Hello Everyone. 

A couple of weeks ago, Royal Road added new security features to keep everyone's account safe. This announcement was delayed because our Birthday took priority (we didn't want to overshadow that post with this one), but here we are! You can read about it here.

Lockout

We have implemented a lockout system to ensure that brute force attacks against your account fail. The lockout time is not very long, but it should suffice to deter attacks by randomly guessing your password.

Two Factor Authentication

The best security measure added in this round is 2FA, also known as Two-Factor Authentication. You can now enable it on Royal Road for extra account security; it works with authenticator apps such as Google Authenticator or Authy. We recommend enabling it at https://www.royalroad.com/account/twofactorauthentication.

Backup Codes

2FA does make your account more secure, but what if you lose access to your phone or the other device required for 2FA? In that case you can use a backup code to recover your account. Without a backup code your account WILL be lost, so store these codes in a safe place.

Have I (you) been pwned? 

A general best practice for staying safe online is to never, ever reuse passwords. That way a single breach of one site or database will not compromise your other accounts. You can check whether your email has appeared in any database dumps at https://haveibeenpwned.com/. If your email is found in a breach, we advise you to change your passwords on the sites you use, and it's worth doing even if you're not found in any breaches. Better safe than sorry, right?


Stay safe out there!

Comments (57)

More security is always welcome!

Better safe than slightly inconvenienced.

I always use two-factor stuff so this is great. Use it on Steam and it doesn't take much time. Thanks for this.

Yay 2fa is so great. I really appreciate the added security

Tomolone
S.Mod

Used it for a while already. Can recommend!

I will be using the additional security, thanks!

Backup codes really? Never turning 2fa then.

    kanadaj
    Admin

    For reference, the system doesn't generate backup codes by default until you visit the backup codes page. If you feel safer without any codes, you can simply never visit the page.

      You assumed more intelligence in my comment than there was. It was more about me losing both the authenticator phone and the code and forever losing access to my account. Shouldn't an email verification with a couple of days' waiting time (to give the user time to recover a stolen email account, if that is the case) be a better option? Because I'ma be honest, I'm kinda retarded and I see myself being locked out of my account by turning 2fa on.

      kanadaj
      Admin

      Technically speaking, email can be used as a second factor for authentication so recovery via email should be perfectly acceptable I think. Will think on that when it's not past midnight, since email as 2FA is a weird thing when password can also be substituted for emails.

    kanadaj
    Admin

    On that note, at a bare minimum it would take over 200,000 years to brute force a single account with 10 recovery codes.

    The math: 8 characters from a set of 36 gives you 36^8 combinations [2,821,109,907,456], and you can try 5 times before a lockout. You have 10 codes, so let's divide that by 10 since it's 10x easier to brute force, and let's assume you find the right code after brute forcing half of that. That means you need 28,211,099,074.56 attempts of 5 codes, waiting for the lockout between each batch. If you have to wait 5 minutes between batches, that's 268,370 years.
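The estimate above, carried through as an added calculation (not code from Royal Road or from the commenter). It reproduces the 268,370-year figure from the same parameters and adds a second function showing what the same search costs if an attacker is bounded only by request rate rather than by the lockout; the 5-minute lockout and 365-day years are the commenter's assumptions, and the guesses-per-second rate is a constructed input.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Parameters of the guessing game as laid out in the comment above."""
    code_length: int = 8            # characters per backup code
    alphabet_size: int = 36         # a-z plus 0-9
    codes_per_account: int = 10     # any one of these ends the search
    attempts_per_lockout: int = 5   # guesses allowed before the lockout trips
    lockout_minutes: float = 5.0    # assumed wait between batches


MINUTES_PER_YEAR = 60 * 24 * 365    # the comment's figure uses 365-day years
SECONDS_PER_YEAR = 60 * MINUTES_PER_YEAR


def keyspace(policy: LockoutPolicy) -> int:
    """Total number of possible codes (36^8 for the page's parameters)."""
    return policy.alphabet_size ** policy.code_length


def expected_guesses(policy: LockoutPolicy) -> float:
    """Guesses needed on average to hit one of the N valid codes.

    Having N live codes shrinks the effective keyspace by N; on average the
    attacker succeeds after searching half of what remains.
    """
    return keyspace(policy) / policy.codes_per_account / 2


def expected_years(policy: LockoutPolicy) -> float:
    """Years required when every batch of attempts is followed by a lockout."""
    batches = expected_guesses(policy) / policy.attempts_per_lockout
    return batches * policy.lockout_minutes / MINUTES_PER_YEAR


def years_without_lockout(policy: LockoutPolicy, guesses_per_second: float) -> float:
    """Years required if the lockout is not enforced and only request rate limits
    the attacker; compare with expected_years to see what the lockout buys."""
    return expected_guesses(policy) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    policy = LockoutPolicy()
    print(f"keyspace: {keyspace(policy):,}")
    print(f"with 5-minute lockout: {expected_years(policy):,.0f} years")
    # 1,000 guesses/s is a constructed rate for illustration only.
    print(f"no lockout at 1000 guesses/s: {years_without_lockout(policy, 1000):.1f} years")
```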

      That's if hackers play nice with brute forcing it; in reality the math is heavily dependent on how/if they screw with your lockout.

      Even with that in mind, the idea that someone is going to brute force your RR 2fa code is ridiculous, maybe the guy has some other problem with the codes? 

      kanadaj
      Admin

      They can't really screw with the lockout, we have both IP and account lockouts in place.

      The only other potential issue would be if someone got hold of the codes directly, but techniques like stuffing don't work because the codes are single-use, so even if you acquire the code somehow when it's sent to the server, it's not usable a second time.
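The single-use property described above, as an added illustration that is not Royal Road's code: codes are drawn from the 36-symbol set discussed in the thread, stored only as salted hashes, consumed on first successful redemption so a captured code cannot be replayed, and failed attempts count toward a 5-attempt lockout. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, as in the thread
CODE_LENGTH = 8
CODE_COUNT = 10
MAX_FAILURES = 5  # failed attempts before the account lockout trips


def generate_codes(count: int = CODE_COUNT) -> list[str]:
    """Fresh plaintext codes, shown to the user once and never stored as-is."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)]


def _digest(code: str, salt: bytes) -> str:
    # Salted hash so a leaked store does not reveal usable codes.
    return hashlib.sha256(salt + code.encode()).hexdigest()


class BackupCodeStore:
    """Server-side record of one account's unused backup codes."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.hashes = {_digest(c, self.salt) for c in codes}
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; reject replays and anything while locked."""
        if self.locked:
            return False
        candidate = _digest(code.strip().lower(), self.salt)
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.remove(stored)  # single use: consumed on success
                self.failures = 0
                return True
        self.failures += 1
        return False
```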

The haters be hating, but they ain't gettin in.

Why does this site still allow people to use the copy paste function on the stories, every other site seems to have fixed this problem.

Woo! My main email has not been pwned!

It's honestly kind of worrying that you didn't have the mechanism you describe as 'lockout', before.

    kanadaj
    Admin

    We simply haven't felt the need before - Royal Road grew from a small fan-site over time, so it never came up as an issue before. In addition, lock-out can be very inconvenient for the users especially without authenticator support due to the DOS possibility.

    We've always had a very slow password algorithm as well, so brute forcing passwords has never been a major concern, but we've recently observed some activity that encouraged us to tighten up the login security.

      I can understand that, and to some extent I can even sympathize with it.

      But even when taking a "slow" hashing algorithm for granted, lack of these kinds of (to be blunt) very basic security features and considerations tends to be a telltale sign of sloppy security in general.

      I don't mean to throw accusations around, especially as they would be thoroughly unfounded (unless you had undisclosed breaches), this is just my experience.

      kanadaj
      Admin

      That's not necessarily the case though. Lockouts aren't a particularly basic security feature, and almost any security setup that comes with the capability has it disabled by default because it may inconvenience users and may cause other potential issues which I'd rather not list here. The reason it wasn't enabled wasn't because we forgot, but because we deemed it unnecessary at the time. But it was definitely a consideration.

      I know it may be surprising, but I code RR in a very security conscious manner, be it XSS, RCE or SQLI. We've always had 2FA in the system (ask the moderators, I've shoved it down their throat years ago!) but I simply haven't had the time until recently to move the 2FA pipeline from the admin panel to general availability.

      kanadaj
      Admin

      And no, no undisclosed breaches, we simply flagged an incoming credential stuffing attack coming from a large number of IP addresses, and decided to move the timetable forward for security to avoid compromised accounts. 

      Was there any sign that RR was specifically targeted, or was it yet another shotgun-style attempt by some botnet to breach every site that it could? I'm almost certain it was the latter, but…

      kanadaj
      Admin

      Most likely the latter, but better safe than sorry. Credential stuffing is a very common attack and 2FA is the most secure solution against it.

nice, it is appreciated

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

Don't add an achievement, it's better to keep those types of things secret.

Yeah, why would you advertise who has better security on their account?  That's just asking for the people that don't do this to be hacked.

    kanadaj
    Admin

    You need the email address to try to hack an account. And the achievement stays even if you remove 2FA afterwards.

      Showing who has the better security is not a good idea.  There is zero need for an achievement. 

      I appreciate that you're offering better security, though.

      kanadaj
      Admin

      Achievement removed, just so you guys feel more secure. Though personally I feel like encouraging 2FA with an achievement would make the site overall more secure, not less.

      Awww, the only reason I did the 2FA, was for the achievement...
      Those who don't want it can always make it non-visible in their settings.
      Bring it back please!

      I think the problem wouldn't be showing who had better security, but who didn't. If someone is targeting popular authors for instance, they could see if one particular person didn't have it enabled or showing.

Thanks for the chapter

ಠ‿↼

I didn't mind the achievement, I just turned it off. I do mind not being able to turn off the two factor authentication now that I turned it on... or maybe I'm missing something obvious. I've never used this app system before and I couldn't get it to keep me signed in at first. Which was a REAL pain for a bit, as I'm not very coordinated and it had a sixty second timer on each code.

Not a big fan of 2FA unless done really well; there's too many Auth apps these days and SMS is just easier. Nowadays I just use a password manager for my pointlessly long passwords; were RR to increase their character limit beyond 30, I'd change mine right away.

I really like the story and story line. If the whole story was up I would keep reading until the end. I feel that it is captivating and intriguing. I would definitely buy it.
