Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Unraid.net Account Upgrades

Featured Replies

  • Replies 111
  • Views 31.9k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • This is a security upgrade. Your persistent and vocal concerns over pricing changes have been heard loud and clear. You make a lot of assumptions in your subsequent posts. Please rest assured, any fut

  • Why on earth are you implementing archaic complexity requirements? Do you not follow the best practices for Identity - password complexity DOES NOT improve security, in fact there is strong evidence t

  • MFA Setup We highly recommend that you also set up Multi-Factor Authentication with this new identity provider.   To enable MFA, click on your account name in the top right of the forum

Posted Images

I got signed in, changed password and everything appears to work as intended. Whilst I was changing things, I also decided to change the email address associated with the account. Unfortunately I get caught up in a vicious circle - change email, requires to re-authenticate, which uses the old email, the screen says the email was changed, I get an email change notification at the new e-mail), but it will only accept my old credentials when re-logging in. Rinse and repeat. No joy.

lol, I don't think I've ever had to use a 12-Digit password before. 

I am locked out of my usual username(csrihari). I can login with my correct email with MFA as well but then I get to this screen.

1601637192_Screenshot2023-03-02at1_51_41PM.thumb.png.9cd43adeec1dd5a9aeef7c4bad9a33da.png

 

I try to re-authenticate and it says password is incorrect (that was just allowed a moment earlier to get to this page!!!). Tried multiple times and different browsers. Reset password, enabled MFA and nothing helps. I had to create a new account just to post this. Frustrating experience to say the least. 

 

 

Edited by csriharitemp

11 minutes ago, csriharitemp said:

I can login with my correct email with MFA as well but then I get to this screen.

 

Please try signing in again. We are fixing these as we see them, working on automating the fix.

3 minutes ago, ljm42 said:

 

Please try signing in again. We are fixing these as we see them, working on automating the fix.

Thanks. This worked now(obviously!!). Not sure what to do with that temp account. Will it be purged if I do not use it again?

2 hours ago, ljm42 said:

> How can i create backup codes and download if i loose my phone?

 

Unfortunately Cognito does not support this. You would need to contact support and we'd send you a token via email, when you respond with that token we'll disable MFA on your account.
 

 

But this way also someone else with access to my mail account can get the token to deactivate MFA. This person could also already have the password of the account. That would defeat the whole purpose of MFA.

18 hours ago, johnwhicker said:

This is very confusing unless I am slow. My old username and password did not work, so I had to do a password reset. Should be pretty transparent right? I am using Safari if that matters. 

Same for me (I use Brave as my browser mostly).  Mostly I was thrown by the unexpected need to use email address instead of user name and only fully realised that after doing a password reset anyway.  Had me scratching my head for a few minutes.  I don't use MyServers, so I was unaffected by that side (not sure whether I would have been or not...)  

26 minutes ago, kennymc.c said:

But this way also someone else with access to my mail account can get the token to deactivate MFA. This person could also already have the password of the account. That would defeat the whole purpose of MFA.

 

It is a strange design decision by Amazon Cognito for sure. MFA on your email will help protect against loss of your email account.

Strange decision to use Amazon Cognito maybe ?

1 hour ago, terag1e said:

I got signed in, changed password and everything appears to work as intended. Whilst I was changing things, I also decided to change the email address associated with the account. Unfortunately I get caught up in a vicious circle - change email, requires to re-authenticate, which uses the old email, the screen says the email was changed, I get an email change notification at the new e-mail), but it will only accept my old credentials when re-logging in. Rinse and repeat. No joy.

 

Sorry for your issues, but thanks for sharing them. You saved me and likely others ton of headache.

 

I was going to do the same thing, since it took me 5 different "reset password" cycles until I got the email address actually used for unraid. However I felt "Nah, I've already had to jump through so many hoops already, I'll save that for another day".

 

I'll save changing the email address for after someone says they were able to complete the process without issue.

There are definitely some compatibility issues with Safari on macOS. I first signed out in Safari. I used Chrome, signed in successfully, enabled MFA using Bitwarden. Then switched back to Safari and signed back in. I was prompted for the code and signed in successfully. On Safari when I go to manage my Unraid.net account it shows that MFA is disabled while Chrome shows it's enabled.

 

Safari is my primary browser on my Mac since I use iDevices and it's just easier so that I have the same bookmarks on all my devices. Most things work fine on Safari. I only have Chrome on my Mac just in case something isn't working correctly.

14 hours ago, JamieV said:

Why on earth are you implementing archaic complexity requirements? Do you not follow the best practices for Identity - password complexity DOES NOT improve security, in fact there is strong evidence to prove it weakens security. 

 

Please, please, please, follow best practices:

Use a minimum password length of at least 12 and maximum at least 64

Drop complexity requirements

Check passwords against a compromised password list (e.g. haveibeenpwned.com)

Encourage the use of pass phrases. "robot banana gunmetal" is a lot more secure than "Pa$$w0rd1" which meets your complexity rules - https://haveibeenpwned.com/Passwords

 

Don't just take my word for it though:

https://letmegooglethat.com/?q=modern+password+requirements

 

These best practices do come with a caveat, using brute force alone, a 12 character password consisting of only upper and lower case English alphabet characers would take just over two years to crack on a single RTX6000. This time more or less scales downward linearly with the number of GPUs you add. This is just brute force. Rainbow table based dictionary attacks can throw the entire English dictionary and all documented first, last, middle, and pet names at the problem in a fraction of that time, and then start concatenating them together for additional attempts. 

