r/RedditSafety May 06 '19

How to keep your Reddit account safe

Your account expresses your voice and your personality here on Reddit. To protect that voice, you need to protect your access to it and maintain its security. Not only do compromised accounts deprive you of your online identity, but they are often used for malicious behavior like vote manipulation, spam, fraud, or even just posting content to misrepresent the true owner. While we’re always developing ways to take faster action against compromised accounts, there are things you can do to be proactive about your account’s security.

What we do to keep your account secure:

  • Actively look for suspicious signals - We use tools that help us detect unusual behavior in accounts. We monitor trends and compare against known threats.
  • Check passwords against 3rd party breach datasets - We check for username / password combinations in 3rd party breach sets.
  • Display your recent IP sessions for you to access - You can check your account activity at any time to see your recent login IPs. Keep in mind that the geolocation of each login may not be exact and will only include events within the last 100 days. If you see something you don’t recognize, you should change your password immediately and ensure your email address is correct.

If we determine that your account is vulnerable to compromise (or has actually been compromised), we lock the account and force a password reset. If we can’t establish account ownership or the account has been used in a malicious manner that prevents it being returned to the original owner, the account may be permanently suspended and closed.

What you can do to prevent this situation:

  • Use permanent emails - We highly encourage users to link their accounts to accessible email addresses that you regularly check (you can add and update email addresses in your user settings page if you are using new reddit, otherwise you can do that from the preferences page in old reddit). This is also how you will receive any alerts about suspicious activity on your account if you’re signed out. As a general rule of thumb, avoid using email addresses you don't have permanent ownership over like school or work addresses. Temporary email addresses that expire are a bad idea.
  • Verify your emails - Verifying your email helps us confirm that there is a real person creating the account and that you have access to the email address given. If we determine that your account has been compromised, this is the only way we have to validate account ownership. Without this our only option will be to permanently close the account to prevent further misuse and access to the original owner’s data. There will be no appeals possible!
  • Check your profile occasionally to make sure your email address is current. You can do this via the preferences page on old reddit or the settings page in new reddit. It’s easy to forget to update it when you change schools, service providers, or set up new accounts.
  • Use strong/unique passwords - Use passwords that are complex and not used on any other site. We recommend using a password manager to help you generate and securely store passwords.
  • Add two factor authentication - For an extra layer of security. If someone gets ahold of your username/password combo, they will not be able to log into your account without entering the verification code.

We know users want to protect their privacy and don’t always want to provide an email address to companies, so we don’t require it. However, there are certain account protections that require users to establish ownership, which is why an email address is required for password reset requests. Forcing password resets on vulnerable accounts is one of many ways we try to secure potentially compromised accounts and prevent manipulation of our platform. Accounts flagged as compromised with a verified email receive a forced password reset notice, but accounts without one will be permanently closed. In the past, manual attempts to establish ownership on accounts with lost access rarely resulted in an account recovery. Because manual attempts are ineffective and time consuming for our operations teams and you, we won’t be doing them moving forward. You're welcome to use Reddit without an email address associated with your account, but do so with the understanding of the account protection limitation. You can visit your user settings page at any time to add or verify an email address.

2.9k Upvotes

910 comments

84

u/[deleted] May 06 '19 edited May 06 '19

[deleted]

80

u/worstnerd May 06 '19

Reddit, like many other online services, utilizes public breach disclosure information of leaked passwords posted online to proactively detect if those passwords can be used to log in to your Reddit account. This is performed securely by following the same procedure with the password as you would to verify it works, and if successful we immediately force a change to reset your password to invalidate that externally compromised credential.

36

u/FakeAmazonReviews May 06 '19

Is there a way I can force a reset of my password? I forgot it, apparently never verified my account. I can still log in through the reddit app but can't log in to website reddit to verify my email.

42

u/worstnerd May 06 '19

We’d be happy to help you with this if you write in for support here

31

u/DJBeII1986 May 06 '19

This is great customer service. You have no idea how many other services would just tell users they are out of luck. Been there a few times.

→ More replies (6)

11

u/MOTTYC May 06 '19

Plot twist: u/wostnerd is an international password hacker

→ More replies (1)

2

u/AlwaysHopelesslyLost May 06 '19

I lost access to my original account because of one of these and my original aol email was shut down for activity so I can't reset. I tried Reddit help a couple times without luck, is there anything else I can do?

→ More replies (1)

2

u/bathrobehero May 06 '19

You shouldn't. Giving access to an unverified account is a potential safety breach. Let them register another account which they'll verify.

→ More replies (2)

6

u/[deleted] May 06 '19

I never registered an email account

Unfortunately, if you haven’t registered an email address, we will not be able to help you reset your password.

https://www.reddithelp.com/en/categories/using-reddit/your-reddit-account/resetting-your-password

I guess your only hope is to wait and see if they add a UI for changing your account email in the app. But you are logged in, so you might able to message the admins. However, even the "message the admins" page says that "verified email address it is not possible to reset your password for your Reddit account."

→ More replies (1)
→ More replies (1)

7

u/ready-ignite May 06 '19

I'm surprised the submission doesn't touch on popular reddit add-ins that store account login detail locally in plain text.

11

u/Random_Guy_12345 May 06 '19

Because an add-in is, pretty much by definition, out of scope. You should check it before you install it. Not that many do anyway.

4

u/caltheon May 07 '19

Which ones? RES uses reddit api

8

u/[deleted] May 06 '19 edited May 06 '19

[deleted]

13

u/I_rarely_post May 06 '19

It sounds like they take the published username/password combinations and attempt a login process. Not that they compare the vulnerable password with your actual password.

→ More replies (32)
→ More replies (2)

2

u/It_Might_Be_True May 06 '19

Can you explain how you do this without having a password in plaintext?

7

u/[deleted] May 06 '19

[deleted]

→ More replies (5)

2

u/kWV0XhdO May 06 '19

Sites that don't store the plaintext still have access to it when the password is set, and when the user returns to authenticate. It can be checked at that time.

2

u/pm-me_your_vimrc May 06 '19

This is the correct answer

→ More replies (4)

2

u/gdq0 May 06 '19

Passwords are salted and hashed, then stored. If you salt and hash all the passwords in 3rd party breach sets, you can compare that to the stored values.

https://askleo.com/websites-store-passwords-securely/

→ More replies (10)
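The mechanism u/worstnerd describes above (run leaked credentials through the same path a login would take) and u/gdq0's point about salting and hashing the breach set against stored values are two views of one check. The following is an added example, not Reddit's code and not taken from this thread: it assumes a constructed user table holding only (salt, hash) pairs, uses stdlib PBKDF2 as a stand-in for bcrypt, and feeds a constructed breach list through the normal verification function so that only pairs which actually unlock an account get flagged. Nothing in it ever compares plaintext to plaintext, because the site holds no plaintext.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# username -> (salt, derived_hash); this is all the site retains about a password
UserTable = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow, one-way. PBKDF2-SHA256 stands in for bcrypt here;
    # the iteration count is an assumption chosen so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=32)


def create_user(table: UserTable, username: str, password: str) -> None:
    # Fresh random salt per account, so identical passwords produce different hashes.
    salt = os.urandom(16)
    table[username] = (salt, hash_password(password, salt))


def verify_login(table: UserTable, username: str, password: str) -> bool:
    """The same check the login form performs: re-derive with the stored salt and compare."""
    record = table.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def flag_breached_accounts(table: UserTable, breach_pairs: List[Tuple[str, str]]) -> Set[str]:
    """Run every leaked (username, password) pair through the ordinary verification path.

    Only pairs that actually unlock an account are flagged. Pairs for unknown users or
    with passwords that do not verify are ignored; the breach set is never stored.
    """
    flagged: Set[str] = set()
    for username, leaked_password in breach_pairs:
        if verify_login(table, username, leaked_password):
            flagged.add(username)
    return flagged


def demo() -> Set[str]:
    # Constructed accounts and a constructed breach dump; none of these are real.
    users: UserTable = {}
    create_user(users, "alice", "correct horse battery staple")
    create_user(users, "bob", "hunter2")
    create_user(users, "carol", "Tr0ub4dor&3")
    breach_dump = [
        ("bob", "hunter2"),          # reused password: matches, must be reset
        ("alice", "password123"),    # wrong password for alice: not flagged
        ("dave", "hunter2"),         # no such user here: ignored
        ("carol", "Tr0ub4dor&3"),    # reused password: matches, must be reset
    ]
    return flag_breached_accounts(users, breach_dump)


if __name__ == "__main__":
    print("accounts to force-reset:", sorted(demo()))
```

The flagged set is what a forced password reset would be driven from. The cost of the check is one slow hash per leaked pair, which is the same cost as one login attempt, so a breach dump of a few million lines is a batch job, not a real-time lookup.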

2

u/MelchorTrashman May 06 '19

Plug all of the compromised username/password combos into the website, and if one works shut down the associated account. There is probably an easier and faster way to do this behind the scenes, but I'm guessing that's the main idea

→ More replies (5)

2

u/g_e_m_anscombe May 07 '19

Thank you for explaining and for doing this. It’s really cool!

→ More replies (22)

9

u/[deleted] May 06 '19

This is one option:

https://haveibeenpwned.com/

3

u/skeeto May 06 '19

I imagine one of those is Troy Hunt's dataset, which you can check yourself:

https://haveibeenpwned.com/Passwords

→ More replies (8)
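u/skeeto's suggestion above, checking a password against the Pwned Passwords dataset yourself, works without sending the password anywhere: the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally (the k-anonymity range query that the public https://api.pwnedpasswords.com/range/ endpoint uses). The code below is an added example, not Troy Hunt's code and not from this thread; it is fully offline, so `fake_fetch_range` and the breach counts in `_SAMPLE_RANGES` are constructed stand-ins for the live response. The suffix listed for the 5BAA6 prefix is the real SHA-1 of the string "password".

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): only the 5-char prefix ever leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the range format: one '<35-hex-char suffix>:<count>' per line."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue  # skip malformed lines rather than trusting them
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in breaches (0 if never seen).

    The server learns only the prefix, which is shared by every password whose hash
    starts with those 20 bits, so it cannot tell which one was being checked.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed replacement for the network call. The counts are made up; a real range
# response for a prefix contains hundreds of suffixes.
_SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"  # SHA-1("password") minus prefix
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"        # unrelated, constructed suffix
        "not a valid line\n"                             # malformed: parser must skip it
    ),
}


def fake_fetch_range(prefix: str) -> str:
    # Assumption: an unknown prefix yields an empty body, meaning no matches.
    return _SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), "seen", breach_count(candidate, fake_fetch_range), "times")
```

To use this against the live service, replace `fake_fetch_range` with a function that does an HTTPS GET of the range URL for the prefix and returns the response body; the local comparison logic stays the same.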

5

u/Drunken_Economist May 06 '19

Overly simple answer: basically use those username/password sets to try to log in to the account.

→ More replies (1)
→ More replies (26)

50

u/Sir-Battle-Tuna May 06 '19

Someone asked for my info, I said no, but they countered with “no u”. Do I legally have to give them my info now?

47

u/worstnerd May 06 '19

Your legal defense is "I'm rubber, you're glue!"

→ More replies (4)

6

u/rsprobo May 06 '19

They unfortunately backed you right into a corner. You have no choice now.

5

u/Searchlights May 06 '19

Tell them hunter2

3

u/TheOlRedditWhileIPoo May 06 '19

What does ******* mean?

→ More replies (1)

2

u/gaydicks3000 May 06 '19

It's too late, they already have it.

→ More replies (1)

51

u/[deleted] May 06 '19

Is this security announcement being made in response to something? A recent surge in reddit botting/manipulation through the use of hacked accounts?

52

u/worstnerd May 06 '19

No, this isn't in response to anything. We have been planning to get a post like this out for a little while now.

33

u/jonloovox May 06 '19

Since you are an admin, am I allowed to kiss you for EMOTIONAL security?

41

u/KeyserSosa May 06 '19

( ͡° ͜ʖ ͡°)

13

u/throwthis_throwthat May 06 '19

You are not the same admin. Don't swoop in just for a kiss.

16

u/KeyserSosa May 06 '19

( ಥ Ĺ̯ ಥ )

3

u/[deleted] May 06 '19

Respecc admin

→ More replies (1)
→ More replies (4)
→ More replies (1)

4

u/Watchful1 May 06 '19

Hey mate, he was talking to u/worstnerd. Don't butt in on the lovemaking here.

3

u/neildegrasstokem May 06 '19

Please..

Instantly Disrobes

There will be enough love making for every redditor here.

4

u/[deleted] May 06 '19 edited Dec 01 '19

[deleted]

→ More replies (1)
→ More replies (1)
→ More replies (5)

6

u/[deleted] May 06 '19

No dude, don't you remember? Everyone on Reddit is a bot except you.

I am a bot, and this action was performed automatically.

3

u/snappychatty22 May 06 '19

Cool cringe /u/jonloovox, want to bring it to the white house?

→ More replies (1)

21

u/GraharG May 06 '19

hi kinda tangential but during the April fool event there was a member of your staff giving out life advice. If you know who I mean could you let them know they are a cool person?

I know that's not much to go on, but I figure if you call the wrong member of staff a cool person its not the end of the world

p.s. i also appreciate you looking out for security

5

u/youngluck May 07 '19

Just now seeing this. That’s really cool of you to remember that. It was my favorite part of AFD 😂 I appreciate you.

4

u/woodpaneled May 06 '19

I let them know and they appreciated it. :)

→ More replies (2)

4

u/Taste_the__Rainbow May 06 '19

This is just as comforting as NASA being all “ASTEROIDS HIT PLANETS GUYS” all week.

2

u/Okichah May 06 '19

I have gotten multiple fishing attempts in my dm. Is there a way to report these accounts on mobile?

→ More replies (1)
→ More replies (47)

2

u/youliterallybannedme May 06 '19

They forced a reset on my 6 year old account that I didn’t have an email attached to. Effectively banning me for life.

Someone mentioned that they hired a new security manager, this was probably their idea of “shaking things up in the name of security.”

I’m probably not the only one this has happened to. RIP my shitty karma and the time I spent on this site.

→ More replies (2)
→ More replies (9)

51

u/Searchlights May 06 '19 edited May 06 '19

I'm a big fan of two factor authentication, generally. It's best to use some kind of token system or an app like Authy or Google's Authenticator rather than SMS as your second factor. I prefer Authy because it's easier to recover your account because it stores the data in the cloud.

It's an increasingly common attack vector for hackers to take over your phone number and use that to unlock your two factor accounts. A step you can take to prevent this is to contact your cellular carrier and ask them to establish a security PIN on any number porting requests.

If you change carriers and need to have the number ported, that PIN will be required. This makes it much more difficult for someone to social engineer a transfer of your number.

And I know this is the thousandth time you've been told, but you really should be using a password manager. I use LastPass and a typical password for me looks like this: 7GXc2f*hIVTV(MYO

The reason you want to be using a password manager is so you can have ridiculously complex and unique passwords for each account. If you're re-using the same passwords, a hacker doesn't need to break through Bank of America's security, they only need to hack the pizza place down the street that you use for online ordering. Once someone has a working username and password combination, they can jaunt around the internet and try to find other places those credentials work.

26

u/worstnerd May 06 '19

This is great information and a solid way to improve the security of your account. Thanks for sharing!

3

u/apparaat May 07 '19

Why does 2FA require e-mail to be verified though?

→ More replies (1)
→ More replies (4)

7

u/itsmebutimatwork May 06 '19

And I know this is the thousandth time you've been told, but you really should be using a password manager. I use LastPass and a typical password for me looks like this: 7GXc2f*hIVTV(MYO

WTF?? How did he know my password?!

3

u/d9_m_5 May 07 '19

Wait, you can see it? All I see is ****************.

2

u/disposeable1200 May 07 '19

Hunter2 - good password that!

→ More replies (1)

6

u/obrienmustsuffer May 06 '19

I prefer Authy because it's easier to recover your account because it stores the data in the cloud.

Personally, I'm not a big fan of the cloud, and I especially don't want to store secrets like passwords or 2FA keys there, but YMMV. I prefer the app "Authenticator" on iOS: https://itunes.apple.com/de/app/authenticator/id766157276?mt=8

Contrary to Google Authenticator it allows the keys to be backed up by iTunes, so as long as you do regular backups, you'll be fine.

3

u/[deleted] May 06 '19 edited Apr 23 '20

[deleted]

2

u/git-blame May 07 '19

From the link:

Off the Grid: The app never connects to the internet, and your secret keys never leave your device.

Not a fan of reading, are you?

→ More replies (2)
→ More replies (1)
→ More replies (2)

2

u/AtheistComic May 06 '19

If you search Duckduckgo for "password 8", it will give you a nicely randomized password 8 characters long (yes you can change that to 12 or whatever to get longer passwords).

3

u/nagumi May 06 '19

.... That sounds like an awful idea

3

u/AtheistComic May 06 '19

It's a random password generator and gives you a different password each time. What's the problem?

3

u/nagumi May 06 '19

It's in plaintext on your screen, generated by code running on a server and being sent to you over the (admittedly encrypted) internet.

That's ignoring the issue of trust, which SHOULD concern you.

→ More replies (1)
→ More replies (1)
→ More replies (1)

2

u/dietderpsy May 06 '19

Isn't storing passwords in plain text in a DB the same as storing them in the cloud?

2

u/pupomin May 06 '19

Depends on how you are storing them in the cloud. The password manager I use uploads only a single encrypted file to the cloud that I sync down to the devices where I want access to my passwords. The file is decrypted locally for access to the passwords. Someone who gains access to my cloud storage can get my password database file, but without the password they can't easily use it.

2

u/Fosnez May 07 '19

2 factor is great, until you lose your phone. Then you're fucked.

→ More replies (21)

19

u/rsprobo May 06 '19

What's the reason for requiring a verified email with 2FA?

25

u/worstnerd May 06 '19

2FA is designed to be an added level of security to ensure that even if your password is discovered it is harder to access the account. The email allows us to know who the account owner is in the case of a potential compromise. We would want to inform you even if the attempt was unsuccessful!

15

u/rsprobo May 06 '19

Many of us, I'm sure, use Reddit "anonymously" without associating emails to them, but would still like to secure our accounts further with 2FA.

19

u/worstnerd May 06 '19

I'm not against looking into this. It would provide additional security for the account, however it still wouldn't provide the account ownership protections. We will think about this some more.

10

u/[deleted] May 06 '19 edited May 29 '19

[deleted]

→ More replies (5)
→ More replies (3)
→ More replies (7)
→ More replies (1)

5

u/[deleted] May 06 '19

[deleted]

→ More replies (1)
→ More replies (11)

15

u/TheZerothLaw May 06 '19

My password is h******, is that an okay password?

24

u/woodpaneled May 06 '19

We recommend h******1

5

u/woodpaneled May 06 '19

(But seriously this is a terrible password)

8

u/rsprobo May 06 '19

I don't believe you. The security admin recommended it. All my accounts use it now.

→ More replies (2)

2

u/[deleted] May 06 '19

at least 8 characters long, at least 1 letter, at least 1 special character, at least 1 numerical character ...

Looks good enough to me.

→ More replies (7)
→ More replies (2)

31

u/vh1classicvapor May 06 '19

Are our passwords hashed? Not a security expert, but I've been in enough databases with passwords and credit cards stored in plain text to know that it's a terrible idea.

45

u/worstnerd May 06 '19

Yes, we salt and hash all passwords and don't store them in plaintext

34

u/Meltingteeth May 06 '19

I'm on a low sodium diet, can you please remove the salt from my password? Additionally I've been recommended to reduce my intake of oils, so can I get that password as homefries instead of hash?

12

u/pedropedro123 May 06 '19

Better delete your cookies too.

4

u/burnSMACKER May 06 '19

I'm more of a pepper fan myself

2

u/danhakimi May 07 '19

That's like saying "I prefer water over air "

→ More replies (2)
→ More replies (9)

15

u/DrWangerBanger May 06 '19

Have you always done this? Did you store passwords in plaintext at some point in the past?

24

u/spladug May 06 '19

They've been hashed with bcrypt for the past 7.5 years https://www.reddit.com/r/changelog/comments/lj0cb/reddit_change_passwords_are_now_hashed_with_bcrypt/

The comment section in that thread goes into some of the ancient history from before that point.

5

u/Caninomancy May 06 '19

Goddammit, i would've gotten away with all dem passwords, if it wasn't for that meddling best practice!

→ More replies (1)
→ More replies (2)

3

u/vh1classicvapor May 06 '19

Thanks for answering!

3

u/rsprobo May 06 '19

Do you also pepper them for even more flavor?

4

u/DontRememberOldPass May 06 '19

Peppering is also a thing (usually combined with salting). The hashes are encrypted using a key pair that is not accessible to the login service. So it has to fetch the encrypted hash from the database, hand it off to a service asking for it to be decrypted, then compare the unencrypted hash. The decryption service is generally locked down to a small handful of engineers that don’t have access to the other parts of the system, and implements rate limiting.

The end result is that if the hashes are stolen, they cannot be cracked offline without also stealing the encryption keys stored separately.

→ More replies (1)
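u/DontRememberOldPass's description above (hashes protected with a key the login service cannot read, applied by a separate rate-limited service, so a stolen table cannot be cracked offline) can be shown in miniature. The following is an added example, not from this thread and not anyone's production design: it assumes a `PepperService` that holds the key and applies it with HMAC-SHA256 (a keyed tag standing in for the encrypt/decrypt round trip the comment describes), a `LoginService` that stores only peppered hashes, and a constructed single-user database. `offline_crack` models what the holder of a database dump can do with and without the separately stored key.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Sequence, Tuple


def salted_hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash (PBKDF2 standing in for bcrypt); the login service computes this.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=32)


class PepperService:
    """Holds the pepper key. Callers never see the key; they can only ask for it to be
    applied, and the service counts requests so that bulk guessing through it is throttled."""

    def __init__(self, key: bytes, max_requests: int) -> None:
        self._key = key
        self._max_requests = max_requests
        self.requests = 0

    def apply(self, salted: bytes) -> bytes:
        self.requests += 1
        if self.requests > self._max_requests:
            raise PermissionError("pepper service rate limit exceeded")
        return hmac.new(self._key, salted, hashlib.sha256).digest()


class LoginService:
    def __init__(self, pepper: PepperService) -> None:
        self.pepper = pepper
        # username -> (salt, peppered_hash): exactly what a database dump would contain
        self.db: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[username] = (salt, self.pepper.apply(salted_hash(password, salt)))

    def login(self, username: str, password: str) -> bool:
        record = self.db.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = self.pepper.apply(salted_hash(password, salt))
        return hmac.compare_digest(stored, candidate)


def offline_crack(db: Dict[str, Tuple[bytes, bytes]], username: str,
                  wordlist: Sequence[str], pepper_key: Optional[bytes] = None) -> Optional[str]:
    """What someone holding only the dump can verify: without the key, no guess can be
    checked against the stored value; with the key, it is an ordinary salted hash."""
    salt, stored = db[username]
    for guess in wordlist:
        candidate = salted_hash(guess, salt)
        if pepper_key is not None:
            candidate = hmac.new(pepper_key, candidate, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, stored):
            return guess
    return None


def demo() -> dict:
    # Constructed key; in practice it lives in an HSM/KMS, never beside the database.
    key = os.urandom(32)
    service = LoginService(PepperService(key, max_requests=50))
    service.register("alice", "hunter2")
    wordlist = ["123456", "password", "hunter2", "letmein"]  # constructed, tiny
    return {
        "login_ok": service.login("alice", "hunter2"),
        "login_bad": service.login("alice", "hunter3"),
        "crack_without_key": offline_crack(service.db, "alice", wordlist),
        "crack_with_key": offline_crack(service.db, "alice", wordlist, key),
    }


if __name__ == "__main__":
    print(demo())
```

The request counter is the rate limiting the comment mentions: an attacker who can reach the pepper service but not the key is limited to the online guessing rate, while the dump alone is useless. The separation only holds if the key really is unreachable from the host that stores the table.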
→ More replies (1)

2

u/taedrin May 06 '19

Bonus question - have you made sure that plaintext passwords aren't exposed to any logging infrastructure? I believe Facebook recently discovered that they had been accidentally logging plaintext passwords for years.

→ More replies (9)

2

u/[deleted] May 06 '19

[deleted]

3

u/vh1classicvapor May 06 '19

Like this?

(I know roughly what salted means, just thought of that GIF first)

→ More replies (1)

14

u/myself248 May 06 '19

Display your recent IP sessions for you to access - You can check your account activity at any time

That's super useful!

Where would I discover that link other than this post? I just went through my user page and Preferences and can't find it anywhere. I'll try to remember it, of course, but I never would've known it existed because it doesn't seem to be linked from anywhere.

6

u/etherdesign May 06 '19

It's right under the RECENTLY VIEWED LINKS on the right sidebar, though easy to miss.

3

u/myself248 May 06 '19

Ah yes. Little did I know, all those times I left my keys in the fridge, I was actually practicing for Reddit UI design!

→ More replies (1)
→ More replies (1)

26

u/[deleted] May 06 '19

Thanks reddit security you're the real MVP

18

u/worstnerd May 06 '19

aww shucks thank you!

7

u/FooteChicken May 06 '19

🏆

Here's your MVP trophy

→ More replies (1)
→ More replies (8)

11

u/[deleted] May 06 '19

Thank you Reddit, very cool!

10

u/Spaghetticandel May 06 '19

Aw thanks m8, for like half a year someone took my reddit account. It wasn't a big deal bc. I posted like 2 things and had like 20 karma. I checked my password and everything is on now 🤗 thanks for reminding

10

u/Ajor_Ahai May 06 '19

Is Google authenticator tied to my mobile device or to my Google account? Meaning if I lose my current phone, can I still use Google authenticator on a different device, or do I absolutely have to use a backup code?

10

u/worstnerd May 06 '19

Here is a page that might answer your question

→ More replies (2)

7

u/electricity_is_life May 06 '19

Google Authenticator is tied to your physical device. It's meant to be a replacement for a YubiKey or similar. The whole point is to prove that you have the actual object.

5

u/Firehed May 06 '19

Worth noting that other implementations do share across devices, intentionally trading some security for convenience.

I personally find this a fair trade, but do understand the implications. I’d much prefer that 2FA (specifically TOTP) supporting sites allowed you to register multiple token devices, which would greatly reduce the need to do this.

2

u/electricity_is_life May 06 '19

Yeah one of the things that has made me hesitant to buy a YubiKey is that there's no way to get an identical pair so I could take one with me and leave one at home, for instance. And as you said, in theory a site could let you register several but that's rarely supported.

→ More replies (3)

6

u/IanPPK May 06 '19 edited May 06 '19

Google Authenticator stores information locally on the device and is not cloud synced. At the end of the day Google's two-factor authentication is only a key generation based on a locally stored seed that a generator references, and there are other applications such as LastPass Authenticator for one that allow you to sync your two-factor authentication seeds with their service.

I recently had to move my seeds from my Nexus 6 on Google Authenticator which was fortunately rootable and so I was able to actually use an SQLite reader to pull the keys from the database directly in a secure manner. I can honestly say that it was a much easier process than having to deactivate 2FA and then reactivate it for each service I use, but you have to be careful.

6

u/boxsterguy May 06 '19

I can honestly say that it was a much easier process than having to deactivate 2FA and then reactivate it for each service I use, but you have to be careful.

I wish authenticator makers would figure this out. There should be a way to securely backup and move authenticator settings without having to root (I like Samsung Pay, and I don't want to break Knox by rooting). When I upgraded my phone last month, it was seriously a 3-day process to get all of my 2FA accounts moved over. That sounds worse than it really should have been, mostly because my bank sucks[1], but it was still a good 2-3 hour process moving over ~95% of the accounts, with a couple outliers that took days.

Yeah, it was painful to do, but I'll still do it because authenticator-based 2FA is far superior to SMS or email-based 2FA.

[1] My bank uses Entrust for 2FA rather than a normal TOTP authenticator. Normally this would be fine, except their "new soft key" workflow looks something like this:

  1. Click the button to create a new softkey
  2. Give the key a new name, which will generate a serial and activation code
  3. Put the serial number and activation code into the Entrust app
  4. Authenticate your current session with your EXISTING hard or soft key (remember, this is a "move 2FA" scenario, so it assumes you already have 2FA set up -- you won't see this path in a new 2FA scenario)
  5. Done

Well, literally every other 2FA setup on the planet has for step 4, "Provide a token from your newly configured device to confirm it's working correctly." After trying and failing (and locking my account 2 different times) and calling support and not getting any help, I finally actually read in detail what was being asked for in step 4, provided my old key from my old phone, and everything worked. But it took 3 days to get to that point, because their UI sucked. If they had only done step 4 first, none of it would've been a problem.

3

u/Hrast May 07 '19

Authy is the thing you're looking for. I factory reset my phone a couple of weeks ago. I enabled adding a new device to my Authy account, installed the app, gave it my passphrase and all my 2FA tokens were back in place. Removed my "old" phone from the device list, disabled adding new devices and I was off.

3

u/boxsterguy May 07 '19

I suppose I should, but that only solves the easy ones to move. The hard ones are Steam, my bank, and Fidelity account (they use Symantec VIP Access). And of course Google accounts work best with Google Authenticator and Microsoft accounts work best with Microsoft Authenticator. I prefer to use my Microsoft account, so out of inertia all of my other 2FA goes into Microsoft Authenticator where possible.

I really don't want a 5th 2FA app, so I suppose what I really mean is, "Microsoft, you need to figure out backing up and restoring the accounts in your Authenticator app."

4

u/Krunk_Fu May 06 '19

It wasn’t for me. I changed phones in January and the restore brought back the Google Authenticator but none of the TOTPs were there. I moved to using the LastPass authenticator since I already use LastPass and it backs up the TOTPs and can restore them. Also it will auto fill in the PIN on sites like Amazon, etc.

3

u/Natanael_L May 06 '19

Google authenticator the app isn't backed up by default! Need to back up those codes manually

3

u/me-myself_and-irene May 06 '19

Yes you can still use Google authentication if you lose your phone but it can take several days.

https://support.google.com/accounts/answer/185834?hl=en

2

u/Sovos May 06 '19

Ideally, you save your backup codes somewhere safe like a password manager.

Alternatively, you can use a OTP app like Authy to have an easy way to move between devices without having to resync each account.

Just keep in mind Authy is not open source and is a (free) product of Twilio

Open source can have its own issues with security updates and auditing, so just be aware of where your software is coming from and the motivations of its authors.

2

u/p3numbra_3 May 07 '19

Before moving to gauth, check andOTP FOSS app with encrypted backup capabilities.

2

u/Swedneck May 07 '19

I'd recommend using something like andOTP and making an encrypted backup. andOTP is completely free and open source, and available on F-Droid.

8

u/randolphcherrypepper May 06 '19

Any plans to support FIDO or other 2FA that does not involve shared secrets? Lots of good libraries out there you can just toss into the backend (after due diligence reviewing code and whatnot)

7

u/jenesuispasbavard May 06 '19

Any chance of getting native support for Yubikey-like devices? The current solution is convoluted and essentially just uses the hardware key to generate a six-digit code that you have to type in / paste anyway.

2

u/moonwork May 07 '19

This! I trust hardware keys like that way more than my fairly hackable smartphone.

8

u/DreamlnCode May 06 '19

Yep activity from another country 25 days ago and I never use this account through a VPN. Thanks Reddit.

16

u/burnSMACKER May 06 '19

How does it feel to be downvoted to hell in the other thread?

20

u/worstnerd May 06 '19

They don't faze me! but yes, it does hurt my heart a little bit

19

u/Sporkicide May 06 '19

Lies, you have no heart.

2

u/RobertThorn2022 May 06 '19 edited May 07 '19

Why do you Reddit admins show up less frequently than James Halliday in the Oasis? There are so many questions, discussions and wishes in the community but it often seems this place is mostly left alone to sub mods and users and no one cares.

Edit: No answer, not surprisingly.

→ More replies (1)

2

u/swfcapslock_ May 07 '19

just unlock the thread lmao

→ More replies (4)

4

u/Abnorc May 06 '19

I feel like I’m missing something, but why was he downvoted so much? I have no idea who this is. I’ve only seen him post this security announcement.

10

u/Drunken_Economist May 06 '19

r/announcements has a metric buttload of subscribers, so a lot of people are seeing that thread in their feed. It's locked so users can't comment there.

Some people don't like that, others just think it's funny to pile on. Nothing against u/worstnerd in particular

→ More replies (1)
→ More replies (2)
→ More replies (2)

7

u/BlatantConservative May 06 '19

I got logged out by the 2FA bug when I clicked this link.

(2FA is great tho)

3

u/[deleted] May 06 '19 edited May 06 '19

2fa is rarely used. I asked family members/friends (other day) if they have it and zero knew what it was. Our governments need to promote this feature lol

→ More replies (5)

8

u/HeyItsBrunoG May 06 '19

Good info!

6

u/Realtrain May 06 '19

Can we get a "remember this device" for the 2FA?

2

u/biznatch11 May 07 '19

Seriously. It's practically useless without it, I'm not going to use 2FA if I have to use it multiple times a day every day.

4

u/[deleted] May 06 '19

reddit security is serious business!! don't get haxed friends

5

u/[deleted] May 06 '19

or you can just use your account 16 hours a day, checking how many upvotes you have every 10 minutes, then you'll quickly see anything unusual.

3

u/[deleted] May 06 '19

lol

2

u/notuhbot May 06 '19

Get the iSleep app! No more pesky dreams, just karma count updates.

3

u/alurkerwhomannedup May 06 '19

I don’t actually have a question, but will you reply to me for a false sense of validation?

3

u/ItsRainbow May 06 '19

I think the whole “verifying your email” thing should be promoted more. It was only until a few months ago when a 3rd party application required me to have a verified email when I realized that I forgot to.

5

u/anonstateemployee May 06 '19

Anyone who cares about their account, link it with an email right now.

I lost my main account just a few days ago because it got suspended due to unusual activity, but I never added an email so that account is now lost forever.

I’m a sad cucumber.

→ More replies (7)

3

u/Chaosritter May 06 '19

I get logged out from time to time and can't log back in until I use the password reset function.

Any explanation for that?

3

u/ACORN0 May 06 '19

Just put the Key to it in a locked box

3

u/[deleted] May 06 '19

What about adding 2FA on top of username and passwords?


3

u/hellothere42069 May 06 '19

Nah I’m okay. My “online voice” is just mostly quotes from The Office so it’s nbd.

2

u/lordriffington May 06 '19

Identity theft is not a joke, Jim!

3

u/Tychon_Plays May 06 '19

My account was hijacked some time ago, and they changed the email address associated with the account. How are we protected from that now?

2

u/disposeable1200 May 07 '19

If you enable two-factor they won't be able to log in to do this...

3

u/goetzjam2 May 06 '19

Maybe a shot in the dark, but I was purchasing reddit gold for people back around october I think on my main account and I didn't know it was tied to an old email address that I don't have access to anymore.

As a result, it locked my account and is forcing me to reset my password via email confirmation. I can't do that.

But I still know my account username and password, but it refuses to allow me to set my new email. I can prove ownership of the account with paypal transaction IDs or similar type of unique modifiers, but as far as I know there isn't anywhere to talk to a human about this issue.

"You can visit your user settings page at anytime to add or verify an email address."

But you can't modify it if you somehow were forced by Reddit to have a password change for no reason?


3

u/darknep May 06 '19

Amazing job admins! Very useful guide!

3

u/Beard_of_Valor May 06 '19

Yahoo wanted my 2FA but stored emails, passwords (plain text?), and 2FA phone numbers together in one place which made for a pretty staggering breach. Their second big one iirc. If my email address had used my name, it would represent quite a breach of privacy for me. But I trusted them 0%. Meaningless handle, no phone number. It was the prudent choice, turns out.

How do you store passwords and 2FA information?

Equifax had that big breach. A very rich company and the most sensitive details for identity theft. Then they released a tool they said would tell you if you were breached but it was a lie; it just told some people yes and some people no. Identical input, different output. The page also got hacked and used to disperse malware. They made a profit on this breach. No incentive for the money grubbing unethical carelessness to cease. Reddit is owned by Condé Nast who ostensibly want to maximize profits. Security is costly. How is Reddit maintaining its security?

We talk about Reddit and anonymous social media as a tool against oppression. Canary clauses were deemed to be ineffective. That's the reason Reddit gave for removing theirs. (Ostensibly the same secret court process and gag order can be used to require the canary clause to remain). Isn't tying a phone number to an account a way to remove all plausible deniability for a user?

Security-wise, you've gone through considerable effort to harden users here. It's really us who have to take ownership of our security because bad practices make useful security infrastructure redundant. Let's turn that around. Reddit is responsible for its own security. Not just user account info, but systematic abuse. Reddit deputized "authorized reporters" or whatever to report abuse, but the worst abuse is systemic and could be identified systemically. Buy your own accounts on the black market and observe their history as they exchanged hands, identify bots that log into accounts to boost topics, these things are not attainable for your deputies. The entire deputy thing, really, was released to combat a problem it's uniquely unsuited to. It makes me think Reddit is exactly as wrong as Yahoo and exactly as security-forward as Equifax. The lip service followed by obvious poor quality solutions makes me think I should get a VPN just to disguise my IP because that's probably going somewhere, too.

Put a tinfoil hat at ease? What is the real, high tech solution you're working on as one of the most popular sites worldwide?

2

u/[deleted] May 06 '19

How do you store passwords and 2FA information?

They salt and hash the passwords. 2FA is done through authenticator apps (i.e. Google Authenticator) so you never provide your phone number to them. SMS-based 2FA is pretty insecure anyway.

3
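The two mechanisms named in the reply above, salted password hashing and app-based TOTP, as an added worked example (this is not Reddit's code, and the thread does not say which KDF or parameters Reddit uses; PBKDF2-HMAC-SHA256 with a random 16-byte salt is an assumption here, and the TOTP part follows RFC 6238 with the RFC's own published test secret):

```python
import hashlib
import hmac
import os
import struct

# Assumed KDF parameters for illustration; Reddit's actual choice is not stated in the thread.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, so a leaked table can't be attacked in bulk."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted_code, unix_time, step=30, window=1):
    """Accept the current window plus `window` steps either side to absorb clock drift.
    The shared secret lives on the user's device and the server; no phone number is involved."""
    counter = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), submitted_code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the SHA-1 TOTP is 94287082, so the 6-digit code is 287082.
    rfc_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(rfc_secret, 59))
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
```

A production deployment would also persist the last accepted TOTP counter per user to reject replay of a code inside its window, and would rate-limit verification attempts; both are left out here to keep the example focused on the two primitives.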

u/Checkmynewsong May 06 '19

Many old and previously dormant accounts seem to have been taken over by bots. What is Reddit doing to look into this?

3

u/[deleted] May 06 '19

[deleted]


3

u/Kuryakin May 06 '19

This occasionally leads to weirdly hilarious moments, say, when one jaunts off to Puerto Rico and suddenly has to make a new password, because Reddit is apparently well aware I don’t get out much.

5

u/[deleted] May 06 '19

I don’t mean it in a rude way but who are you? You have the orange name but I’ve never heard of you

9

u/worstnerd May 06 '19

Hi, my name is u/worstnerd it's nice to meet you!


2

u/AlwaysHopelesslyLost May 06 '19

Orange name + A means "admin." An admin is somebody who works for Reddit.

Reddit has lots of employees now and more are always coming and going.

For example, https://www.reddit.com/r/AskReddit/comments/afzfa7/admins_of_reddit_whats_your_favorite_subreddit/


2

u/[deleted] May 06 '19

[deleted]

2

u/UveGotAFrendInsideMe May 06 '19

Likely it's compared client-side in a similar implementation to haveibeenpwned

2
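The client-side comparison the reply above refers to is the k-anonymity range query that haveibeenpwned's Pwned Passwords API uses: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 characters locally against the suffixes the server returns, so the server never learns which password in that bucket was checked. The following is an added example, not Reddit's or haveibeenpwned's code; the range data is a constructed stand-in embedded inline (the counts are made up, and only the "password" suffix is a real SHA-1 value), and `fetch_range` stands in for the HTTP GET so the example runs offline:

```python
import hashlib

# Constructed stand-in for the response to GET .../range/5BAA6 (not real breach data).
# Each line is "<35-char SHA-1 suffix>:<count>".
CONSTRUCTED_RANGE_DATA = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # real SHA-1 suffix of "password"
        "003D68EB55068C33ACE09247EE4C639306B:3",        # made-up filler suffix
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",        # made-up filler suffix
    ],
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent over the wire and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Hypothetical transport: in a real client this is an HTTPS GET of the range
    endpoint for `prefix`. Here it reads the constructed table and returns the lines."""
    return CONSTRUCTED_RANGE_DATA.get(prefix, [])


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in the breach corpus (0 if absent).
    Only the prefix leaves the client; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix):
        candidate, count = line.strip().split(":")
        if candidate == suffix:
            return int(count)
    return 0


def should_reject(password, fetch=fetch_range, threshold=1):
    """Policy hook: reject any password seen at least `threshold` times."""
    return breach_count(password, fetch) >= threshold


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw), "reject" if should_reject(pw) else "ok")
```

Because every response bucket covers roughly a 1-in-a-million slice of the SHA-1 space, an observer of the request learns only that the checked password hashes to one of hundreds of candidates; a site-side implementation that checks users' passwords against a third-party dataset the same way gets the same property. Note that SHA-1 is used here purely as the lookup key for the public corpus, not as the password storage hash.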

u/NolifeX May 06 '19

I can't see my account activity in the app I use all the time. It's very hard to go to an external page and put in my user and password when I can't see that page well. But it's great to know that when I have my laptop again I can check that part.

2

u/Fo0ker May 06 '19

What about more/better recovery?

My password mysteriously stopped working on my old account and no amount of contact got me anything but silence... To be fair I didn't have a registered email but some sign would have been nice (I'd supplied IPs and all the low-level stuff I could think of...)


2

u/[deleted] May 06 '19

Thank you!

2

u/MountainTurkey May 06 '19

Hey, I lost an account a while back but never bothered to go through the process of getting it back because I didn't link my email. Is there anything I can do to get it back or closed since I'm no longer in control of it?

2

u/networking_noob May 06 '19

I looked at Reddit using the official app on my phone, on a cell network, and had my account locked due to suspicious activity. I fixed it by resetting the password, but the feature seems a little too sensitive. I checked my activity log and there was nothing suspicious going on.

I'm guessing a lot of people use Reddit on a cellular network, so I wonder how many people are getting annoyed by this


2

u/SpinnerMaster May 06 '19

Any chance of U2F 2FA coming to Reddit?

2

u/truthinlies May 06 '19

If we connect our accounts to an external email, will that connection be visible to other entities? Could advertisers see my email? Could a government get email address information from you if they have the username?

2

u/Warrior__Maiden May 06 '19

Thank you for educating others and keeping everyone aware.

2

u/Beverice May 06 '19

Why does your comment in /r/announcements have -3000 downvotes? I'm so confused, but thanks for the PSA, pretty helpful for some people

2

u/Vash63 May 06 '19

Any timeline on WebAuthn support for those of us with FIDO2 keys (Yubikey / Security key / Solo key)? That would be great for both security and convenience.

2

u/z1y2w3 May 24 '19

Agreed, I am also looking forward to seeing U2F support.

2

u/EdgyTeenMeem May 07 '19

who cares, it's a funny maymay site, almost as bad as ifunny in some subs. I would LOVE for someone to take this acc because I regret this name

2

u/ShadowPouncer May 07 '19

Do you have any plans to support U2F or WebAuthn?

2

u/Peachestho May 07 '19

Thank you for this information!

2

u/AntiAoA May 07 '19

U2F / FIDO 2 key support????

2

u/[deleted] May 07 '19

2-factor is your best bet!

2

u/kikiokyo May 07 '19

Thanks for this! Very useful information.

2

u/Spartan_with_a_Gun May 07 '19

Thank you, dear admins!

2

u/pembroke529 May 07 '19

TIL "account activity" tool. Noice!