Regarding Security

Hey all! What a crazy week. The launch of LP Zone went way better than I thought it would - thank you to our patrons and everyone who’s posting! Y’all are an awesome bunch.

Just wanted to quickly give a security update for the forums. I’d like to confirm that SSL is working for our site and we’re in good standing as far as data security goes. However, it doesn’t matter how much prep you do or how many walls you put up - there’s always a chance something bad could happen. Even high profile politicians and big companies get hacked these days, so I wanted to let you know the steps you can take to help protect yourself on The Entire Net™ :globe_with_meridians:.

First, your password. Here are some good rules of thumb:

  • Do not use the same password for everything.
  • Make sure your password is 8 characters minimum.
  • Make sure your password contains at least 3 of the following: upper-case letters, lower-case letters, numbers, and special characters.
  • Try to renew your password every 90 days.
  • Use 2-step authentication for account verification on sites that have it. Here’s how to enable that on Gmail: https://www.google.com/landing/2step/ And here’s how to enable it on Twitter: https://support.twitter.com/articles/20170388

As far as our site goes, I’ve increased the minimum password requirement for all users to 8 characters and blocked simple passwords, as well as raised password requirements for our admins. We are also not connected to Patreon at all (Patreon rewards are applied manually), so don’t worry about any payment information being leaked. Really, the most effective thing you can do to prevent a hack is to use a different password for everything. That way if your data is compromised, it’s localized. And please don’t just follow these rules on LP Zone - follow them for every site and service you use.

In summary: be safe. Follow the guidelines we have here. After that, you’ve done basically everything you can do - so relax and play/watch/read/appreciate some videogames!

14 Likes
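The rules in the first post (8 characters minimum, 3 of 4 character classes, simple passwords blocked) are easy to state but worth seeing as a check, so here is an added example in Python. It is not code from the forum or from Discourse; the small blocklist is constructed for illustration, and a real deployment would use a large breached-password list. Note what the check does to the "correct horse battery staple" style passphrase discussed later in the thread: a long, lower-case-only passphrase fails the character-class rule even though its entropy is high, which is the usual tension between composition rules and length.

```python
# Constructed blocklist standing in for the forum's "blocked simple passwords";
# a production check would consult a large list of known-breached passwords.
COMMON_PASSWORDS = {
    "password", "password1", "12345678", "qwertyui", "letmein1", "iloveyou",
}

MIN_LENGTH = 8    # "8 characters minimum"
MIN_CLASSES = 3   # "at least 3 of the following" four classes


def character_classes(password: str) -> set:
    """Return which of the four classes (upper, lower, digit, special) are present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # punctuation, whitespace, anything else
    return classes


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    # Case-insensitive so that "Password1" is caught as well as "password1".
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    return problems


if __name__ == "__main__":
    for candidate in ["abc", "Password1", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The blocklist lookup is deliberately independent of the composition rules: "Password1" satisfies both the length and the three-class rule and is still rejected, which is why blocking common passwords matters more than the class count.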

As a general practice, I use a password manager and have a different password for every site that I’m even remotely worried about security at. There are a ton out there, both online in the cloud and standalone programs. I personally use KeePass Password Safe.

I know one of the most popular online password managers right now is LastPass.

Stay safe, friends!

5 Likes

I’ll also throw out 1Password as another good password manager.

@bob Does Discourse support two-factor authentication?

KeePassX is another password manager alternative, and is multi-platform native for Windows/Mac OS/Linux.

1 Like

Not currently, but that is item #1 on our list of features to approach Discourse with. We’re getting ready to add SSO for Twitter though, so if you have 2FA enabled on Twitter you’ll be able to get enhanced security here.

2 Likes

I use Authy for my 2-factor keys, it works better than Google Authenticator because you can sync your keys between multiple devices, and I have to use it a lot to log into stuff at work… Makes it a lot easier than having to get emails (for the sites that support it) all the time anyway. I wish these apps were more widely supported, I swear every financial account I have rolls their own damn thing.

KeePass is wonderful for password security and generation - just make sure you back up the vault file and remember its own password or you're kinda boned if you can't get at 'em anymore and you're locked out of your reset email.

Also, for anyone who is now starting to use a Password Manager and needs to choose a good password for it, here's how to make your choice:

3 Likes

Do make sure not to literally make “correct horse battery staple” your password, though. You wouldn’t think that’d need to be said, but…

Also, many password managers will help you generate word-based passwords (though I suppose that doesn't help for the initial one):

1 Like

While valid, most passwords aren’t cracked that way nowadays unless someone is really set on cracking one person’s specific thing, and most websites have protections against multiple password attempts in a short period of time. Generally hackers find exploits in website software or SQL or whatever to expose all the passwords, then they just go nuts trying the same username/password combinations on other websites.

Discourse uses salted password hashes and doesn’t store passwords in plaintext, so that’s good in case some unknown exploit with Discourse in the future gets used to rip out the password database here. See: https://meta.discourse.org/t/what-hashing-algorithm-is-used-in-discourse-for-hashing-passwords/32235

2 Likes
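The post above makes the point that a salted, slow password hash limits the damage if a password database is ever dumped. As an added example (not Discourse's code; the linked meta thread describes what Discourse actually does), here is the pattern in Python with PBKDF2-HMAC-SHA256: a fresh random salt per user, the iteration count stored alongside the hash so it can be raised later, and a constant-time comparison on login. The iteration count is an assumed value for this example and should be tuned to the server.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000   # assumed for this example; raise until a hash costs ~100 ms on your server
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # per-user random salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who picked the same password get unrelated records because of the salt,
    # so a leaked table does not reveal that they share a password.
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("same password, different records:", alice != bob)
    print("alice logs in:", verify_password("hunter2", alice))
    print("wrong password:", verify_password("hunter3", alice))
```

Storing the iteration count in the record is what lets a site raise the work factor over time: old records keep verifying with their stored count, and can be re-hashed with the new one at the user's next successful login.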

Well yes, but in terms of what an end-user can do, creating a reasonable password that will not be too short or too complex for memorization is the biggest concern.

And note that I recommend this method to generate the password for the Password Manager which is really the only one essential for memorization. Once one has that done, they can generate a 256 bit entropy password at their leisure for peace of mind.

+Yeah!
This is my go-to method for writing login screens, too. It’s easy to implement and it keeps your passwords relatively safe.

In regards to the passwords thing, I usually use a different one for every site and have them all written down in a notebook that is always near me. Writing them down somewhere can help you with remembering them and making it so they aren't similar.

LastPass also has a feature that allows you to change your passwords automatically for a bunch of more popular sites. That plus two factor authentication means that even if a hacker knows your LastPass master password, they won't be able to access your password vault unless they also have your phone.

To generate a passphrase for whatever password management program/service you use, consider using Diceware to create one. It’s a system where you roll dice to create a passphrase from words and abbreviations.
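Diceware, and the word-based generators mentioned earlier in the thread, work the same way: pick words uniformly at random from a fixed list, and the strength is simply the number of words times log2 of the list size. This is an added Python example, not part of the thread or of any Diceware list; the 36-word list is constructed so the whole thing runs offline (two dice per word), where the real Diceware list has 7776 words (6^5) and uses five dice per word. The entropy function shows why the list size matters as much as the word count.

```python
import math
import secrets

# Constructed 36-word list (6**2, so two dice select a word). A real Diceware
# list has 7776 words and is indexed by five dice; the arithmetic below is the same.
WORDS = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gamma", "hazel", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "olive", "panda", "quilt", "raven",
    "salsa", "tulip", "umbra", "vivid", "wharf", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "delta",
    "ember", "flint", "grove", "harp", "ivory", "jumbo",
]


def roll_dice(count: int) -> tuple:
    """Roll `count` fair dice with the OS CSPRNG (the `random` module is not suitable here)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(count))


def roll_to_index(roll: tuple) -> int:
    """Map a roll such as (1,1,1,1,1)..(6,6,6,6,6) onto 0..6**n-1 by reading it as base 6."""
    index = 0
    for die in roll:
        if not 1 <= die <= 6:
            raise ValueError("dice show 1 to 6")
        index = index * 6 + (die - 1)
    return index


def passphrase(words, n_words: int, separator: str = " ") -> str:
    """Pick `n_words` words uniformly by dice roll; the list length must be a power of 6."""
    dice_per_word = round(math.log(len(words), 6))
    if 6 ** dice_per_word != len(words):
        raise ValueError("word list length must be a power of 6")
    return separator.join(words[roll_to_index(roll_dice(dice_per_word))]
                          for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of a passphrase drawn uniformly: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print("toy passphrase:", passphrase(WORDS, 5))
    print(f"5 words from this 36-word list: {entropy_bits(len(WORDS), 5):.1f} bits (toy list, weak)")
    print(f"4 words from a 2048-word list:   {entropy_bits(2048, 4):.1f} bits")
    print(f"6 words from Diceware's 7776:    {entropy_bits(7776, 6):.1f} bits")
```

The entropy figures are the useful part: the xkcd-style four words from a 2048-word list give 44 bits, six real Diceware words give about 77 bits, and the toy list here gives under 26 bits for five words, which is why a generator's word list must be large and the selection must be uniform (the base-6 mapping above is a bijection, so every word is equally likely).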

Don’t forget that your account isn’t the only thing you need to keep secure! Your identity can be just as important to protect, especially if you are in the long list of minorities the internet targets for harassment. Use a different username from other sites, try not to mention your last name, or your first name if it’s particularly unusual. If you don’t live in an enormous city like New York or Boston, try not to mention your location more specifically than a state or region.

Obviously it’s up to the individual to determine how much they care about anonymity, but these are some basic guidelines for people who want to keep their online identity separate from their “irl”.