
Account Security Updates & Notice


Cipher


  • City Council

Hey everyone, we've been seeing an increase in the frequency of accounts being compromised using information from data breaches, so we felt it was important to provide some resources for keeping your accounts safe and update the community on what we're doing to help.

 

Firstly, over the past week or so we've seen a significant increase in unauthorized account access on the forums. The primary goal of this unauthorized access has been for the purpose of spamming, and some of the spam posts you've seen from older accounts fall within this category (although it is worth noting that the huge majority are from new registrations). Most of the time, this is done through automated scripts which associate email addresses and usernames shared across different services with passwords that have been breached and leaked to the public. Unfortunately, many people use a common / shared password for multiple services, so when a breach occurs, they'll often find that an attacker is able to gain access to their accounts on other services too.

 

While it may seem convenient to use a single password online, it puts you at risk when any service or website experiences a data breach. Instead, you should aim to use strong passwords, containing a mixture of uppercase and lowercase characters in addition to numbers and symbols, and use a unique password for each account or service. Alternatively, you can utilize a password manager such as 1Password to automatically generate and manage randomized passwords for you. If you believe that a service that you use has experienced a data breach and you use a shared password, then I would highly suggest changing your password for Homecoming. To manage your password for Homecoming, access your Account Settings in the user drop-down (see below) or click here.

 

Another thing you can take advantage of which should be offered by most websites, including our own, is multi-factor authentication (AKA 2-factor authentication). This helps secure your account by requiring an additional step after providing your password to verify your identity. This can include anything from TOTP apps such as Google Authenticator or Authy to receiving an SMS message or email with a code. To manage your multi-factor authentication for Homecoming, access your Account Settings in the user drop-down (see below) or click here.

 


How to find Account Settings

 

Finally, in order to help combat unauthorized account access, we've created a new device authorization system which is layered over top of Invision's existing login and multi-factor authentication systems. As of the time of this post, any time you attempt to sign into your Homecoming account from a new device, you will be prompted to authorize your device via a link sent to your registered email address. Once you've authorized a device for your account, you will be able to sign out and back in without going through the authorization process again.

 

Here are some additional resources regarding account and cyber security I would recommend:

 

If you have any questions about anything, please feel free to reach out via support or even message me personally on the forums.

 

Thanks


 

If you need help, please submit a support request here or use /petition in-game.

 

Got time to spare? Want to see Homecoming thrive? Consider volunteering as a Game Master!

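The automated credential-stuffing scripts described in the post above leave a distinctive trace in authentication logs: one client tries many different usernames, usually once each, and mostly fails, which is the opposite shape from a brute force against a single account. As an added example (not Homecoming's or Invision's code; the log format and the addresses are constructed for illustration), here is a small detector that scores each source IP by how many distinct usernames it tried within a short window and how often it failed, and lists any accounts that logged in successfully from such a source, since those are the accounts whose leaked password worked and should be reset and notified:

```python
"""Flag credential-stuffing traffic in authentication logs (defender's view).

Added example, not Homecoming's or Invision's code. The log format is
constructed for this illustration; adapt `parse_line` to a real log source.
Credential stuffing (replaying leaked email/password pairs) differs from a
classic brute force: one client tries MANY distinct usernames, usually once
each, with a high failure rate. That is the signal scored below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; IPs are RFC 5737 documentation addresses.
# 203.0.113.7  = stuffing burst, one hit on 'erin'
# 198.51.100.20 = a real user mistyping twice, then succeeding
# 192.0.2.5     = single-account brute force (not what this rule targets)
SAMPLE_LOG = """\
2023-02-10T12:00:01 ip=203.0.113.7 user=alice result=FAIL
2023-02-10T12:00:02 ip=203.0.113.7 user=bob result=FAIL
2023-02-10T12:00:03 ip=203.0.113.7 user=carol result=FAIL
2023-02-10T12:00:04 ip=203.0.113.7 user=dave result=FAIL
2023-02-10T12:00:05 ip=203.0.113.7 user=erin result=OK
2023-02-10T12:00:06 ip=203.0.113.7 user=frank result=FAIL
2023-02-10T12:03:10 ip=198.51.100.20 user=alice result=FAIL
2023-02-10T12:03:25 ip=198.51.100.20 user=alice result=FAIL
2023-02-10T12:03:40 ip=198.51.100.20 user=alice result=OK
2023-02-10T12:05:00 ip=192.0.2.5 user=bob result=FAIL
2023-02-10T12:05:01 ip=192.0.2.5 user=bob result=FAIL
2023-02-10T12:05:02 ip=192.0.2.5 user=bob result=FAIL
2023-02-10T12:05:03 ip=192.0.2.5 user=bob result=FAIL
2023-02-10T12:05:04 ip=192.0.2.5 user=bob result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for every source IP that, within some `window`,
    attempted at least `min_distinct_users` different accounts with a failure
    ratio of at least `min_fail_ratio`. The summary comes from the window
    with the most distinct usernames."""
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if not e["ok"])
            if (len(users) >= min_distinct_users
                    and failures / len(span) >= min_fail_ratio
                    and (best is None or len(users) > best["distinct_users"])):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    # Successful logins inside a stuffing burst are the accounts
                    # to force-reset and notify: the leaked password worked.
                    "succeeded_users": sorted({e["user"] for e in span if e["ok"]}),
                }
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(flagged):
    """Usernames that logged in successfully from any flagged source."""
    return sorted({u for s in flagged.values() for u in s["succeeded_users"]})


if __name__ == "__main__":
    report = detect_stuffing(SAMPLE_LOG.splitlines())
    for ip, s in report.items():
        print(f"{ip}: {s['distinct_users']} accounts tried, "
              f"{s['failures']}/{s['attempts']} failed, hits on {s['succeeded_users']}")
    print("accounts to reset:", compromised_accounts(report))
```

On the sample data only 203.0.113.7 is flagged; the mistyping user and the single-account brute force are not, because the rule keys on the number of distinct accounts rather than on raw failure volume. The thresholds are starting points to tune against your own traffic, and the response to a hit is defensive: rate-limit or challenge the source, reset and notify the accounts that succeeded, and feed the indicator to whatever blocks at the edge.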

Thanks for posting this. I was looking for this before logging in because the log-in system had changed, and I was suspicious of what was going on.

This should help others know that it is safe to use the new login system.


If someone posts a reply quoting me and I don't reply, they may be on ignore.

(It seems I'm involved with so much at this point that I may not be able to easily retrieve access to all the notifications)

Some players know that I have them on ignore and are likely to make posts knowing that is the case.

But the fact that I have them on ignore won't stop some of them from bullying and harassing people, because some of them love to do it. There is a group that have banded together to target forum posters they don't like. They think that this behavior is acceptable.

Ignore (in the forums) and /ignore (in-game) are tools to improve your gaming experience. Don't feel bad about using them.


  • 3 weeks later

Another big tip about passwords that people tend to overlook: length of password, aka more characters... 8 characters is NOT enough... but having 15-18 or even more makes it exponentially harder to break (or brute-force as it is properly called).

And as super long passwords and massively complex mixes of symbols, letters and numbers are impossible for humans to remember without writing them down

 

==> use passphrases

 

that is 3-4 words with at least 15 characters in total (because "you & me" kinda defeats the purpose...)

like "Pacific Soccer 100%"

Pick words that you neither love nor hate (and cannot be guessed through your social media accounts: kid/pet names, holidays, childhood places)

 

If you speak multiple languages: mix it up 😎

If you feel comfortable with Freakshow lingo: us3 L33t b3c4u$3 1t'$ cººl & tr€ndy

 

For each single character you add to your passwords, you make the task exponentially more difficult for the criminals out there... 12 should be minimum... 15 is good... 20+ you're a BEAST 🥳

 

by the way @Homecoming Staff: what is the MAX length of passwords that the server/software can technically handle?

(and what happens if you use a password that's longer? 😇 hihi, no need to answer this second question 😉)

 

Edited by Spectral

4 hours ago, Spectral said:

that is 3-4 words with at least 15 characters in total (because "you & me" kinda defeats the purpose...)

like "Pacific Soccer 100%"

Pick words that you neither love nor hate (and cannot be guessed through your social media accounts: kid/pet names, holidays, childhood places)

 

Using words in passwords makes them less safe.


  • 2 weeks later

@UltraAlt

Using longer passwords with words is safer than shorter passwords with random letters+numbers+symbols that nobody can remember. Simply due to the exponential nature of that equation... https://xkcd.com/936/


Hence why I insisted on 15 chars minimum. And why I suggested tricks like S->$ or E->€ ... Humans can remember these passwords

 

Of course 15 random letters+numbers+symbols would be best "in theory". In reality, they are a pain to type and users get frustrated with the entire password nightmare to begin with and "we" end up with passwords on post-it or in Excel/Word/... files that are not secured...

 

At least the post-it/files should be replaced with some Password Vault thing (https://en.wikipedia.org/wiki/List_of_password_managers).

 

With the Password Vault we go back to: you need at least one good and strong password... 8 chars is clearly known by all Cybersec people to be "not nearly enough"... 8 char can be broken in seconds via brute-force/rainbow tables/... Writing the password to the password vault on a post-it or file is equally unsafe...

 

 

It's about convincing users to have longer passwords and make those less painful... or (what the cybersec industry is currently pushing) passwordless MFA (Biometrics + Token). But password-less MFA means upgrading a long list of legacy software. And until then we'd want to convince users to be safe instead of being annoyed & lazy.

https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/nists-new-password-rule-book-updated-guidelines-offer-benefits-and-risk

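Spectral's two posts above (the passphrase advice and the xkcd 936 reply) rest on search-space arithmetic. The following added example, not from the thread, puts numbers on it: it computes entropy bits for uniformly random passwords, for word-list passphrases, and for a pattern-built password like the comic's Tr0ub4dor&3, and converts bits into worst-case cracking time at an assumed guess rate. The 2048-word list, the 1000 guesses-per-second rate and the pattern breakdown are assumptions (the latter two follow the comic), and the whole calculation assumes, as the comic does, that the attacker knows how the password was constructed and must still guess which one it is.

```python
"""Password search-space arithmetic behind the 'length beats complexity' advice.

Added example, not from the original thread. Entropy is computed the way
xkcd 936 does it: assume the attacker knows HOW the password was built
(alphabet, word list, substitution pattern) and must still guess WHICH one.
The word-list size, guess rate and pattern breakdown are stated assumptions.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_bits(length, alphabet_size):
    """Bits for `length` characters chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size):
    """Bits for `word_count` words chosen uniformly from a list the attacker also has."""
    return word_count * math.log2(dictionary_size)


def pattern_bits(components):
    """Bits for a human-style password built from a known pattern: the sum of
    the bits of each independent choice (which base word, which substitutions...)."""
    return sum(components.values())


def crack_time_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust a search space of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def equivalent_random_length(bits, alphabet_size=95):
    """How many uniformly random printable-ASCII characters carry the same bits."""
    return bits / math.log2(alphabet_size)


# Constructed breakdown following xkcd 936's estimate for 'Tr0ub4dor&3':
# a dictionary word dressed up with capitalisation, leet substitutions,
# a digit and a symbol. Each entry is an assumption copied from the comic.
XKCD_TROUBADOR = {
    "uncommon (non-gibberish) base word": 16,
    "capitalisation": 1,
    "common substitutions (0 for o, 4 for a, ...)": 3,
    "appended numeral": 3,
    "appended punctuation": 4,
    "order of numeral and punctuation": 1,
}


def report(guesses_per_second=1000):
    """Bits and worst-case years for several candidates. `guesses_per_second`
    is an assumed attacker rate; 1000/s is the comic's figure for online
    guessing against a throttled web service."""
    candidates = {
        "Tr0ub4dor&3 (pattern, 11 chars)": pattern_bits(XKCD_TROUBADOR),
        "4 random words from a 2048-word list": passphrase_bits(4, 2048),
        "8 random printable-ASCII chars": random_password_bits(8, 95),
        "15 random printable-ASCII chars": random_password_bits(15, 95),
    }
    return {name: (bits, crack_time_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR)
            for name, bits in candidates.items()}


if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:12.2f} years at 1000 guesses/s")
    # Each extra uniformly random character multiplies the search space by the
    # alphabet size, i.e. adds log2(95) ~ 6.6 bits for printable ASCII.
    print("bits per extra random printable char:", round(math.log2(95), 2))
```

Two things the numbers show that the thread argues over: every extra uniformly random character multiplies the search space by the alphabet size (about 6.6 bits per printable-ASCII character), and a four-word passphrase from a 2048-word list is worth about 44 bits only when the words are picked at random; words that can be guessed from social media, as the earlier post warns, carry far fewer bits than the formula credits, and the 44-bit passphrase is still only worth about seven truly random printable characters. Length helps because humans can actually remember and type the longer form.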

Didn't realize we now had 2FA for the forums (which also protects our game accounts).

OG Server: Pinnacle  <||>  Current Primary Server: Torchbearer  ||  Also found on the others if desired


Installing CoX:  Windows  ||  MacOS  ||  MacOS for M1  <||>  Migrating Data from an Older Installation


Clubs: Mid's Hero Designer  ||  PC Builders  ||  HC Wiki  ||  Jerk Hackers


Old Forums  <||>  Titan Network  <||>  Heroica! (by @Shenanigunner)

 


19 hours ago, WanderingAries said:

Didn't realize we now had 2FA for the forums (which also protects our game accounts).

 

There was a bot-invasion, forum-spamming attack.

The extra layer of protection for our game accounts was really just a side-effect or special effect ... I guess you could color customise it if you really wanted to.


On 3/5/2023 at 7:55 AM, Spectral said:

Humans can remember these passwords

 

I will not divulge my secrets.
Never take off your mask.

 

On 3/5/2023 at 7:55 AM, Spectral said:

users get frustrated with the entire password nightmare

 

I'm sure they would get much more frustrated if someone stole their game account or, even worse, their bank accounts or stock portfolios.

Increased password length, upper and lower characters, numbers, and special characters mixed are always suggested along with a different password for every account/website.

I think I heard someone say "no pain, no gain". If you think your password is a pain to type in then you are most likely gaining a greater degree of security. And something like "an ounce of prevention is worth a pound of cure". I'm sure there are more that are relevant.

To me, all of this is obvious, but so is using decent anti-virus and having a functional firewall (or 2).

