Is your password secure enough? Have you enabled two-factor authentication?

Niall

We've identified a handful of user accounts that were hijacked in the last couple of days and used to post inappropriate content. Our investigation points to those accounts using the same password on multiple websites and that password being made public in a data breach on one of those other sites. Please note that there is no evidence of a data breach occurring on this site.

If you're not familiar with how passwords can be leaked in data breaches, here's a FAQ about them.

To check if your passwords have been leaked in a data breach go to https://haveibeenpwned.com/, enter your email address and it will report whether it has been part of a leak, how and when. Given the high profile nature and volume of some of these breaches I'd be surprised if most people haven't been impacted.

The main thing to understand is that you should always use a unique and strong password for every different website/app account you have. That means even if your password is leaked in one system's data breach, your other accounts aren't then vulnerable as they're using a different password.

Given that, we strongly encourage you to take the following steps on this site:
  1. update your password with this form.
  2. we highly recommend taking a moment to enable two-factor authentication to add an additional layer of security and guard against your account being hijacked.
If you're not familiar with two-factor authentication, here's a guide for beginners that should help.

Note: If your email is not up-to-date please take the chance to update that as well using this form.

One more tip: Use a password manager

If you're not already using a password manager it's well worth taking the time to get one. It will make your passwords more secure, and take away the hassle of organising and remembering them.

Modern browsers and operating systems have built-in password management, so that's always a good option. But if you're using multiple devices (desktop, laptop, mobile, tablet etc.), syncing your password data across all devices may be tricky. A dedicated password management app can help with that. Here's a guide to password managers, both free and paid.

If you have any questions about any of this please post here or PM me directly.
 
Useful info, my personal email shows 10 breaches.
I shall be changing passwords
Thanks for the heads up.
 
I use a different password for every account I sign up for. And my caf email is untouched like a virgin fedora wearer.
 
Apart from all the joking though, I hope people take Niall's message seriously. This account hijacking stuff is no fun.
 
Hi admins, when checking my account to change my password, I just realized that the email address that I used to create this account no longer exists. How can I update my password and my email address to a working one?
 
Someone hacked accounts and made the tamest threads going? Bizarre, I assumed it was an admin taking the piss.
 
Someone hacked accounts and made the tamest threads going? Bizarre, I assumed it was an admin taking the piss.
Not actually hacked. It rather looks like someone got their hands on a cache of passwords due to a data breach elsewhere and are using them here on old accounts that never changed their passwords. So no hacking involved (in the usual sense of the word), which is why Niall called it 'hijacking' in the OP.
 
Someone hacked accounts and made the tamest threads going? Bizarre, I assumed it was an admin taking the piss.
I'd be less worried about the lame threads and more worried about someone else having access to my account so easily.
 
I use iOS generated strong unique passwords for everything so I’m not really worried, but out of curiosity how does 2FA work on here? Just for new login attempts?

I browse exclusively from my phone, so would this most likely not even be noticed unless someone tries something or I change phone or whatever?
 
I use iOS generated strong unique passwords for everything so I’m not really worried, but out of curiosity how does 2FA work on here? Just for new login attempts?

I browse exclusively from my phone, so would this most likely not even be noticed unless someone tries something or I change phone or whatever?
If you login from a new device, you have to enter a code and are then fine for another 30 days until it asks you to enter the code again.
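As an added illustration (not the site's software, just a sketch written for this thread), here is the flow described above in Python: a TOTP code is checked the first time a device logs in, and a trusted-device token then skips the code for 30 days. The secret and timestamps in the test are the RFC 6238 reference values; the 30-day trust period matches what the post says.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30      # seconds per code (RFC 6238 default)
TRUST_DAYS = 30     # assumed trust period for a device after a successful code


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the same value an authenticator app shows."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + TOTP_STEP * i), code)
        for i in range(-window, window + 1)
    )


class TrustedDevices:
    """Remembers devices for TRUST_DAYS so the code is only asked for on new logins."""

    def __init__(self):
        self._tokens = {}   # random token -> expiry (unix time)

    def issue(self, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = now + TRUST_DAYS * 86400
        return token

    def is_trusted(self, token: str, now: int) -> bool:
        expiry = self._tokens.get(token)
        if expiry is None or now >= expiry:
            self._tokens.pop(token, None)   # expired or unknown: device must re-verify
            return False
        return True


def login(devices, secret_b32, password_ok, device_token, code, now):
    """Return (allowed, device_token). Password first; the code only on untrusted devices."""
    if not password_ok:
        return False, None
    if device_token and devices.is_trusted(device_token, now):
        return True, device_token
    if code is not None and verify_totp(secret_b32, code, now):
        return True, devices.issue(now)   # new device verified: trust it for TRUST_DAYS
    return False, None
```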
 
I browse exclusively from my phone, so would this most likely not even be noticed unless someone tries something or I change phone or whatever?
I too browse exclusively on my phone. I’ve looked at the 2FA options available and neither of them are particularly convenient. Would it be possible to get a code by text instead for example?
 
You're almost as bad as @Solius. It's just a case of opening up whichever authenticator app you use, copy the code and paste. Adds 5 more seconds to the login process every 30 days.
Why every 30 days? Make it for new devices only. Not even my bank has this level of security.
 
I've set up my MFA, changed my email to one that hasn't apparently been stolen AND partially shut down my bot army that were hacking accounts on an undisclosed Irish football forum.

FC79D6EB9C9B45117E0ED87E5DD1669878611C4F
 
Who has that kind of time?
It is mildly annoying (30 second delay) via email but after many months using it I've got used to it. I finally got around to switching it to the app that my bank makes me use, which will be easier still.
 
What is the app for two factor?

For free and open source, bitwarden for managing passwords + Aegis/andOTP for 2FA. You could also use bitwarden's $1/month plan for generating the TOTPs within the password manager itself and it also auto copies the OTP for you on the webpage (this is what I do). I wouldn't trust closed sourced password managers.

Reasons to not use authy discussed here:
https://community.bitwarden.com/t/bitwarden-authenticator-vs-authy/68926
 
I use iOS generated strong unique passwords for everything so I’m not really worried, but out of curiosity how does 2FA work on here? Just for new login attempts?

I browse exclusively from my phone, so would this most likely not even be noticed unless someone tries something or I change phone or whatever?

This is the way (can't wait for the native Apple password manager btw!).

Thanks for the heads up @Niall, I just enabled the 2FA. Should have done ages ago.
 
I too browse exclusively on my phone. I’ve looked at the 2FA options available and neither of them are particularly convenient. Would it be possible to get a code by text instead for example?
Apparently SMS is an insecure method for MFA. Some of the better apps give the option to have a "trusted" person deliver the code to your house.
 
Apparently SMS is an insecure method for MFA. Some of the better apps give the option to have a "trusted" person deliver the code to your house.

Wouldn't say SMS is insecure, it's just less secure than software auth which is then less secure than hardware auth (yubikey, fido etc). Any form of 2FA is better than just password login.

Also, SMS is expensive to the site. If I'm not wrong, 100,000 codes/month will set redcafe back by $5,000 or so. Software auth should cost nothing.
 
Wouldn't say SMS is insecure, it's just less secure than software auth which is then less secure than hardware auth (yubikey, fido etc). Any form of 2FA is better than just password login.

Also, SMS is expensive to the site. If I'm not wrong, 100,000 codes/month will set redcafe back by $5,000 or so. Software auth should cost nothing.
Yeah, we wouldn't be expected to purchase yubikeys. My company phased out SMS as it's deemed less secure. Like you say, it's still better than just a password alone. Software auth is definitely the way to go from a cost and security perspective.