The best practices assume a well designed validation model. Per-user time delay login attempt lockouts (Too many failed attempts! Try again in 15 minutes!) increases the time to crack exponentially. 2FA also practically eliminates brute force as an attack vector. 

P.S. @ljm42 the site you linked would seem to suggest that cracking even just a 12 characer Upper/Lowercase password is sufficiently complex for most users. It's using some pretty outdated data that doesn't take GPU compute into account, or rainbow tables though.

On 3/1/2023 at 3:52 PM, SpencerJ said:

The previous 2FA system you may have set up for the Unraid forums will no longer be used and will need to be reconfigured.

Is it safe to delete the old 2FA setup (Inc Backups?)

32 minutes ago, NathanR said:

Is it safe to delete the old 2FA setup (Inc Backups?)

 

yes please delete it to avoid confusion 

As the documentation pointed out that this was also for the My Servers plugin I signed out of it on my Unraid server and now cannot sign back in.  Have tried email address as preferred in the new method and my username as was done before.  I have also submitted this case through the support form via the plugin.

15 hours ago, ljm42 said:

> Drop complexity requirements

 

We realize that complexity requirements are controversial. But upper/lower/number doesn't seem that harsh? The good news is that phrases still work, you just need to tweak them slightly. Here is a site that shows how poor an all lowercase 12 character password is, and the value of using a larger character set:
  https://passwordbits.com/password-cracking-calculator/ 

 

 

It is not controversial, it is wrong. You calculator is just that, a calculator that states how many combinations there are available. Unfortunately, by enforcing complexity you have just removed any password from the available pool that does not meet your complexity requirements and drastically reduced the amount of time needed. However, this is pretty moot now as brute force password cracking is only really available once the password DB has been obtained. Most online compromises are now performed by using password breach lists (Password spray attacks) so checking that passwords are not on a breach list is really important - you are not doing this. The password Mississippi1 complies to your complexity rules and can be set as a password but it exists in the top 100 most common passwords. 

 

Removing complexity makes passwords easier to remember and encouraging pass phrases makes passwords easier to remember and harder to crack. Users mostly do the same thing when they create a password with complexity, they add a number to the end, or a ! and the bad actors know this. 

https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

What can you do to improve:

  • Add federation to allow user of Google, Microsoft or Apple accounts to signin - one less password for a user to remember and these companies are very good at security. 
  • Enable passkeys - The next gen in internet security
  • Add compromised password checking - use a service such as https://haveibeenpwned.com/API/v3#PwnedPasswords which will stop any compromised password being set and therefore drastically reducing the success of password spray attacks.
  • Remove complexity to increase the available number of passwords and make them easier to remember.

 

Side note, happy to sell you some consultancy  on this ;-) 

 

 

8 hours ago, Xaero said:

These best practices do come with a caveat, using brute force alone, a 12 character password consisting of only upper and lower case English alphabet characers would take just over two years to crack on a single RTX6000. This time more or less scales downward linearly with the number of GPUs you add. This is just brute force. Rainbow table based dictionary attacks can throw the entire English dictionary and all documented first, last, middle, and pet names at the problem in a fraction of that time, and then start concatenating them together for additional attempts. 

The best practices assume a well designed validation model. Per-user time delay login attempt lockouts (Too many failed attempts! Try again in 15 minutes!) increases the time to crack exponentially. 2FA also practically eliminates brute force as an attack vector. 

P.S. @ljm42 the site you linked would seem to suggest that cracking even just a 12 characer Upper/Lowercase password is sufficiently complex for most users. It's using some pretty outdated data that doesn't take GPU compute into account, or rainbow tables though.

 

Yes, you're correct but as you also say this is only really for brute force which assumes you have lost your password DB. Most attacks are either phishing or spray attacks now using compromised passwords.

 

2 things

 

1. i quite like the new login screen, looks less cluttered.

 

2. i had 2fa enabled, now is asking me to re-enable it.

Hello,

 

While trying to Reauthenticate, I'm getting Password Incorect.

 

image.thumb.png.7c25ac81b8c1d7ddbfca853e6a610652.png

The update went well.

9 hours ago, xlelx said:

As the documentation pointed out that this was also for the My Servers plugin I signed out of it on my Unraid server and now cannot sign back in.  Have tried email address as preferred in the new method and my username as was done before.  I have also submitted this case through the support form via the plugin.

I have exact the same issue and can´t use the plugin.

 

edit: problem solved. Support told me to reinstall the plugin / use the terminal of the browser.

Edited by Civic1201

Ugh... 20 minutes of fighting logins and pw reset nonsense and I finally got in. Now, I can't set up 2FA - how long do we expect it to sit at "Enabling MFA"? I seems stuck, but won't give an error, progress, and refreshing the page just puts me back into a holding patter. Seems like others are having trouble with MFA 'sticking' once set up, anyone got a tip on how to get this entirely frustrating "improvement" moving forward? 

10 hours ago, xlelx said:

As the documentation pointed out that this was also for the My Servers plugin I signed out of it on my Unraid server and now cannot sign back in.  

 

There is a potential issue where the My Servers plugin might be referencing an old file that is cached locally. I'd recommend uninstalling/reinstalling the My Servers plugin to resolve that issue.

3 hours ago, dianasta said:

Hello,

 

While trying to Reauthenticate, I'm getting Password Incorect.

 

image.thumb.png.7c25ac81b8c1d7ddbfca853e6a610652.png

 

Please press the "Sign In with Unraid.net" button

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.