Hello speedfriends.
In light of repeated attempts at account takeovers and leaderboard vandalism (you can read more in this very detailed and helpful post by DerekMK) we've introduced a new security measure:
E-mail authentication
This is mandatory (and already enabled) for all verifiers and moderators (of games, series, marathons, teams, and future modules), translators, and site staff. It is optional for everyone else, however if you ever want to be added as a moderator you'll need to enable it first. It can be toggled in Settings.
I realise that this may be an inconvenience to some of you, but I hope you can understand why it's necessary.
Oh, and anybody having trouble receiving e-mails should contact support@speedrun.com or message me on Discord (don't forget to mention your username and account e-mail address).
Cheers 🍻
Thank you very much for implementing this, and especially thanks for making it mandatory for mods/verifiers/etc. This should at least cut back on the frequency of these incidents.
I've heard a lot of people giving sentiments to the effect of "Why should I be inconvenienced if my own account is secure?" The answer is mainly that one person's account being compromised can affect other people. It's not just a matter of "Secure your account or something bad will happen to you." It's more so "Secure your account or something bad will happen to you and all the people who run or spectate the game you moderate." So hopefully that puts things into perspective.
Potential future steps going forward to build on this could be to implement SMS-based 2FA, or even better, authenticator-based 2FA. Email-based 2FA is definitely a huge step up from nothing, but other forms of 2FA would make the system more effective (removing the vulnerability if someone's email account is also compromised), and potentially even more convenient for end users.
As someone who uses randomised passwords stored in a KeePass container, I'm really, really happy that this 2FA solution is email-based rather than requiring a telephone number
This isn't inconvenient at all, everyone has an email and it's not just something you can lose like a phone, which is why I never have phone 2FA. Thank you for finally adding this.
If you're going to make it even more of a pain in the rear to log in to the site, can you PRETTY PLEASE let us stay logged in forever? It really grinds my gears that the dang site logs me out every couple days.
[quote]If you're going to make it even more of a pain in the rear to log in to the site, can you PRETTY PLEASE let us stay logged in forever? It really grinds my gears that the dang site logs me out every couple days.[/quote] Ignoring the obvious bait about 2FA...
I've been logged into the site for 8 months straight - the only times I've ever been logged out were forced logouts by staff after accounts were compromised before (hence the whole point of this) or when I do a full browser clean that involves removing my cookies. As far as I know, the site doesn't do any regular logouts of users.
Yeah, if you're actually being logged out every couple days, that's probably on your end. Like @Timmiluvs I also haven't had to log in for quite a while. Aside from global password resets, the only time the site forces me out is very rarely when the site's cache is refreshed or something (which I only remember happening like twice ever). No idea what would be causing your frequent logouts, but it's not the site itself.
On a somewhat related note, perhaps "logout all instances" would be another good security feature to have.
[quote=ShikenNuggets]On a somewhat related note, perhaps "logout all instances" would be another good security feature to have.[/quote]Added! You'll find the new button on Settings > Password.
Very good feature and glad to see it implemented. I hate seeing vandalized leaderboards, and this should help quite a bit with that.
Good that you added email 2FA, as I don't have a phone.
love the idea. this is a nice happy medium between log-in effort spent and account security. will we be able to re-use previously used passwords now? I came up with a really sweet password between rollbacks 1 & 2 and was sad that I only got to use it for a day
[quote=stllr]will we be able to re-use previously used passwords now?[/quote]
@stllr I don't know what exactly the site currently does in terms of restricting password re-use, but in any case, you absolutely should not do that ever.
This new security measure is NOT a replacement for good password security. It is a fallback for a worst-case scenario where somebody gets your password (which ideally should never happen in the first place). You should still use a strong password, and you should still never ever re-use passwords (even ones you only used for a day).
We finally got that feature we all waited for so long, but why mail only? Can we get the option to use Google Authenticator for this site as well? I am not a big fan of mail 2FA because most of the "insecure/most likely to be compromised" users are using the same passwords for their mail account as well...
Best regards
That might be a wake-up call to also become more aware of your passwords. Change those ;)
I have a password system for all of my important passwords. I came up with a password I really like for SRC after the first leaderboard compromise. I was forced to swap it to a different password because of the second leaderboard compromise. I'm not asking for people to let me use a really weak password ("dog123" for example) again, I just want to be able to re-use the earlier password I came up with specifically for SRC before I had to come up with a separate, not as enjoyable one to use.
I understand why password security is important, you don't need to lecture me about it. I just want to use the original one. If that can't happen it's not a huge deal, I was just asking.
Honestly, what bothers me is why people who are seemingly at least moderately tech-savvy (I guess every speedrunner) don't all like the idea of using a password manager like KeePass.
I assume that is because people wrongly assume their passwords are secure enough to keep having passwords they can remember. Personally, all my passwords are randomly generated and stored in a password manager. At this point, even I don't remember what most of my passwords are, and I prefer to keep it that way.
I think it would be nice to have the site have a device whitelist like how Gmail does. Basically, logging in from an unrecognized device would trigger the regular PIN requirement and send a message to the linked e-mail account along with providing instructions to whitelist the device so the PIN requirement doesn't constantly appear each time I log in. It's tedious having to go over to my e-mail account every single time just to log in.
I think most browsers just cache a logged-in session. A device whitelist wouldn't do more than that already.
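As an added example (not speedrun.com's code, and not anything posted in this thread), here is a toy model of the two features the thread asks about: the device whitelist that skips the e-mail PIN for a device carrying a signed trust token, and the "logout all instances" button, implemented by bumping a per-user session version. The class name, the 30-day trust window and the server key are all assumptions.

```python
import base64, hashlib, hmac, json, secrets

class AccountSecurity:
    """Toy model (added example, not speedrun.com's code): the e-mail PIN step-up
    is skipped for devices holding a signed trust token, and "logout all instances"
    works by bumping a per-user session version so older sessions stop validating."""
    def __init__(self, server_key: bytes, trust_days: int = 30):
        self.key = server_key
        self.trust_ttl = trust_days * 86400
        self.version = {}    # user -> current session version
        self.sessions = {}   # session id -> (user, version at creation)

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue_device_token(self, user: str, now: int) -> str:
        # Expiring "trusted device" cookie; only the HMAC keeps it honest.
        payload = json.dumps({"u": user, "exp": now + self.trust_ttl}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def device_trusted(self, user: str, token, now: int) -> bool:
        if not token or "." not in token:
            return False
        b64, sig = token.split(".", 1)
        try:
            payload = base64.urlsafe_b64decode(b64)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False  # forged or tampered token
        claims = json.loads(payload)
        return claims.get("u") == user and claims.get("exp", 0) > now

    def login(self, user, password_ok, device_token, now, pin_ok=None):
        """Returns ('denied' | 'pin_required' | 'ok', session id or None)."""
        if not password_ok or pin_ok is False:
            return "denied", None
        if pin_ok is None and not self.device_trusted(user, device_token, now):
            return "pin_required", None  # caller e-mails a PIN and calls again
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self.version.get(user, 0))
        return "ok", sid

    def session_valid(self, sid: str) -> bool:
        user, ver = self.sessions.get(sid, (None, -1))
        return user is not None and ver == self.version.get(user, 0)

    def logout_all(self, user: str) -> None:
        self.version[user] = self.version.get(user, 0) + 1
```

Note that the trust token and the session are separate: "logout all" invalidates every cached session, but a whitelisted device still skips the PIN on its next login until the token expires, which is the difference between the two features the last two posts discuss.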