Jump to content

The New Account Security question


steve00

Recommended Posts

  • Management

I could have never envisioned helping to further protect accounts going so dramatically. Wow! smile.png

Passwords are encrypted, we have no way of verifying whether they're strong or weak. What we do know is while no part of IPS has been compromised, over the past several months, we've had dozens -- not a few -- dozens of customer service requests that all start the same way "I can't access my account." After 30 minutes of investigation, we locate the original account to find that it has been compromised. After verifying the identity of the account holder and following other processes which take another 20-30 minutes, we confirm that the original account holder either: had their e-mail account hacked or used the same password on <insert big site here> and their e-mail address and password were in a database that attackers were using to get access to other sites, including IPS.

Neither of these are "IPS' problem" but it's becoming a significant inconvenience to customers and we are expending an unnecessary amount of time recovering accounts, determining if they should be recovered (some legitimate customers sell licenses, then try to take them back) etc. This was the best way, short of 2FA (which REALLY would have caused confusion) to add an extra layer of protection to accounts.

It's mind boggling that you wouldn't want that protection, but if you don't, just enter "no" to three random questions and call it a day. Know that if your account is compromised, there may be little we can do for you if you can't help us, help you.

I'm sorry this didn't go smoother, obviously there's a lot of moving pieces and in spite thorough testing and vetting, a few issues cropped up. Those issues have been resolved, the answers are not case sensitive and we've added over a dozen questions... you should have no problem finding a question you're able to answer. smile.png Personally, I use Lastpass and turn questions/answers into second and third passwords. It is not international law that you have to answer the questions with accuracy, it's just a good idea to be able to answer them in the future. smile.png

Link to comment
Share on other sites

  • Replies 71
  • Created
  • Last Reply

Not sure if it's been said previously, but here is my experience today.

1) Attempted to log in only to find that my password suddenly doesn't work. No email received to notify me of any changes to my account that would have resulted in this. I assumed a possible hacking, so I took it upon myself to reset my password via the Forgot Password link on the login screen

2) I get an email to verify I wanted to reset my password, I confirm via the link provided in the email.

3) I get a second email after clicking the link mentioned above with a password included in it. I attempt to log in with this password and get an error stating my account would be unlocked in 15 minutes

4) I return 15 minutes later to get an error message indicating my account will be unlocked in 1 minute. I return 30 min, 60 min, etc later and get the same error message indicating my account will be unlocked in 1 minute.

5) I assume something is jacked up, so I click the Forgot Password link again to reset it.

6) This time I get an email with a link to a form to set my own password this time. I set it to something complex, attempt to log in, and still get the same error message indicating my account will be unlocked in 1 minute.

7) I log into the Client Area to open a ticket and get prompted with Three Security Questions to fill out. I fill them out and am then able to log into the Client Area and the Forums.

Bottom line, there was little information delivered via email ahead of time or during the actual process of this password update (i.e. the login screen with the infinite 1 minute unlocking error message) that would guide me through the correct steps to perform. Had I not logged into the Client Area, I would have never known the Three Security Questions even existed, nor that they were coupled as a dependency to logging into the forum.

Just my experience...FWIW.

Link to comment
Share on other sites

I'm not even sure how to respond to this other than I'm deeply sorry we tried to better protect your account for you when you clearly believe you had it well under control.

I'd note: 1. This doesn't replace passwords. 2. You can change your password. 3. We can work on the questions. Really not the end of the world. smile.png

An alternate response that would provide a little humor for this topic :)

0l7v1r.jpg

Link to comment
Share on other sites

My experience

1. Received email notifying me of the changes. Actually read it carefully, and made sure I was happy that the source was genuine

2. Clicked the change password link, and received the new one

3. Logged in to the Client Area using the new password and was prompted to complete the Q&A's. These were the limited ones first set up, so not ideal for a UK based user but usable nonetheless

4. Then went back in to setting and changed the password back to the unique one I use on here, answering the new Q&A as part of the process

Took two minutes, and I now log in exactly the same as I have always done

We have all come across web site security changes, and I am sure they vary considerably in their inconvenience, but for me at least this one was without stress

Link to comment
Share on other sites

The questions were bad. Mother's maiden name? Really? That's something my bank needs to know, not IPB. Worse yet, what if IPB gets hacked and the answers to my security questions are compromised? Sounds like a social engineering nightmare. That said, I simply didn't answer truthfully. I'm not as pissed as Steve apparently is, but I definitely felt the required security questions were unnecessary and a bit too intrusive for a software company.

Link to comment
Share on other sites

I couldn't answer 9 out of 10 honestly, which results in telling (hopefully memorable) lies.

Several are similar to a bank account so they're not getting true answers and many are presumptive (Who said I can cook anything? Have I ever had a pet? Did I have a favourite book/singer?)

