Unraid.net Account Upgrades


SpencerJ


1 hour ago, MVLP said:

I have tested it also with Bitwarden (Vaultwarden) and it doesn't work to scan the QR code.
My solution was to scan the QR code with Apple Shortcuts and copy the TOTP code from the provided link.

After that it's working like a charm!

 

Another option for Bitwarden users - I was able to successfully scan from my iPhone using the app, or you can click the text that says "Copy MFA Setup URL" and paste that into the 2FA field, which will generate a code the same way. The QR is just a fast way to set this up.

Link to comment

An email should have been sent, not just an announcement post, about forum security updates.

 

The 12 character password has completely ruined my password management process. 

 

Also, when force logged out on my Android device unread posts never showed as all posts were unread. That's backwards to me. Meaning I didn't see the announcement post until *AFTER* resetting my PW and logging in. Very frustrating.

  • Thanks 1
Link to comment

Maybe I missed something obvious, but honestly I didn't see anything highlighting this change until this morning (my time). And while I see now that it was in a newsletter, it was quite far down. As another poster said, there should really have been an email specifically on this quite important change - surely more significant than another podcast or whatever.

 

So while trying to solve a problem on the forums I suddenly found myself logged out and then saw the MFA message. OK, so I tried to login - yes, using my email address - but no joy with the password which I was quite sure was correct. So I had to do a password reset and entered a complexity-compliant password. My previous password didn't meet the requirements, so maybe the password complexity checking was preventing me from logging in?

 

Anyway, now that I'm in (obviously) I can't get MFA set up using Google Authenticator. I scan the QR, enter the code numbers, click Verify (or whatever the button label is) and nothing happens. I've tried a few times without any luck. (Using Vivaldi on Win 10, if that's relevant). Is it possible that there's some call to another site that is being blocked by pi-hole or some browser privacy setting? Getting a bit annoyed by this.

  • Upvote 2
Link to comment
1 hour ago, klepel said:

An email should have been sent, not just an announcement post, about forum security updates.

 

The 12 character password has completely ruined my password management process. 

 

Also, when force logged out on my Android device unread posts never showed as all posts were unread. That's backwards to me. Meaning I didn't see the announcement post until *AFTER* resetting my PW and logging in. Very frustrating.


Sorry for the frustration. Are you subscribed to the monthly newsletter?

https://unraid.net/newsletter

 

Link to comment

Is there a possibility to show the key too instead of only generating the QR code and the URL for Bitwarden,...?

 

I'm using Enpass and I need the key instead of the URL, of course I could copy the URL, paste the URL somewhere and extract only the key but this seems tedious for users who are running into the same situation...

  • Upvote 1
Link to comment

Why on earth are you implementing archaic complexity requirements? Do you not follow the best practices for Identity - password complexity DOES NOT improve security, in fact there is strong evidence to prove it weakens security. 

 

Please, please, please, follow best practices:

Use a minimum password length of at least 12 and maximum at least 64

Drop complexity requirements

Check passwords against a compromised password list (e.g. haveibeenpwned.com)

Encourage the use of pass phrases. "robot banana gunmetal" is a lot more secure than "Pa$$w0rd1" which meets your complexity rules - https://haveibeenpwned.com/Passwords

 

Don't just take my word for it though:

https://letmegooglethat.com/?q=modern+password+requirements

 

  • Like 2
  • Thanks 2
  • Upvote 1
Link to comment
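A password check along the lines JamieV lists (length 12 to 64, no character-class rules, reject anything in a breach corpus), written as an added example; it is not code from the forum or from Unraid. The breach list here is a constructed stand-in for the haveibeenpwned.com range lookup, and the complexity function only exists to show how the two rules disagree on the thread's two sample passwords.

```python
import hashlib

# Constructed breached-password set (SHA-1 hex, upper-case) so the example runs
# offline. A real deployment sends only the first 5 hex characters of the hash to
# the haveibeenpwned.com range API (k-anonymity) and compares suffixes locally.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Pa$$w0rd1", "password", "123456789012")
}

def pwned_suffixes(prefix):
    """Stand-in for the HIBP range endpoint: suffixes of breached hashes with this prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h[:5] == prefix}

def is_breached(password):
    """True if the password's SHA-1 appears in the (constructed) breach corpus."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in pwned_suffixes(h[:5])

def meets_complexity(password):
    """The upper/lower/digit rule the thread argues about, kept only for comparison."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))

def check_password(password, min_len=12, max_len=64):
    """Return the reasons a password is rejected; an empty list means accepted.
    Length bounds plus a breach check, with no character-class requirement."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems
```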
8 hours ago, sonofdbn said:

Anyway, now that I'm in (obviously) I can't get MFA set up using Google Authenticator. I scan the QR, enter the code numbers, click Verify (or whatever the button label is) and nothing happens. I've tried a few times without any luck. (Using Vivaldi on Win 10, if that's relevant). Is it possible that there's some call to another site that is being blocked by pi-hole or some browser privacy setting? Getting a bit annoyed by this.

 

So I've tried a few more times, including using a clean Edge browser, but still no luck when I click Enable MFA. Nothing happens. And because I keep on trying, Google Authenticator keeps on telling me I already have an unRAID account when I scan the QR code, and asks if I want to keep both accounts. I've always said no (because I can only imagine complications with two accounts).

 

Wasting far too much time on this. 😣

Link to comment
48 minutes ago, JamieV said:

Why on earth are you implementing archaic complexity requirements? Do you not follow the best practices for Identity - password complexity DOES NOT improve security, in fact there is strong evidence to prove it weakens security. 

 

Please, please, please, follow best practices:

Use a minimum password length of at least 12 and maximum at least 64

Drop complexity requirements

Check passwords against a compromised password list (e.g. haveibeenpwned.com)

Encourage the use of pass phrases. "robot banana gunmetal" is a lot more secure than "Pa$$w0rd1" which meets your complexity rules - https://haveibeenpwned.com/Passwords

 

Don't just take my word for it though:

https://letmegooglethat.com/?q=modern+password+requirements

 

Echo everything @JamieV says here. Complexity rules do not improve security, and if using MFA they have even less impact. Complexity rules simply force people to use pattern-based passwords, which make it easier for them to be discovered by bots.

 

3 random words (not what3words) are far more effective.

 

That said, any plans to implement passkeys?

  • Like 1
Link to comment
16 hours ago, kaiguy said:

For whatever reason, the QR code doesn't seem to work with my Bitwarden app. Never ran into that problem before (it just won't scan). I just tried setting up TOTP on another site and it worked just fine. Odd.

Don't know if you still have an issue, but I just used bitwarden to set mine up with no issues.

Link to comment
3 hours ago, JamieV said:

Why on earth are you implementing archaic complexity requirements? Do you not follow the best practices for Identity - password complexity DOES NOT improve security, in fact there is strong evidence to prove it weakens security. 

 

Please, please, please, follow best practices:

Use a minimum password length of at least 12 and maximum at least 64

Drop complexity requirements

Check passwords against a compromised password list (e.g. haveibeenpwned.com)

Encourage the use of pass phrases. "robot banana gunmetal" is a lot more secure than "Pa$$w0rd1" which meets your complexity rules - https://haveibeenpwned.com/Passwords

 

Don't just take my word for it though:

https://letmegooglethat.com/?q=modern+password+requirements

 


Ditto.

Link to comment
13 hours ago, johnwhicker said:

This is very confusing unless I am slow. My old username and password did not work, so I had to do a password reset. Should be pretty transparent right? I am using Safari if that matters. 


I had to do a password reset also. No issues once that was completed.

Link to comment
3 hours ago, JamieV said:

Drop complexity requirements

 

3 hours ago, JamieV said:

Encourage the use of pass phrases. "robot banana gunmetal" is a lot more secure than "Pa$$w0rd1" which meets your complexity rules

I agree with these suggestions.  I had to change from the pass phrase I was using to a 12+ character "complex" password in order to meet the new requirements.  The phrase is easier to remember and more secure.

 

However, the process as outlined by Limetech worked for me without issues as well as 2FA with the QR code on Google Authenticator on iOS.

Link to comment

> there should really have been an email specifically on this quite important change

 

Sorry this has been frustrating for you. For the vast majority of people this has been a seamless migration as intended, but there are definitely folks that are hitting roadblocks and we apologize for that.

We have enabled a new banner for signed out users that points them to the blog post so they see that before starting.


> Drop complexity requirements

 

We realize that complexity requirements are controversial. But upper/lower/number doesn't seem that harsh? The good news is that phrases still work, you just need to tweak them slightly. Here is a site that shows how poor an all lowercase 12 character password is, and the value of using a larger character set:

https://passwordbits.com/password-cracking-calculator/


> I had MFA before. Can I delete that from my Google Authenticator?

 

Yes, please do. It is no longer used.


> How can I create backup codes and download them if I lose my phone?

 

Unfortunately Cognito does not support this. You would need to contact support and we'd send you a token via email, when you respond with that token we'll disable MFA on your account.

 

TBH you might want to look at a different app for MFA, one that syncs codes between devices. A lot of people like Authy for this, personally I use 1Password which handles both passwords and MFA codes seamlessly.
 

Link to comment
5 hours ago, DanielPT said:

I had MFA before. Can I delete that from my Google Authenticator?

 

How can I create backup codes and download them if I lose my phone?

 

Thanks!

 

The technology used here is called TOTP (Time-based One-Time Password). I would recommend migrating to Authy (https://authy.com/), which allows you to have multiple devices and encrypted backups of your secrets (seeds) for generating TOTPs.

 

Cheers.

  • Like 1
Link to comment
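Two earlier points in the thread, the Enpass user wanting the bare key rather than the "Copy MFA Setup URL" link and the note above that the scheme is TOTP, come together in this added example (not code from the forum, Unraid or any authenticator app): it pulls the base32 seed out of an otpauth:// URL and computes the same RFC 6238 code the app would show. The sample URL, label, and secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the Key URI format that "Copy MFA Setup URL" buttons hand
# out; the secret and account label are made up for this example.
SAMPLE_URL = ("otpauth://totp/Unraid:user%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Unraid&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(url):
    """Extract the TOTP parameters from an otpauth://totp/... URL.
    The 'secret' value is the base32 seed that apps like Enpass ask for directly."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"].replace(" ", "").upper(),
        "issuer": q.get("issuer", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }

def totp(secret_b32, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC(seed, time-step counter), dynamically truncated to N digits."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)   # restore stripped base32 padding
    key = base64.b32decode(padded, casefold=True)
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // period))       # 8-byte big-endian step count
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def code_from_setup_url(url, for_time=None):
    """Convenience: the current code for whatever the setup URL describes."""
    p = parse_otpauth(url)
    return totp(p["secret"], for_time, p["digits"], p["period"], p["algorithm"])
```

The test vectors used to check `totp` are the published RFC 6238 ones (seed "12345678901234567890", SHA-1), so a mismatch there means the implementation, not the URL, is at fault.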
