PUBLIC SERVICE ANNOUNCEMENT: 2FA NOW MANDATORY - YOU DON'T NEED A PHONE NUMBER FFS

tommy heavenly6

Learned
Joined
Dec 22, 2022
Messages
128
In theory yes, I should have a different password for everything I use, ideally some 12+ letter strong with symbols and caps and everything.

In practice? Maybe I’m just a retard but I struggle memorizing more than a handful of passwords and every time there was some bs forcing me to come up with new ones I end up forgetting it, necessitating me to have to write it down somewhere.
This is especially true for passwords I barely use.

This all ends up creating a far bigger security concern: the risk of misplacing where I store my password hoard, a far more likely scenario for me than getting hacked. Forcing me to come up with an even worse solution which is what I ended up doing with the codex codes: storing them on my email along with a helpful “codex codes” headline because otherwise I will forget down the line which codes access what.

Does this sound secure? Storing all my eggs in one basket like this where if anyone figured out my email they will get access to most of my passwords used for everything? This is why I loathe 2fa so much, it does not help secure my accounts at all, it just busts my balls for 0 gain.

Ooh but just use a password manager! Ok and what if something happens to my device? I’ve had my computer die on me and my hard drive getting wiped, losing every program and file on it. So no I do not trust relying on an external program managing my passwords because if something happens to that program I will be even more fucked than if someone figures out my email password.

It’s great you are able to juggle multiple individual passwords for everything you use, but if I remember the studies on this topic, the overwhelming majority of people are going to be like me unfortunately.

Make 2fa optional, if someone goes around deleting my posts I don’t think it would be that big a loss and I’ve never been one to care about post counts. I’ll just shrug and make a new account at worst.
You only need to memorize your email passwords. Note them on a sheet of paper if you have many. I don't even bother with memorizing passwords from sites, the browser does, and if for some reason I lose all the data and I don't remember shit, I can set a new password using the email recovering option. Which is why all the effort needs to go to your email stuff.
 

Melcar

Arcane
Joined
Oct 20, 2008
Messages
35,747
Location
Merida, again
If someone bothers to hack you and mess up your account it means you are an important person of interest for them. You should feel loved and special. Therefore, by not wanting to protect your account with extra security features, it says that you want to be hacked. Stop exposing yourself like a whore. Goddamn whores.
 
Joined
May 20, 2023
Messages
50
It's an inconvenience to go use your email every time to login. But I'm sure everyone will forget about it soon enough as the website goes even further down the drain!
 

Peachcurl

Cipher
Joined
Jan 3, 2020
Messages
9,386
Location
(╯°□°)╯︵ ┻━┻
Couldn't the administration/technical staff just check each user's password if it's easily compromised (there exist lists of top common passwords on the internet, or something like it - you can calculate hash from them and compare to the one stored in the user database)?
The attacker is likely using leaked (email, password) or (username, password) pairs rather than going by the 1000 most common passwords or anything like that.

You can verify your own passwords using a password manager or Google's password manager for leaked or repeated passwords. But if everyone did that, there'd be nothing to talk about.
Is the administration able to notice when an unusual number of login attempts are made? Or to at least verify that it happened after the fact?

(also: does xenforo really REALLY hash passwords? :lol:)
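
An added example, not part of any post in this thread and not XenForo code: it shows why hashing a common-password list once and comparing it with the user table finds nothing when each stored hash has its own salt, and how the same list can be applied at login, when the server briefly holds the plaintext. The record layout, the sample list and the use of PBKDF2 from the Python standard library are assumptions made for the sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this sketch
# Constructed stand-in for a common/leaked password list.
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "letmein"})

def derive(password, salt):
    """Salted, slow hash (PBKDF2 used here as a stand-in for the forum's scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    """Hypothetical user-table row: a per-user random salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}

def precomputed_match(record):
    """Hash the list once and compare with the stored value.

    With per-user salts the precomputed table never lines up with a stored
    hash, even when the user's password is on the list.
    """
    fixed_salt = b"\x00" * 16
    table = {derive(p, fixed_salt) for p in COMMON_PASSWORDS}
    return record["hash"] in table

def login(record, submitted):
    """Verify the password, then screen the plaintext against the list."""
    ok = hmac.compare_digest(derive(submitted, record["salt"]), record["hash"])
    # Only a successful login proves the listed password is the account's own.
    return {"authenticated": ok, "force_reset": ok and submitted in COMMON_PASSWORDS}
```

An offline audit of salted hashes is still possible, but it costs one slow derivation per user per candidate, which is why the screening is usually done at login or password change instead.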
 

darkpatriot

Arcane
Glory to Ukraine
Joined
Mar 28, 2010
Messages
5,840
Wouldn't that solve the whole issue? Make it like one post deletion per hour.
Not limited like that, limited the same as post edits can be limited, i.e. how far back you can go when editing posts. E.g. a week, a month, 3 months, etc. Anything else would require custom development and is unlikely.

I think most of the valid reasons to delete would be covered by a time limit, it could even be generous such as a few weeks. Unless a few weeks of posts is still enough to cause mass deletion bugs.

Stuff like accidental double posting, accidentally posting before the post was finished, realizing the quoting/formatting is all fucked up, realizing that something you posted was already posted in the thread, etc... Those deletions would only need a few hours time window in most cases, maybe a day or two if you went to sleep after posting and didn't return for a while to catch the mistake.

Same with editing, although there are probably a few more valid reasons to edit old posts. Like if you start a thread and the first post was meant to be updated. Such as the first post of a lets play style thread where the first post was meant to be edited to have future episodes be linked to it. If there was a way to make first posts in threads exempt from any editing time limit, that would cover that case.

I would vote for that over 2FA any day of the week.
 

darkpatriot

Arcane
Glory to Ukraine
Joined
Mar 28, 2010
Messages
5,840
Which browsers in 2023 don't have an integrated pass manager / login saving that you all need to store them separately? Firefox has even had a function to generate unique strong passwords for individual logins for years now, which takes all the legwork out of it.

As a person who once worked tech support, I have a developed loathing of the save password feature in browsers.

That was the cause of 95% of the cases of users who were locking themselves out of accounts, or needing password resets done because they could no longer remember their passwords.

Actual third party password managers seemed to cause fewer issues. I'm not sure if it was because they were less common, if the people who used them were more technologically savvy, or both.
 

Skinwalker

*teleports inside you*
Patron
Village Idiot
Joined
Aug 20, 2021
Messages
10,687
Location
Nosex
Which browsers in 2023 don't have an integrated pass manager / login saving that you all need to store them separately? Firefox has even had a function to generate unique strong passwords for individual logins for years now, which takes all the legwork out of it.

As a person who once worked tech support, I have a developed loathing of the save password feature in browsers.

That was the cause of 95% of the cases of users who were locking themselves out of accounts, or needing password resets done because they could no longer remember their passwords.

Actual third party password managers seemed to cause fewer issues. I'm not sure if it was because they were less common, if the people who used them were more technologically savvy, or both.
Tough words for a guy who just got hacked by a vatnik.
 

darkpatriot

Arcane
Glory to Ukraine
Joined
Mar 28, 2010
Messages
5,840
Which browsers in 2023 don't have an integrated pass manager / login saving that you all need to store them separately? Firefox has even had a function to generate unique strong passwords for individual logins for years now, which takes all the legwork out of it.

As a person who once worked tech support, I have a developed loathing of the save password feature in browsers.

That was the cause of 95% of the cases of users who were locking themselves out of accounts, or needing password resets done because they could no longer remember their passwords.

Actual third party password managers seemed to cause fewer issues. I'm not sure if it was because they were less common, if the people who used them were more technologically savvy, or both.
Tough words for a guy who just got hacked by a vatnik.
I'm not too worried. I finally updated my Codex password to the new stronger password I use everywhere else. :smug:
 

Roguey

Codex Staff
Staff Member
Sawyerite
Joined
May 29, 2010
Messages
36,062
Same with editing, although there are probably a few more valid reasons to edit long posts. Like if you start a thread and the first post was meant to be updated. Such as the first post of a lets play style thread where the first post was meant to be edited to have future episodes be linked to it. If there was a way to make first posts in threads exempt from any editing time limit, that would cover that case.
I should be able to edit any of my posts whenever I want (additional info, fixing broken images/links).
 

Maxie

Wholesome Chungus
Patron
Glory to Ukraine
Joined
Nov 13, 2021
Messages
7,213
Location
Warszawa, PL
Same with editing, although there are probably a few more valid reasons to edit long posts. Like if you start a thread and the first post was meant to be updated. Such as the first post of a lets play style thread where the first post was meant to be edited to have future episodes be linked to it. If there was a way to make first posts in threads exempt from any editing time limit, that would cover that case.
I should be able to edit any of my posts whenever I want (additional info, fixing broken images/links).
I should be able to edit any of Roguey's posts whenever I want
 

ds

Cipher
Patron
Joined
Jul 17, 2013
Messages
1,638
Location
here
Same with editing, although there are probably a few more valid reasons to edit long posts. Like if you start a thread and the first post was meant to be updated. Such as the first post of a lets play style thread where the first post was meant to be edited to have future episodes be linked to it. If there was a way to make first posts in threads exempt from any editing time limit, that would cover that case.
I should be able to edit any of my posts whenever I want (additional info, fixing broken images/links).
I should be able to edit any of Roguey's posts whenever I want
CruduxCruo should be able to delete your posts whenever he wants.
 

Radiane

Cipher
Joined
Dec 20, 2019
Messages
368
Now: You can use your phone number. But you don't really need to, but it does have certain benefits if you do etc.
Next: You can use your ID number. But you don't really need to, but it does have certain benefits if you do etc.
Soon: You can use your home address. But you don't really need to, but it does have certain benefits if you do etc.
Eventually: You can use your barcode on your forehead. But you don't really need to, but it does have certain benefits if you do etc.
 

Napalm

Novice
Joined
Nov 30, 2021
Messages
30
Instead of troubling people with this 2FA shit in a gaming forum, maybe you could start a bit smaller and simply upgrade your password rules from 1994 times when 4 lower-case letters alone was considered good enough? Could even go a step further and force users to change their pw in every half a decade or whatnot. Or just disable the fucking delete button when a post is over 24 hours old.
 

lukaszek

the determinator
Patron
Joined
Jan 15, 2015
Messages
12,877
DU already was on track of solving this issue. He made every post anonymous, remove login altogether and there won't be any deletes by design
 

Taluntain

Most Frabjous
Staff Member
Joined
Oct 7, 2003
Messages
5,461
Location
Your Mind
Is the administration able to notice when an unusual number of login attempts are made? Or to at least verify that it happened after the fact?
XF automatically locks you out for a while after a few failed login attempts. Nobody's brute-forcing passwords there unless they're literally like "password" or "12345".
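
An added example, not part of any post in this thread and not XenForo's own logic: it runs the two points raised above over the same login log, a per-account failed-attempt lockout and a source that tries leaked (username, password) pairs once per account. The log format, the thresholds and every log line are constructed for the illustration.

```python
from collections import defaultdict

LOCKOUT_FAILS = 5      # assumed per-account lockout threshold
MIN_ACCOUNTS = 4       # assumed: distinct usernames from one IP worth flagging
WINDOW_SECONDS = 600   # assumed detection window

# Constructed sample log lines: "<epoch> <source-ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice fail
1700000004 203.0.113.7 bob ok
1700000009 203.0.113.7 carol fail
1700000013 203.0.113.7 dave ok
1700000017 203.0.113.7 erin fail
1700000100 198.51.100.20 frank fail
1700000110 198.51.100.20 frank fail
1700000120 198.51.100.20 frank fail
1700000130 198.51.100.20 frank fail
1700000140 198.51.100.20 frank fail
1700000300 192.0.2.5 gina ok
"""

def parse(log):
    rows = (line.split() for line in log.splitlines())
    return sorted((int(ts), ip, user, res == "ok") for ts, ip, user, res in rows)

def locked_out_accounts(events):
    """Accounts that a simple per-account failed-login counter would lock."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return {user for user, n in fails.items() if n >= LOCKOUT_FAILS}

def stuffing_sources(events):
    """Map each IP that tried many distinct accounts in one window to its successes."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            if len({e[2] for e in window}) >= MIN_ACCOUNTS:
                flagged[ip] = sorted(e[2] for e in window if e[3])
    return flagged
```

On the sample log the lockout counter only catches the user who mistyped a password five times, while the per-source view flags the one address that touched five accounts and lists the two logins that succeeded and need a forced reset.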
 

Hirato

Purse-Owner
Patron
Joined
Oct 16, 2010
Messages
3,981
Location
Australia
Codex 2012 Codex USB, 2014 Shadorwun: Hong Kong
It's been 48 hours since I last got asked to do a 2FA.
I guess the regular 2FA prompt's 30 days button works, but the one right after "congrats on activating 2FA!" doesn't.


As for the edit/delete debate.
I don't see much value in being able to delete posts around here at all.
Editing is another matter, it's extremely useful and even necessary, especially for threads that open with an index like the average Let's Play around here.
EDIT: I suppose Delete does at least make it easy to notice hacked accounts when they delete posts en masse...
 
Joined
May 11, 2007
Messages
1,853,813
Location
Belém do Pará, Império do Brasil
What is the urgency?
Growing number of exploited user accounts with script kiddies mass-deleting their posts, requiring staff cleanup. We could be at this all day every day with the number of reused exploited logins readily available in online databases that are starting to get exploited now.
This seems to be confirmation that the only reason this situation was even possible is that some (prolific) Codexers use the same password with the same username on compromised sites. :M
Good thing that Codex is likely the last place I ever used the password I had here.
 

King Crispy

Too bad I have no queen.
Patron
Staff Member
Joined
Feb 16, 2008
Messages
1,876,905
Location
Future Wasteland
Strap Yourselves In
The other thing we're starting to lose sight of here is the impetus for the "hack" in the first place: the Ukraine thread. It's safe to assume that the actions taken were the result of the perpetrator being so upset with the content that (the above) users contributed that this person decided to go to extreme measures to... belittle those people? To make some sort of point? Intimidation, I guess?

So, logic dictates, since this kind of attack on Codex hasn't otherwise happened in a long time, that if the Ukraine thread were no longer such a lightning rod for such behavior, it wouldn't happen again.

Therefore, come on, Ukraine, let's wrap this thing up so we can go ahead and Retardo the thread!
:troll:
 
