The New Account Security question

[Lindy]

Was this here or the client area?

[Sonya*]

I was locked out here in forum as well... for 10 days (see screenshot)

Have managed to reset my password however prior to waiting for 10 days. Have got a new one per email (what ist not very secure ) and logged in without any additional questions...

[Lindy]

Sonya, was this yesterday or just now? There was an issue that was resolved. Since yesterday afternoon, nobody should be receiving passwords by e-mail and the lockout issue has been fixed as well. If that is not the case and this just happened, please PM me further details so I can investigate further. Thanks.

[Dylan Riggs]

Same here for me Lindy.

I tried to login last night sometime and it just said that my account was locked and would be unlocked in 15min and I went to sleep scratching my head thinking "It's saved on my browser??"

Woke up with a busy day and tried in and out and received "Your Account will be unlocked in 1min" tried over and over. This was only through the Forum End - I reset my password through the forum end and did the same thing (1min till it's automatically unlocked)

I then read something about passwords being changed since the "big site" compromises which I totally understand now I couldn't login, but did not expect that it wouldn't work on the forum end vs's the client end.

That being said - I understand that a lot of people didn't get that email (including me) and people were frustrated with it, could you by chance post an Announcement on the forum to let everyone know? Due to how busy some threads are, I didn't notice that until I had down time to investigate. I would have thought that changing my password through the forums would fix the issue as well.

[steve00]

Personally, I appreciate IPS thinking of its customers in this way

As customers we do not see what happens on IPS side of things and as it has been explained regarding the 'compromising of accounts' then we should all be thankful IPS are taking steps to help prevent the problem, after all, if it can take them maybe 20 - 30 minutes to sort the problem out by checking if you are the account holder or not then that is 20 - 30 minutes that someone is not able to help with maybe support ticket or even working on next release of IPB or something along those lines and we all know how a lot of members complained on the time it is taking for IPB 4 to be released.

I am member of another site and they tell you to change your password every month, yep now that is a pain but I can see why so what would you think if IPS decided to do that ?

I for one am glad IPS are doing this and ask them to continue to add security in whatever way they may seem fit (maybe not everyone would agree) I would not want to lose my account/licenses so anything that helps I am for it

to IPS

[Lindy]

Thank you for chiming in, Steve00.

Some think we're in our ivory tower sipping scotch laughing at all the ways we can cause inconvenience, like *gasp* trying to protect customer accounts. :) In reality, by the end of the day, we're ready for a well padded room for some alone time after the abuse we take in (some self-inflicted, some not).... then I get to go home to a wife, three kids 10 and under (two of them being special needs) and start it all over again!

That said, I wouldn't trade it for anything. Maybe just a little more medication. :)

Thanks again, Steve.

[Dylan Riggs]

I posted this in another thread. But could this be posted as an announcement? w

Also, I never got asked the security questions when I reset the password through the forum page, it allowed me to log into the client area and I never got asked any questions and was logged in here.

EDIT: Nevermind on the announcement Lindy, seen your reply 2min later :-)

[Lindy]

Same here for me Lindy.

I tried to login last night sometime and it just said that my account was locked and would be unlocked in 15min and I went to sleep scratching my head thinking "It's saved on my browser??"

Woke up with a busy day and tried in and out and received "Your Account will be unlocked in 1min" tried over and over. This was only through the Forum End - I reset my password through the forum end and did the same thing (1min till it's automatically unlocked)

I then read something about passwords being changed since the "big site" compromises which I totally understand now I couldn't login, but did not expect that it wouldn't work on the forum end vs's the client end.

That being said - I understand that a lot of people didn't get that email (including me) and people were frustrated with it, could you by chance post an Announcement on the forum to let everyone know? Due to how busy some threads are, I didn't notice that until I had down time to investigate. I would have thought that changing my password through the forums would fix the issue as well.

Yes, I can do that. :)

[Dylan Riggs]

Yes, I can do that.

Thank you much. You're alright no matter what we/they/I say about you ;)

[.Ian]

Would be nice if these changes could be rolled into Nexus / core including the possible over-ride of emails being sent, although one would think this might be in conflict with any privacy statement or agreement, so they might need updating.

We would not really benefit, but I am sure some sites would.

Also maybe it would be a good time to introduce a strength factor on passwords - currently IPB allows the most basic of passwords including ones for admins. Would be nice for admins to be able to say that passwords must be stronger, with perhaps a level for staff that was a level higher.

[Sonya*]

Sonya, was this yesterday or just now? There was an issue that was resolved. Since yesterday afternoon, nobody should be receiving passwords by e-mail and the lockout issue has been fixed as well. If that is not the case and this just happened, please PM me further details so I can investigate further. Thanks.

It was yesterday ;) I had to login today again, browser saved password did not work. And I still cannot see any "security questions" people talk about here ;)

[steve00]

Thank you for chiming in, Steve00.

