HackThisSite.org News: Account Security
by: Kage, 08:01 am Thursday January 08th, 2009
In a step to increase HackThisSite account security, we've added a number of features and reinforcements to existing account security.
One of the most notable features we've added is a CAPTCHA and account locking layered onto the existing login system. Users can still log in normally from the login box on the left-hand side of the site without a CAPTCHA, but once they enter an invalid password they will be forced to authenticate with a CAPTCHA, and will continue to be required to do so for an extended period of time. Furthermore, if too many invalid passwords are attempted, the account will be temporarily locked out of login, further hampering password brute-force attempts. Logins were designed this way so that missions can still be completed using bots while keeping account login security strong.
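The login flow described above, written out as an added example (this is not HackThisSite's code); the thresholds and durations are assumptions, since the post gives no concrete values:

```python
import time
from dataclasses import dataclass

# Assumed policy values; the post names no concrete thresholds or durations.
MAX_FAILURES = 5        # bad passwords before a temporary lock
CAPTCHA_WINDOW = 3600   # seconds a CAPTCHA stays required after a bad password
LOCK_DURATION = 900     # seconds an account stays locked


@dataclass
class AccountState:
    failures: int = 0
    captcha_until: float = 0.0  # CAPTCHA required on logins before this time
    locked_until: float = 0.0   # logins refused before this time


class LoginGuard:
    """Per-account failure tracking that escalates from CAPTCHA to lockout."""

    def __init__(self, check_password, now=time.time):
        self.check_password = check_password  # callable(user, password) -> bool
        self.now = now                        # injectable clock for testing
        self.state = {}

    def attempt(self, user, password, captcha_ok=False):
        """Return "ok", "bad_password", "captcha_required" or "locked"."""
        st = self.state.setdefault(user, AccountState())
        t = self.now()
        if t < st.locked_until:
            return "locked"                  # lock wins over everything else
        if t < st.captcha_until and not captcha_ok:
            return "captcha_required"        # password not even checked yet
        if self.check_password(user, password):
            st.failures = 0                  # CAPTCHA window deliberately kept
            return "ok"
        st.failures += 1
        st.captcha_until = t + CAPTCHA_WINDOW
        if st.failures >= MAX_FAILURES:
            st.locked_until = t + LOCK_DURATION
            st.failures = 0                  # fresh count once the lock expires
            return "locked"
        return "bad_password"
```

Because the CAPTCHA requirement outlives a later successful login, a guessing bot keeps paying the CAPTCHA cost while a legitimate user with a bookmarked login box is inconvenienced only after their own typo.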
Another feature we've added is password expiration. While this may not be everyone's favorite feature, it can greatly enhance account security: it not only forces users to change their password once every 90 days (this time frame may change), but it also prevents users from reusing a password they have used in the past for an extended period of time.
While we're on the subject of passwords, we've added new restrictions on password strength and integrity by enforcing new requirements: passwords must start with an alphabetic character, contain at least one lowercase letter, one uppercase letter, and one number, and pass a comparison against a large number of wordlists; we may also require at least one special character (e.g. # $ % &), though that requirement is pending a staff vote. Again, this may not make everyone happy, but it teaches users what strong passwords are.
Yet another password feature we're redoing is the site's Password Reset function: we are revamping the whole system to use more secure hashes and to make use of the new Secret Question/Answer system we recently implemented.
There are also a number of other account security-related functions we've already implemented in the background that aren't listed here. We just thought we'd let you know that we're taking as many extra steps as possible to ensure your account is secure.
While some of these measures may be overkill, this is a teaching site. We hope you understand what these features do and why they can, in some circumstances, increase account security.