I still haven't set my answers because I don't know what lies to tell smile.png

Link to comment
Share on other sites

Why do I need to change my password to login via the forget password procedure and why do I have to add 'security' questions? This almost seems there has been a leak. Is there something IPS is not telling me?

If you guys really value security you should look at Two-step Authentication (eg. Google Authenticator) . It is very easy to integrate in your website and it is actually an extra layer of security because somone actually has to fysical steal a device from you such as your phone or token generator and have to know your password to login. This is very unlikely.

What is likely someone guessing or just Google'ing or check your Facebook for the 'security' answers. It is really easy to find stuff as which movie I like (is on my Facebook) and what my mothers name is. That's why I use fake questions and fake answers and just write them on a piece of paper (also not that secure).

I hope IPS really take a second look at the security. All those horror stories about peoples there Apple/Paypal or Twitter account being hacked has been done thanks to social engineering and just simply Google'ing the answers to security questions. I really think security questions give a false sense of security!

post-82470-0-83455800-1412376075_thumb.p

Link to comment
Share on other sites

Just to note that when using the lost password feature, you are promoted to create your own password. A random password is no longer emailed to you.

Not true. I just reset my password via IP.Board not even 3 hours ago and I was emailed a password. If you want me to open a ticket with the screenshot of the email I have with the password y'all emailed to me, I can.

Link to comment
Share on other sites

Please forget about the settings on the community and use the client area. http://www.invisionpower.com/clients/ Make your password changes there. The e-mail mentioned nothing of the community and linked to the client area.

No it did not. I clicked the link for forgot password (I don't remember if it was here or in the client area) and I was directed to enter my username or my email and fill out reCAPTCHA and then it sent me an email with my password inside.

Not sure why I was forced to change my password when the one I had was good enough. That was annoying. Why wasn't there a mass "we are going to force you to reset your password next time you login for reasons a, b, & c" email sent out?

Link to comment
Share on other sites

Uhm, hey!

I just was offering a little 'bit of feedback on the forum accounts. I am unable to use my main account due to an automatic lock. (I forgot my password and it locked me out for 15 minutes and has said 1 minute remaining for several hours.)

So the feedback is that the auto-restriction needs a tune up. Hope this helps. :)

Link to comment
Share on other sites

  • Management

No it did not. I clicked the link for forgot password (I don't remember if it was here or in the client area) and I was directed to enter my username or my email and fill out reCAPTCHA and then it sent me an email with my password inside.

Not sure why I was forced to change my password when the one I had was good enough. That was annoying. Why wasn't there a mass "we are going to force you to reset your password next time you login for reasons a, b, & c" email sent out?

It seems you used the forums to reset your password instead of the client area. The forums was set to e-mail a random password rather than allowing you to choose your own. My deepest apologies for this. It's been corrected and NOBODY should receive a password by e-mail now. Please let us know if that is not the case.

There was a mass e-mail sent out in tandem with this change. Unfortunately, not everyone received it - we are investigating as to why with Mandrill. Sorry for the inconvenience.

Finally, after a lot of dicking around I'm able to log back into the forums.

I thought many of the questions were ridiculous. So why not let me decide what the questions are?

There's over a dozen questions - you only need three. I think you can make it work. smile.png Choosing your own questions just adds an unnecessary layer of complication. I've never come across the ability to do that personally. They are always pre-defined.

I didn't get an email. Couldn't log in and thought my account was compromised. I had to reset my password myself.

Strange. poke.gif

We're sorry about that, it seems not everyone got the e-mail. We're working on that.

Deeply sorry for any inconvenience this has caused. We thought we were doing a good thing here by being proactive and helping to protect your investment against a new wave of attacks. Perhaps we need an opt-out of such things in the future, so people who think their passwords are "good enough" and request no further safeguards can just wing it without obligation to IPS.

Link to comment
Share on other sites

  • Management

To follow up on this quickly, I've looked at all the reports here from those that said they didn't receive the e-mail and confirmed the e-mail was not sent to you. This was because you disabled mail notifications/unsubscribed from us. We will look into ways we can override that for critical notifications in the future, but really, we don't send that much e-mail -- perhaps the occasional newsletter -- if you want to ensure you receive all relevant e-mails, you may wish to turn notifications back on. Sorry for the confusion on that one.

As an additional side, the team are working, as we speak on an opt-out of the new security features. You can avoid using the questions / answers, but if you do so and your account is compromised, IPS will not assist you in regaining access. I never expected anyone to be upset about an additional layer of security to safeguard their purchase, but clearly some don't see the need, so we're fine with letting you avoid it so long as you understand we can't give it both ways: less security and the expectation that IPS is going to spend an hour or more tracking down where your license went, verifying identities and reclaiming it for you. There will be a disclaimer if you select "I don't want to answer these questions."

