squeaky, is there some kind of issue happening with the site? since yesterday i have been unable to reply to comments from email and at times can't log out of accounts, can't generate certain pages. getting 404 and 302 errors.
hey, squeaky. it seems like there's been an uptick in people making use of the lack of security features and they're using password crackers to get into people's journals. is there a way you can look into maybe restricting the number of times someone can guess a password to prevent scripts from running an endless list of passwords? or even upping the security requirements on passwords? right now someone's password could be as simple as "hey".
+1, i also had an account stolen recently and increasing password safety would be really good for the site.
and idk if support was the right route to take this, but i also raised a support request suggesting that when email addresses are changed on an account, a confirmation/notification should absolutely be sent to the old account too for security's sake.
i wanted to also say we need this. i help moderate tradingspaces and since July 21st almost 20 user names were reported hacked to me, but i'm certain there's more. it's just taking time for people to realize their accounts were broken into. this is a security issue that needs to be addressed considering this isn't the first time it's happened. please limit the amount of failed login attempts or else someone can keep trying to guess a password 92870712098039280938 times and continue to keep going until they're inside. it'd also be great if you made it so new accounts were forced to create passwords with at least six letters, a capital, and numbers. thank you for listening.
Yeah, this is a huge security issue, and it needs to be addressed by you. If our accounts are that easily compromised, something needs to be changed in how login attempts are handled immediately.
It's not just limited to Insanejournal as the sole concern, as togetherinparis points out; if access to our emails and at least one password used in conjunction with that email is stolen, there's a good chance the person or people doing this could be using the information they're getting to try to gain access to people's accounts on other sites as well, some of which may store things like credit card information and phone numbers.
I second limiting login attempts to three attempts per X amount of hours, and requiring more complex passwords for accounts. Security of users' information and accounts should be top priority.
even limiting to 3 instead of 5 is a good idea, if you mess up twice you're going to send the password to yourself and log in using the correct pw. like i said in my comment they can limit how many times you can send a pw to yourself so why not limit how many times you can attempt to log in in 24 hours?
In case you were wondering, Squeaky, your silence and seeming lack of any urgency on this extremely important security issue - especially after such a successful summer sale - is not a good look for you.
We had 6 hours of down time. Was that you trying to address this? If so, better and more open communication is required here.
Additionally, many of the users on this site are paying customers. As a person who runs a website, I find it very hard to believe that advertising and Patreon aren't easily paying for the servers, hosting, and minimal upkeep on IJ.
All that to say, we're very literally paying you, Squeaky. Despite this, I have seen very little evidence from my interactions with you that you're willing to go even slightly out of your way to help us out. Support requests lie unanswered for months or even years, responses of any kind/on any platform are usually slow, and they are often vague or unhelpful, and the site has seen next to no updates in a decade. All of which is frustrating. However, your seeming lack of urgency and utter lack of communication regarding a serious threat to our privacy moves past frustrating to alarming.
I know you have a life and a job outside of this site and don't want to downplay that. However, the fact remains that as I said, we are paying you to do a job and doing our best to support you. Unfortunately, our user experience and security do not seem to be things on which you place a premium. That's a problem.
Perhaps it is time to consider adding to the administrative team so that these sorts of things can be dealt with more speed and communication in the future.
this this this, i also would like to recommend a feature like most sites have where if someone password requests you it doesn't just send your literal password to your email but sends you a link to reset it entirely, just thought i'd throw that out there. something absolutely needs to be done about security nonetheless.
in that case, it might also be good to add in a feature where when your account gets a pm it notifies you via email? since right now a lot of people are having to request pws to get people to log in to check their pm inbox.
if there is a way to limit how many times a person can guess a password in a 24 hour period, please put it in place! most of us might mess up our password once or twice, but then we can send it to ourselves. there's no need for unlimited tries or more than say, 5. it limits how many times you can send a password to yourself, so please limit how many times we can guess our own password. if i'm locked out by my own stupidity i'd rather be locked out than have any of my journals at risk of being hacked.
Agreed. If I put the wrong password in a couple of times I just have my information sent to me. I also like when you have to confirm part of your email address before it will send it, usually in the form of a radio button list of three options, and then all of them are mostly asterisked out so that you have to actually know your email to pick the right one.
For instance, if my email was firstname.lastname@example.org it would say email@example.com; I know what my email name is and I know how many characters are in it, so picking it out of a list to confirm sending the password email is pretty easy, but someone who doesn't own the account would have a harder time picking.
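Two of the requests in this thread fit together: sending a reset link instead of the literal password (the comment a few replies up) and making the requester pick their masked address from a short list before anything is sent (the two comments just above). The block below is an added illustration written for this thread, not InsaneJournal's code; the user table, the decoy addresses and the `https://journal.example/reset` URL are constructed for the example, and the masking style (first character of the local part and host, plus the TLD) is one reasonable choice rather than anything the site does.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a reset link should stop working quickly

# Constructed user table for the example; a real site would read its database.
USERS = {
    "alice": {"email": "firstname.lastname@example.org"},
    "bob": {"email": "bob@example.com"},
}
_RESET_TOKENS = {}  # sha256(token) -> (username, expires_at)


def _token_hash(token):
    # Store only a hash of the token so a database leak does not expose live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username, now=None):
    """Create a random, single-use, expiring token; the raw value goes only into the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _RESET_TOKENS[_token_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def reset_link(token):
    # Hypothetical URL; the site would use its own reset endpoint.
    return "https://journal.example/reset?token=" + token


def redeem_reset_token(token, now=None):
    """Return the username if the token is known and unexpired; the token is consumed either way."""
    now = time.time() if now is None else now
    entry = _RESET_TOKENS.pop(_token_hash(token), None)
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None


def mask_email(email):
    """Keep the first character of the local part and of the host plus the TLD; star the rest."""
    local, _, domain = email.partition("@")
    host, dot, tld = domain.rpartition(".")
    masked_local = local[:1] + "*" * (len(local) - 1)
    masked_host = host[:1] + "*" * (len(host) - 1)
    return masked_local + "@" + masked_host + dot + tld


def confirmation_choices(username, decoys):
    """Build the masked radio-button list: the real address plus decoys, shuffled.

    Returns (choices, index_of_real) so the server can check the pick later;
    only `choices` is sent to the browser, the index stays in the session.
    """
    real = USERS[username]["email"]
    choices = [mask_email(real)] + [mask_email(d) for d in decoys]
    order = list(range(len(choices)))
    secrets.SystemRandom().shuffle(order)
    shuffled = [choices[i] for i in order]
    return shuffled, order.index(0)


def request_reset(username, picked_index, real_index, now=None):
    """Issue a reset link only if the requester picked the real masked address."""
    if picked_index != real_index:
        return None
    return reset_link(issue_reset_token(username, now))


if __name__ == "__main__":
    choices, real = confirmation_choices("alice", ["fred.lastname@example.net", "alice@mail.example.com"])
    print(choices)                       # three masked addresses in random order
    print(request_reset("alice", real, real, now=0.0))
```

The link carries the raw token, the database holds only its hash, and `redeem_reset_token` pops the entry on first use, so a link that has been used or has passed its 15-minute TTL cannot be replayed. The decoy addresses should be generated to resemble the real one in shape; obviously different decoys make the pick easy for anyone.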
Most sites that limit login attempts to 3-5 will usually put a hold on further attempts for the next 1-3 hours, and honestly the few times I've just completely forgotten a password and that's happened to me I was fine with having to wait to try again with the right password.
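The lockout several commenters ask for (a handful of failed attempts counted over 24 hours, then a hold of an hour or three) and the password minimum suggested earlier (six characters, a capital, a number) are simple to express. The block below is an added example written for this thread, not code from InsaneJournal; the `LoginThrottle` class, the user table and the `Example7pass` password are constructed, the counts and durations are the ones suggested in the comments, and PBKDF2 is used only so the example has a realistic password check to throttle.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Values taken from the thread's suggestions; tune for the site.
MAX_FAILURES = 5             # failed attempts allowed per account inside the window
WINDOW_SECONDS = 24 * 3600   # failures are counted over 24 hours
LOCKOUT_SECONDS = 3 * 3600   # hold on further attempts once the limit is hit


class LoginThrottle:
    """Per-account failure counter with a sliding window and a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires

    def _recent_failures(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return q

    def is_locked(self, account, now):
        return now < self._locked_until.get(account, 0.0)

    def record_failure(self, account, now):
        """Record a failure; return True if this one triggers a lockout."""
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Password storage and policy (constructed for the example).
def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(record, password):
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def password_meets_policy(password):
    """Minimum suggested in the thread: at least six characters, one capital, one digit."""
    return (len(password) >= 6
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


_salt, _hash = hash_password("Example7pass")   # constructed account
USERS = {"alice": {"salt": _salt, "hash": _hash}}


def attempt_login(throttle, users, username, password, now=None):
    """Return 'locked', 'ok' or 'bad_credentials'.

    Unknown usernames are throttled too, so the response does not reveal
    whether an account exists, and a locked account is not checked at all.
    """
    now = time.time() if now is None else now
    if throttle.is_locked(username, now):
        return "locked"
    record = users.get(username)
    if record is not None and verify_password(record, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "bad_credentials"


def simulate_guessing(throttle, users, username, guesses, start=0.0):
    """Feed a constructed list of guesses one second apart; return the outcomes in order."""
    return [attempt_login(throttle, users, username, g, start + i) for i, g in enumerate(guesses)]


if __name__ == "__main__":
    t = LoginThrottle()
    weak_then_right = ["hey", "123456", "password", "alice", "qwerty", "Example7pass"]
    print(simulate_guessing(t, USERS, "alice", weak_then_right))
    # five failures lock the account, so even the correct sixth guess is refused until the hold expires
```

The fifth failure sets the lock, and the correct password is refused for the next three hours; a real deployment would persist the counters (a database or cache shared across web nodes) rather than keep them in process memory, and would key a second counter on source address so one client cannot spread guesses across many accounts.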