Hello Everyone. 

A couple weeks ago Royal Road added new security features to keep everyone’s account safe. This announcement has been delayed due to our Birthday as that took priority (we didn't want to offset that post with this one), but here we are! You can read about it here.

Lockout

We have implemented a lockout system to ensure that brute force attacks against your account fail. The lockout time is not very long, but it should suffice to deter attacks by randomly guessing your password.

Two Factor Authentication

The best security measure that was added in this round is the 2FA, also known as Two-Factor Authentication. This means that you can now enable this service on Royal Road for extra account security, which uses apps like Google Authenticator or Authy. We recommend you enable this over at https://www.royalroad.com/account/twofactorauthentication.

Backup Codes

2FA does mean your account is more secure, but what if you lose access to your phone or other service required for the 2FA? In this possible case you can use a backup code in order to recover your account. Without this code your account WILL be lost, so store these codes in a safe place. 

Have I (you) been pwned? 

A general best-practice to keep yourself safe online would be to never ever reuse passwords. This way a single breach on one site or database will not compromise your other accounts. You can check if your email has been in any database dumps using https://haveibeenpwned.com/. In case your email is found in any breaches, we advise you to change your passwords on the sites you use, even if you’re not found in any breaches. Better safe than sorry, right?

 

Stay safe out there!

Log in to Comment

Comments(61)

More security is always welcome!

Better safe than slightly inconvenienced.

I always use two-factor stuff so this is great. Use it on Steam and it doesn't take much time. Thanks for this.

Yay 2fa is so great. I really appreciate the added security

Tomolone
S.Mod

Used it for a while already. Can reccomend!

I will be using the additional security, thanks!

Backup codes really? Never turning 2fa then.

    kanadaj
    Admin

    For reference, the system doesn't generate backup codes by default until you visit the backup codes page. If you feel safer without any codes, you can simply never visit the page.

      You assumed more intelligence on my comment than there was. It was more around of me losing both the authenticator phone and losing the code and forever losing access to my account. Shouldn't a email verification with a couple days waiting time (to give the user time to recover a stolen email account if that is the case) be a better option? Because I'ma be honest I'm kinda retarded and I see myself being locked out of my account by turning 2fa on.

       
      kanadaj
      Admin

      Technically speaking, email can be used as a second factor for authentication so recovery via email should be perfectly acceptable I think. Will think on that when it's not past midnight, since email as 2FA is a weird thing when password can also be substituted for emails.

    kanadaj
    Admin

    On that note, at a bare minimum it would take over 200,000 years to brute force a single account with 10 recovery codes.

    The math: 8 characters from a set of 36 gives you 36^8 combinations [2,821,109,907,456] and you can try 5 times before a lockout. You have 10 codes so let's divide that by 10 since it's 10x easier to brute force that, and let's assume you find the right code after brute forcing half of that. That means you need 28,211,099,074.56 attempts of 5 codes, waiting for the lockout between each batch. If you have to wait 5 minutes between batches, that 268,370 years.

      That's if hackers play nice with brute forcing it, in reality the math is heavily dependent on how/if they screw your lockout.

      Even with that in mind, the idea that someone is going to brute force your RR 2fa code is ridiculous, maybe the guy has some other problem with the codes? 

      kanadaj
      Admin

      They can't really screw with the lockout, we have both IP and account lockouts in place.

      The only other potential issue would be if someone got hold of the codes directly, but techniques like stuffing don't work because the codes are single-use, so even if you acquire the code somehow when it's sent to the server, it's not usable a second time.

The haters be hating, but they ain't gettin in.

Why does this site still allow people to use the copy paste function on the stories, every other site seems to have fixed this problem.

    Makes it real easy for people to steal your work

      Copy paste is for the most basic of stealing, if people take it seriously I'm sure they can find another way to steal your stuff.

      I consider the fact that RR still uses plain text a luxury, makes it easier to manage as a user.

       

      Yes the most basic, thats why it should be easily eliminated.

      People are more likely to do something the easier it is.

      kanadaj
      Admin

      Because copy-paste protection doesn't affect bots, and normal users can remove it simply inside Chrome or Firefox directly without any extra tools. That's how little they are worth.

      kanadaj
      Admin

      To reiterate, blocking copy-paste won't do a whole lot of good. Even ad blockers can strip it (it takes about 3 simple clicks to remove, 5 if there is a JS component, and from that point on the defences no longer work at all). On the other hand, it does significantly inconvenience users since they lose the ability to quote or highlight words.

      Ok thx for the info, I'm not a computer guy so I didn't know that.

      Yeah. I am pretty sure just entering reader view on a Firefox browser gets rid of that.

      Sorry for the lateness of these comments but this is the first time in months I did not open directly into a story I was reading (all bookmarked).  So today was when I first discovered about the authentication changes.

       

      Wallker, every site allows downloading of the information.  If they did not, you could not see the information in your browser.  Everything in the browser can be saved for offline viewing.

