2 step verification required?

Status
This thread has been locked.

Zilema

If you check the "Trust this device for 30 days" option, yes it adds up to 10 seconds a month.


Using complicated passwords and not running shady programs won't help you if you are involved in a password leak. You don't understand how ridiculously easy it is to get your hands on a password leak; much easier than trying to install a RAT on someone else's computer or bruteforcing their password.


You don't know what you're talking about. When logging in using 2FA there's an option to trust a device for 30 days. Here, I'll show you:
Ubft_D2o.png
That means private browsing has to be turned off and I would much rather keep my history safe than a Minecraft forum account. I honestly don't understand why it is a required feature now. The owner who responded to me earlier said it was because he was fed up with retrieving compromised accounts, which is understandable but regardless, he doesn't have to do it. If people are dumb enough to reuse passwords or use common / simple ones, then they deserve it. If their accounts get compromised, then it's their fault.
 

Ivain

Master Terraformer
Supreme
That means private browsing has to be turned off and I would much rather keep my history safe than a Minecraft forum account. I honestly don't understand why it is a required feature now. The owner who responded to me earlier said it was because he was fed up with retrieving compromised accounts, which is understandable but regardless, he doesn't have to do it. If people are dumb enough to reuse passwords or use common / simple ones, then they deserve it. If their accounts get compromised, then it's their fault.

You must have missed the part where he said that it's a pain to have hackers on the forums all the time, and that the problem is not that people deserve it, but that staff have to deal with hackers. Even if it's "their fault", we have to deal with it.
And if you want to use private browsing, that's your own choice. Not that I'm sure why you'd care about MCM being in your history, but hey, not my business.
So far, the only valid reasons to disable forced 2FA right away have been personal circumstances/choice. I'll see if I can inquire when it will be removed, but it's not likely to be removed right away just because a handful of people can't make use of the 30-day option.
 

Zilema

You must have missed the part where he said that it's a pain to have hackers on the forums all the time, and that the problem is not that people deserve it, but that staff have to deal with hackers. Even if it's "their fault", we have to deal with it.
And if you want to use private browsing, that's your own choice. Not that I'm sure why you'd care about MCM being in your history, but hey, not my business.
So far, the only valid reasons to disable forced 2FA right away have been personal circumstances/choice. I'll see if I can inquire when it will be removed, but it's not likely to be removed right away just because a handful of people can't make use of the 30-day option.
The point I'm making is: Those who deem it as an inconvenience and unnecessary should be able to choose whether or not they want the extra security or not. If they choose not to have it then they shouldn't expect anyone to retrieve their accounts for them. Also, it's not the MCM in my history that I care about, not sure where you got that from as I said I would rather keep my history safe than a Minecraft forum account. Not trying to start anything, just wanting to contribute my opinion.
 

Ivain

Master Terraformer
Supreme
So basically, you want to keep your history safe by browsing MCM privately.. kthen.
Well, to each their own.
As for people choosing to, that's great and all, but too many people are too lazy to choose for it, have a shitty password, then get hacked, and that means staff constantly has to track down and ban compromised accounts, especially if they're not the loud type.
I've not seen it happen yet, but it's perfectly possible for one of those accounts that gets compromised to be controlled by a scammer who uses a reputable member's account to scam others, redirecting them to another Skype etc etc.
Even if they alert us about it, the damage may already be done before we can ban them.

All in all, the "it's their own fault" argument is invalid, since a compromised account is a problem for the entire forums, not just that user.
As I said, I'll take a look when it may stop being enforced. This may be in a few days or a few weeks at most.
But until every single member learns the details of password security or Bebosny has found a way to force the fools into it, it won't be disabled easily.

My personal suggestion, btw, would be that the version of 2FA that's enforced is required every time the IP that a user accesses from is changed, and not otherwise.
This won't solve reversi's problem, I assume, since they're traveling and thus constantly changing IP, but it would solve the problem for a lot of others.
 

Zilema

So basically, you want to keep your history safe by browsing MCM privately.. kthen.
Well, to each their own.
As for people choosing to, that's great and all, but too many people are too lazy to choose for it, have a shitty password, then get hacked, and that means staff constantly has to track down and ban compromised accounts, especially if they're not the loud type.
I've not seen it happen yet, but it's perfectly possible for one of those accounts that gets compromised to be controlled by a scammer who uses a reputable member's account to scam others, redirecting them to another Skype etc etc.
Even if they alert us about it, the damage may already be done before we can ban them.

All in all, the "it's their own fault" argument is invalid, since a compromised account is a problem for the entire forums, not just that user.
As I said, I'll take a look when it may stop being enforced. This may be in a few days or a few weeks at most.
But until every single member learns the details of password security or Bebosny has found a way to force the fools into it, it won't be disabled easily.

My personal suggestion, btw, would be that the version of 2FA that's enforced is required every time the IP that a user accesses from is changed, and not otherwise.
This won't solve reversi's problem, I assume, since they're traveling and thus constantly changing IP, but it would solve the problem for a lot of others.
Well, first of all, let me rephrase the history part. I CARE more about my other browsing than what takes place on a Minecraft Forum. And having to switch is just an inconvenience as you said previously. Glad we can agree on something.

Users choosing passwords that are shitty, making them easy to hack, wouldn't be an issue if the actual registration / password change of the accounts on this site required an advanced password, such as symbols etc etc (You get the idea). I too think that it should only be enforced if the account is being logged into from another IP. Also, I don't see how the "it's their own fault" argument is invalid at all. Accounts are only easy to compromise if they are made easy to compromise and only that user has the ability to make their account secure. Therefore, if they decide to not use 2FA or a secure password, then it is indeed their fault and they don't deserve to have someone to rely on and pick up the pieces. Now, obviously if you do have some user with a respectable account that could easily be used to perform scams once compromised, then it wouldn't be an issue if the 2FA only requested a code upon login from a new IP.

Overall you have changed my opinion on having the option to disable it entirely, but it does have to be changed. I +1 your suggestion.
 

Ivain

Master Terraformer
Supreme
We don't want accounts to be hacked, it's that simple on the 'it's their own fault'. We don't want hackers on here compromising the accounts of either reputable or new members. Even if said members are too stupid to make something more than 1234 their password, we simply don't want it, regardless of whether or not they even get their account back.

Also, the password requirements are a feature that is either already implemented or is still going to be.
 

Zilema

We don't want accounts to be hacked, it's that simple on the 'it's their own fault'. We don't want hackers on here compromising the accounts of either reputable or new members. Even if said members are too stupid to make something more than 1234 their password, we simply don't want it, regardless of whether or not they even get their account back.

Also, the password requirements are a feature that is either already implemented or is still going to be.
Whether or not it's going to be, I don't know. But the required secure password doesn't seem to request too good of a secure password. Even just requesting that the user includes a symbol in their password will make a huge difference.
 

Ivain

Master Terraformer
Supreme
Whether or not it's going to be, I don't know. But the required secure password doesn't seem to request too good of a secure password. Even just requesting that the user includes a symbol in their password will make a huge difference.
Then it's not implemented yet, because that's one of the basic things it was supposed to implement.
 

mattrick

Web Designer & Developer
Premium
Not useful if there are people that are gonna set their password to 12344321 and similar low level crap
I still think the issue is them being involved in a leak. If you're worried about passwords being brute forced, you should limit the number of login attempts per IP.

This won't solve reversi's problem, I assume, since they're traveling and thus constantly changing IP. but it would solve the problem for a lot of others.
2FA on XenForo uses cookies, not IPs. If you verify yourself on a device and change IPs, you are still verified. This is so you can switch from mobile to WiFi networks and back without issue. I think that there should be an option to permanently trust a device; I'm surprised XenForo hasn't implemented this feature.

Whether or not it's going to be, I don't know. But the required secure password doesn't seem to request too good of a secure password. Even just requesting that the user includes a symbol in their password will make a huge difference.
I know I sound like a broken record, but I seriously think most passwords were stolen from leaks, not brute forced. Thus, stronger passwords would not help.
 
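As an added example that is not from the thread or from XenForo's own code: a minimal Python model of the trusted-device cookie mattrick describes (trust carried by a signed cookie, so a change of IP does not trigger the 2FA prompt) together with the per-IP login-attempt limit he suggests earlier in the same post. The cookie layout, the server key, the 30-day lifetime and the 5-failures-per-10-minutes limit are assumptions made for the demo.

```python
import hmac, hashlib, secrets
from collections import defaultdict, deque

# Constructed demo secret; a real forum keeps this out of source control.
SERVER_KEY = secrets.token_bytes(32)
TRUST_SECONDS = 30 * 24 * 3600          # the "trust this device for 30 days" option
MAX_FAILURES, WINDOW_SECONDS = 5, 600   # assumed: 5 failed logins per IP per 10 minutes
_failures = defaultdict(deque)          # ip -> timestamps of recent failed logins

def issue_trust_cookie(user_id: int, now: float) -> str:
    """Mint the cookie set when the user ticks 'trust this device'.
    Payload = user id, expiry, nonce; an HMAC over it binds it to SERVER_KEY."""
    payload = f"{user_id}:{int(now) + TRUST_SECONDS}:{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"

def device_is_trusted(cookie: str, user_id: int, now: float) -> bool:
    """True only if the cookie is untampered, belongs to this user and is unexpired.
    The client's IP is deliberately not an input: switching from mobile data to
    Wi-Fi does not change the answer, which is the behaviour the post describes."""
    try:
        uid, expires, nonce, tag = cookie.split(":")
    except ValueError:
        return False
    payload = f"{uid}:{expires}:{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False
    return int(uid) == user_id and now < int(expires)

def needs_second_factor(cookie: str, user_id: int, now: float) -> bool:
    """After the password checks out: skip the 2FA prompt only for a trusted device."""
    return not (cookie and device_is_trusted(cookie, user_id, now))

def ip_allowed(ip: str, now: float) -> bool:
    """Per-IP brute-force limit: drop failures outside the sliding window, then count."""
    q = _failures[ip]
    while q and q[0] <= now - WINDOW_SECONDS:
        q.popleft()
    return len(q) < MAX_FAILURES

def record_failure(ip: str, now: float) -> None:
    _failures[ip].append(now)

if __name__ == "__main__":
    cookie = issue_trust_cookie(42, 1_000_000.0)
    print("trusted on day 2 from any IP:", not needs_second_factor(cookie, 42, 1_000_000.0 + 86400))
    print("prompted again on day 31:", needs_second_factor(cookie, 42, 1_000_000.0 + TRUST_SECONDS + 1))
```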

Ivain

Master Terraformer
Supreme
I still think the issue is them being involved in a leak. If you're worried about passwords being brute forced, you should limit the number of login attempts per IP.


2FA on XenForo uses cookies, not IPs. If you verify yourself on a device and change IPs, you are still verified. This is so you can switch from mobile to WiFi networks and back without issue. I think that there should be an option to permanently trust a device; I'm surprised XenForo hasn't implemented this feature.


I know I sound like a broken record, but I seriously think most passwords were stolen from leaks, not brute forced. Thus, stronger passwords would not help.
There have been no leaks that were verified from MCM, and the XenForo hashing is quite strong, so I doubt a casual would break it.
It was most likely from password reuse of people that were in a different leak.
 

mattrick

Web Designer & Developer
Premium
There have been no leaks that were verified from MCM, and the XenForo hashing is quite strong, so I doubt a casual would break it.
It was most likely from password reuse of people that were in a different leak.
No, I'm not saying MCM was hacked at all. A bunch of popular sites like 000webhost and Neopets were hacked with plain text passwords. Password reuse is definitely the issue here, which is why I suggested a forced reset. I doubt many of the "hackers" on here have the ability to crack any hashes, especially properly hashed + salted ones. Plus, if someone were to get into your server, there would be much bigger consequences ;)
 

Ivain

Master Terraformer
Supreme
Ah yes, that's what you meant. And yeah, that works I guess, but still, a password reset alone isn't gonna cut it, not if they simply change from one reused password to another.
That's what I used to do, have a bunch of premade passwords and reuse them. Even though they're quite strong, if I reuse them they're pointless. Now I've got a password manager though, so no biggie.
 