Notice Account Security Advice

lindsay

Admin
There have been a small number of instances of TP accounts being hacked and taken over by scammers over recent months. In the main these have been quickly spotted and shut down, but it's not always obvious to the automated detection tools and only when something starts smelling do we get to know a problem exists.

For this reason, we would strongly encourage members to regularly change their passwords, and use strong, complex ones to deter the hackers, and also try not to use the same password on multiple online accounts (I know, easier said than done).

Also, seriously consider enabling Two-Factor Authentication on your login, particularly if you are going to use the Classifieds, so that when you log in, you will be asked to also enter a verification code that you get either from an email to your TP-registered email address, or preferably from an Authenticator app on your phone (Google and Microsoft offer them, amongst others). This level of verification makes it a whole lot harder for someone to pretend to be you on the site and so the vast majority of these oiks won't bother.
 
I didn't even know that TP had 2FA. Now enabled.

1Password usually tells me if a site has 2FA available but not for TP. Is there something that you can do to enable that?

I'm sure there must be many of us that signed up years ago who don't know about it.
 
Thanks for that, password changed and 2FA enabled.
 
I have updated my password but could not see 2FA during or after the process :thinking:

As for the Android Play store app, I have seen that suggested by other official sites. I have yet to check it out
 
I don't think we can do anything to trigger your 1Password software @ecoleman
2FA is an option when you click on your userid above right, select Password and Security.
 
Thanks, I have now found the right bit on the TP page (y)

Do you have any insights about the 2FA App from the Playstore?
 
Google do an authenticator which you should find on the app store.


but for £30 odd per year, 1password is excellent for storing passwords, passkeys, 2FA, secure notes, card details etc.
 
Google do an authenticator which you should find on the app store.

Thanks, I will investigate and hopefully it will be usable as current 2FA based on phone numbers that allow me to take the 2FA code and enter on my desktop PC login as appropriate right now for some of the websites I use that have such extra layer(s) of security?
but for £30 odd per year, 1password is excellent for storing passwords, passkeys, 2FA, secure notes, card details etc.
Interesting, especially as I often need to do a 'forgotten password' step for certain lesser used sites :thinking:
 
Google do an authenticator which you should find on the app store.


but for £30 odd per year, 1password is excellent for storing passwords, passkeys, 2FA, secure notes, card details etc.
I use KeyPass, which does the same, but is free and open source.
 
2FA enabled - awaiting ensuing chaos! :facepalm:



Good grief, it works!
 
Thanks for the reminder. I have now set it up using the tools built into macOS/iOS.
 
I use KeyPass, which does the same, but is free and open source.
Keypass has only 5k+ downloads on the Google Play Store.
A search for Keypass on Google shows Keepass first.

I don't think I will be downloading either. Nor will I add another £30 per year for 1Password, seeing they have had data breaches in their past, as well as several other security-based products.
 
Enabled 2FA a while back but I requested a nickname change earlier today, hopefully no one's counting that as suspicious activity!

Thanks to the mods for the update! :)
 
Keypass has only 5k+ downloads on the Google Play Store.
A search for Keypass on Google shows Keepass first.

I don't think I will be downloading either. Nor will I add another £30 per year for 1Password, seeing they have had data breaches in their past, as well as several other security-based products.
The original version of Keypass is a Windows application

https://keepass.info/

This has then been ported to a range of different OS implementations, there are several for Android I believe.
The big advantage of Keypass is that all the info is stored where you decide - locally on whichever device you are running it on, or in one of the various cloud platforms (such as OneDrive, GoogleDrive, Dropbox, etc) - there is no big central server holding your password info to suffer a directed data breach.
If held locally, you can synchronise between devices via a USB stick, for example.
 
Keypass has only 5k+ downloads on the Google Play Store.
A search for Keypass on Google shows Keepass first.

I don't think I will be downloading either. Nor will I add another £30 per year for 1Password, seeing they have had data breaches in their past, as well as several other security-based products.
I have used Keypass ever since it was recommended by the head of Sophos development. What has the Google Play Store got to do with anything, given that it is primarily aimed at Windows? I downloaded mine from the Keypass website.

Dave
 
Keypass has only 5k+ downloads on the Google Play Store.
A search for Keypass on Google shows Keepass first.

I don't think I will be downloading either. Nor will I add another £30 per year for 1Password, seeing they have had data breaches in their past, as well as several other security-based products.
We use KeyPass at work (a global law firm).

So it's safe (and free)
 
Well, I have changed my password, because it was about time. Although, I'm not sure my account would be of interest to anyone. :D
 
@Plain Nev The concern primarily is that if someone hijacks your account they might put up a sale notice, and using your long standing on the site, someone might feel it safe to send you money for said sale item. Except it won't be going to you, it'll be going to Russia, India, China, or wherever.
Our life would be much much easier without HT and Classifieds, but we know a lot of people like and use those sections, so we keep them.
 
Some sites email unused accounts and if there is no response after a set time the account is deleted, is that a reasonable option?
 
Just changed my PW
 
Some sites email unused accounts and if there is no response after a set time the account is deleted, is that a reasonable option?
Sounds very fraught. What counts as no reply? What if the email ends up in your Spam, you don't notice and we delete your account?
 
Sounds very fraught. What counts as no reply? What if the email ends up in your Spam, you don't notice and we delete your account?
Don’t know, presumably one member just recently lost £750?
Question of lesser bad option I guess, maybe just Suspend?
 
I didn't even know that TP had 2FA. Now enabled.

