Suggestion: Better account security

lexireek

Hi everyone,

This thread will be outlining (potential) security issues and this thread is not supposed to bring down this site, but rather help it.

I feel as if my account is in danger. Not because I think y'all will be hacking it, but because if a targeted hack occurs on a specific account, then the account is most likely going to get wrecked, and slapped with a permanent ban when the hackers post crap on the forums.

I need to acknowledge that a good security measure has already been taken, which is the option to use 2FA.

But that just doesn't feel like enough to me. If someone knows your email's password and you use email 2FA, you're screwed. How about phone 2FA? Sounds neat to me, but if you get locked out because your phone broke, you're even more screwed.

I haven't tried either honestly. Mainly because I don't have the option to use phone 2FA. This is a personal issue and nothing that FCN can do about it. But rather serves as a reason to implement the following suggestions.

I suggest adding back-up 2FA codes (phone 2FA), which can be used to sign in. You can view them using your password, and re-generate them any time. Up to 8 backup codes, and each can only be used once.

And I suggest adding a PIN code that you can put on your account. This code is required to sign in to chat, and required to alter any account settings, as well as to make 1 post. Once the code is entered correctly, you will only be prompted once every time you log in. This should be IP-based. So say you're logged in and (somehow?) your IP changes, you'll be prompted again.

I also suggest adding a "Sign out of other devices" button. Say you're actually being hacked, you'll have a chance to kick them out and quickly add the above-mentioned security measures.

Thanks,
LR x
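
The backup-code scheme proposed in this post (a set of 8, each usable once, regenerable at any time), sketched as an added example that is not part of the original post or the forum software. The `BackupCodes` class and its method names are hypothetical; it assumes the server keeps only salted hashes, so codes are displayed when generated rather than viewed again later.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8  # the post proposes up to 8 backup codes
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I look-alikes


def _digest(code: str, salt: bytes) -> bytes:
    # Normalise what the user typed, then hash with a per-account salt.
    # Codes are random (50 bits here), so salted SHA-256 is a reasonable
    # store; a low-entropy secret such as a PIN would need a slow KDF instead.
    normalised = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(salt + normalised.encode()).digest()


class BackupCodes:
    """Hypothetical per-account store: keeps only salted hashes of unused codes."""

    def __init__(self):
        self.salt = b""
        self.unused = set()

    def regenerate(self):
        """Issue a fresh set; every previously issued code stops working."""
        self.salt = secrets.token_bytes(16)
        codes = []
        for _ in range(CODE_COUNT):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
            codes.append(raw[:5] + "-" + raw[5:])
        self.unused = {_digest(c, self.salt) for c in codes}
        return codes  # shown to the user once, never stored in plain text

    def redeem(self, attempt: str) -> bool:
        """Accept a code at most once; compare digests in constant time."""
        candidate = _digest(attempt, self.salt)
        match = None
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)  # single use: burn it on success
        return True
```

Failed `redeem` calls should count against the same attempt limit as password and 2FA failures.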
 
OK then I'll sign in through 149 devices ;)

That would be an irresponsible manner of managing your privacy.

On a serious note, sad to see this NOT being implemented. But okay. Thanks for your response.

Service is free and you receive services at an appropriate level.
You store no financial information here.
Account registration requires no verification of personally identifiable information—not even your name, therefore there's no risk.
There's no security issue.

Additionally:

https://www.freechatnow.com/forum/threads/internet-safety-and-privacy-101.19268/
 
Again, the first part you quoted was a joke. I tried to make that clear.
Still, thank you. I understand. It was merely just a request.
 
You forgot to use the joke icon, because it appeared to look like something else completely as a response to my recommendations.
 
I used a wink, which I hoped would let you know that it was a joke. I'm not stupid enough to log in on 149 devices.
 
Jokes and/or sarcasm are the worst way to communicate a "serious" concern. Js
 
You indicated that part of your reply was a joke and that's what I was responding to.
 
Why can't you use 2FA on your phone? OK, I'm presuming you have a phone and that it's either an iPhone or Android variant. Google make a free authenticator app which only takes a few seconds to set up and then a few seconds more to set up here. Is there a specific reason you can't or won't use that?
 
There are reasons outside of FCN's control as to why I can't use such methods. For that reason, I made this thread to add more features.
 
That type of 2FA is very secure and is pretty much accepted as being a solid option to enhance your account security on platforms like this. It is perhaps, dare I say, unreasonable of you to dismiss this option based on your own unique set of circumstances and ask for something else from what is essentially a free service.
 
What you are saying is utter bullshit. Yes, this is a free service, but that doesn't mean I can suggest new features to be added. It's up to the webmaster whether or not my suggestions get added.
Additionally, whilst these suggestions come forth based on my own circumstances, they benefit everyone. So it's not just something for myself. Everyone will benefit.
I find it rude of you to assume that I dismiss the existing options because I want to - I am only suggesting more web-based security options (i.e. that PIN code). Again, this will benefit everyone.
I am not dismissing existing features, rather building onto them. I'm dismissing them in use-case for MYSELF only. - Not because I want to, but I have to.
 
Calm down.

Seriously, calm down.

PIN codes and text messages etc. are all not as secure as 2FA - which you are already offered.

This forum runs on open source software, which may have a free module to add a PIN code, but it's likely that the webmaster would have to stage the whole forum to another server before installing, then testing the module.

All to install a feature which isn't as secure as the one you're already offered.

Please do not forget that this forum is (most likely) run by volunteers. Maybe you should ask to get involved? I bet this forum is PHP based, with a MySQL backend. So, if you have experience with either of those - ask to get involved.
 
I do know that a PIN would be less secure than phone 2FA, but it can help prevent you from being locked out of your account, because the PIN would obviously be required to make changes to an account.

Secondly, I was semi-aware about that. There are other sites that look really similar to this site. But then again, source code could've been leaked. So I wasn't very sure. Now that I know it's open source, it's a different story. Yes, a PIN could still be added, if the staff are experienced with coding. And I am not.

As for testing, that could be a real pain in the ass and I can understand that. Then again, this is merely a suggestion and I'm NOT demanding that my suggestions get implemented. If it is simply not possible to do so in a timely manner or is too hard to do, then I can understand that.

I myself have seen Lua coders struggle in live action as they tried to add new modules to their script. I can roughly estimate how much effort it would take.
 