Announcements Jan 24, 2018 at 7:39 PM

Protect your account with two-factor authentication!

Posted by StringerBell5


You asked for it, and we’re delivering! Today, all Listnook users have the option to enable [two-factor authentication](https://i.redd.it/2y66bw0sapb01.gif) for an additional layer of account security. We have been [slowly rolling this feature out](https://www.listnook.com/r/modnews/comments/7bfoqg/twofactor_authentication_now_available_for/), starting with beta testers, moderators, and third-party app developers, to ensure a positive experience across devices. Your feedback has been incredibly valuable, from pointing out bugs to recommending features. Thank you to everyone involved in testing.

Two-factor adds more security to your Listnook account by requiring a second step to sign in. In this case, if you opt into 2FA, you’ll access a 6-digit verification code generated by your phone after a new sign-in attempt. With two-factor enabled, even if someone else obtained your Listnook username and password, they still could not log in as you.

You can enable two-factor by selecting the [password/email](https://www.listnook.com/prefs/update/) tab under your preferences on desktop. Select **enable** under _two-factor authentication_ and follow the steps given to you. And make sure to generate your backup codes in the event your phone is unavailable! You can find more help in our [Help Center](https://www.listnookhelp.com/en/categories/using-listnook/your-listnook-account/how-set-two-factor-authentication).

Two-factor is supported across desktop, mobile, and third-party apps. It requires an authenticator app (Google Authenticator, Authy, or any app supporting the TOTP protocol) to generate your 6-digit verification code.

A few handy security reminders:

* Choose a strong and unique password. We recommend at least 8 characters. And don’t reuse the same password on Listnook as other sites!
* Add a verified email address. Email is the only way for us to reset your account. (We do require a verified email for setting up two-factor authentication since the account can be lost if, for example, you lose your phone).
* Check your [account activity](https://www.listnook.com/account-activity) for recent logins. It’s a good idea to look at this page from time to time to make sure there’s nothing fishy going on.

Thanks!


199 Comments

Realtrain Jan 24, 2018 +7894
Can we get a "remember this device" feature? It's annoying having to whip out my phone every time I log in on my work computer.
7894
[deleted] Jan 24, 2018 +6627
[deleted]
6627
sodypop Jan 24, 2018 +8767
ಠ_ಠ
8767
chmilz Jan 24, 2018 +1341
The sooner you realize we all need a main account and a p*** account the better off we'll all be.
1341
BunnyOppai Jan 24, 2018 +297
Exactly. I know I personally wouldn't want my name tied to anything I'm into, even if my name is just a pseudo-anonymous username on a social media site.
297
[deleted] Jan 25, 2018 +86
It's also really nice to have a "free time" account and an account for academic interests, to keep the subscriptions separated even when both are completely sfw.
86
omincon Jan 25, 2018 +41
Isn't this technically the point of multilistnooks?
41
subm3g Jan 25, 2018 +38
Oh.... *quietly shuffles back to the main page to create multilistnooks...*
38
slolift Jan 25, 2018 +236
Rip Ken Bone.
236
robbyb20 Jan 25, 2018 +74
Beautiful human submarines
74
[deleted] Jan 25, 2018 +25
you have now entered the Bone Zone
25
[deleted] Jan 24, 2018 +34
[deleted]
34
bluesox Jan 25, 2018 +16
Where’s your novelty account, casual?
16
BillieRubenCamGirl Jan 24, 2018 +39
I just blend mine all together. Sex is a part of my life, and a part of my Listnook feed.
39
ProfWhite Jan 24, 2018 +63
So...like...what do you do when you're working? Do you just....*not* use Listnook while you're working?! No. No that can't be it. No one that uses Listnook *doesn't* **not** also use Listnook while working. That's a logical axiom. Remote worker? NEET hippie no bucks? An in between?
63
PM_ME_TRUMP_PISS Jan 25, 2018 +24
These days, you can listnook on your phone! What will they think of next?!
24
ProfWhite Jan 25, 2018 +27
Yeah but why use a 6 inch screen when there's a 13 inch ~~d***~~ screen right in front of you? Go big or go home.
27
PM_ME_TRUMP_PISS Jan 25, 2018 +27
Well obviously I only watch little-d*** p*** on my phone. I save the elephant dwangers for the 4K cinema setup.
27
IdoNOThateNEVER Jan 25, 2018 +9
I do this the other way around and all the dicks end up looking normal sized.
9
pupi_but Jan 24, 2018 +3366
lol he's mad because you're only allowed to do that if you pay them
3366
CoopertheFluffy Jan 24, 2018 +1014
If you pay them, they'll do the pivoting for you ~~Edit~~ About face: voting, not pivoting
1014
MuonManLaserJab Jan 24, 2018 +2573
The best part is that pivoting is ~3.14159265359 times better than upvoting.
2573
[deleted] Jan 24, 2018 +447
[deleted]
447
TrippyWentLucio Jan 24, 2018 +240
Was a great movie.
240
thisischemistry Jan 24, 2018 +130
So was Pi, you'd have to have a hole in your head not to like that one!
130
sunshine2846 Jan 24, 2018 +65
Username does not check out
65
[deleted] Jan 24, 2018 +26
[deleted]
26
sunshine2846 Jan 24, 2018 +24
Ah damn it, time for another coffee
24
twowheels Jan 24, 2018 +77
~? Would you mind being more specific? We don't like approximations, so we'll need you to give us the full precision value to the last decimal place, thanks.
77
MuonManLaserJab Jan 24, 2018 +260
Oh, sorry! The full-precision answer is: exactly 10, in base-pi.
260
Frankvanv Jan 24, 2018 +35
Well it's not a decimal place then is it?
35
MuonManLaserJab Jan 24, 2018 +71
Fine, 10.0 you nutter
71
twowheels Jan 24, 2018 +19
Touché! :)
19
ra4king Jan 24, 2018 +39
Genius...
39
pingMeSnap Jan 24, 2018 +31
Pielease leave
31
Serpardum Jan 24, 2018 +12
When he gets around to it.
12
[deleted] Jan 24, 2018 +28
Can someone please explain this joke to a friend of mine?
28
MuonManLaserJab Jan 24, 2018 +67
"Pivoting" is turning around, and it was a typo that should have just been "voting" or "upvoting", but I was pretending it was "pi-voting", which I interpreted to mean, "voting in increments of pi". Pi, of course, is the number 3.14159265...
67
Serpardum Jan 24, 2018 +40
Oh. I took it as pivoting in place is going around a point so you are making an arc of a circle. But I guess pi voting works too.
40
[deleted] Jan 24, 2018 +73
[deleted]
73
SupermotoArchitect Jan 24, 2018 +65
#PIVOT! #PIVOOOOT!
65
HoTTab1CH Jan 24, 2018 +28
#SHUT UP! SHUT UP! #[SHUUUUUUUT UP!](https://youtu.be/R2u0sN9stbA?t=1m23s)
28
mangongo Jan 24, 2018 +9
That is honestly the greatest Chandler scene and maybe even the greatest Friends scene of all time.
9
lefondler Jan 24, 2018 +57
lmfao just burned the admins
57
Jacobjs93 Jan 24, 2018 +32
It’s a dog eat dog world out here. And when you have more than one dog... well.. you get the point.
32
B-Knight Jan 24, 2018 +95
He meant "Ults" Like "Ultimate" from Overwatch. He has a legitimate and special power where he can get people to upvote him more. ^^that ^^was ^^close ^^guys.
95
Realtrain Jan 24, 2018 +264
Unidan?
264
[deleted] Jan 24, 2018 +114
RIP
114
[deleted] Jan 24, 2018 +145
Here's the thing...
145
[deleted] Jan 24, 2018 +99
He's still around, he was just forced to change his username and plead a "f***, I'm not gonna do that anymore"
99
Atari_7200 Jan 24, 2018 +56
His last post was over 3 months ago. He's made less than 4 posts since last year till 3 months ago. Not really what I'd consider "still around"
56
[deleted] Jan 24, 2018 +128
[deleted]
128
Yodamanjaro Jan 24, 2018 +101
ಠ_ಠ I'm not even /u/WarLizard
101
Warlizard Jan 25, 2018 +146
***ಠ_ಠ***
146
[deleted] Jan 24, 2018 +32
Yes, I Agree.
32
[deleted] Jan 24, 2018 +54
Unidan also downvoted people who disagreed with him with his alts.
54
[deleted] Jan 24, 2018 +149
Yeah, but that's just being efficient.
149
[deleted] Jan 24, 2018 +35
Exactly. Why have alts just to upvote when they can also downvote.
35
StringerBell5 Jan 24, 2018 +2139
This is something we received a lot of requests for during the 2FA beta. We're looking into ways to implement and want to make sure we do so in a secure way.
2139
Realtrain Jan 24, 2018 +204
Awesome! Thanks for listening
204
kaett Jan 24, 2018 +194
i got tagged as one of the beta testers and have noticed that my usual devices (work computer, home computer, and phone) are always remembered. it's only when i log out or try to log in with another device that it makes me use the second authentication.
194
RoboticPlayer Jan 24, 2018 +83
It requires you to validate with 2FA any time you log into your account. If you stay logged in, you won't have to. But for example if you switch accounts, you'll have to re validate.
83
[deleted] Jan 24, 2018 +77
[deleted]
77
pieps Jan 25, 2018 +22
A thousand times this. 2fa is cool, but FIDO U2F is the future.
22
Wiltonator Jan 25, 2018 +12
I’m at the Fido plenary meeting this week talking about U2F. This authenticator would be perfect for Listnook
12
[deleted] Jan 24, 2018 +39
[deleted]
39
TheGoldenHand Jan 24, 2018 +24
You could add another parameter for a unique device string. These are unique per account. Then on the server side, you allow users to store and deactivate the device strings. They commonly attach human readable names to them like "Home PC." This is how every 2FA I've used does it. Google, Apple.
24
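Added example (not from the thread and not Listnook's code): one way to implement the per-account device strings described in the comment above, with a random token per browser, only its hash stored server-side, a human-readable name, expiry and revocation. `TrustedDevices`, `needs_second_factor`, the 30-day lifetime and the account names are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TRUST_LIFETIME = 30 * 24 * 3600   # assumed policy: trust expires after 30 days


def _digest(token):
    # Only the hash is stored, so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class TrustedDevices:
    """Hypothetical server-side store of remembered devices, keyed by account."""

    def __init__(self):
        self._devices = {}   # account -> {token_hash: {"name", "expires"}}

    def remember(self, account, name, now=None):
        """Call only after password AND second factor succeeded. Returns the
        token to set as a Secure, HttpOnly cookie on that browser."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._devices.setdefault(account, {})[_digest(token)] = {
            "name": name, "expires": now + TRUST_LIFETIME}
        return token

    def is_trusted(self, account, token, now=None):
        now = time.time() if now is None else now
        if not token:
            return False
        devices = self._devices.get(account, {})
        key = _digest(token)
        entry = devices.get(key)
        if entry is None:
            return False          # unknown token, or token of another account
        if now >= entry["expires"]:
            del devices[key]      # prune the expired entry
            return False
        return True

    def list_devices(self, account):
        """(device_id, name) pairs for a settings page. The id is a prefix of
        the stored hash, never the token itself."""
        return [(h[:12], d["name"])
                for h, d in self._devices.get(account, {}).items()]

    def revoke(self, account, device_id):
        devices = self._devices.get(account, {})
        doomed = [h for h in devices if h[:12] == device_id]
        for h in doomed:
            del devices[h]
        return bool(doomed)

    def revoke_all(self, account):
        """For a password change, a 2FA reset or 'log me out everywhere'."""
        self._devices.pop(account, None)


def needs_second_factor(store, account, device_cookie, now=None):
    """Password already verified: ask for a code unless the device is known."""
    return not store.is_trusted(account, device_cookie, now)


if __name__ == "__main__":
    store = TrustedDevices()
    cookie = store.remember("alice", "Home PC")      # constructed sample data
    print(needs_second_factor(store, "alice", cookie))   # known device
    print(needs_second_factor(store, "alice", None))     # new browser
```
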
[deleted] Jan 24, 2018 +90
Yeah. Whipping it out at work always creates a scene...
90
GameTourist Jan 24, 2018 +16
https://www.youtube.com/watch?v=HgRE6BPhN2I
16
[deleted] Jan 24, 2018 +66
[deleted]
66
SpecialGuestDJ Jan 24, 2018 +39
Use a private browser window for your Alts then.
39
the_noodle Jan 24, 2018 +40
Firefox also has a feature where certain tabs are treated as separate browsers with their own cookies and therefore account logins
40
SpecialGuestDJ Jan 24, 2018 +36
This is not a native feature, it is an add-on called "Multi-account containers". Previous add-ons were called "Priv8" or "Private Tab"; these are no longer compatible with FF Quantum 57+.
36
the_noodle Jan 24, 2018 +28
I saw it in a Mozilla blog post similar to this, if it's developed by Mozilla themselves then it doesn't make any difference whether it's an addon or a setting, it's just as much of a feature either way. https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/
28
SpecialGuestDJ Jan 24, 2018 +12
Yep that's the one! It used to be a native feature but got moved to an extension. I can't tell if the extension works on Android/IOS or if that even matters.
12
[deleted] Jan 24, 2018 +15
It's a feature designed to prevent you from browsing Listnook on the job
15
rtyu1120 Jan 24, 2018 +1204
Was 123456 your one-time-password? That's so lucky.
1204
sodypop Jan 24, 2018 +1803
That's amazing. I've got the same combination on my luggage.
1803
[deleted] Jan 24, 2018 +405
[deleted]
405
[deleted] Jan 24, 2018 +112
[deleted]
112
[deleted] Jan 24, 2018 +77
No, he needs a code from his luggage to unlock his phone.
77
adifferentlongname Jan 24, 2018 +95
can you please make hunter2 = ******* on all pages? I need this easter egg.
95
umopaplsdnwl Jan 24, 2018 +104
> can you please make ******* = ******* on all pages?
>
> I need this easter egg.

Please stop cursing on my christian server
104
[deleted] Jan 25, 2018 +18
h*ck
18
[deleted] Jan 24, 2018 +53
[deleted]
53
DearBurt Jan 24, 2018 +14
I'm huffing [Perri-air](https://www.geek.com/wp-content/uploads/2015/12/scroob-air-625x350.jpg) as I type ...
14
Torandax Jan 25, 2018 +6
Me too but I’m a Druish princess...nobody knows the trouble I’ve seen...
6
miraoister Jan 25, 2018 +9
/u/sodypop, a true American hero.
9
_invalidusername Jan 24, 2018 +121
What did you write? All I see is ******
121
[deleted] Jan 24, 2018 +81
[deleted]
81
_invalidusername Jan 24, 2018 +103
[I don't get it?](https://i.imgur.com/6wLgoWH.png)
103
[deleted] Jan 24, 2018 +2125
Heaven forbid my listnook account is hacked and posts something positive about thief scam artist Johann Gevers.
2125
todayyalllearned Jan 24, 2018 +1632
It's so funny how much listnook has changed. Listnook was great because of its anonymity. Now they "encourage" you to provide your email/phone/etc? The point of listnook was that listnook didn't know your email/phone/etc.

Edit: It's funny how so many shill accounts are pushing the "4chan" defense. As if anonymity would turn listnook into 4chan.
1632
[deleted] Jan 24, 2018 +1362
Email is standard password recovery, not exactly strange. ~~You're only giving your phone number if you want 2FA. It's not like it's forcing you.~~

edit: And according to the 1million comments it doesn't even use your phone number, so why tf is it even being brought up?

edit x2: Wtf do I do with listnook gold
1362
Nathan2055 Jan 24, 2018 +497
> You're only giving your phone number if you want 2FA.

And you're not even doing that. Like most modern sites, they adopted TOTP (authenticator apps) instead of the now proven insecure SMS message method. Those don't require you to provide a phone number, or even for you to have a phone.
497
impoverished_techie Jan 24, 2018 +195
> now proven insecure SMS message method

God, this is the only 2FA that my bank offers.
195
brownej Jan 24, 2018 +221
This is no surprise. Banks have the worst security systems ever. Passwords are case-insensitive, must be between 6 and 8 characters long, must only include alphanumeric characters, and must be "password"
221
ThatsSoBravens Jan 24, 2018 +99
Oh, I see you have an account with Chase prior to 2016 as well.
99
brownej Jan 24, 2018 +30
Just for clarity, are you saying Chase post 2016 has reasonable security? Because that's something I've not heard of when it comes to financial institutions ever.
30
ThatsSoBravens Jan 24, 2018 +49
Their password requirements are more sane now - previously they wouldn't let you use special characters and had a maximum length of 16, possibly some other ones I don't recall. Any time there's a max length on passwords (and it's not, like, 32+ characters) the site should be considered insecure.
49
BitLooter Jan 25, 2018 +30
> and it's not, like, 32+ characters

Even then be suspicious. A max password length of any size implies they could be storing the password instead of its hash, a major security blunder.

EDIT: Yes, I understand you may want to limit it to avoid attacks. However, anything larger than ~300-500 would not realistically matter, there would be no need to say "don't use the latest draft of your novel as a password" in the requirements.
30
[deleted] Jan 24, 2018 +21
[deleted]
21
brownej Jan 24, 2018 +35
Written 50 years ago in COBOL
35
Exist50 Jan 25, 2018 +17
As God intended.
17
frymaster Jan 25, 2018 +11
I mean, we need to be clear. It's a **lot** better than no 2FA at all. All "proven insecure" means is people can either intercept SMS message transmissions, or they can social engineer your mobile provider in order to hijack your mobile account.

The first of those requires heist movie levels of coordination. The latter... not so much, unfortunately :(
11
VMorkva Jan 24, 2018 +31
Even if you use 2FA you don't need to give them your phone number. You use one of the many apps for that.
31
adamhighdef Jan 24, 2018 +240
Looks like you've not even bothered checking if it actually requires your phone number. News flash: **IT DOESN'T.**
240
Wires77 Jan 24, 2018 +121
The guy above him mentioned the phone, context is key
121
Whit3W0lf Jan 24, 2018 +30
This is listnook! Context *never* matters!
30
frogspotting Jan 24, 2018 +137
Yeah, and that they didn't have social media-like profiles on the user pages.
137
RandomBritishGuy Jan 24, 2018 +103
Those pages are so annoying to go through. Really preferred the old system, trying to find my old comments is a pain in the ass now.
103
madeamashup Jan 24, 2018 +36
if you're on desktop there's a setting on RES or a browser extension you can install to default to 'legacy view'
36
RandomBritishGuy Jan 24, 2018 +24
o.0 Thanks! Edit: It's found under Users -> Profile Redirect -> Then select 'Overview (legacy)', for those wondering where it is
24
MoonStache Jan 24, 2018 +8
RDS: Listnook *De-enhancement* Suite
8
Captain_Shrug Jan 24, 2018 +23
Gotta admit, that worries me.
23
[deleted] Jan 24, 2018 +9
you don't need to supply your phone number, you can use an Open Source TOTP token generator ("authenticator") like FreeOTP.
9
FerusGrim Jan 24, 2018 +79
Offering your email and phone number are both entirely optional, for password recovery and 2FA respectively. People who _want_ to be anonymous can still totally do that. But, I do see your point. Listnook isn't _just_ an anonymous discussion board, anymore. Not that that's inherently bad, obviously, but it _has_ changed.
79
TheBeginningEnd Jan 24, 2018 +47
*comment and account erased in protest of spez/Steve Huffman's existence - auto edited and removed via redact.dev* -- mass edited with https://redact.dev/
47
[deleted] Jan 24, 2018 +24
you don't need to supply your phone number, you can use an Open Source TOTP token generator ("authenticator") like FreeOTP.
24
_Placebos_ Jan 24, 2018 +198
Can we get some protection against bots?
198
goftc Jan 24, 2018 +238
No because big companies use Listnook bots to promote themselves
238
brock_lee Jan 24, 2018 +662
Can you start working on three-factor authentication?
662
[deleted] Jan 24, 2018 +443
[deleted]
443
D0cR3d Jan 24, 2018 +441
That requires having friends. r/me_irl
441
brock_lee Jan 24, 2018 +126
We can be code buddies! Just send me your password. /s
126
D0cR3d Jan 24, 2018 +44
My password is `Hunter1`. See, everyone expects you to do either Hunter2 or Hunter3, but no one expects Hunter1!
44
brock_lee Jan 24, 2018 +71
My password is *******. Actual asterisks. It literally shows every time I type it, yet no one suspects. My little joke on them.
71
Sunny_Tater Jan 24, 2018 +53
Kinda asterisky dontcha think?
53
gippered Jan 24, 2018 +59
No, no. Four factor authentication. One friend has the username, one has the password, one uses the authenticator app. Now we just need to implement some biometrics for some legit 5FA protection.
59
Porso7 Jan 24, 2018 +14
The phone with the 2FA app is locked with your fingerprint, but the app has an extra lock on it that only your friend knows the password to. Now what would 6FA look like?
14
brock_lee Jan 24, 2018 +8
I like the way you think.
8
dbcoopers_alt Jan 24, 2018 +103
Also, don't forget about zero-factor authentication! We need all the authentications! _ ^(*I forgot the password for this particular account and didn't associate an email when I made it. Chrome has me signed in on this one machine and if I logout, I will be locked out forever. Help pls.)
103
brock_lee Jan 24, 2018 +23
Can't chrome show you the stored passwords? I use FireFox, and it can.
23
dbcoopers_alt Jan 24, 2018 +36
It's not even stored in the chrome password manager. It's just like an active session or something. I think I can extract it from a cookie, but I tried for like 5 minutes the other day and couldn't figure it out and then I gave up.
36
[deleted] Jan 24, 2018 +31
[deleted]
31
[deleted] Jan 24, 2018 +24
[deleted]
24
slazer2au Jan 24, 2018 +30
Bah, I am waiting on 5 factor. https://youtu.be/R6ynbQcmXfs
30
JoshuaaMichael Jan 24, 2018 +560
Feedback!

After I enabled 2FA, I was able to disable it whilst being still logged into my account, but without being prompted for a 2FA code or generated backup code. I checked using Incognito mode, logging in cleanly, and I was still able to disable it without requiring a 2FA code.

So before if a co-worker/spouse/friend jumped my computer they already weren't able to change my Listnook password without me having the option of resetting it to my email, but now they can click 2 buttons to enable 2FA and I get locked out of my own account with no method of recourse to get it back. -_- This isn't a good design, especially with a "log me out from everywhere button". I don't want to scope creep the project, but that seems like it should be within reasonable security scope/threat model.

But I do understand the trade off, people losing their phones and such. So I would think the solution may be best left up to the user. An SMS notification perhaps, but people's number may change when they lose their phone anyway too. SMS is not secure, but anyone who knows that would be using a separate option which would be a default unchecked checkbox which says "I agree that I must provide a 2FA code, or a backup code, to deactivate 2FA OR THIS SETTING"?

Also, having to prompt for a 2FA code to get my backup codes would be good. So someone can't come along and have a list of 10 secret codes to use against me later down the line if they figure out my password/email account details, and at that time they wouldn't need to compromise my phone at the same time.

Pretty UI stuff: On the Enable Two-Factor setup screen, you have to click "Enter the key manually" to get the image back, that text should update. Secondly, when you login, the button to submit your 2FA code says "Check code", I would suggest it should just be "Submit". That's a blur of the lines between implementation (which is literally checking the code), and usage (which is someone using it is going to legitimately be just submitting you the code they have).

If I haven't been clear, feel free to ask for clarification.
560
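Added example (not from the thread and not Listnook's code): a settings object in which disabling 2FA and issuing backup codes both need a fresh second-factor proof, as the comment above asks, and in which backup codes are stored hashed and consumed on use. `TwoFactorSettings` and its methods are hypothetical, the password re-check on enrolment is an assumed extra control, and the two checker functions are supplied by the caller.

```python
import hashlib
import secrets

BACKUP_CODE_COUNT = 10   # the comment mentions a list of 10 codes


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


class TwoFactorSettings:
    """Hypothetical per-account 2FA settings. check_password and check_totp
    are whatever functions the site uses to validate those credentials."""

    def __init__(self, check_password, check_totp):
        self._check_password = check_password
        self._check_totp = check_totp
        self.enabled = False
        self._backup = set()    # hashes of unused backup codes only

    def _new_backup_codes(self):
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODE_COUNT)]
        self._backup = {_digest(c) for c in codes}   # earlier codes die here
        return codes

    def _step_up(self, code):
        """Fresh proof of the second factor: a current TOTP code, or a backup
        code, which is removed so that it works only once."""
        if not self.enabled or not isinstance(code, str):
            return False
        if self._check_totp(code):
            return True
        digest = _digest(code)
        if digest in self._backup:
            self._backup.remove(digest)
            return True
        return False

    def enable(self, password, code):
        """Enrolment re-checks the password, so a logged-in session alone is
        not enough, and checks one code to confirm the authenticator works.
        Returns the first set of backup codes, or None on failure."""
        if self.enabled:
            return None
        if not (self._check_password(password) and self._check_totp(code)):
            return None
        self.enabled = True
        return self._new_backup_codes()

    def regenerate_backup_codes(self, code):
        """Codes are shown only at generation time and only after step-up;
        the plaintext list is never kept, so it cannot be read back later."""
        if not self._step_up(code):
            return None
        return self._new_backup_codes()

    def disable(self, code):
        """Turning 2FA off needs the second factor, not just an open session."""
        if not self._step_up(code):
            return False
        self.enabled = False
        self._backup.clear()
        return True


if __name__ == "__main__":
    # Constructed stand-ins for the real password and TOTP checks.
    s = TwoFactorSettings(lambda p: p == "correct horse", lambda c: c == "287082")
    backup = s.enable("correct horse", "287082")
    print(s.disable("000000"), s.enabled)    # refused, still enabled
    print(s.disable(backup[0]), s.enabled)   # backup code accepted once
```
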
WittenMittens Jan 25, 2018 +65
We need three factor authentication. First you log in, then you punch in the code on your phone, then you wait for Alexis Ohanian to show up and visually verify you are who you say you are.
65
RedEnergie Jan 24, 2018 +34
I think it would be nice to have a backup, like the possibility to use a U2F hardware token, to use instead of your phone. This way it could be more secure/reliant and it's way easier to just use a token instead of an authenticator app.
34
[deleted] Jan 24, 2018 +928
why? almost all of my listnook accounts have been to talk shit to strangers when they disagree with me.
928
LemonBomb Jan 24, 2018 +853
I mean you wouldn't want someone logging in pretending to be you and then going around being nice to people would you? Secure your shit, man.
853
[deleted] Jan 24, 2018 +223
[deleted]
223
[deleted] Jan 24, 2018 +98
[removed]
98
IdTugYourBoat Jan 24, 2018 +27
Gotta protect ourselves against the looming threat of those meddling hackers logging into our accounts and responding to others with comments like: “I wholeheartedly agree with you!” and “I guess I was wrong, turns out you were correct.”
27
rospaya Jan 24, 2018 +175
Mods of important sublistnooks, I'm guessing.
175
the_beard_guy Jan 24, 2018 +283
You forgot to put quotes around "important"
283
TesticleMeElmo Jan 24, 2018 +75
/r/buttsharpies
75
ChozoRS Jan 24, 2018 +40
yo wtf
40
jb2386 Jan 24, 2018 +16
*importance intensifies*
16
poochyenarulez Jan 24, 2018 +40
That actually makes sense. Some celebrity and business accounts may need the extra security too.
40
koavf Jan 24, 2018 +26
> important sublistnooks

lol
26
dvsbastard Jan 24, 2018 +25
But now I can protect all that retirement karma!
25
[deleted] Jan 24, 2018 +24
Be careful when using Google auth. If your phone suddenly breaks, you're sol.
24
pwildani Jan 24, 2018 +18
Yes! Please create and record your backup codes separately!
18
gimmick243 Jan 24, 2018 +253
I ask every time you guys talk about 2FA, are you planning on supporting physical U2F tokens like Yubikeys? I prefer that to Auth apps.

Edit: I missed part of my thought in my original comment
253
pwildani Jan 24, 2018 +198
It's on our wishlist. We need to get the basics right first before the more complicated steps. We discovered an amazing number of login forms implemented in a wide variety of technologies while developing even this level of support, so adding something that's even a tiny bit complicated through all of those will take a while.
198
Natanael_L Jan 24, 2018 +60
U2F is literally state of art right now, with the tie-in to the browser's TLS session to prevent replay attacks. Plus built in privacy protection when using it with multiple sites (each site will see a unique U2F key).
60
[deleted] Jan 24, 2018 +38
[deleted]
38
gimmick243 Jan 24, 2018 +27
Thanks for the reply, I hope you guys consider prioritizing this, especially when U2F support is growing with companies like facebook and google
27
Cidan Jan 24, 2018 +24
Seconded here on U2F support. It's really the only way to securely enable 2FA.
24
[deleted] Jan 24, 2018 +11
Wow this looks really cool, I've never heard of this before your comment. This is something that I'm seriously considering purchasing. It makes being safe easy.
11
RedditThatOneGuy Jan 24, 2018 +21
My password’s so good that I don’t even know it.
21
lukewarm Jan 24, 2018 +96
What about u2f and/or "classic" yubico OTP? Having to enter a 6 digit number by hand is a serious nuisance for me. Hardware token is much less friction.
96
pwildani Jan 24, 2018 +57
Those are on our wishlist. As always it's a matter of balancing effort vs risk vs gain.
57
wayoverpaid Jan 24, 2018 +20
I'm glad they're on your wishlist. Security keys are so much nicer than having to type in an OTP
20
[deleted] Jan 24, 2018 +22
+1000 requesting U2F support
22
BlastCapSoldier Jan 24, 2018 +39
If someone is seriously gonna waste their time hacking my dumb account they can keep it tbh
39
Zencer45 Jan 24, 2018 +17
I’m supposed to trust Stringer Bell? Is Clay Davis in on this too?
17
D0cR3d Jan 24, 2018 +214
So glad that this is being released to everyone. It's worked very well for me since beta. Pro tip: If you use any script / bot to login with a 2FA'd account, or you don't get prompted for the 2 factor code then in the password field just do `YourPassword:2FactorCode`, ex: `Hunter2:123456`. If you use RES and the Account Switcher, it has support as well if you click the 2FA toggle then it will ask you for the code when you switch accounts.
214
[deleted] Jan 24, 2018 +17
> If you use RES and the Account Switcher, it has support as well if you click the 2FA toggle then it will ask you for the code when you switch accounts.

You are my very favorite person in the world right now.
17
MoNeYINPHX Jan 24, 2018 +160
What was that second field? All I see is *******:123456?
160
plonspfetew Jan 24, 2018 +53
That's because it's their real password. When you type your real password, it shows up as \*\*\*\*\*\*\*. Try it yourself. If anybody doesn't see \*\*\*\*\*\*\* instead of the real password, it's because they use the same one.
53
dewiniaid Jan 24, 2018 +124
One of these days someone is actually going to fall for that. It's why my password is just 8 asterisks, in case that someone is ever me. You'd never think ******** is my actual password.
124
dewiniaid Jan 24, 2018 +178
Oh wow, he wasn't kidding.
178
IqThicc Jan 24, 2018 +36
Top 10 anime plot twists
36
Lunnes Jan 25, 2018 +13
b0iPussy69 does it working ?
13
plonspfetew Jan 25, 2018 +13
Yes, for me it shows as \*\*\*\*\*\*\*\*\*\* instead of b0iPussy69.
13
[deleted] Jan 24, 2018 +8
Thanks for the tip!
8
bobcobble Jan 24, 2018 +444
Thank you so much for adding 2FA! I've been using it for around a month and I've had no issues with it. :)
444
StringerBell5 Jan 24, 2018 +271
You're very welcome!
271
Adys Jan 24, 2018 +108
Congratulations for now having better generally-available account security than most of the websites holding either my money or large amounts of purchases, including but not limited to Paypal, eBay and Steam. Also, well done on not requiring a phone number to enable TOTP. That makes you better than Twitter, the platform POTUS and many political officials use for communication, and Facebook, a website over a quarter of the planet is registered to. Wish I was kidding. Edit: SMS 2FA is neither secure nor convenient. Stop telling me Paypal has appropriate 2fa.
108
[deleted] Jan 24, 2018 +50
PayPal and Steam constantly mention to link your phone number, it's one of the set up procedures on PayPal you have to do to complete your profile.
50
kayne_21 Jan 24, 2018 +50
Steam has 2fa.
50
[deleted] Jan 24, 2018 +29
[deleted]
29
thearkadia Jan 24, 2018 +28
What about u2f Security keys
28
BizzyM Jan 24, 2018 +25
Here's another vote for U2F?
25
[deleted] Jan 24, 2018 +10
Damn Hunter2 isn't going to work anymore.
10
[deleted] Jan 24, 2018 +84
If someone wants my account to this dump badly enough they can have it.
84
FlapSnapple Jan 24, 2018 +127
Been using this as a moderator for the past few months now and it's been working great. Thank you! One follow up question though: Any update on having some sort of icon that indicates when a moderator has 2FA enabled so we can hassle other members of our team to turn it on? _(This icon ideally only being visible to other moderators so we don't advertise who on the team is least secure.)_
127
Dlrlcktd Jan 24, 2018 +95
Do you go around telling the whole apartment building when you leave your front door unlocked?
95
madd74 Jan 24, 2018 +39
As a mod of a somewhat large community having a mod be hacked and being hacked himself, it's actually a really great idea.
39
Dlrlcktd Jan 24, 2018 +18
I don’t doubt that mods having 2fa is a good thing, but if someone hacks an unsecured mods account, they can see all the other unsecured mods.
18
Mason11987 Jan 24, 2018 +25
then only have secured mods able to see it, or only allow the top mods. This isn't a huge deal.
25
Dlrlcktd Jan 24, 2018 +17
Or require all mods to have 2fa. I agree
17
LordPadre Jan 24, 2018 +11
this would not be ideal as a policy enforced by listnook, if it was just a condition of becoming a mod in a certain sublistnook then sure
11
kemitche Jan 24, 2018 +13
google, github, AWS, and many other sites that have organizations of users with 2FA all have options to either (1) view the 2FA status of all accounts and/or (2) require that they use 2FA to be part of the org/group. It's a critical feature when using multiple accounts to access a shared resource (such as moderating a large sublistnook) to be able to strictly verify the use of 2FA.
13
Cycloneblaze Jan 24, 2018 +19
> (This icon ideally only being visible to other moderators so we don't advertise who on the team is least secure.)

It would still advertise it to moderators, which could be a bad thing if somebody's account is compromised, since they know who else to go after. And that's assuming you trust your mods in the first place.
19
Mason11987 Jan 24, 2018 +7
> And that's assuming you trust your mods in the first place.

If they aren't trusted, then they don't have permissions to do any harm.
7