1Password usually tells me if a site has 2FA available but not for TP. Is there something that you can do to enable that?

I'm sure there must be many of us that signed up years ago who don't know about it.
I use 1Password 7, and when I updated my TP password I was hoping to set up 2FA. I found the bit on TP, but I couldn't work out how to persuade 1PW to enable it. Did you manage it, @ecoleman (or anyone)?
 
Question of lesser bad option I guess, maybe just Suspend?
We are investigating and discussing options, but doing as much as we reasonably can - bear in mind this is not a job for us so is currently occupying a lot of our spare time. We are absolutely trying to find the best way of protecting users without making the site difficult to use and without removing Classifieds altogether, which would be the obvious blunt option.
 
I use 1Password 7, and when I updated my TP password I was hoping to set up 2FA. I found the bit on TP, but I couldn't work out how to persuade 1PW to enable it. Did you manage it, @ecoleman (or anyone)?

I'm using 1Password 8 but I'm sure it was the same on 7 before I updated so here goes.

You can add the OTP password manually.

Once you have the QR code on the screen on the TP website, open 1Password and edit your TP login.

You then need to "add another field" (below your username and password) and choose "One-Time password" from the dropdown.
To the right of the field you will see an icon for scanning the QR code. Click that and it should automatically detect the QR code displayed on the TP website.
Once added it will display your code which you enter into TP.
 
We are investigating and discussing options, but doing as much as we reasonably can - bear in mind this is not a job for us so is currently occupying a lot of our spare time. We are absolutely trying to find the best way of protecting users without making the site difficult to use and without removing Classifieds altogether, which would be the obvious blunt option.

Passkeys are the new password.

I'm assuming TP is run on off the shelf forum software. Perhaps a plugin is available for using passkeys.

How about removing access to classifieds if an account is not logged into after x amount of days? Then when the account is re-activated the same rules apply as a new account to access them again. That would also stop those who only log in once in a blue moon to use the classifieds but never contribute anything else.
 
We are investigating and discussing options, but doing as much as we reasonably can - bear in mind this is not a job for us so is currently occupying a lot of our spare time. We are absolutely trying to find the best way of protecting users without making the site difficult to use and without removing Classifieds altogether, which would be the obvious blunt option.
I'm sure that there are few if any of us that don't appreciate all that you do and my suggestion(s) were in no way meant as a criticism, merely an attempt to offer a suggestion for a possible extra layer of protection for members.
There is no control over those who leave or sadly die and then all of their accounts, which may contain references to passwords, fellow members' conversations, also access to email accounts linking them to TP etc, etc.
Anyway I'll shut up and go away now.
 
As I said, we are considering options. This thread was primarily to advise members to increase their account security with the tools already available - complex passwords and 2FA. But thanks for the suggestions.
 
Sounds very fraught. What counts as no reply? What if the email ends up in your Spam, you don't notice and we delete your account?
How about instead of deleting the account restricting it not to be able to post in the first instance (optionally with a message bar)?

I'd encourage everyone to sign up to 2FA via an authenticator app - it's more or less ubiquitous now for most sites of a financial nature. If someone steals my phone (and it isn't 2FA protected - it is, so don't bother trying to steal it :)) they have access to my mail & SMS - access to the 2FA app requires me to login (PIN/fingerprint)
 
Not really convinced it was necessary, but just changed the PW; was very strong and now very strong.

Dave
 
Using different passwords on all sites is recommended. You can use this site - https://haveibeenpwned.com/ to see if your email address is associated with a security breach on another site. We suspect that these attacks are using passwords scraped from other sites that are the same on here.
 
AFAIK I have never used the same password on two sites!
 
I use Nordpass password manager and one day I used their duplicate and strength password checker to go through some 200 sites and every single one has a unique password now (I thought I already had unique ones but I was wrong).

I have changed my password on this site but 2FA is a step too far as I don't want to get dependent on having my phone to hand. A bad agent might get into one site by hacking my password but if he gets my phone instead, I can't then get into any sites and any thief gets to know what site I'm trying to access because they have my phone. I don't personally like 2FA using a phone for that reason.

All my bank details are in my head, they are not written down or recorded anywhere, this is not practical for 200+ other sites!
 
I use Nordpass password manager and one day I used their duplicate and strength password checker to go through some 200 sites and every single one has a unique password now (I thought I already had unique ones but I was wrong).

I have changed my password on this site but 2FA is a step too far as I don't want to get dependent on having my phone to hand. A bad agent might get into one site by hacking my password but if he gets my phone instead, I can't then get into any sites and any thief gets to know what site I'm trying to access because they have my phone. I don't personally like 2FA using a phone for that reason.

All my bank details are in my head, they are not written down or recorded anywhere, this is not practical for 200+ other sites!
If you have an old smartphone you no longer use one option is to keep that at home, connecting via WiFi only (no sim) and run the 2FA authenticator on there.

I have both Microsoft and Google authenticators on my phone (as one site I use doesn't work with the MS authenticator) - both require the apps to be unlocked before you get to see the list of sites they are configured for - and with phone tracing apps, the last thing a thief is going to do is sit around with the phone on watching for incoming notifications!
 
@Plain Nev The concern primarily is that if someone hijacks your account they might put up a sale notice, and using your long standing on the site, someone might feel it safe to send you money for said sale item. Except it won't be going to you, it'll be going to Russia, India, China, or wherever.
Our life would be much much easier without HT and Classifieds, but we know a lot of people like and use those sections, so we keep them.
Is Hot Topics still a thing? I had myself banned from that years ago.
 