely new logins, as proposed by spectacle above

Nope. It's device not IP based. Otherwise, I would have to re-do it daily due to auto-selecting and connecting the fastest proton VPN node.

I am wondering if the people having issues are primarily using the email rather than the smartphone option, though I don't see why that would affect the remember option from a technical perspective.
 

whydoibother

Arcane
Patron
Joined
May 2, 2018
Messages
17,406
Location
bulgaristan
$0.20 to edit a post, $1 to delete a post.
Editing within 5 minutes of posting is free.
 

Haba

Harbinger of Decline
Patron
Joined
Dec 24, 2008
Messages
1,872,090
Location
Land of Rape & Honey ❤️
Had to login and enter the code again this morning and I didn't even close the codex browser tab let alone change any other settings. Before this change I would stay logged in indefinitely so it's not the cookies. No security addons but using brave browser.
Here is my experience with MFA during the last six months or so.

Linux, Firefox. No issues, login every 30 days.
Windoze 10, Firefox, everything blocked, has to be manually allowed. No issues, login every 30 days.
Android tablet, Opera, traveling around the globe. No issues, login every 30 days.

Wouldn't that solve the whole issue? Make it like one post deletion per hour.
Not limited like that, limited the same as post edits can be limited, i.e. how far back you can go when editing posts. E.g. a week, a month, 3 months, etc.
That would work too, no?
Would depend on how often someone posts. We've got users who can make literally hundreds of posts in a couple of weeks. Would either have to limit deletion to a very short time window, or disable it altogether.
How about limiting the number of ratings one can give during the day...
 

Taluntain

Most Frabjous
Staff Member
Joined
Oct 7, 2003
Messages
5,504
Location
Your Mind
There's no such addon
https://xenforo.com/community/resources/flood-permissions.6800/
Provides user group permissions for the following post rate limiting options:
Delete - General rate limiting - delay between [deleting] posts in seconds


I don't understand how any of this shit works in the first place so apologies if I'm being a nuisance rather than helpful (j/k I've never been helpful in my life) but this kinda sounds like such addon
Congrats, looks like you found one. But even with deletion instances time limited, someone with a script could still play the long game and delete a lot of posts over a longer period and be even harder to notice. So it wouldn't solve the problem, it'd just extend it over a longer period. My choice would be either limit post deletion to something like 2 hours, or disable it altogether. Any legit need for post deletion could be asked of the mods by using the report post function. Probably half of the deleted posts here are basically people who instead of editing their post, just delete it and make a new one with the same contents.
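An added example, not part of the thread or of any XenForo addon: a per-delete delay does not stop slow scripted deletion, but a check over a delete audit log with both a short and a long sliding window makes it visible. The log format, user names, window sizes and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def flag_mass_deleters(events, windows):
    """events: (user, datetime) pairs from a delete audit log.
    windows: (label, span, max_deletes) triples.
    Returns {user: [labels of windows whose limit was exceeded]}."""
    by_user = defaultdict(list)
    for user, ts in events:
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        hits = []
        for label, span, limit in windows:
            start = 0
            for end, ts in enumerate(stamps):
                # Shrink the window until it covers at most `span`.
                while ts - stamps[start] > span:
                    start += 1
                if end - start + 1 > limit:
                    hits.append(label)
                    break
        if hits:
            flagged[user] = hits
    return flagged


# Constructed sample log, not real forum data.
T0 = datetime(2024, 6, 1)
EVENTS = (
    # One delete every 2 hours for two weeks: passes any short rate limit.
    [("slow_script", T0 + timedelta(hours=2 * i)) for i in range(168)]
    # Ten deletes in ten minutes: the case a rate limit does catch.
    + [("burst", T0 + timedelta(minutes=i)) for i in range(10)]
    # Three deletes a month apart: ordinary use.
    + [("normal", T0 + timedelta(days=10 * i)) for i in range(3)]
)
# Assumed thresholds: more than 5 per hour, or more than 50 per 30 days.
WINDOWS = [("1h", timedelta(hours=1), 5), ("30d", timedelta(days=30), 50)]

if __name__ == "__main__":
    print(flag_mass_deleters(EVENTS, WINDOWS))
```
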
 

Twiglard

Poland Stronk
Patron
Staff Member
Joined
Aug 6, 2014
Messages
7,509
Location
Poland
Is there any issue with mitigating the mass deletion attacks the way it was done for Konjad's account? That is, undelete posts keeping threads intact even if it breaks the post count in the userbox. I don't think it caused the same pagination issues as my manual undelete for darkpatriot's account.

Letting things happen and cleaning up afterwards is the most pro-status-quo solution that doesn't take away any user rights.
 

Konjad

Patron
Joined
Nov 3, 2007
Messages
5,371
Is there any issue with mitigating the mass deletion attacks the way it was done for Konjad's account? That is, undelete posts keeping threads intact even if it breaks the post count in the userbox. I don't think it caused the same pagination issues as my manual undelete for darkpatriot's account.

Letting things happen and cleaning up afterwards is the most pro-status-quo solution that doesn't take away any user rights.
Except my post count being wrong, which isn't an issue, there's also the inability to search my old posts (only ones that are counted in my post count are found, but not others), which is a minor issue, I guess.

For example, you can search for user Konjad and query
"he was French"

It will not find you this post

Overall, I think it's an acceptable solution.
 

Tse Tse Fly

Savant
Joined
Dec 26, 2017
Messages
708
The current 2FA doesn't work properly for me; today I had to do it again despite checking the 'remember this device for 30 days' option yesterday.

Couldn't the administration/technical staff just check each user's password if it's easily compromised (there exist lists of top common passwords on the internet, or something like it - you can calculate a hash from them and compare to the one stored in the user database), and then require 2FA only for those users (additionally could limit the selection only to those users whose post count is in the thousands), UNTIL they change their password to a more secure one? I guess the issue was that the administration had to respond quickly, but even if it's the case, you still could just temporarily disable the forum (and put a notice about the issue on the front page), until this shit is sorted out.
 

Twiglard

Poland Stronk
Patron
Staff Member
Joined
Aug 6, 2014
Messages
7,509
Location
Poland
Couldn't the administration/technical staff just check each user's password if it's easily compromised (there exist lists of top common passwords on the internet, or something like it - you can calculate a hash from them and compare to the one stored in the user database)
The attacker is likely using leaked (email, password) or (username, password) pairs rather than going by the 1000 most common passwords or anything like that.

You can verify your own passwords using a password manager or Google's password manager for leaked or repeated passwords. But if everyone did that, there'd be nothing to talk about.
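An added example, not from the thread or the forum software, of the audit discussed in the two posts above: stored hashes are checked against a common-password list and against leaked (username, password) pairs. The storage scheme (per-user salt with PBKDF2-HMAC-SHA256), the iteration count and all sample data are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the demo runs fast; assumption, not the forum's setting


def hash_password(password, salt):
    # Assumed storage scheme: per-user salt + PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def matches(password, salt, stored):
    return hmac.compare_digest(hash_password(password, salt), stored)


def audit(users, common, leaked_pairs):
    """Return {username: reason} for accounts that should reset or use 2FA."""
    leaked_by_user = {}
    for name, pw in leaked_pairs:
        leaked_by_user.setdefault(name.lower(), []).append(pw)
    flagged = {}
    for name, (salt, stored) in users.items():
        # A salted hash cannot be compared to a precomputed one:
        # every candidate is re-hashed with this user's salt.
        if any(matches(pw, salt, stored) for pw in leaked_by_user.get(name.lower(), [])):
            flagged[name] = "leaked-pair"
        elif any(matches(pw, salt, stored) for pw in common):
            flagged[name] = "common-password"
    return flagged


def _store(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample data, not real accounts or real leaks.
USERS = {
    "alice": _store("qwerty"),
    "bob": _store("Tr0ub4dor&3-reused"),
    "carol": _store("x9!long unique passphrase 2024"),
}
COMMON = ["123456", "password", "qwerty"]
LEAKED_PAIRS = [("bob", "Tr0ub4dor&3-reused"), ("carol", "old-pw")]

if __name__ == "__main__":
    print(audit(USERS, COMMON, LEAKED_PAIRS))
```

In this sample, bob's password is not on the common list and is flagged only through the leaked pair.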
 

AwesomeButton

Proud owner of BG 3: Day of Swen's Tentacle
Patron
Joined
Nov 23, 2014
Messages
17,069
Location
At large
I spent a week honestly convinced that the forum was in maintenance and the message about 2FA is the usual Dark Underlord trolling meant to induce users to fiddle in their profile settings looking for a 2FA option that doesn't exist.

Very smart, DU, I thought, but you won't catch me with this bait.

What tipped me off was that I kept getting new notifications, which means that other people are accessing the forum. Only then I discovered there actually is a 2FA option and the administration wasn't joking. Ridiculous.
 