Regarding the password changes - there was little point in executing the extra level of protection if someone could login and set the questions/answers before the actual account holder could get to the account. Once again, this was done because many customers are losing their accounts due to using the same e-mail addresses/passwords that have been used on other sites that were compromised. Databases exist where people can reference these details, then go to various websites such as IPS and try to login using those details. If we'd warned of our plans, the attackers would have expedited their plans to get as many accounts as possible. The forums and SSO added an unexpected layer of complexity here that we'll be more keenly aware of for next time -- if there's a next time. :)

Link to comment
Share on other sites

To follow up on this quickly, I've looked at all the reports here from those that said they didn't receive the e-mail and confirmed the e-mail was not sent to you. This was because you disabled mail notifications/unsubscribed from us. We will look into ways we can override that for critical notifications in the future, but really, we don't send that much e-mail -- perhaps the occasional newsletter -- if you want to ensure you receive all relevant e-mails, you may wish to turn notifications back on. Sorry for the confusion on that one.

As an additional side, the team are working, as we speak on an opt-out of the new security features. You can avoid using the questions / answers, but if you do so and your account is compromised, IPS will not assist you in regaining access. I never expected anyone to be upset about an additional layer of security to safeguard their purchase, but clearly some don't see the need, so we're fine with letting you avoid it so long as you understand you can't have it both ways: less security and expect IPS to spend an hour or more tracking down where your license went, verifying identities and reclaiming it for you. There will be a disclaimer if you select "I don't want to answer these questions."

Well, thanks for the update! It's appreciated! :)

Link to comment
Share on other sites

To follow up on this quickly, I've looked at all the reports here from those that said they didn't receive the e-mail and confirmed the e-mail was not sent to you. This was because you disabled mail notifications/unsubscribed from us. We will look into ways we can override that for critical notifications in the future, but really, we don't send that much e-mail -- perhaps the occasional newsletter -- if you want to ensure you receive all relevant e-mails, you may wish to turn notifications back on. Sorry for the confusion on that one.

As an additional side, the team are working, as we speak on an opt-out of the new security features. You can avoid using the questions / answers, but if you do so and your account is compromised, IPS will not assist you in regaining access. I never expected anyone to be upset about an additional layer of security to safeguard their purchase, but clearly some don't see the need, so we're fine with letting you avoid it so long as you understand we can't give it both ways: less security and the expectation that IPS is going to spend an hour or more tracking down where your license went, verifying identities and reclaiming it for you. There will be a disclaimer if you select "I don't want to answer these questions."

Regarding the password changes - there was little point in executing the extra level of protection if someone could login and set the questions/answers before the actual account holder could get to the account. Once again, this was done because many customers are losing their accounts due to using the same e-mail addresses/passwords that have been used on other sites that were compromised. Databases exist where people can reference these details, then go to various websites such as IPS and try to login using those details. If we'd warned of our plans, the attackers would have expedited their plans to get as many accounts as possible. The forums and SSO added an unexpected layer of complexity here that we'll be more keenly aware of for next time -- if there's a next time. smile.png

I turned it back on.

I just don't want to be notified of product updates etc... so perhaps have an notification option for Security Updates, separate from the News and Information stuff. smile.png

Link to comment
Share on other sites

  • Management

I turned it back on.

I just don't want to be notified of product updates etc... so perhaps have an notification option for Security Updates, separate from the News and Information stuff. smile.png

I agree. We'll look into that, thanks. :)

Link to comment
Share on other sites

I agree. We'll look into that, thanks. smile.png

a lot of those questions are very generic and that information could easily be contained in the public record about you (like mothers maiden name/fathers middle name, etc) but then again, that would be some one personally targeting you to bother to go thru that much trouble.

The exact opposite happened for me, i received the email, read it and told my self "will do this later", then when i came here i couldn't log in and thought the worst lol, so i did a password reset thru the forum, and then when i went to the client area it was asking me the security questions and i was like "okay now i remember".

I appreciate the extra step, so thankyou.

Link to comment
Share on other sites

a lot of those questions are very generic and that information could easily be contained in the public record about you (like mothers maiden name/fathers middle name, etc) but then again, that would be some one personally targeting you to bother to go thru that much trouble.

The exact opposite happened for me, i received the email, read it and told my self "will do this later", then when i came here i couldn't log in and thought the worst lol, so i did a password reset thru the forum, and then when i went to the client area it was asking me the security questions and i was like "okay now i remember".

I appreciate the extra step, so thankyou.

They have added 20 or so questions to suite everyone's needs, if you want to take an extra step above and beyond this, use a password manager like lastpass, record your answers, don't make them correct for you, make them all random etc, but make sure you record them, without them, there is no recovery.

Link to comment
Share on other sites

They have added 20 or so questions to suite everyone's needs, if you want to take an extra step above and beyond this, use a password manager like lastpass, record your answers, don't make them correct for you, make them all random etc, but make sure you record them, without them, there is no recovery.

yeah i use lastpass already :) actually have a premium account with them offered by one of the sites i moderate for :)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...