Improving User Account Authentication and Security

If you logged in this past week, you’d have noticed a new email verification step after you entered your login details. This change is part of a broader user account security overhaul that was deployed on the website earlier this month.

Two-Factor Authentication

All users now have two-factor authentication (2FA) enabled on their accounts. When you log into the site, a one-time passcode (OTP) will be sent to the email address on file and you’ll need to enter that code to complete the authentication process. Email OTP isn’t as secure as other 2FA methods, but it’s easy to implement and use. Provided you don’t reuse the same password for your email account, this 2FA method will improve account security over single-factor authentication – more so if your email account also has 2FA enabled (do we call that 4FA?) and/or you use a password manager.

Unless you’ve just started your internet journey, you’ll know that large data breaches are becoming more common every day. Millions of emails, passwords, and other personal data have been stolen in cyberattacks. Hackers then use this information to try and gain access to your accounts through brute force, phishing, and social engineering. This makes it risky to rely solely on a username and password to authenticate an account.

This is where 2FA comes into play. After you enter your username/password combination, a second identifier you provide is verified. Even if your password is compromised, a bad actor cannot access your account without that second identifier. The unexpected 2FA request would also notify you that your account might be compromised, so you can change your password. It’s another layer of security designed to help protect your account and data.

Password Policy

To help you easily create a secure password, we’ve implemented WordPress’ password generator and strength meter features. This is the same technology used in WordPress’ Password Reset workflow. If the auto-generated password isn’t for you, the password you set will need to be a minimum of 12 characters long. A combination of letters, numbers, and symbols is recommended, but not required.

Did you know the most common (and insecure) password ever used is 123456? Not only is this easy to guess, but according to Have I Been Pwned, it has been exposed in data breaches over 40 million times! So what makes a good password? It should be long (16-20 characters or more), a mix of letters, numbers, and symbols, and unique for the specific website. But since we are humans and not machines, trying to remember a secure password like this for every single website you’ve signed up on is a near-impossible task. This is where a good password manager like 1Password comes into play. You only need to remember one long password, and the rest are saved and auto-filled securely by your password manager.

Account Updates

When you update your email address or password, a new verification email will be sent before any changes can be made to the account. Like 2FA on login, this is another layer of security designed to reduce the risk of a bad actor completing a full account takeover. If someone else was able to get access to your account – you might have logged in on a shared computer and forgotten to log out – they can no longer change your email or password without your knowledge and permission.

Finally, no security measure is foolproof. The new features are only barriers designed to make it more difficult (not impossible) for your account to be hacked, and it’s important you continue applying good security practices to your daily routine. 

If you have any problems logging in or updating your account details, please get in touch and let us know.

Happy PDFing!