These new "security" "features" are absolutely infuriating

MaximRecoil

Well-known member
Joined
Oct 11, 2003
Messages
3,106
Reaction score
86
Location
Maine
This is an arcade forum, not NORAD or the Pentagon. Logging in tonight, which should have taken 10 seconds, turned out to be a 45-minute project. When I put in my email address and password, instead of logging me in like it should have, it complained that I haven't logged in in over 3 months. So what? What does that have to do with anything? So it required email verification. Why? That's a complete non sequitur, i.e., an email verification requirement doesn't logically follow from not logging in for 3 months; not even close. It's like requiring an email verification specifically because you ate a ham sandwich for lunch.

I did the email verification and tried to log in again. Now it said that my password has been compromised; it's on some list at some website. Unless it's actually associated with my username or email address on that website, who cares? Because of that I was required to change my password. Forced password changes are one of the most annoying aspects of the modern internet, especially in cases of something like an internet forum (rather than, e.g., an online banking account where there's actually something tangible at risk).

I clicked the required link to reset the password, but the system got confused. It refused to email me a link to reset the password (despite requiring me to reset my password) because it had recently emailed me an email validation link. And even though an email validation link is different than a password reset link, it conflated the two and said it couldn't send me "another" one for 30 minutes.

After 30 minutes I tried it again and after resetting my password I figured this Monty Python skit was finally over, but of course it wasn't. When I tried to log in I got a page telling me I hadn't updated my profile since 2021. Again, who cares? What does that have to do with anything? And there doesn't seem to be any way around it. Who ever heard of a forced profile update?

Finally I was logged in, but it was at the main site, and the forums, inexplicably, have a separate login.

My "security" is my own concern, nobody else's. How did this modern trend of forcing "security" on people "for their own good" ever take off anyway, and how did it manage to infect this site?

I've been registered here for over 20 years, and my coming here has always been sporadic, just as it is with every other online forum I go to, because my interests are cyclical and always have been. I don't intend to jump through hoops again just to log in to an internet forum, merely because I haven't logged in for 3 months or more. I'll just close the window instead and forget about it, like I did the last time I tried to log into Skype (Skype also, laughably, thinks that not logging in for a while demands that some hoops be jumped through).
 
There has been a rash of dormant accounts being compromised. Those compromised accounts have been scamming people through the "for sale" section. This site is also going through a forum "upgrade" that has been awkward.
 
It's done now. Log in every 2.5 months and yer good.
 
Now it said that my password has been compromised; it's on some list at some website. Unless it's actually associated with my username or email address on that website, who cares?
There are two reasons for this:
  • You are using the same password on multiple sites
  • You are using a dumb/simple password that other people are using
Assuming either is true: you should stop doing this. There is a huge cost to account compromise. Not only to you (when your accounts get hijacked), but also to the sites that host your accounts. And often to other users of those sites who end up getting scammed. Read this thread for more information.
I don't intend to jump through hoops again just to log in to an internet forum, merely because I haven't logged in for 3 months or more.
Then don't.
 
There are two reasons for this:
  • You are using the same password on multiple sites
  • You are using a dumb/simple password that other people are using
Assuming either is true: you should stop doing this. There is a huge cost to account compromise. Not only to you (when your accounts get hijacked), but also to the sites that host your accounts. And often to other users of those sites who end up getting scammed. Read this thread for more information.

Everyone has their own responsibility to watch out for scams. The only way you can imagine that there's a "huge cost to account compromise" on an internet forum that isn't tied to financial information/accounts is if you have a "pass the buck" mentality.

In the ~24 years that I've been using the internet on a regular basis, I've never had a forum account compromised that I know of. No one is going to guess effectively random strings of characters that don't even form a word of any kind, and if a site is breached, it doesn't matter how strong your password is anyway, because they have access to the passwords.

Then don't.

I already said as much. It's not as if I've ever had anything important to say here. It's a place that has discussions about one of my interests, but if it turns into "serious business" just to log in from time to time, I can do without the headache.
 
Sure it takes effort but everything costs something.

I got kicked out since this morning apparently and had to change my password because I couldn't remember it and never bothered to write it down anywhere.

Mildly irritating of course, but not wall of text kind of big deal.
 
Sure it takes effort but everything costs something.

I got kicked out since this morning apparently and had to change my password because I couldn't remember it and never bothered to write it down anywhere.

Mildly irritating of course, but not wall of text kind of big deal.
How could you forget "wearingagrassskirt dontmakemegay" ??
 
I got kicked out since this morning apparently and had to change my password because I couldn't remember it and never bothered to write it down anywhere.

Mildly irritating of course, but not wall of text kind of big deal.

That's one thing. When I tried to log in it was a lot more than one thing, including a broken aspect of the system that resulted in a half-hour wait time. Again:

I clicked the required link to reset the password, but the system got confused. It refused to email me a link to reset the password (despite requiring me to reset my password) because it had recently emailed me an email validation link. And even though an email validation link is different than a password reset link, it conflated the two and said it couldn't send me "another" one for 30 minutes.

As for "wall of text," this is an example of one:


Notice the lack of paragraph breaks. That's why it's called a "wall," no breaks, like a wall. There are six paragraph breaks in my post. If "wall of text" meant what you think it means then every page of every non-children's book ever written would be a wall of text.
 
It's good to see you back. You're one of the real old timers here.

But in your absence a number of old accounts were compromised and used in scamming attempts here, and some were successful.

I completely understand why Greg changed things to protect the users here.

I suspect that will be a one-time problem for you, even if you go away for more than 3 months again, because your password will no longer match your compromised password at many other sites.
 
In the ~24 years that I've been using the internet on a regular basis, I've never had a forum account compromised that I know of. No one is going to guess effectively random strings of characters that don't even form a word of any kind, and if a site is breached, it doesn't matter how strong your password is anyway, because they have access to the passwords.
But they don't have to guess a random string of characters now. Because you used the password/email or password/username combo elsewhere where it WAS compromised. Now they just log in here with that info. That's the point.
 
But they don't have to guess a random string of characters now. Because you used the password/email or password/username combo elsewhere where it WAS compromised. Now they just log in here with that info.

Not necessarily. First, it could have been someone else who used that same string of characters, and second, the password would have to be associated with my username or email address in order for it to be of any use to anyone. The administrator post that was linked to above said:

On the main site's account settings page, whenever someone changes their password, the system checks the password against a database of nearly 12 billion breached accounts from 603 web sites. If it finds the password in the database, it rejects it. Note: It's not looking for whether the password and email address are found together, but just the password. It isn't checking if our member had used the password on another site that was breached, but checking if anyone in the world used the password on a site that was breached.

The biggest irritation was the 30-minute wait time due to the software being confused, which turned it into something akin to a Monty Python skit.
 
I had almost the same experience last week. Except I have been active almost daily and had been logged in less than 24 hours previously.

I understand the need for security but the process is not ideal.

Mitch
 
...

I clicked the required link to reset the password, but the system got confused. It refused to email me a link to reset the password (despite requiring me to reset my password) because it had recently emailed me an email validation link. And even though an email validation link is different than a password reset link, it conflated the two and said it couldn't send me "another" one for 30 minutes.
Scammers are not only using breached credential sets from other sites on forums all over the internet, but they are also making assumptions based on similar site themes. So credential sets from another arcade or videogame site are more likely to be tried here, than say, those from a sewing site.

And hackers are trying random email addresses from databases with random passwords too from the databases looking for hits. So it isn't just an issue of whether you used a poor password, but whether anyone did. We don't have a way of checking an email/password pair in the large databases... only the password. So we couldn't limit the error checking if we wanted to. But this makes sense. Responsible databases of breached passwords don't want to be giving out credential sets, nor asking for them. [We don't even share non-breached passwords externally... it's all done with partial hash lookups to download and then we compare.]

We don't save any one's valid passwords, so I have no way of knowing what anyone's password is. That said, if someone has an existing password on the breached list, it forces the user to change the password and it temporarily saves me a copy of the (old) breached password. We used this to help troubleshoot some false positives on the breached password check. In a review of this temp list, let's just say that 90% of them are really stupid passwords that people should have stopped using 20-25 years ago.

Breached accounts started getting more common a year or two ago, and by earlier this year we had multiple such breaches happening every week -- every one of them because people used dumb passwords. One hacker in particular seemed focused on these forums and kept asking for people to paypal him (and some did).

We are continuing to roll-in additional security measures as you have noticed and it's already making a huge difference.

As far as the 30 minute issue above...that was noted in another thread. I learned of it yesterday and it was fixed this morning. Sorry for the trouble.

... When I tried to log in I got a page telling me I hadn't updated my profile since 2021. Again, who cares? What does that have to do with anything? And there doesn't seem to be any way around it. Who ever heard of a forced profile update?

I assume you are talking about your VAPS profile. You don't have to change anything, you just have to save to confirm it is updated. In short, we prefer not to have people listing games they sold 10 years ago. Although we will require something like that on general account information too. VAPS for years required email re-verification every 6 months or it would auto-delete your VAPS entry. Then this wasn't enforced for years. Now we are working towards a working balance.

Finally I was logged in, but it was at the main site, and the forums, inexplicably, have a separate login.

They are separate systems. It is scheduled for us to figure out how to tie the logins together better, but it hasn't happened yet. Things take time on a free site, and we are spending much more $ on upgrading systems now than $ coming in.

My "security" is my own concern, nobody else's. How did this modern trend of forcing "security" on people "for their own good" ever take off anyway, and how did it manage to infect this site?

Your security becomes everyone's problem if someone logs in with your account and starts scamming people out of money.

There has been a rash of dormant accounts being compromised. Those compromised accounts have been scamming people through the "for sale" section. This site is also going through a forum "upgrade" that has been awkward.

yup

Not necessarily. First, it could have been someone else who used that same string of characters, and second, the password would have to be associated with my username or email address in order for it to be of any use to anyone. The administrator post that was linked to above said:

It's largely script driven now. Scammers will hit sites, with every attempt coming from a different IP address. It's why more and more sites are moving towards 2FA.

--

This year we made it so the site now emails you if your account logged in from a suspect geographic location, or haven't logged in for over 30 days, or upon change of account information, and likely in the near future on other criteria. We've already had a user report an account breach because of receiving one of these emails, and we were able to deal with it before any trouble ensued.

And for forcing an email re-verification... here are some things (subject to change) that trigger a forced re-verify:

1. Account inactive for 90 days (may increase in the future). If someone doesn't log in regularly, yes, we will get them to re-verify every time they come back. It's better when breached accounts are noticed by the users, and inactive accounts don't get noticed quickly. The majority of breached accounts were for users that hadn't logged in for years. This simple change stopped > 90% of the trouble.

2. No re-verification in over 7 years (down from 10, 9, 8). This will probably end up at something like 180 days, so I'll keep reducing the time until we get there. Because some people can't manage to keep a current email address on file, we've been rolling this in relatively gently. A key benefit of this is to allow someone to change an email address after they know they are getting rid of it, but before they actually do.

3. Existing password shows up in the breached database. This is quieting down pretty quickly though, as active users stop using passwords like '58239' or 'galaga' or 'atari' or bad words or adult words (yup, people do).

Now likely tomorrow or the next day, we'll add features on the account page to allow someone to voluntarily re-verify their email (or secondary email) if they haven't done so for 90 days. This mainly benefits users that are active (since inactive ones can get trapped above). This allows someone to reverify at their own timing, before risking getting suddenly locked out of their account at a 7 year (or 180 day) mark.
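The "partial hash lookup" the admin describes above is the k-anonymity range scheme popularised by Have I Been Pwned's Pwned Passwords API: the site hashes the password, sends only the first five hex characters of the SHA-1, and compares the returned suffixes locally. The following is an added example written for this thread, not the site's own code; the range endpoint is replaced by a constructed in-memory stand-in (FakeRangeServer, SAMPLE_BREACHED and its counts are all made up here) so it runs offline.

```python
import hashlib
import secrets


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """First 5 hex chars go over the wire; the remaining 35 never leave the site."""
    return full_hash[:5], full_hash[5:]


class FakeRangeServer:
    """Stand-in for a breached-password range endpoint, built from a constructed
    list of weak passwords (the kind the thread mentions), not real breach data."""

    def __init__(self, breached: dict[str, int]):
        self.ranges: dict[str, list[tuple[str, int]]] = {}
        for pw, count in breached.items():
            prefix, suffix = split_hash(sha1_hex(pw))
            self.ranges.setdefault(prefix, []).append((suffix, count))
        self.requests: list[str] = []  # records what the client actually sent

    def fetch(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every stored hash sharing the prefix."""
        self.requests.append(prefix)
        lines = [f"{s}:{c}" for s, c in sorted(self.ranges.get(prefix, []))]
        return "\r\n".join(lines)


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines."""
    out: dict[str, int] = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            out[suffix.upper()] = int(count)
    return out


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).

    Only the 5-char prefix is sent; the suffix comparison happens locally,
    so the server learns neither the password nor its full hash."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed sample corpus; the counts are made up for this example.
SAMPLE_BREACHED = {"galaga": 4200, "atari": 9100, "58239": 310, "password": 999999}
SAMPLE_SERVER = FakeRangeServer(SAMPLE_BREACHED)


def acceptable_new_password(password: str) -> bool:
    """Policy the thread describes: reject any password seen anywhere in the corpus."""
    return breach_count(password, SAMPLE_SERVER.fetch) == 0


if __name__ == "__main__":
    for pw in ("galaga", secrets.token_urlsafe(12)):
        print(pw, "accepted" if acceptable_new_password(pw) else "rejected")
```

Because only the prefix is transmitted, the check works the same way with a real range endpoint; swap `SAMPLE_SERVER.fetch` for an HTTP fetch of that prefix.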
 
I just had a similar experience.
Verified my email, then I was able to log on the website, but the forum kept telling me I had to verify my email.
Turns out I needed to change my password, but nothing was telling me anywhere I needed to.
It's just by googling that I found this topic and finally took the hint.
 
I just had a similar experience.
Verified my email, then I was able to log on the website, but the forum kept telling me I had to verify my email.
Turns out I needed to change my password, but nothing was telling me anywhere I needed to.
It's just by googling that I found this topic and finally took the hint.
@parodier
If you haven't logged in during the last 90 days, the system will force you to reverify your email address (and the forums will keep you from logging in and point you to the main site). In your case, you tried logging onto the main site, and the system stopped you to reverify your email address (so that didn't count as a login). So you clicked on the verification link in the email, which verified your email, but you didn't log in on the main site. And you tried logging onto the forums, but it stopped you again since you hadn't logged in for over 90 days. So you logged onto the main site which solved the problem (changing your password wasn't actually the key).

I have some thoughts on changing the logic a bit to maintain security while increasing the user experience a bit...
 
On the main site, we changed the logic so it now checks for a breached password in the DB before it checks for inactivity. A breached password match causes a password reset link to be emailed, which when clicked on, counts as an email verification. Before it would then ask for another email verification if your account wasn't active (no login during the last 90 days). Now it doesn't need to ask you to verify twice in 5 minutes.
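To make the ordering fix above and the earlier 30-minute lock-out concrete, here is an added example (my code, not the site's) that models the three re-verification triggers the admin listed with the thresholds quoted in the thread, and shows why running the breach check first collapses two e-mails into one. The per-kind mail throttle is my assumed fix for the conflated cooldown; the thread only says the issue was fixed, not how. Account, required_actions and MailThrottle are names I chose.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds quoted by the admin in this thread; everything else is mine.
INACTIVITY_LIMIT = timedelta(days=90)
REVERIFY_LIMIT = timedelta(days=7 * 365)
MAIL_COOLDOWN = timedelta(minutes=30)


@dataclass
class Account:
    last_login: datetime
    last_email_verified: datetime
    password_breached: bool  # outcome of the breached-password check at login


def required_actions(acct: Account, now: datetime,
                     breach_check_first: bool = True) -> list[str]:
    """Steps a login must clear, in the order the site would e-mail them.

    A clicked password-reset link also counts as an e-mail verification, so
    running the breach check first sends one mail. The old order (inactivity
    first) sent a verification mail and then, minutes later, a reset mail."""
    stale = (now - acct.last_login > INACTIVITY_LIMIT
             or now - acct.last_email_verified > REVERIFY_LIMIT)
    if breach_check_first:
        if acct.password_breached:
            return ["password_reset_link"]  # satisfies re-verification too
        return ["email_verification"] if stale else []
    actions = ["email_verification"] if stale else []
    if acct.password_breached:
        actions.append("password_reset_link")
    return actions


@dataclass
class MailThrottle:
    """One cooldown per (account, mail kind), so a verification mail does not
    block a reset mail. Keying on the account alone reproduces the 30-minute
    lock-out described in the thread (assumed cause; the page gives no detail)."""
    per_kind: bool = True
    sent: dict = field(default_factory=dict)

    def try_send(self, account_id: str, kind: str, now: datetime) -> bool:
        key = (account_id, kind) if self.per_kind else account_id
        last = self.sent.get(key)
        if last is not None and now - last < MAIL_COOLDOWN:
            return False
        self.sent[key] = now
        return True


# Constructed sample accounts for the demonstration.
DEMO_NOW = datetime(2024, 6, 1)
DORMANT_BREACHED = Account(DEMO_NOW - timedelta(days=120),
                           DEMO_NOW - timedelta(days=400), True)
ACTIVE_CLEAN = Account(DEMO_NOW - timedelta(days=1),
                       DEMO_NOW - timedelta(days=10), False)


def demo_throttle(per_kind: bool) -> list[bool]:
    """Verification mail at t=0, then reset mails at t+5 min and t+10 min."""
    t = MailThrottle(per_kind=per_kind)
    return [t.try_send("u1", "verify", DEMO_NOW),
            t.try_send("u1", "reset", DEMO_NOW + timedelta(minutes=5)),
            t.try_send("u1", "reset", DEMO_NOW + timedelta(minutes=10))]
```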
 