All accounts last logged in before 2022-Apr-27 deactivated
Moderator: GZDoom Developers
-
- Posts: 13884
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
All accounts last logged in before 2022-Apr-27 deactivated
Recently spam bots have decided to start taking over old, abandoned accounts, so in an effort to curb this I've deactivated accounts that last logged in before July of this year.
Also - all accounts that have had 0 posts and created before May 2021 of this year have been deleted completely.
Please see this post for info on how to get your account reactivated.
-
- Posts: 13884
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: All accounts last logged in before 2021-07-01 deactivate
Some of the account requests recently have been asking how often you have to be active in order to prevent your account from being marked inactive.
Generally, making a post at least once a month is sufficient to prevent inactivity lockouts. But it's very important to state that this is not something that is enforced nor is it a rule.
The reason for the lockout was because of older accounts being compromised. The best way, as a community as a whole, to prevent this kind of thing from occurring is to use strong passwords. This only became a problem (several times now) because there are still people who utterly refuse to strengthen their passwords even at least a little bit.
You don't need a bunch of symbols and gibberish that are impossible to memorize to have a good password. The best way to protect yourself is to get a password manager. "LessPass" seems to be one of the best because it generates a password on the fly that does not even have to be stored - it simply uses a seed that ensures it can re-create the same password later, which is different for every site. One of my friends also swears by "LastPass" - but be careful using anything that is commercial, even if it is free. You do not know what is being done with your data (and I am not talking about your actual passwords - I'm talking about things like your email and browsing habits).
So - I hope this helps you.
If you don't want to use a password manager - remember that "pass phrases" are far more secure than gibberish passwords. For example: "My brother Joe makes excellent Doom mods" would be a great password - if I didn't actually state it in this post. But it is an example of the kind of thing you can remember, that is quite secure, and should reduce the chances of you forgetting your password as well as account compromise quite dramatically.
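The idea described in the post above (a password re-created on demand from a seed, different for every site, never stored) can be sketched as follows. This is an added example, not part of the original post and not LessPass's actual algorithm; the function names, salt layout, character set and the sample site and login are assumptions, and the policy check uses the length and mixed-case requirements listed further down this thread.

```python
import hashlib

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
ALPHABET = LOWER + UPPER + "0123456789"


def derive_password(master, site, login, counter=1, length=20):
    """Re-create a site-specific password from a master secret; nothing is stored."""
    if not 15 <= length <= 120:
        raise ValueError("length must be within the forum's 15..120 range")
    # The salt binds the output to one site, one login and one rotation counter.
    salt = "\x00".join((site.lower(), login, str(counter))).encode()
    # A slow KDF makes guessing the master secret from a leaked password costly.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000,
                              dklen=2 * length)
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length - 2):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    # Insert one guaranteed lower- and upper-case letter at derived positions.
    for pool in (LOWER, UPPER):
        n, r = divmod(n, len(pool))
        n, pos = divmod(n, len(chars) + 1)
        chars.insert(pos, pool[r])
    return "".join(chars)


def meets_forum_policy(password):
    """Length 15..120 and mixed case, as listed in the thread."""
    return (15 <= len(password) <= 120
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password))


if __name__ == "__main__":
    # Constructed sample inputs; the master secret is the only thing to remember.
    master = "constructed master sentence for this example"
    print(derive_password(master, "forum.example", "doomguy"))
```

Raising the counter yields a fresh password for the same site after a forced reset, without changing the master secret.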
-
- Lead GZDoom+Raze Developer
- Posts: 49204
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: All accounts last logged in before 2021-07-01 deactivate
Rachael wrote: If you don't want to use a password manager - remember that "pass phrases" are far more secure than gibberish passwords.
Please tell this to my employer's clients. No, they hand out gibberish passwords so you can imagine how many of them lie around as paper notes on the desks because nobody can remember that shit, and some of the software being used has no "remember password" function...

So, I can only second that these passwords are not secure. It is inevitable that they have to be written down somewhere where they eventually can be retrieved.
-
-
- Posts: 26832
- Joined: Tue Jul 15, 2003 4:58 pm
- Location: Scotland
Re: All accounts last logged in before 2021-07-01 deactivate
It is now pretty well established that, for the reasons outlined and more, pass phrases are more secure. Yet I think all of the logins that I use at work (and I have quite a lot) still demand the "must be at least eight characters long, contain a special character, upper and lower case letters and at least 1 digit" thing. Some even actually reject passwords if they contain recognised real words.
So, yup, you can find post-it notes with things like !DeRp_54321@ written down all over the place, and often with the name of the program or website right beside it.
-
- Posts: 13884
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: All accounts last logged in before 2021-07-01 deactivate
One of the primary core tenets of security that is most overlooked is availability. By definition something that is unavailable (even if due to inaccessibility) is *insecure*. So yeah, requiring these utterly ridiculous gibberish passwords and outright rejecting dictionary words (even if they are contained within a full sentence intended to be used as a password) is hurting your end-users' security, not helping it. And those post-it notes are simultaneously the cause, symptom, and consequence of such insecurity, proving in multiple ways a point more than any other single point ever could.
If what I said doesn't make sense - then this will help clear it up: https://www.securicy.com/blog/3-princip ... cia-triad/
-
- Posts: 13884
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: All accounts last logged in before 2021-07-01 deactivate
The password requirements have been raised today. This last reset has made one thing painfully clear: Accounts with weak passwords have been our biggest problem lately with our battle against the bots.
Old: 6 Characters Minimum, New: 15
Old: 30 Characters Maximum, New: 120
Old: No complexity requirements, New: Must be mixed case at least (only one letter needs capitalized to meet this requirement)
The most secure passwords are actually a sentence that is meaningful to you.
-
- Posts: 281
- Joined: Mon Jun 08, 2015 7:32 am
Re: All accounts last logged in before 2021-07-01 deactivate
Thank you team. Is there a way to set up something like pseudo 2FA with Discord for example? Your team fixed my account but I figure it would be worth asking one day.
-
- Posts: 21706
- Joined: Tue Jul 15, 2003 7:33 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): A lot of them
- Graphics Processor: Not Listed
Re: All accounts last logged in before 2021-07-01 deactivate
Not with the current forum software, to my knowledge. We would probably need to find a plug-in for it, and honestly, I'm not sure that I would trust a third party plug-in with that.
-
-
- Posts: 1706
- Joined: Wed May 13, 2009 3:15 am
- Graphics Processor: nVidia with Vulkan support
Re: All accounts last logged in before 2021-07-01 deactivate
Speaking not as an information security specialist but purely from a common-sense point of view, one of the more secure 2FA methods seems to be FIDO U2F, which relies on a physical device as the second factor. I own a couple of these (primary + backup) and use them with every service that supports U2F. It looks like there are plugins for phpBB too, although I understand that for this forum's maintenance team it would probably be too much effort for too little gain.
-
- Posts: 13884
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: All accounts last logged in before 2021-07-01 deactivate
The problem with that is, it will effectively prevent us from moving to a new forum software unless the exact same plugin is written the exact same way for the new target forum software.
And I don't want my options there to be locked to phpBB, either.
Right now 2FA is completely out of the question.
-
- Posts: 13884
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: All accounts last logged in before 2021-07-01 deactivate
All accounts last active before 2022-04-27 have been deactivated. Getting spam attacks from compromised accounts, again. If this keeps up I will be forcing a password reset for the entire board and upping password requirements - which means everyone will have to recover their account and set a new password - it sucks to have to do that, but if people keep getting hacked, that's what will be necessary.
Obviously - this means keep your email up to date if you don't want to lose access to your account. Please also change your password to avoid being a victim of a hack.
-
- Posts: 1606
- Joined: Mon Jun 12, 2017 12:57 am
Re: All accounts last logged in before 2021-07-01 deactivate
Rachael wrote: You don't need a bunch of symbols and gibberish that are impossible to memorize to have a good password. The best way to protect yourself is to get a password manager. "LessPass" seems to be one of the best because it generates a password on the fly that does not even have to be stored - it simply uses a seed that ensures it can re-create the same password later, which is different for every site. One of my friends also swears by "LastPass" - but be careful using anything that is commercial, even if it is free. You do not know what is being done with your data (and I am not talking about your actual passwords - I'm talking about things like your email and browsing habits).
So - I hope this helps you.
If you don't want to use a password manager - remember that "pass phrases" are far more secure than gibberish passwords. For example: "My brother Joe makes excellent Doom mods" would be a great password - if I didn't actually state it in this post. But it is an example of the kind of thing you can remember, that is quite secure, and should reduce the chances of you forgetting your password as well as account compromise quite dramatically.
Same things but in video form
-
- Posts: 21706
- Joined: Tue Jul 15, 2003 7:33 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): A lot of them
- Graphics Processor: Not Listed
Re: All accounts last logged in before 2021-07-01 deactivate
A reminder from ZDoom Forum Administration, since this has come up a few times:
Even though you're submitting your Account Reactivation form as a "new topic," absolutely no personal details you post will be publicly viewable by anybody except Administrators.
I repeat: ONLY THE ADMINS CAN SEE WHAT YOU POST TO ACCOUNT RECOVERY.
This is because these posts end up in the Moderation Queue, which normal users cannot see. So to the non-zero amount of users who have requested their accounts back, but refuse to tell us your email addresses (information that we already have on file and use to verify that you are who you say you are)... please just rip off the band-aid and get it over with. You want your account back. We want you to get your account back on the first try.
Thank you.
-
- Posts: 496
- Joined: Mon Sep 23, 2019 1:03 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): Windows 7 Professional 64-bit SP1
- Graphics Processor: ATI/AMD with Vulkan/Metal Support
- Location: Doomworld Forums
Re: All accounts last logged in before 2022-Apr-27 deactivat
Question: Would it be possible to include a censored example/template on the page for posting your account recovery request? Might help to give people an idea of what they need to put in the request.
I do recall having sent an account recovery myself once. I presume I got everything about it right, since I'm currently using the account I sent the recovery request for.
-
- Posts: 13884
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: All accounts last logged in before 2022-Apr-27 deactivat
Name: [name here]
Email: [email for verification]
That's literally all you need.
If you don't remember your account email you have other options, like ISP/location at the time of registration or of recent posts. It just has to be stuff that no one has access to publicly.
If you lost access to your registration email address, you will have to supply a new one since a code will be sent.