Note: If you are currently logged in, you can keep using the site without updating your password right away. However, towards the end of November 2019 all users will be logged out, at which point everyone will be required to update their passwords.
What's happening?
Our new user portal includes vital security updates to our login, registration, password reset, Two-Factor Authentication and account recovery processes. As part of the upgrade, users will be required to log out and update their passwords to be at least 12 characters long, including at least one capital letter, at least one lowercase letter and at least one number. Updated passwords in the new user portal will be secured with new, stronger encryption algorithms. This is a necessary upgrade to reinforce the security of your account data.
We have completely reworked our registration process to make it cleaner and more straightforward for new users. Our new registration system no longer makes use of the Invision Board forum registration system (though your logins, whether "old" or new, will still work on the forums). Anyone who has registered on the site within the past 6 years will know how badly this change was needed.
Why are we making this change?
Over the last few years, our developers have been dedicating a lot of time and resources to reducing our reliance on the Invision Board forum which was the foundation of our user service. It has now reached a point where the only way we can be confident in the security of our user data is to build a bespoke, modern user portal.
Because it relies on old IP Board code, we cannot vouch for the security of the current, dated user system: vulnerabilities in old code may surface as time goes on, and such vulnerabilities could be exploited by malicious actors. That is why our web team has spent a substantial amount of time upgrading the user system to bring it up to modern security standards.
We understand that this may cause inconveniences for some of you, but we are convinced that this is a necessary step that will ultimately benefit the vast majority of our current and future users.
What does this mean for me?
As part of the roll-out, all users will have to update their passwords, either now, or towards the end of November 2019 when all users will be logged out.
If you do not remember your password, you will be able to reset it via the new user portal that will send an email with further instructions to the email address linked to your Nexus Mods account.
The email address linked to your Nexus Mods account is of paramount importance, because it is our main way of verifying that you are the owner of the account. Unfortunately, rolling out the new user service means that users who do not remember their passwords and, at the same time, no longer have access to the email linked to their account will lose access to their accounts. In this event, we will only be able to restore your account if you have purchased Supporter or Premium Membership in the past and send us the receipt for the purchase to [email protected]. If you are unable to recover your account for this reason, you are more than welcome to register a new one.
Re-enable Two-Factor Authentication
The new user system comes with an upgraded 2FA system that uses authenticator apps such as Google Authenticator and Authy. All users who were previously using our old 2FA system will therefore have to re-enable it on the new user system in order to secure their accounts.
We highly recommend enabling 2FA for added account security, especially for mod authors with mods and/or Donation Points attached to their accounts.
That being said - if you aren’t already - please consider following best practices for online security such as using a password manager, not reusing the same password across multiple sites, and always keeping your login credentials and emails up to date.
Foundations
Moving forward, the new user portal will be expanded upon to handle our Supporter and Premium Membership systems, along with other user-related services.
Once the team is confident that the launch has gone smoothly and the dust has settled a little, work will begin on improving the checkout, payment and management sections for Premium Members, as well as the support and contact systems for users trying to reach us, the staff.
We have been thoroughly testing the new portal for weeks leading up to the release, but it's always possible we missed something. If you encounter a problem, please let us know on our bug tracker or by emailing [email protected].
408 comments
Comments locked
A moderator has closed this comment topic for the time being.
The e-mail thing from before was fine too imo but I'll add it to my Google Auth app, no problem.
Wish these other commenters could stop being so negative about every update you guys put out, but I guess they're taking it as a grave offense that they got minorly inconvenienced for one second and apparently that's enough to forget all the positives ¯\_(ツ)_/¯
Congratulations on making my account less secure by your asinine rule change.
I set my password to something like YouAreBunchOfFuckingIdiots123 and sent it as a reply to the mail about the password change, because I knew that I wouldn't forget the special password on the only site that requires a 12-character-long one, and I would be resetting it every damn time. I actually don't remember the one I set around 2 weeks ago :v
This isn't directed at Nexus specifically, but rather is a general question for anyone who runs a web site. I still remember when LM Hash was considered secure because "computers will NEVER be able to crack 7 letters!" and then of course, it happened. First in hours, then in minutes, and now it takes milliseconds. The same thing will, inevitably, happen with 12 characters eventually. And then 13, then 14, and so on. There will come a day when a cell phone will crack a 250 character password using the full unicode character set in mere seconds, too. When that day comes, what do we do? Up it to 251 characters? Make password managers mandatory? What happens when the password managers become integrated into the OS and then THEY get hacked? What if your box gets flashed with a hacked CMOS and the hackers get to dictate the "random" seed your password manager uses?
In all of these cases, some of which are already happening today, the solution is simple: make account recovery easier instead of making account logins harder. This is the one and ONLY solution that actually scales. Put the onus for security on the user, then make that security easy for them. That is how you handle security properly. It may be harder for IT managers, but that's what you get paid $60k/year or more for. (And no, it's not for your knowledge. 99% of that stuff can be learned by any village idiot at every community college across the country. You are paid for your WORK, not your expertise, so work for it.)
My suggestion? Mandate 2FA and then remove ALL password requirements since NO password requirement will EVER stop a determined hacker. If a hacker has to physically acquire my actual phone, I have security they can never crack in the form of my Beretta 391 Urika-II 12ga shotgun.
In any case, it should be noted that, unless someone manages to obtain the server-side database at Nexus, their ability to crack any password, regardless of length, is severely hampered, and if they DO manage to get the database, then the security failure isn't on the users for having weak passwords, it's on Nexus for having weak security on their end. So, in effect, the changes they made don't accomplish anything. This isn't, and never was, about increasing security, because the innate delay involved in testing every attempt, combined with Nexus's extensive DDoS protection, means a remote hack through the web interface would take millennia even with a 6 or 7 character password. Instead, it's about shifting blame in the event of a hack, i.e. "it's not our fault for having weak security and allowing someone to get their hands on our account database, it's your fault for having a weak password!" Which is to say, BS.
Anyhow, just had to reset mine for the second time since these short-sighted rules were put in place. Before this, I've literally not had to reset it once in 4 years. These measures haven't stopped a single hacker, but they HAVE made the site less convenient for me, twice.
If you want to make the password length longer, fine, I agree that increases security. But then drop the complexity requirements so that we can pick longer passwords while still being able to remember them.
https://xkcd.com/936/
Set a minimum password length, sure. That's fine. But don't tell me what that password has to contain (numbers, upper and lower case, special characters, etc) and just let me create a password that I can fucking remember!
It has actually, there's an account from 2009 which has that username.
I guess no hyphen will have to do for now.
The password thing doesn't bother me. Captcha is a big old pain in the you know what. I used to be able to switch on my VPN to bypass it but, that doesn't seem to work anymore. Oh well. It's not like I had anything else to do today