Author Topic: Improved Account Handling  (Read 6638 times)

Sekoia

  • Titan Network Admin
  • Elite Boss
  • *****
  • Posts: 1,834
Improved Account Handling
« on: June 14, 2015, 09:53:20 PM »
While Tony's been working to migrate our sites to SSL, I've been working to improve how we handle your accounts.

Usernames: Improved cross-site compatibility
  • For new accounts, usernames are restricted to alphanumeric characters plus spaces, periods, and hyphens and cannot have multiple spaces in a row. This change is to improve cross-site integration. For example, MediaWiki cannot distinguish between space and underscore in usernames. This reduced character set will ensure that account names are compatible across all of the Titan Network sites and projects.
  • Existing accounts that have "invalid" usernames are grandfathered in and will continue to work as they have been. However, we can't promise that your account will work correctly across all sites and services. I'm working on a feature to permit you to change your username, but it isn't ready yet.

Passwords: Better security
  • Passwords are now being hashed using PHP's password_hash, which uses the bcrypt hashing algorithm. The next time you log in on the main Titan page, at Paragon Wiki, at Ouroboros Portal, at City Info Terminal, or at Faces, your account's password hash will automatically be updated. (Logging in on the forums won't trigger the change, as the forums are a special snowflake that stores its own copy of the password hashes in a separate format.) This change should be transparent, but it will ultimately better protect your account's security if Titan is ever hacked. (We hope we won't get hacked, but we'd rather take as many reasonable precautions as possible.) This change is also future-friendly: if PHP ever upgrades to a more secure hashing algorithm, we'll be able to smoothly and transparently upgrade to take advantage of it.
  • Passwords are still restricted to 6+ characters. We now also have a "ban" list of common passwords that we won't let you use (such as "password", "12345678", and "qwerty"). We aren't enforcing any more stringent requirements than that, but please do use a secure password that nobody is likely to guess or hack. The best hashes are useless if you put something in that someone else can guess or brute force.

Improved password resetting
  • The security question and answer feature was removed from the password reset process. Too few people were using it and too many people who were using it had too easily guessable answers. The primary reason the feature was added was so that you didn't have to worry about someone else resetting your password, but that issue is now addressed by...
  • Password reset requests now generate a temporary password. This temporary password is only valid for a single login and will expire after 24 hours (or at the next time you log in, whichever is sooner). It can also be safely ignored: your existing password will not be changed unless you log in and change it. So if someone else requests a password reset on your account, you can just ignore it and keep logging in normally.

Email update propagation
  • When you change your email, it will now get updated across all of our sites. Previously, email changes only updated the Titan main site and CIT. Now they will also update the forums, the wikis, and Faces.

Miscellaneous
  • Global handles are no longer required. They are also no longer required to be unique.
  • If you have an older account that doesn't have a corresponding forum account, a forum account will now be created when you change your password.

Titan main website improvements
I've also made some changes to the main Titan website. Many changes are minor, but notably:
  • The site is much more mobile friendly now. Not perfect, but hopefully a big improvement!
  • The account management page now better depicts which Titan sites you are or are not linked to and provides better information about that linkage.
More changes will hopefully be coming soon, so stay tuned!

Questions or Concerns?
Feel free to chime in on the discussion thread.
« Last Edit: June 14, 2015, 09:59:49 PM by Sekoia »
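
[Added example, not part of the original post and not Titan Network's code.] The post above describes two mechanisms: upgrading a stored hash to password_hash output at the next login, and a single-use temporary reset password that leaves the existing password intact. The PHP sketch below shows one way to implement both; the `$acct` array layout, the `sha1:` legacy prefix, and the function names `issueReset` and `login` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Constructed sketch: the $acct array layout and the "sha1:" legacy prefix
// are assumptions, not Titan Network's schema.
const RESET_TTL = 86400; // temporary passwords expire after 24 hours

// A reset request stores a hashed temporary password beside the real one;
// the existing password hash is left untouched.
function issueReset(array &$acct, int $now): string {
    $temp = bin2hex(random_bytes(8));
    $acct['temp_hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $acct['temp_expires'] = $now + RESET_TTL;
    return $temp; // would be e-mailed to the account owner
}

// Returns 'ok', 'ok_temp' (caller must force a password change) or 'fail'.
function login(array &$acct, string $pw, int $now): string {
    $legacy = strncmp($acct['hash'], 'sha1:', 5) === 0;
    $ok = $legacy
        ? hash_equals(substr($acct['hash'], 5), sha1($pw))
        : password_verify($pw, $acct['hash']);
    $tempLive = isset($acct['temp_hash']) && $now < $acct['temp_expires'];
    $result = 'fail';
    if ($ok) {
        // Upgrade while the plaintext is in hand: the legacy format today,
        // or a newer PASSWORD_DEFAULT algorithm or cost later.
        if ($legacy || password_needs_rehash($acct['hash'], PASSWORD_DEFAULT)) {
            $acct['hash'] = password_hash($pw, PASSWORD_DEFAULT);
        }
        $result = 'ok';
    } elseif ($tempLive && password_verify($pw, $acct['temp_hash'])) {
        $result = 'ok_temp';
    }
    // Single use: any successful login, or expiry, discards the temporary password.
    if ($result !== 'fail' || !$tempLive) {
        unset($acct['temp_hash'], $acct['temp_expires']);
    }
    return $result;
}

// Constructed walk-through with a made-up account.
$acct = ['hash' => 'sha1:' . sha1('correct horse')];
$now = time();
var_dump(login($acct, 'correct horse', $now));          // log in against the legacy hash
var_dump(password_get_info($acct['hash'])['algoName']); // inspect the stored algorithm afterwards
$temp = issueReset($acct, $now);                        // someone requests a reset
var_dump(login($acct, 'correct horse', $now + 60));     // owner ignores it and logs in normally
var_dump(login($acct, $temp, $now + 120));              // temporary password tried after that login
```

Because the upgrade needs the plaintext password, it can only happen at login, which is why a site that keeps its own copy of the hashes in another format is not updated by this path.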

Sekoia

Re: Improved Account Handling
« Reply #1 on: June 28, 2015, 04:47:32 AM »
Username Changing
  • You can now change your username!
  • Users who have usernames that no longer meet our username requirements will be informed of this when logging in at the Titan main site. We encourage you to change your username to meet our requirements, but it's up to you.
  • Changing your username has some caveats, which will be explained to you during the rename process. Be sure to read them!
Account Deletion
  • Occasionally, we get requests to delete accounts. Now you can do it yourself! Of course, we hope you don't.
  • Account deletion has a lot of caveats. Be sure to read them all!
Paragon Chat
  • The account management page now lists Paragon Chat under the list of linked accounts. If you have a valid username, it will tell you what your Paragon Chat login information is. If your username is not valid, it will tell you that and will encourage you to change your username.

Sekoia

Re: Improved Account Handling
« Reply #2 on: June 28, 2015, 06:31:59 PM »
Bugfix
  • The last update broke email changes. That's fixed now. If you tried to change your email and were unable, it should work now.

Sekoia

Re: Improved Account Handling
« Reply #3 on: June 30, 2015, 09:36:45 PM »
Cross-Site Globals and Emails
  • The main Titan Account Management page no longer shows you your global handle, since the game has shut down and since it will become confusing in the handle what it's referring to (since Paragon Chat also has a global handle). You can now edit this field within CoH Faces or CIT.
  • You can no longer edit your email address on the forums or on CoH Faces. This was causing accounts to get out of sync. You must now always change your email address through the main Titan Account Management page.

Sekoia

Re: Improved Account Handling
« Reply #4 on: March 06, 2016, 02:34:26 AM »
Improved security
  • Added a CAPTCHA to the account registration page and to the password reset page.
  • Updated the registration process to require verification of email address prior to account creation.
  • Added additional protections on the backend that should be largely invisible to legitimate members and visitors.
Quality of life
  • The password reset email now clearly states your username.