Denise (denise) wrote in dw_maintenance 2020-03-17 04:31 pm
(no subject)
Some of you have noticed an uptick in spam accounts following you this week -- it was because a group of spammers were able to take over some legit accounts and use them for spam. (Our usual antispam efforts have worked pretty well to take care of newly created spam accounts, so spammers are going for the old ones instead.) It does appear that the accounts that were hijacked had used the same password they used on Dreamwidth for other sites, and the spammers found that username/password combination in one of the many black market venues for password resale.
We think we've managed to catch and suspend all the accounts that were being used for spamming -- if yours was one of them, open a support request in the Terms of Service category and we'll help you resecure your account so we can unsuspend it. If you spot one that our automated scan missed, open a support request in Anti-Spam and we'll take a look as soon as we get through the backlog of the already-reported ones. If you spot one and it's already been suspended, you don't have to report it.
This is a great time to remind everyone: please don't reuse passwords for multiple sites! The best and most secure way of handling passwords is to download a password manager, like Dashlane, 1Password, Keeper, LastPass, or Zoho. (Everyone has their own favorite, but those are all reputable and secure.) Let the password manager generate and remember passwords for you. This improves security for everyone!
(Edit:) I also forgot to remind people: you can check to see if your information has appeared in a data breach at Have I Been Pwned? It's a legitimate security research site that keeps a database of which account information is for sale on the black market. They don't tell you which passwords were compromised, just whether your email address appears in a collection of passwords, and they don't have every dataset that's circulating on the black market, but if your email address gets a result there, you should change your password on that site immediately, change the password on any site that you used the same password for (and make it a unique password!), and never use that password again. People who have the black market file try those username/password combinations on every site they can find to see how many accounts they can get into.
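The post describes the pattern behind the takeovers: someone holding a leaked username/password list tries each pair once on every site they can find, and gets in wherever the password was reused. From the site's side that pattern is quite distinctive, and it is what an "automated scan" for hijacked accounts looks for. The following is an added example, not Dreamwidth's own code or Denise's: it runs a simple credential-stuffing detector over a constructed authentication log (the log format, field names and IP addresses are assumptions; the addresses are from the documentation ranges) and lists the accounts a flagged source actually got into, which are the ones that need a forced reset.

```python
"""Flag credential-stuffing patterns in authentication logs.

Credential stuffing looks different from a brute-force attack on one
account: a source tries a leaked username/password pair once per account,
across many accounts, and succeeds only where the password was reused.
The signal is therefore a source with many *distinct* usernames and a low
success ratio, plus the few accounts it did get into.
"""
import re
from collections import defaultdict

# Assumed log line format (an assumption for this example):
#   <timestamp> ip=<addr> user=<name> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log (not real site data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2020-03-15T10:00:01Z ip=198.51.100.7 user=alice result=ok
2020-03-15T10:00:05Z ip=198.51.100.7 user=alice result=ok
2020-03-15T10:01:00Z ip=203.0.113.5 user=alice result=fail
2020-03-15T10:01:01Z ip=203.0.113.5 user=bob result=fail
2020-03-15T10:01:02Z ip=203.0.113.5 user=carol result=ok
2020-03-15T10:01:03Z ip=203.0.113.5 user=dave result=fail
2020-03-15T10:01:04Z ip=203.0.113.5 user=erin result=fail
2020-03-15T10:01:05Z ip=203.0.113.5 user=frank result=fail
2020-03-15T10:01:06Z ip=203.0.113.5 user=grace result=ok
2020-03-15T10:01:07Z ip=203.0.113.5 user=heidi result=fail
2020-03-15T10:02:00Z ip=198.51.100.9 user=bob result=fail
2020-03-15T10:02:10Z ip=198.51.100.9 user=bob result=fail
2020-03-15T10:02:20Z ip=198.51.100.9 user=bob result=ok
"""


def parse_log(text):
    """Yield (ip, user, ok) tuples; silently skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "ok"


def find_stuffing_sources(text, min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: {"attempts", "distinct_users", "successes", "compromised"}}
    for sources whose attempt pattern looks like credential stuffing."""
    per_ip = defaultdict(
        lambda: {"attempts": 0, "users": set(), "successes": 0, "compromised": set()}
    )
    for ip, user, ok in parse_log(text):
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        if ok:
            rec["successes"] += 1
            rec["compromised"].add(user)

    flagged = {}
    for ip, rec in per_ip.items():
        distinct = len(rec["users"])
        ratio = rec["successes"] / rec["attempts"]
        # Many distinct accounts from one source with mostly failures is the
        # stuffing signature; a user mistyping their own password (one
        # account, several failures, then success) does not trip this rule.
        if distinct >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "attempts": rec["attempts"],
                "distinct_users": distinct,
                "successes": rec["successes"],
                "compromised": sorted(rec["compromised"]),
            }
    return flagged


def accounts_to_resecure(text, **kw):
    """Accounts a flagged source logged into: candidates for a forced
    password reset and session invalidation."""
    names = set()
    for rec in find_stuffing_sources(text, **kw).values():
        names.update(rec["compromised"])
    return sorted(names)


if __name__ == "__main__":
    for ip, rec in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, rec)
    print("resecure:", accounts_to_resecure(SAMPLE_LOG))
```

On the constructed log, only 203.0.113.5 is flagged (eight attempts against eight different accounts, two successes), and the accounts to resecure come out as carol and grace; the legitimate user on 198.51.100.9 who failed twice on their own account is left alone. The thresholds are tunable and would be combined with rate limiting and a notification to the affected users in practice.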
no subject
Please don't worry, we will never make 2FA mandatory, and there are ways you can implement it without requiring a phone number. (The sites asking you for a phone number are generally doing it for password recovery if you get locked out of your account and can't receive the password reset email; 2FA-via-text-message is only slightly more secure than no 2FA at all, since texts aren't very secure, so most places have moved away to using a phone number for 2FA.) 2FA is, however, a very good option to have for people who are really concerned about the security of their account, people who are "high value" targets like activists and journalists whose accounts may contain information that would be either profitable or compromising, and people who have to use untrusted networks or computers to connect to their accounts. For those people, having the option to enable 2FA can really improve their security. (For instance, even if somebody manages to intercept my password for our payment processor, they won't be able to steal all our moneyz because I have 2FA turned on.)
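The "ways you can implement it without requiring a phone number" that Denise mentions are, in most authenticator apps, time-based one-time passwords (RFC 6238 TOTP): the site and the app share a random secret once, typically via a QR code, and both then derive a six-digit code from that secret and the current 30-second time step. Nothing is sent over SMS, so there is no phone number to collect and no text message to intercept. The block below is an added example, not Dreamwidth's code: it implements the code generation and a server-side verifier with clock-skew tolerance and replay protection, checked against the published RFC 4226/6238 test-vector secret. Class and function names are this example's own.

```python
"""Phone-free second factor: time-based one-time passwords (RFC 6238).

The server and the user's authenticator app share a random secret once;
afterwards both derive a 6-digit code from the secret and the current
30-second time step. No SMS and no phone number are involved.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

DIGITS = 6
STEP = 30


def new_secret(nbytes=20):
    """Generate a fresh shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def hotp(secret_bytes, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret_bytes, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_bytes, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret_bytes, int(at) // step, digits)


class TotpVerifier:
    """Server-side check with clock-skew tolerance and replay protection.

    `window` is how many time steps either side of 'now' are accepted
    (1 = 90 s in total, to absorb phone clock drift). A counter that has
    already been accepted is never accepted again, so a code captured in
    transit cannot be replayed inside its validity window.
    """

    def __init__(self, secret_b32, window=1, step=STEP):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.step = step
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        now = int(at) // self.step
        for counter in range(max(0, now - self.window), now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than one already used): replay
            # Constant-time comparison so response timing does not leak digits.
            if hmac.compare_digest(hotp(self.secret, counter), str(code)):
                self.last_counter = counter
                return True
        return False


# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# used here only so the output can be checked against the published vectors.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode("ascii")

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET_B32)
    code = totp(RFC_SECRET, at=59)
    print("code at t=59:", code)                     # 287082 per RFC 4226 vector 1
    print("first use:", verifier.verify(code, at=61))  # True
    print("replay:", verifier.verify(code, at=61))     # False
```

The secret stays on the server and in the app; the server stores it encrypted at rest and, as with a password, should rate-limit verification attempts, since a six-digit code is small enough to guess if unlimited tries are allowed. Recovery codes generated at enrollment cover the case where the user loses the device, again without any phone number.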
no subject
we thought there must be better ways to do it than requiring phone numbers, we just haven't personally seen anywhere do so and call it 2FA. the only times we've heard the phrase so far have been in reference to requiring phone numbers, so that was the only pattern we had for it, but still we thought it must be more than that (hence saying -if- they require a phone number). we're delighted to learn that our suspicions were correct - there are better ways to do it! and we're unsurprised that you folks are on top of that and being awesome. x3
we're also very glad to hear about the ways 2FA can be used to keep at-risk people safe, and otherwise be extremely helpful. that's excellent and we're very much in favour of the option being there for those who need or want it! we see what you mean about the situations like you mentioned, and we agree it's very important to offer people ways to keep themselves and their data secure no matter what their situation. we're very glad you're working on that, thank you.
it is sooo good to hear from you that you'll never make it mandatory. we thought you likely wouldn't, knowing the dreamwidth staff and style - your approach has always been in favour of options and choice and diversity and accessibility, which has been instrumental in this place becoming our no1 favourite website ever and online home - but we and accessibility in general get shut out and left by the wayside so consistently that it's still extremely reassuring to hear confirmation from you that you're not going to go that way. so even though we know that in general it's not the sort of thing dreamwidth is likely to do, this website means a lot to us and it's a huge relief to hear specific confirmation that we're definitely not going to lose access to it. thank you very much for your dedication to keeping things accessible and preserving users' free will and choices. <3
you all are wonderful. <3 <3 <3
no subject
> 2FA-via-text-message is only slightly more secure than no 2FA at all, since texts aren't very secure, so most places have moved away to using a phone number for 2FA.

I wish. My banks both still insist on texts. Which is why I don't have online banking set up with either of them.
no subject
(I mean, if nothing else, y'all can count on the fact that we don't want your phone number any more than you want us having your phone number; our general philosophy is that there has to be a REALLY GOOD reason for us to ask you for any personal data. And with us you know that's 'really good' from the standpoint of "will it let you do something that people really want to do on the site", not the standpoint of "how can we convince them to give us more data we can sell", because you can ALWAYS count on us being too stubborn (and too lazy) to sell user data.)
no subject
thank you for refusing to sell your soul.
no subject