Protecting access to user accounts and personal data on this site is of paramount importance to us all.
We have taken a number of steps to avoid the interception of data as it is transmitted across the Internet, and to prevent hostile actors from accessing site accounts.
You can read more about the techniques we have used below.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
- SSL is an encryption-based Internet security protocol, and the predecessor of the TLS encryption used today. A website that implements SSL/TLS has “https://” in its URL instead of “http://”.
- SSL/TLS encrypts data that flows between a user’s browser and this site. This means that anyone who tries to intercept this data will only see a garbled mix of characters that is nearly impossible to decrypt.
- That’s why we only allow access to this site through URLs that start with https://.
Captcha
- A Captcha test aims to determine if a user is a real person. Captcha stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.
- Captchas are used around this site at key points of interaction with the user.
- This site uses a simple Captcha test, asking the user to interpret an obscured image. Get it right and you carry on. Get it wrong, and you have to try again.
- This is enough to stop basic automated attacks, but it won’t stop advanced attackers.
- That’s why it’s not the only protection we have in place.
- Based on site configuration, this may be on or off.
Two Factor Authentication (2FA)
- 2FA is a method of adding additional security to your account.
- The first “factor” is your usual password, as with any account.
- The second “factor” is a one-time verification code, sent to a device that only you have access to.
- In many 2FA implementations, that one-time verification code is sent to your mobile via SMS. Unfortunately, SMS costs us money!
- For this site, we send you a one-time verification code by email. Only you should have access to your email address, so email 2FA is a good additional security layer.
- Based on site configuration, this may be on or off.
Accounts
- Registering for an account on the site requires the user to specify a username of their choice and an email address that they have access to. The username and email address must be unique across the site.
- Usernames must be at least a minimum number of characters long (the minimum is set by site configuration).
- The site will generate a random password and will email it to the user.
- They can change this random password to something easier to remember through their Profile page after successfully logging in.
Accessing an Account
- In order to access an account, the account holder first needs to enter their username and solve a Captcha.
- If the username doesn’t exist on the site, we won’t tell you. That way we are not helping hostile actors work out which usernames are valid ones to try to get access to.
- The site will then send the account holder a one-time verification code to the email address they registered with. If the user doesn’t have access to that email address, they won’t receive the one-time verification code and therefore won’t get access to the account.
- These one-time verification codes are time-limited: they only work for 10 minutes after they are issued, which limits the window in which a hostile actor could make use of an intercepted code.
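The account and login flow described in the two sections above, as an added example (not this site's own code): registration with a generated random password that is emailed to the user, a login request that returns the same message whether or not the username exists, and a one-time code that is stored only as a hash, expires 10 minutes after issue and works once. The code length, the minimum username length, the use of scrypt for password storage and the in-memory "outbox" standing in for the site's email sender are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_TTL_SECONDS = 10 * 60  # codes expire 10 minutes after issue, as the page states
CODE_DIGITS = 6             # assumed code length; the page does not give one
MIN_USERNAME_LEN = 4        # assumed; the page says this is site-configurable
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted scrypt hash (assumed choice); passwords are never stored in clear."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, candidate)  # constant-time comparison


def hash_code(code: str) -> str:
    # The short-lived one-time code is stored only as a digest, never in clear
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    password_hash: bytes
    pending_code: Optional[Tuple[str, int]] = None  # (code digest, expiry time)


class AccountStore:
    def __init__(self) -> None:
        self._by_username = {}
        self._emails = set()
        self.outbox = []  # constructed stand-in for the site's mailer: (to, body)

    def register(self, username: str, email: str) -> str:
        """Create an account with a random password and email it to the user."""
        if len(username) < MIN_USERNAME_LEN:
            raise ValueError("username too short")
        if username in self._by_username or email in self._emails:
            raise ValueError("username or email already in use")
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(16))
        self._by_username[username] = Account(username, email, hash_password(password))
        self._emails.add(email)
        self.outbox.append((email, f"Your password is: {password}"))
        return password  # returned only so the example can be checked; the site emails it

    def change_password(self, username: str, old: str, new: str) -> bool:
        acct = self._by_username.get(username)
        if acct is None or not check_password(old, acct.password_hash):
            return False
        acct.password_hash = hash_password(new)
        return True

    def request_login_code(self, username: str, now: int) -> str:
        """Login step 1: issue a code, but answer identically for unknown usernames."""
        acct = self._by_username.get(username)
        if acct is not None:
            code = "".join(secrets.choice(string.digits) for _ in range(CODE_DIGITS))
            acct.pending_code = (hash_code(code), now + CODE_TTL_SECONDS)
            self.outbox.append((acct.email, f"Your one-time code is: {code}"))
        # Same message either way, so nothing reveals which usernames exist
        return "If that account exists, a one-time code has been sent to its email address."

    def verify_login_code(self, username: str, code: str, now: int) -> bool:
        """Login step 2: the code is valid once, and only inside its 10-minute window."""
        acct = self._by_username.get(username)
        if acct is None or acct.pending_code is None:
            return False
        digest, expires_at = acct.pending_code
        if now > expires_at:
            acct.pending_code = None  # expired codes are discarded, not retried
            return False
        ok = hmac.compare_digest(digest, hash_code(code))
        if ok:
            acct.pending_code = None  # a code works exactly once
        return ok
```

The response string from `request_login_code` is deliberately the same for existing and non-existing usernames, which is the property the "we won't tell you" bullet describes; the only place the two cases differ is in what is (or is not) emailed, which an attacker without access to the inbox cannot observe.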
Summary
Unfortunately, applying these techniques to reduce the likelihood of hostile actors getting access to accounts leads to some additional hoops for account holders to jump through to log in.
We think it’s worth a little bit of pain to protect our account holders as best we can.