How to keep your Reddit account safe

=> https://www.reddit.com/r/RedditSafety/comments/bletrr/how_to_keep_your_reddit_account_safe/

created by worstnerd on 06/05/2019 at 17:11 UTC

2940 upvotes, 196 top-level comments (showing 25)

Your account expresses your voice and your personality here on Reddit. To protect that voice, you need to protect your access to it and maintain its security. Not only do compromised accounts deprive you of your online identity, but they are often used for malicious behavior like vote manipulation, spam, fraud, or even just posting content to misrepresent the true owner. While we’re always developing ways to take faster action against compromised accounts, there are things you can do to be proactive about your account’s security.

• What we do* to keep your account secure:

• Actively look for suspicious signals - We use tools that help us detect unusual behavior in accounts. We monitor trends and compare against known threats.
• Check passwords against 3rd party breach datasets - We check for username / password combinations in 3rd party breach sets.
• Display your recent IP sessions for you to access - You can check your account activity[1] at any time to see your recent login IPs. Keep in mind that the geolocation of each login may not be exact and will only include events within the last 100 days. If you see something you don’t recognize, you should change your password immediately and ensure your email address is correct.

If we determine that your account is vulnerable to compromise (or has actually been compromised), we lock the account and force a password reset. If we can’t establish account ownership or the account has been used in a malicious manner that prevents it being returned to the original owner, the account may be permanently suspended and closed.

=> 1: https://www.reddit.com/account-activity

• What you can do* to prevent this situation:

• Use permanent emails - We highly encourage users to link their accounts to accessible email addresses that you regularly check (you can add and update email addresses in your user settings page[2] if you are using new reddit, otherwise you can do that from the preferences page[3] in old reddit). This is also how you will receive any activities alerting you of suspicious activity on your account if you’re signed out. As a general rule of thumb, avoid using email addresses you don't have permanent ownership over like school or work addresses. Temporary email addresses that expire are a bad idea.
• Verify your emails - Verifying your email helps us confirm that there is a real person creating the account and that you have access to the email address given. If we determine that your account has been compromised, this is the only way we have to validate account ownership. Without this our only option will be to permanently close the account to prevent further misuse and access to the original owner’s data. There will be no appeals possible!
• Check your profile occasionally to make sure your email address is current. You can do this via the preferences page on old reddit[4] or the settings page in new reddit[5]. It’s easy to forget to update it when you change schools, service providers, or set up new accounts.
• Use strong/unique passwords - Use passwords that are complex and not used on any other site. We recommend using a password manager to help you generate and securely store passwords.
• Add two factor authentication[6] - For an extra layer of security. If someone gets ahold of your username/password combo, they will not be able to log into your account without entering the verification code.

We know users want to protect their privacy and don’t always want to provide an email address to companies, so we don’t require it. However, there are certain account protections that require users establish ownership, which is why an email address is required for password reset requests. Forcing password resets on vulnerable accounts is one of many ways we try to secure potentially compromised accounts and prevent manipulation of our platform. Accounts flagged as compromised with a verified email receive a forced password reset notice, but accounts without one will be permanently closed. In the past, manual attempts to establish ownership on accounts with lost access rarely resulted in an account recovery. Because manual attempts are ineffective and time consuming for our operations teams and you, we won’t be doing them moving forward. You're welcome to use Reddit without an email address associated with your account, but do so with the understanding of the account protection limitation. You can visit your user settings page at anytime to add or verify an email address.

=> 2: https://new.reddit.com/settings | 3: https://old.reddit.com/prefs/update | 4: https://www.reddit.com/prefs/update/ | 5: https://new.reddit.com/settings | 6: https://www.reddithelp.com/en/categories/using-reddit/your-reddit-account/how-set-two-factor-authentication

Comments

=> Comment by [deleted] at 06/05/2019 at 17:13 UTC*

88 upvotes, 17 direct replies

[deleted]

=> Comment by Sir-Battle-Tuna at 06/05/2019 at 17:21 UTC

49 upvotes, 5 direct replies

Someone asked for my info, I said no, but they countered with “no u”. Do I legally have to give them my info now?

=> Comment by [deleted] at 06/05/2019 at 17:15 UTC

48 upvotes, 5 direct replies

Is this security announcement being made in response to something? A recent surge in reddit botting/manipulation through the use of hacked accounts?

=> Comment by Searchlights at 06/05/2019 at 17:25 UTC*

48 upvotes, 17 direct replies

I'm a big fan of two factor authentication, generally. It's best to use some kind of token system or an app like Authy or Google's Authenticator rather than SMS as your second factor. I prefer Authy because it's easier to recover your account because it stores the data in the cloud.

It's an increasingly common attack vector for hackers to take over your phone number and use that to unlock your two factor accounts. A step you can take to prevent this is to contact your cellular carrier and ask them to establish a security PIN on any number porting requests.

If you change carriers and need to have the number ported, that PIN will be required. This makes it much more difficult for someone to social engineer a transfer of your number.

