Important Security Update to our User Portal


  • This topic is locked
408 replies to this topic

#1
Pickysaurus

    Community Manager

  • Admin
  • 12,319 posts
We have just released an important upgrade to our user and login services. This will change how you log in to your account and manage your security settings. As part of the roll-out, all users are required to update their passwords. Please make sure your email address is up to date, and - optionally - that you (re-)enable 2FA in the new user portal.

Note: If you are currently logged in, you can still use the site without having to update your password just now; however, towards the end of November 2019 all users will be logged out, at which point everyone will be required to update their passwords.


What's happening?

Our new user portal includes vital security updates to our login, registration, password reset, Two-Factor Authentication and account recovery processes. As part of the upgrade, users will be required to log out and update their passwords to be at least 12 characters long - including at least one capital, at least one lowercase letter, as well as a number. Updated passwords in the new user portal will be secured with new, stronger encryption algorithms. This is a necessary upgrade to reinforce the security of your account data.

We have completely reworked our registration process to make it a cleaner and more straightforward process for new users. Our new registration system no longer makes use of the Invision Board forum registration system (though your logins, whether "old" or new, will still work on the forums). This change is something anyone who registered on the site within the past 6 years will know was needed, very much.


Why are we making this change?

Over the last few years, our developers have been dedicating a lot of time and resources to reducing our reliance on the Invision Board forum which was the foundation of our user service. It has now reached a point where the only way we can be confident in the security of our user data is to build a bespoke, modern user portal.

Due to its reliance on old IP Board code, we cannot vouch for the security of the current, dated user system, as vulnerabilities in old software code may or may not become exposed as time goes on. Such vulnerabilities could potentially be exploited by malicious actors, which is why our web team has spent a substantial amount of time upgrading the user system to bring it up to modern security standards.

We understand that this may cause inconveniences for some of you, but we are convinced that this is a necessary step that will ultimately benefit the vast majority of our current and future users.


What does this mean for me?

As part of the roll-out, all users will have to update their passwords, either now, or towards the end of November 2019 when all users will be logged out.

If you do not remember your password, you will be able to reset it via the new user portal that will send an email with further instructions to the email address linked to your Nexus Mods account.

Because it is our main way of identifying that you are the owner of your account, the email address that is linked with your Nexus Mods account is of paramount importance. Unfortunately, rolling out the new user service will mean that users who do not remember their passwords and - at the same time - no longer have access to the email linked to their account will lose access to their accounts. In this event, we will only be able to restore your account if you have purchased Supporter or Premium Membership in the past and send us the receipt for the purchase to [email protected]. If you are unable to recover your account due to this, you are more than welcome to register a new one.


Re-enable Two-Factor Authentication

Because the new user system comes with an upgraded 2FA system making use of authentication apps such as Google Authenticator and Authy, all users who were previously using our old 2FA system will have to re-enable it on the new user system in order to secure their accounts.

We highly recommend enabling 2FA for added account security, especially for mod authors with mods and/or Donation Points attached to their accounts.

That being said - if you aren't already - please consider following best practices for online security such as using a password manager, not reusing the same password across multiple sites, and always keeping your login credentials and emails up to date.


Foundations

Moving forward, the new user portal will be expanded upon to handle our Supporter and Premium Membership systems, along with other user-related services.

Once the team are confident that the launch has gone smoothly and the dust has settled a little, work will begin on improving the checkout, payment and management sections for Premium Members as well as the support and contact systems for users trying to reach us, the staff.

We have been thoroughly testing the new portal for weeks leading up to the release, but it's always possible we missed something. If you encounter a problem, please let us know on our bug tracker or by emailing [email protected].

#2
JimmyRJump

    MoralMinority

  • Premium Member
  • 10,804 posts
Upgrading security by using Google Authenticator? Sure. I feel safe now...

#3
JimmyRJump

    MoralMinority

  • Premium Member
  • 10,804 posts
Well, problems right off the bat: I reset my password after the first comment and upon logging in with the new password I got the message I needed to upgrade my password and had to add a new password once more. Plus, there's a ton of gateway errors (I had six trying to add the second new password), probably because you're tinkering with the site and/or too many people are fiddling with their log-in at once...

Reported it chez GitHub.

Edited by JimmyRJump, 20 November 2019 - 09:57 AM.


#4
Zaldiir

    Moderator

  • Staff
  • 10,630 posts
In response to post #75019023. #75019413, #75019418 are all replies on the same post.


You can use Microsoft Authenticator if that feels more secure. I prefer to use alternatives to Google when I can, so I'm using the Microsoft alternative for 2FA.

Edited by Zaldiir, 20 November 2019 - 09:48 AM.


#5
BlasterMasterCaster

    Old hand

  • Members
  • 543 posts
I got confused there for some minutes trying to understand what the "Reset" password window was asking from me.

There are forums around that in order to reset a password they ask you to re-enter the old password again, so I was confused there for a second.

Perhaps lines above or under those two boxes that say: "Write NEW password" and "Confirm NEW password" could help avoid this confusion.

#6
erri120

    Enthusiast

  • Premium Member
  • 125 posts
Any plans on removing reCAPTCHA? I'm not talking about completely removing the means to protect a form submission but to change solutions. Why am I asking this? Because Google sucks *insert profanity word*. reCAPTCHA has by far the worst UX and discriminates based on browser and installed extensions. Just compare logging in with Chrome, Firefox and Tor (also Firefox) and test with stuff like uBlock, NoScript and Privacy Badger installed. There are a good amount of alternatives, most open source, available on the interweb.
I know that the login form should be top secured against bots but please, do users a favor and change/remove reCAPTCHA.

#7
Dazaster

    Resident poster

  • Premium Member
  • 8,181 posts
OK, panic over. Reset my password. Bad gateway. Got email. Logged out. Couldn't log in on sites or forum.
5th try, got this:
Posted Image
But logged in somehow, so, all is well.

#8
Alehazar

    Neuropath

  • Premium Member
  • 1,136 posts
So, no more 2FA for people without a smartphone?
The old 2FA didn't require one.
(All I require from a cellphone is call and text functionality.)

#9
5133p39

    Old hand

  • Supporter
  • 652 posts
"If you are currently logged in, you can still use the site without having to update your password just now"
...except not really. I cannot access the settings to change my email address - the site asks me to "log in".
If I cannot change my email address, I cannot receive the confirmation email for the password change.
So what am I supposed to do?

#10
Pickysaurus

    Community Manager

  • Admin
  • 12,319 posts
In response to post #75020403.


Looks like you were trying to open the old login prompt. Which link did you click to log in?



