Account Verification Time!

[Xepher]

It's that time folks! In preparation for the server move, it's time to find out what accounts are still active. The following email was just sent to every non-locked account on Xepher.net If you are a phase 2 user and had a forwarding email set up, the email was sent straight there, with an extra bit on the link to save you from having to reverify your email. (As such, use the link in your email, not the one below.) For everyone else, the email went to your account here on Xepher.net, which (according to the rules) you should be checking occasionally, if you're not using forwarding. Of course, I know a lot of people don't, and will thus miss the message. :-P That's why I'm posting it here.

Dear Xepher.net User ($username):
As you may be aware, I am preparing to move Xepher.net to a new physical server. The current server is overloaded, and because of this, many things run slower than they should. Likewise, the storage capacity is nearly maxed out, meaning I can't accept new sites. The new server should be many times faster, and have nearly one terabyte of storage, hopefully giving us years of spare capacity before it needs replacing.

As part of the moving process, I am cleaning out dead/unused accounts, as well as collecting definitive information from each user in order to facilitate easier administration. Mostly, I'm looking to collect a valid contact email address, basic information about your site, such as description, title, and type of content. Also, you'll be asked to set a new, secure password. Several users have had their accounts comprised in the past because they used easy-to-guess passwords.

Some of the benefits of the new system will include:
   Easy access to site/user preferences. You'll now be able to easily change your password, setup email forwarding, change your description. Phase 2 users currently enjoy this, but now it will be extended to all users.
   New email system and spam filtering. The spam filtering system will now be trainable. After the first few messages are trained, most email will be automatically classified and dropped straight into Junk or the Inbox. If the filter is unsure of something and needs you to double-check it, it will deliver the message to a folder called 'Unsure' Users will have folders named 'LearnAsSpam' and 'LearnAsHam' in their account. Simply moving a message into either of these folders will train the spam filter, and automatically redeliver the message to the Inbox or Junk folder as appropriate. Additionally, users with their own domain names hosted here will have the option to setup multiple email accounts, and choose specific delivery options for each.
   New newsbox system in the works. This will probably come sometime after the new server is in place, but tentative plans call for each user to be able to set image-based 'ads' that will be rotated in the newsbox on all Xepher.net sites, rather than the text-only 'featured site' currently in use. Additionally, the newsbox code will be changed to javascript, so that it no longer requires the use of php, and can be used/previewed properly on your local computer before upload.
   A lot of behind the scenes changes will go into place as well, making it easier for site administration, and to greatly enhance security and performance.
   
For more information, and to keep up to date with the status of the transition, please visit the forums.
http://xepher.net/forum/
   
That said, and if you wish to continue using your xepher.net site, please visit the following URL and complete the account verification process. If you no longer use your account, or have received this email by mistake, simply ignore this message and you won't be bothered again.

https://xepher.net/account-verification/index.php

If the above line/link is broken into two lines, you may need to reassemble it and then copy/paste into your browser.

Thank you for your time,
--Xepher

P.S. Feel free to contact me with any questions or feature requests for the new system, or if you have problems with the verification process.

If you didn't get the email, had the wrong address set, etc... Just follow the direct link to https://xepher.net/account-verification/index.php and follow the instructions. For those of you that have forgotten your passwords (shame on you!) email me with your username and what you'd like it set to for now.

I'm going to give this about a week or two, and then I'll start locking unverified accounts. That usually gets people's attention. After that, I'll give it another couple weeks (or more) before the actual move, in order to let the stragglers catch up.

Oh, and sorry the whole thing looks so ugly. It's one of the most kludged together pieces of code I've ever written. If you manage to break it (or think you might have), don't hesitate to let me know.

[griever]

How long should it take the verification email to get to us after we fill out our details?  I filled out one an hour or so ago? from your email notification and no verification with login information email sent. 

I thought I did something wrong, or was not remembering things right.  In a mistake, I clicked the link in your post, got a new hash string, and it said an email had been sent with the new URL, but I checked my account and nothing, not even in the spam folder.

I copied and pasted the string onto the end of the old URL and filled out the form again, but I also did not get a return email either.  Are you getting the information or is this some kind of bug?

[reinder]

It's not working for me either. Nothing in my spam box, nothing in my inbox.

[dragyn]

Same here.  Filled out the form, but didn't receive an email.