And I know this is the thousandth time you've been told, but you really should be using a password manager. I use LastPass and a typical password for me looks like this: 7GXc2f*hIVTV(MYO

The reason you want to be using a password manager is so you can have ridiculously complex and unique passwords for each account. If you're re-using the same passwords, a hacker doesn't need to break through Bank of America's security, they only need to hack the pizza place down the street that you use for online ordering. Once someone has a working username and password combination, they can jaunt around the internet and try to find other places those credentials work.

=> Comment by rsprobo at 06/05/2019 at 17:24 UTC

17 upvotes, 4 direct replies

What's the reason for requiring a verified email with 2FA?

=> Comment by TheZerothLaw at 06/05/2019 at 17:25 UTC

16 upvotes, 3 direct replies

My password is h******, is that an okay password?

=> Comment by vh1classicvapor at 06/05/2019 at 17:16 UTC

32 upvotes, 3 direct replies

Are our passwords hashed? Not a security expert, but I've been in enough databases with passwords and credit cards stored in plain text to know that it's a terrible idea.

=> Comment by myself248 at 06/05/2019 at 17:51 UTC

12 upvotes, 2 direct replies

Display your recent IP sessions for you to access - You can check your account activity[1] at any time

=> 1: https://www.reddit.com/account-activity

That's super useful!

Where would I discover that link other than this post? I just went through my user page and Preferences and can't find it anywhere. I'll try to remember it, of course, but I never would've known it existed because it doesn't seem to be linked from anywhere.

=> Comment by [deleted] at 06/05/2019 at 17:19 UTC

22 upvotes, 1 direct replies

Thanks reddit security you're the real MVP

=> Comment by [deleted] at 06/05/2019 at 17:21 UTC

12 upvotes, 0 direct replies

Thank you Reddit, very cool!

=> Comment by Spaghetticandel at 06/05/2019 at 17:29 UTC

10 upvotes, 0 direct replies

Aw thanks m8 for like half a year someone took my reddit account. It wasnt a big deal bc. i postet like 2 rhings and had like 20 karma. I checked my password amd everything is on now 🤗 thanks for reminding

=> Comment by Ajor_Ahai at 06/05/2019 at 17:41 UTC

10 upvotes, 9 direct replies

Is Google authenticator tied to my mobile device or to my Google account? Meaning if I lose my current phone, can I still use Google authenticator on a different device, or do I absolutely have to use a backup code?

=> Comment by randolphcherrypepper at 06/05/2019 at 17:44 UTC

8 upvotes, 0 direct replies

Any plans to support FIDO or other 2FA that does not involve shared secrets? Lots of good libraries out there you can just toss into the backend (after due diligence reviewing code and whatnot)

=> Comment by jenesuispasbavard at 06/05/2019 at 17:40 UTC

7 upvotes, 1 direct replies

Any chance of getting native support for Yubikey-like devices? The current solution[1] is convoluted and essentially just uses the hardware key to generate a six-digit code that you have to type in / paste anyway.

=> 1: https://support.yubico.com/support/solutions/articles/15000012050-securing-reddit-with-yubico-authenticator-and-the-yubikey

=> Comment by DreamlnCode at 06/05/2019 at 17:54 UTC

8 upvotes, 0 direct replies

Yep activity from another country 25 days ago and I never use this account through a VPN. Thanks Reddit.

=> Comment by burnSMACKER at 06/05/2019 at 17:42 UTC

16 upvotes, 4 direct replies

How does it feel to be downvoted to hell in the other thread?

=> Comment by BlatantConservative at 06/05/2019 at 17:13 UTC

7 upvotes, 3 direct replies

I got logged out by the 2FA bug when I clicked this link.

(2FA is great tho)

=> Comment by HeyItsBrunoG at 06/05/2019 at 17:17 UTC

7 upvotes, 0 direct replies

Good info!

=> Comment by Realtrain at 06/05/2019 at 17:16 UTC

6 upvotes, 1 direct replies

Can we get a "remember this device" for the 2FA?

=> Comment by [deleted] at 06/05/2019 at 17:24 UTC

5 upvotes, 0 direct replies

reddit security is serious business!! don't get haxed friends

=> Comment by [deleted] at 06/05/2019 at 17:25 UTC

4 upvotes, 2 direct replies

or you can just use your account 16 hours a day, checking how many upvotes you have every 10 minutes, then you'll quickly see anything unusual.

=> Comment by alurkerwhomannedup at 06/05/2019 at 17:28 UTC

4 upvotes, 1 direct replies

I don’t actually have a question, but will you reply to me for a false sense of validation?

=> Comment by ItsRainbow at 06/05/2019 at 19:28 UTC

4 upvotes, 0 direct replies

I think the whole “verifying your email” thing should be promoted more. It was only until a few months ago when a 3rd party application required me to have a verified email when I realized that I forgot to.

=> Comment by anonstateemployee at 06/05/2019 at 19:44 UTC

5 upvotes, 3 direct replies

Anyone who cares about their account, link it with an email right now.

I lost my main account just a few days ago because it got suspended due to unusual activity, but I never added an email so that account it now lost forever.

I’m a sad cucumber.

=> Comment by Chaosritter at 06/05/2019 at 17:17 UTC

3 upvotes, 0 direct replies

I get logged out from time to time and can't log back in until I used the password reset function.

Any explanation for that?