
Forums > Suggestions & Development Discussion > Improving security practices?

Is there by any chance RPR could suggest good password practices during the actions of signing up or changing credentials? By good password practices, I mean passphrases instead of passwords, along with suggesting the use of trusted password managers such as BitWarden?

What about sending passwords during registration/changing credentials to the have I been pwned API? We don't want users to be using compromised passwords.

One more thing, would Time-based One-Time-Passwords (TOTP) somehow make its way into RPR? This could be an opt-in feature for regular users, and enforced for admins/mods. SMS based two-factor authentication should be avoided, as it is personally identifiable information and insecure.

While I think RPR is an amazing tool for roleplayers, I think there are some areas that could be improved.

It breaks down to:

  • The average user may not know their password is compromised, so it should be checked (additionally during the login process).
  • We should nudge them in the right direction for securing their accounts/data with best practices (passphrases, password managers, never sharing passwords, multiple factors of authentication).
  • Extra steps should be taken to secure admin/mod accounts, and opt-in for regular users.

Sorry for any errors, this was a bit lengthy.

I'm happy to report that some of this is already planned; other pieces are under consideration. :)

Kim wrote:
I'm happy to report that some of this is already planned; other pieces are under consideration. :)

Nice! Care to share which are planned?

2 Factor is on my list, though we won't be able to get to it right at launch.

Password best practice campaigns of one kind or another are something I'd also like to do after the launch of 2.0, whether it's an awareness campaign via news posts or some kind of enforcement.

Kim wrote:
2 Factor is on my list, though we won't be able to get to it right at launch.

Password best practice campaigns of one kind or another are something I'd also like to do after the launch of 2.0, whether it's an awareness campaign via news posts or some kind of enforcement.

That's awesome to hear! You're doing so great on your project.
