All accounts last logged in before 2021-07-01 deactivated

News about ZDoom, its child ports, or any closely related projects.

Moderator: GZDoom Developers

All accounts last logged in before 2021-07-01 deactivated

Postby Rachael » Tue Nov 09, 2021 9:58 am

Recently spam bots have decided to start taking over old, abandoned accounts, so in an effort to curb this I've deactivated accounts that last logged in before July of this year.

Also - all accounts that have 0 posts and were created before May 2021 have been deleted completely.

Please see this post for info on how to get your account reactivated.
Rachael
^ walking stack of unfinished projects ^
Admin
 
Joined: 13 Jan 2004
Discord: Rachael#3767
Twitch ID: madamerachelle
Github ID: madame-rachelle

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Rachael » Sat Dec 11, 2021 11:32 am

Some of the account requests recently have been asking how often you have to be active in order to prevent your account from being marked inactive.

Generally, making a post at least once a month is sufficient to prevent inactivity lockouts. But it's very important to state that this is not something that is enforced, nor is it a rule.

The reason for the lockout was because of older accounts being compromised. The best way, as a community as a whole, to prevent this kind of thing from occurring is to use strong passwords. This only became a problem (several times now) because there are still people who utterly refuse to strengthen their passwords even at least a little bit.

You don't need a bunch of symbols and gibberish that are impossible to memorize to have a good password. The best way to protect yourself is to get a password manager. "LessPass" seems to be one of the best because it generates a password on the fly that does not even have to be stored - it simply uses a seed that ensures it can re-create the same password later, which is different for every site. One of my friends also swears by "LastPass" - but be careful using anything that is commercial, even if it is free. You do not know what is being done with your data (and I am not talking about your actual passwords - I'm talking about things like your email and browsing habits).

So - I hope this helps you.

If you don't want to use a password manager - remember that "pass phrases" are far more secure than gibberish passwords. For example: "My brother Joe makes excellent Doom mods" would be a great password - if I didn't actually state it in this post. But it is an example of the kind of thing you can remember, that is quite secure, and should reduce the chances of you forgetting your password as well as account compromise quite dramatically.
Rachael
Admin

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Graf Zahl » Sat Dec 11, 2021 12:11 pm

Rachael wrote:If you don't want to use a password manager - remember that "pass phrases" are far more secure than gibberish passwords.


Please tell this to my employer's clients. No, they hand out gibberish passwords so you can imagine how many of them lie around as paper notes on the desks because nobody can remember that shit, and some of the software being used has no "remember password" function... :?

So, I can only second that these passwords are not secure. It is inevitable that they have to be written down somewhere where they eventually can be retrieved.
Graf Zahl
Lead GZDoom+Raze Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Enjay » Sat Dec 11, 2021 1:28 pm

It is now pretty well established that, for the reasons outlined and more, pass phrases are more secure. Yet I think all of the logins that I use at work (and I have quite a lot) still demand the "must be at least eight characters long, contain a special character, upper and lower case letters and at least 1 digit" thing. Some even actually reject passwords if they contain recognised real words.

So, yup, you can find post-it notes with things like !DeRp_54321@ written down all over the place, and often with the name of the program or website right beside it.
Enjay
Everyone is a moon, and has a dark side which he never shows to anybody. Twain
 
 
 
Joined: 15 Jul 2003
Location: Scotland

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Rachael » Sat Dec 11, 2021 2:45 pm

One of the primary core tenets of security that is most overlooked is availability. By definition something that is unavailable (even if due to inaccessibility) is *insecure*. So yeah, requiring these utterly ridiculous gibberish passwords and outright rejecting dictionary words (even if they are contained within a full sentence intended to be used as a password) is hurting your end-users' security, not helping it. And those post-it notes are simultaneously the cause, symptom, and consequence of such insecurity, proving in multiple ways a point more than any other single point ever could.

If what I said doesn't make sense - then this will help clear it up: https://www.securicy.com/blog/3-princip ... cia-triad/
Rachael
Admin

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Rachael » Thu Jan 06, 2022 3:58 pm

The password requirements have been raised today. This last reset has made one thing painfully clear: Accounts with weak passwords have been our biggest problem lately with our battle against the bots.

Old: 6 Characters Minimum, New: 15
Old: 30 Characters Maximum, New: 120
Old: No complexity requirements, New: Must be mixed case at least (only one letter needs to be capitalized to meet this requirement)

The most secure passwords are actually a sentence that is meaningful to you.

Rachael
Admin
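Added example, not the forum's or phpBB's own code: a small Python check that applies the old and new limits listed above to the passphrase from the earlier post and to the post-it style password from Enjay's post, plus a rough entropy estimate for a random character string versus random words. The 95-symbol printable-ASCII alphabet and the 7776-word list size are assumptions used for the estimate, and both figures are upper bounds that only hold when the choice is actually random.

```python
import math

# Policies as stated in the post above: the old limits and the new ones.
OLD_POLICY = {"min_len": 6, "max_len": 30, "mixed_case": False}
NEW_POLICY = {"min_len": 15, "max_len": 120, "mixed_case": True}

# Constructed samples: the passphrase quoted in Rachael's earlier post
# and the kind of "gibberish" password Enjay describes on post-it notes.
PASSPHRASE = "My brother Joe makes excellent Doom mods"
GIBBERISH = "!DeRp_54321@"


def check_policy(password: str, policy: dict) -> list:
    """Return the list of rules the password violates (empty list means accepted)."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append("shorter than %d characters" % policy["min_len"])
    if len(password) > policy["max_len"]:
        problems.append("longer than %d characters" % policy["max_len"])
    if policy["mixed_case"]:
        has_upper = any(c.isupper() for c in password)
        has_lower = any(c.islower() for c in password)
        if not (has_upper and has_lower):
            problems.append("needs at least one upper-case and one lower-case letter")
    return problems


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from `alphabet_size` symbols.
    Upper bound only: a human-chosen string such as GIBBERISH is far from uniform."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly at random from a public wordlist.
    Assumes the attacker knows the wordlist, so only the choice of words counts."""
    return word_count * math.log2(wordlist_size)


def summarize(password: str) -> dict:
    """Run both policies over one password and collect the verdicts."""
    return {
        "password": password,
        "length": len(password),
        "old_policy_problems": check_policy(password, OLD_POLICY),
        "new_policy_problems": check_policy(password, NEW_POLICY),
    }


if __name__ == "__main__":
    for pw in (PASSPHRASE, GIBBERISH):
        print(summarize(pw))
    # 12 printable-ASCII characters (95 symbols, assumed) if truly random,
    # versus 7 words from a 7776-word diceware-style list (assumed size).
    print("random 12-char string:", round(random_string_entropy_bits(12, 95), 1), "bits")
    print("7 random words:", round(passphrase_entropy_bits(7, 7776), 1), "bits")
```

Running it shows one consequence of the old limits that the post does not spell out: the 40-character passphrase fails the old 30-character maximum, while the 12-character gibberish string passes it, so the old policy steered people toward exactly the kind of password that ends up on a post-it. Under the new limits the passphrase is accepted and the short string is rejected for length.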

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Valken » Fri Jan 07, 2022 3:29 am

Thank you team. Is there a way to set up something like pseudo 2FA with Discord, for example? Your team fixed my account but I figure it would be worth asking one day.
Valken
 
Joined: 08 Jun 2015

Re: All accounts last logged in before 2021-07-01 deactivate

Postby wildweasel » Fri Jan 07, 2022 10:00 am

Not with the current forum software, to my knowledge. We would probably need to find a plug-in for it, and honestly, I'm not sure that I would trust a third party plug-in with that.
wildweasel
from a different perspective.
Moderator Team Lead
 
Joined: 15 Jul 2003

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Player701 » Tue Jan 11, 2022 5:47 am

Speaking not as an information security specialist but purely from a common-sense point of view, one of the more secure 2FA methods seems to be FIDO U2F, which relies on a physical device as the second factor. I own a couple of these (primary + backup) and use them with every service that supports U2F. It looks like there are plugins for phpBB too, although I understand that for this forum's maintenance team it would probably be too much effort for too little gain.
Player701
 
 
 
Joined: 13 May 2009
Location: Russia
Discord: Player701#8214
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: nVidia with Vulkan support

Re: All accounts last logged in before 2021-07-01 deactivate

Postby Rachael » Tue Jan 11, 2022 6:53 am

The problem with that is, it will effectively prevent us from moving to a new forum software unless the exact same plugin is written the exact same way for the new target forum software.

And I don't want my options there to be locked to phpBB, either.

Right now 2FA is completely out of the question.
Rachael
Admin