Some think we're in our ivory tower sipping scotch laughing at all the ways we can cause inconvenience, like *gasp* trying to protect customer accounts. In reality, by the end of the day, we're ready for a well padded room for some alone time after the abuse we take in (some self-inflicted, some not).... then I get to go home to a wife, three kids 10 and under (two of them being special needs) and start it all over again!

That said, I wouldn't trade it for anything. Maybe just a little more medication.

Thanks again, Steve.

Even though we may not have agreed with some things in the past in this matter you are definitely on the right side (in my opinion anyway)

Like the humour in your reply, nice.

If you do ever start sipping scotch then please invite me as well (or any strong drink will suffice) .. not interested in the padded room though .... not yet anyway ... lol

[3ventic]

The problems I have with this system are

1) other people close to me know the answers to these questions better than I do myself and

2) the answers will simply end up being 3 new passwords for me to remember here, or I'm going to end up using the same answer to all them.

Security questions are not the way to go and I'm very surprised you added them and forced us to use them while other services I know to use them have them as an option for their clients to use and/or are switching to better alternatives, such as two-step authentication. As it stands, this does not benefit my account's security at all. If anything, it compromises my own access to my account like such questions already did on another service.

I'm sorry, but my past experiences with security questions are simply so bad that I won't be setting them up here, and if it means I lose access to download the software I paid for and request support (you don't even allow emailing your support without starting a ticket in the client area(!)), I'm going to be changing to something else.

I appreciate that you're trying to make my account more secure, but this is not the way to do it.

[Hexsplosions]

This topic made me laugh. I needed that this morning. Thank you.

The below graphic sums this topic up.

Every security conscious company out there will come up with ways to improve the security of their systems and customer accounts. They will all do it slightly differently and there is no single best way to do it. Somebody will always object to what is being done, the method in which it is being done, etc. You cannot please everybody.

I came to the website and entered my password twice, it declining to give me access twice. I grabbed a hold of my ear lobes and proceeded with my anger management techniques...

Then I calmy reset my password, answered the 3 best questions I could and proceeded along my merry way.

:)

[Mark Round]

I think the key thing to remember about these questions is the answers dont need to be "true" as long as you know the answers for example name our first job, president of the united states as long as YOU know the answer it is all good what im saying here is the answers do not need to be true facts you could even go the extra mile and do this whats you mothers maiden name S29b32H7?14sD%2 .These are just examples please do not use the exact passwords i put here lol

[lordi]

just get those email yesterday,

no big problem, done in less than 5 minutes,

[TwistedMerlin]

Lindy, regarding the questions. wouldn't it be simpler to have open text fields rather than preset questions? that way people can choose their own unique Q/A

[Aizriel]

It happened yesterday for me as well.

[3DKiwi]

Lindy, regarding the questions. wouldn't it be simpler to have open text fields rather than preset questions? that way people can choose their own unique Q/A

I agree and this was my point. My mother's maiden name is hardly a secure question to ask.

[Aizriel]

I think the key thing to remember about these questions is the answers dont need to be "true" as long as you know the answers for example name our first job, president of the united states as long as YOU know the answer it is all good what im saying here is the answers do not need to be true facts you could even go the extra mile and do this whats you mothers maiden name S29b32H7?14sD%2 .These are just examples please do not use the exact passwords i put here lol

Just going to add on to this.

If you are ever worried about losing said information, write it down and keep it somewhere safe. Having ALL of your information for your account is always helpful.

[Rhett]

I agree and this was my point. My mother's maiden name is hardly a secure question to ask.

There are over 20 questions now, I'm sure you can find three that are suitable, for info, that question above is probably the most common security questions ever.

[Lindy]

The topics have been merged and as the bulk of the issues have been resolved, I'm going to close this to prevent further confusion. I'm sorry this has caused any inconvenience - we're just taking precautions to protect you and your account. Some have, for whatever reason, found these measures unnecessary and as such, we've incorporated an opt-out in the client area. You may check a box and avoid answering the security questions, leaving your account protected by password only. As noted on that page, you assume all responsibility for your account should you choose not to accept the extra layer of protection -- this means in the event your account is compromised, IPS may not be able to assist you in regaining access.

Some have asked for the ability to create their own questions. We do not feel this is necessary at this time as there are nearly two dozen questions to choose from. It is also worth noting that the answers do not have to be accurate or factual. Personally, I treat security questions/answers like additional passwords and make use of a password manager such as Lastpass. This also solves the challenge of using unique passwords on every site.

We will be placing notifications on the login forms as some customers did not receive the mass e-mail due to having opted out of receiving e-mails from us - we apologize for this and will look into tiered notifications (ie: promotional, critical) in the future.

If you have any further questions or concerns, please feel free to open a customer service ticket, or contact us via http://www.invisionpower.com/contact

Thank you for your cooperation!