Unraid.net Account Upgrades


SpencerJ

Recommended Posts

I got signed in, changed password and everything appears to work as intended. Whilst I was changing things, I also decided to change the email address associated with the account. Unfortunately I got caught up in a vicious circle - change email, which requires re-authenticating, which uses the old email; the screen says the email was changed, I get an email change notification at the new e-mail, but it will only accept my old credentials when re-logging in. Rinse and repeat. No joy.

Link to comment

I am locked out of my usual username (csrihari). I can login with my correct email with MFA as well but then I get to this screen.

[Screenshot of the re-authentication screen, 2023-03-02]

 

I try to re-authenticate and it says password is incorrect (that was just allowed a moment earlier to get to this page!!!). Tried multiple times and different browsers. Reset password, enabled MFA and nothing helps. I had to create a new account just to post this. Frustrating experience to say the least. 

 

 

Edited by csriharitemp
Link to comment
2 hours ago, ljm42 said:

> How can i create backup codes and download if i loose my phone?

 

Unfortunately Cognito does not support this. You would need to contact support and we'd send you a token via email, when you respond with that token we'll disable MFA on your account.
 

 

But this way also someone else with access to my mail account can get the token to deactivate MFA. This person could also already have the password of the account. That would defeat the whole purpose of MFA.

Link to comment
18 hours ago, johnwhicker said:

This is very confusing unless I am slow. My old username and password did not work, so I had to do a password reset. Should be pretty transparent right? I am using Safari if that matters. 

Same for me (I use Brave as my browser mostly).  Mostly I was thrown by the unexpected need to use email address instead of user name and only fully realised that after doing a password reset anyway.  Had me scratching my head for a few minutes.  I don't use MyServers, so I was unaffected by that side (not sure whether I would have been or not...)  

Link to comment
26 minutes ago, kennymc.c said:

But this way also someone else with access to my mail account can get the token to deactivate MFA. This person could also already have the password of the account. That would defeat the whole purpose of MFA.

 

It is a strange design decision by Amazon Cognito for sure. MFA on your email will help protect against loss of your email account.

Link to comment
1 hour ago, terag1e said:

I got signed in, changed password and everything appears to work as intended. Whilst I was changing things, I also decided to change the email address associated with the account. Unfortunately I got caught up in a vicious circle - change email, which requires re-authenticating, which uses the old email; the screen says the email was changed, I get an email change notification at the new e-mail, but it will only accept my old credentials when re-logging in. Rinse and repeat. No joy.

 

Sorry for your issues, but thanks for sharing them. You saved me and likely others a ton of headache.

 

I was going to do the same thing, since it took me 5 different "reset password" cycles until I got the email address actually used for unraid. However I felt "Nah, I've already had to jump through so many hoops already, I'll save that for another day".

 

I'll save changing the email address for after someone says they were able to complete the process without issue.

Link to comment

There are definitely some compatibility issues with Safari on macOS. I first signed out in Safari. I used Chrome, signed in successfully, enabled MFA using Bitwarden. Then switched back to Safari and signed back in. I was prompted for the code and signed in successfully. On Safari when I go to manage my Unraid.net account it shows that MFA is disabled while Chrome shows it's enabled.

 

Safari is my primary browser on my Mac since I use iDevices and it's just easier so that I have the same bookmarks on all my devices. Most things work fine on Safari. I only have Chrome on my Mac just in case something isn't working correctly.

Link to comment
14 hours ago, JamieV said:

Why on earth are you implementing archaic complexity requirements? Do you not follow the best practices for Identity - password complexity DOES NOT improve security, in fact there is strong evidence to prove it weakens security. 

 

Please, please, please, follow best practices:

Use a minimum password length of at least 12 and maximum at least 64

Drop complexity requirements

Check passwords against a compromised password list (e.g. haveibeenpwned.com)

Encourage the use of pass phrases. "robot banana gunmetal" is a lot more secure than "Pa$$w0rd1" which meets your complexity rules - https://haveibeenpwned.com/Passwords

 

Don't just take my word for it though:

https://letmegooglethat.com/?q=modern+password+requirements

 

These best practices do come with a caveat: using brute force alone, a 12 character password consisting of only upper and lower case English alphabet characters would take just over two years to crack on a single RTX6000. This time more or less scales downward linearly with the number of GPUs you add. This is just brute force. Rainbow table based dictionary attacks can throw the entire English dictionary and all documented first, last, middle, and pet names at the problem in a fraction of that time, and then start concatenating them together for additional attempts.

The best practices assume a well designed validation model. Per-user time delay login attempt lockouts (Too many failed attempts! Try again in 15 minutes!) increase the time to crack exponentially. 2FA also practically eliminates brute force as an attack vector.

P.S. @ljm42 the site you linked would seem to suggest that cracking even just a 12 character Upper/Lowercase password is sufficiently complex for most users. It's using some pretty outdated data that doesn't take GPU compute into account, or rainbow tables though.

Link to comment

As the documentation pointed out that this was also for the My Servers plugin I signed out of it on my Unraid server and now cannot sign back in.  Have tried email address as preferred in the new method and my username as was done before.  I have also submitted this case through the support form via the plugin.

Link to comment
15 hours ago, ljm42 said:

> Drop complexity requirements

 

We realize that complexity requirements are controversial. But upper/lower/number doesn't seem that harsh? The good news is that phrases still work, you just need to tweak them slightly. Here is a site that shows how poor an all lowercase 12 character password is, and the value of using a larger character set:
  https://passwordbits.com/password-cracking-calculator/ 

 

 

It is not controversial, it is wrong. Your calculator is just that, a calculator that states how many combinations there are available. Unfortunately, by enforcing complexity you have just removed any password from the available pool that does not meet your complexity requirements and drastically reduced the amount of time needed. However, this is pretty moot now as brute force password cracking is only really available once the password DB has been obtained. Most online compromises are now performed by using password breach lists (password spray attacks) so checking that passwords are not on a breach list is really important - you are not doing this. The password Mississippi1 complies with your complexity rules and can be set as a password but it exists in the top 100 most common passwords.

 

Removing complexity makes passwords easier to remember and encouraging pass phrases makes passwords easier to remember and harder to crack. Users mostly do the same thing when they create a password with complexity, they add a number to the end, or a ! and the bad actors know this. 

https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

What can you do to improve:

  • Add federation to allow use of Google, Microsoft or Apple accounts to sign in - one less password for a user to remember and these companies are very good at security.
  • Enable passkeys - the next gen in internet security.
  • Add compromised password checking - use a service such as https://haveibeenpwned.com/API/v3#PwnedPasswords which will stop any compromised password being set and thereby drastically reduce the success of password spray attacks.
  • Remove complexity to increase the available number of passwords and make them easier to remember.

 

Side note, happy to sell you some consultancy on this ;-)

 

 

  • Like 1
  • Thanks 1
Link to comment
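A defender-side sketch of the two checks proposed above (length bounds with no composition rules, plus a Pwned Passwords k-anonymity lookup), added here as an example and not code from Unraid or from anyone in the thread. The breach corpus and the range endpoint are constructed stand-ins for the real API; the client only ever sends the first five hex characters of the SHA-1 hash.

```python
import hashlib

MIN_LENGTH = 12
MAX_LENGTH = 64

# Constructed stand-in for the breach corpus behind Pwned Passwords
# (assumption: a real check would query the range endpoint at
# https://api.pwnedpasswords.com/range/<5-hex-char prefix>).
CONSTRUCTED_BREACH_CORPUS = {
    "Pa$$w0rd1": 4_000,
    "Mississippi1": 120_000,
    "password": 9_000_000,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_endpoint(prefix: str) -> str:
    """Server side of the k-anonymity query: every corpus hash whose
    first 5 hex chars match the prefix is returned as 'SUFFIX:COUNT'."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def breach_count(password, range_lookup=fake_range_endpoint) -> int:
    """Client side: only the 5-char prefix leaves the client; the
    remaining 35 chars are matched locally, so the full hash of the
    password is never transmitted."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def validate_password(password, range_lookup=fake_range_endpoint):
    """Length bounds plus breach check; deliberately no upper/lower/digit rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    if len(password) > MAX_LENGTH:
        problems.append(f"too long ({len(password)} > {MAX_LENGTH})")
    hits = breach_count(password, range_lookup)
    if hits:
        problems.append(f"appears {hits} times in breach data")
    return problems
```

With this policy the pass phrase "robot banana gunmetal" is accepted, while "Mississippi1" is rejected purely because it is in the (constructed) breach data, despite satisfying the upper/lower/number rule.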
8 hours ago, Xaero said:

These best practices do come with a caveat: using brute force alone, a 12 character password consisting of only upper and lower case English alphabet characters would take just over two years to crack on a single RTX6000. This time more or less scales downward linearly with the number of GPUs you add. This is just brute force. Rainbow table based dictionary attacks can throw the entire English dictionary and all documented first, last, middle, and pet names at the problem in a fraction of that time, and then start concatenating them together for additional attempts.

The best practices assume a well designed validation model. Per-user time delay login attempt lockouts (Too many failed attempts! Try again in 15 minutes!) increase the time to crack exponentially. 2FA also practically eliminates brute force as an attack vector.

P.S. @ljm42 the site you linked would seem to suggest that cracking even just a 12 character Upper/Lowercase password is sufficiently complex for most users. It's using some pretty outdated data that doesn't take GPU compute into account, or rainbow tables though.

 

Yes, you're correct but as you also say this is only really for brute force which assumes you have lost your password DB. Most attacks are either phishing or spray attacks now using compromised passwords.

 

Link to comment
9 hours ago, xlelx said:

As the documentation pointed out that this was also for the My Servers plugin I signed out of it on my Unraid server and now cannot sign back in.  Have tried email address as preferred in the new method and my username as was done before.  I have also submitted this case through the support form via the plugin.

I have exactly the same issue and can't use the plugin.

 

edit: problem solved. Support told me to reinstall the plugin / use the terminal of the browser.

Edited by Civic1201
  • Thanks 1
Link to comment

Ugh... 20 minutes of fighting logins and pw reset nonsense and I finally got in. Now, I can't set up 2FA - how long do we expect it to sit at "Enabling MFA"? It seems stuck, but won't give an error or progress, and refreshing the page just puts me back into a holding pattern. Seems like others are having trouble with MFA 'sticking' once set up, anyone got a tip on how to get this entirely frustrating "improvement" moving forward?

Link to comment
10 hours ago, xlelx said:

As the documentation pointed out that this was also for the My Servers plugin I signed out of it on my Unraid server and now cannot sign back in.  

 

There is a potential issue where the My Servers plugin might be referencing an old file that is cached locally. I'd recommend uninstalling/reinstalling the My Servers plugin to resolve that issue.

Link to comment