      I routinely use IMDB to get the names of actors, directors, and writers of movies in my personal library.  I pull up the movie/televison episode, save the web page to disk, and run a quick program to extract the information.  It took me about an hour to write and test the program.  It only took that long because the information was in 3 different formats and so my original save only showed one format to process.

      Any programmer worth even minimum wage can extract everything from a web page.  I actually have software that can walk all of Royal Road (or any other site) and download the entire site including downloading web pages linked by the site (Actually if I want to fill a drive, I can set up to walk the site and walk sites that have links to them and walk the sites they link, I used to do that until I started hitting porn sites that I have ZERO interest in.)  The code is quite simple.  With the tools provided by .NET from Microsoft, it is actually quite easy (within less than an hour) to write a custom browser.  That makes cut and paste possible even if the web host has for most browser cut and paste turned off (again they still have to allow the downloading which means the pages can be saved).

      Cut and paste is is a valuable tool.  Authors publish here, with we the readers, as editors and sometimes idea people.  We look at things and say where is this leading.  It could go here.  It could go there.  Oh, that grammar is in error.  Did you mispell this word or did you deliberately spell it that way. 

      Some of the readers are extremely good at this.  Some just like the stories.  Those stories I follow, I actually purchase after they are completed.  I used to purchase as they were written but too many people wrote part 1 and 2 but never finished.  I got tired of purchasing partial stories.  I think good writers, at least those I think are good, should be encouraged to write more.  Buying their books is an incentive.  My chapter comments are usually just questions or tangents I see.

Woo! My main email has not been pwned!

It's honestly kind of worrying that you didn't have the mechanism you describe as 'lockout', before.

    kanadaj
    Admin

    We simply haven't felt the need before - Royal Road grew from a small fan-site over time, so it never came up as an issue before. In addition, lock-out can be very inconvenient for the users especially without authenticator support due to the DOS possibility.

    We've always had a very slow password algorithm as well, so brute forcing passwords has never been a major concern, but we've recently observed some activity that encouraged us to tighten up the login security.

      I can understand that, and to some extent I can even sympathize with it.

      But even when taking a "slow" hashing algorithm for granted, lack of these kinds of (to be blunt) very basic security features and considerations tends to be a telltale sign of sloppy security in general.

      I don't mean to throw accusations around, especially as they would be thoroughly unfounded (unless you had undisclosed breaches), this is just my experience.

      kanadaj
      Admin

      That's not necessarily the case though. Lockouts aren't a particularly basic security feature, and almost any security setup that comes with the capability has it disabled by default because it may inconvenience users and may cause other potential issues which I'd rather not list here. The reason it wasn't enabled wasn't because we forgot, but because we deemed it unnecessary at the time. But it was definitely a consideration.

      I know it may be surprising, but I code RR in a very security conscious manner, be it XSS, RCE or SQLI. We've always had 2FA in the system (ask the moderators, I've shoved it down their throat years ago!) but I simply haven't had the time until recently to move the 2FA pipeline from the admin panel to general availability.

      kanadaj
      Admin

      And no, no undisclosed breaches, we simply flagged an incoming credential stuffing attack coming from a large number of IP addresses, and decided to move the timetable forward for security to avoid compromised accounts. 

      Was there any sign that RR was specifically targetted or was it yet another shotgun‐style attempt by some botnet to breach every site that it could? I’m almost certain it was the lattter, but…

      kanadaj
      Admin

      Most likely the latter, but better safe than sorry. Credential stuffing is a very common attack and 2FA is the most secure solution against it.

nice, it is appreciated

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

Don't add an achievement, it's better to keep those types of things secret.

Yeah, why would you advertise who has better security on their account?  That's just asking for the people that don't do this to be hacked.

    kanadaj
    Admin

    You need the email address to try to hack an account. And the achievement stays even if you remove 2FA afterwards.

      Showing who has the better security is not a good idea.  There is zero need for an achievement. 

      I appreciate that you're offering better security, though.

      kanadaj
      Admin

      Achievement removed, just so you guys feel more secure. Though personally I feel like encouraging 2FA with an achievement would make the site overall more secure, not less.

      Awww, the only reason I did the 2FA, was for the achievement...
      Those who don't want it can always make it non-visible in their settings.
      Bring it back please!

      I think the problem wouldn't be showing who had better security, but who didn't. If someone is targeting popular authors for instance, they could see if one particular person didn't have it enabled or showing.

Thanks for the chapter

ಠ‿↼

I didn't mind the achievement, I just turned it off. I do mind not being able to turn off the two factor authentication now that I turned it on... or maybe I'm missing something obvious. I've never used this app system before and I couldn't get it to keep me signed in at first. Which was a REAL pain for a bit, as I'm not very coordinated and it had a sixty second timer on each code.

Not a big fan of 2FA unless done really well, theres too many Auth apps these days and SMS is just easier. Nowadays I just use a password manager for my pointlessly long passwords, were RR to increase their character limit beyond 30 I'd change mine right away.

I realy Like the story and story line. If the whole story was up I would keep reading untill the end. I feel that it is captivating and intregging. I would definetly buy it. 

Always use protection kids.

Seems like I joined RR at a good time.