[Databits]

Just outta stupid curiosity, how many of you use hotmail?

[Xepher]

Note: I am an idiot. I had the actual "send email" bit of code commented out at one point during testing. I uncommented it and saved, but that save never got synced to the server's file. Thus, everything was operating normally EXCEPT it wasn't sending emails. So sorry!

Griever: Yours completed and went through fine. In fact, it somehow let you go back and do it again (you changed from Chanpuru.org to Chanpuru for the site title.) That actually alerted me to fix the fact it allowed duplicate entries. The final email you didn't get merely included your username and password and a note you'd probably get another once the actual transfer was done. It's kind of a pain to resend that, so if you're okay just remembering your password, you're not really missing anything. (And if you forget your password, you know where to find me.)

Reinder and dragyn: You both were at the initial verification of address stage. If you just go back and try again, it'll generate a new email and should work this time. If it doesn't, let me know... feel free to pester me on IM or email if I'm not on the forum soon enough.

Data: I've been talking with you on IM, we'll solve it there. (Hotmail sucks!)

[reinder]

Oh, great. Another new password to forget repeatedly. How many dictionaries did that cryptographic strength checker test again?

(and then after all that effort, it emails me the password in clear text. Ah well. That at least gives me something to save in my Gmail archive, the password to which I won't be spreading around because I don't remember it.)

[griever]

Ah, okay, thanks, Xepher and glad to have helped out.  I've actually been meaning to change my password to the one I picked, but I just haven't yet.

Databits: I use gmail.  Want to come over to the dark side?

[Xepher]

I know it seems strange to give you a plaintext copy when a semi-strong password is required, and I do know it's a pain to remember... which is why I'm sending plain text copies and asking for a valid email. There will be automated systems in place to let you have your password emailed to you if you forget it. The problem I'm fighting against is not that people will hack your local computer or your gmail account and from there, find a copy of your password and THEN break into your account here. That's the sort of attack likely in a normal corporate/network environment. The problem here is that 2/3rds of the attacks I see against the server are brute-force attacks against basic services such as email and SSH... basically throwing a dictionary against the door. The matter is complicated because these are often done by botnets with a hundred different IPs, and against real account names. Thus, I can't reliably ban by IP, and if I locked an account for X number of failed logins, every legit user would be locked out in a matter of minutes. My only options are to require passwords that can't be guessed by the dictionary attacks, or to require an even more esoteric system of public/private keys... and the latter would only work with SSH, since email doesn't support key-pair authentication.

Oh, and it tests against about 2.4 million "words." That doesn't mean you can't use those words, just that you can't use an easy combination of them. It passes a short sentence-like phrase such as "BigHairyMonkey" with no problem, even though the words involved are some of the easiest/simplest ones in the dictionary. 2.4 million is quick enough in computer terms, but 2.4mil^3 is something around 14 quintillion. An attacker would have to try 4.8 billion per second to crack it in a full year. Given that it won't allow more than one try every second, it would take about 438 billion years, or roughly 31 times the age of the universe. If he tried just letters alone (rather than whole words) it would be over 1 septillion possibilities... I'm not even going to do the math on that! Point is, a seemingly simple phrase is more than enough to defeat these brute force attacks. The situation would be completely different in an office environment, where people could have clues about you and your possible password. If you had a bunch of king kong figures on top of your monitor, "BigHairyMonkey" may not be the best password to keep you from the prying eyes of coworkers. :-)

[Databits]

Xeph: I posted that before we started to diagnose things later in the day after the first time.

Griev: I already have a gmail account. 

[Silverfoxr]

forum mucked up my posting but i got the email okies and it worked fine

[cyyeun]

I'm glad it is not too confusing. I have completed it with no problem. 

[fesworks]

haha! Almost forgot about verifying Ardra!! haha!

[pigeon-wing]

Done Well, since a while ago ^^;

[Xepher]

I just got back from a weekend in Dallas. Only about 4 more accounts got verified while I was gone, so I think we're on the long-tail of the email notices. 45 people are verified (with one having left before picking a password) which leaves another 165 accounts... 44 of those have been locked/disabled for some time without their owners contacting me. So I'm reasonably expecting a response from another 120 people or so. Of course, probably only about half those will actually respond, even after I move to locking their accounts. I probably should've weeded out some of these a long time ago. :-)