Information on accounts, passwords, logging in, and logging out
Second password
When you descramble it, you enter it from top down with each horizontal group being each part.
Entering the second password is to some degree annoying, but it thwarts phishing websites and thwarts all keyloggers except those that take screenshots. To top it off, it will work even without javascript or flash on, and it will work on browsers that can't select text or do mouseover events like iPhones.
The second password is much easier to enter each time when it's only ten characters and it only contains four unique characters (the minimum). This will make it less effective at protecting you from keyloggers, but it should still work against phishing sites, as you can change your first password right away if you get a phishing site.
For convenience, when you unscramble your second password, duplicates of the same letters and numbers are removed and the results are then put in order.
Blind users, it is easier to enter this if you obtain a Braille computer monitor.
The only security problem in logins is if you log into a phishing site and it performs a man-in-the-middle attack. This can only happen if you're logging into a site other than "https://randomplaza.com/", as that has a signed SSL certificate that prevents man-in-the-middle attacks, and https is encrypted.
When login expires
Whenever you change your IP address, you will have to log in again. If you use AOL, which automatically changes your IP, then access this website from a web browser outside of AOL's software and it should not go through AOL's proxies. If you use internet access that's tethered to a mobile device, then it sometimes keeps your IP address steady and sometimes constantly changes it at whim. If your mobile connection constantly changes it, then connecting to some server that allows a permanent established connection will force your IP to remain the same until it disconnects you for inactivity. One easy way to stay connected to something is to download free IRC software, connect to a free IRC network, and join a new chat room that you make up by typing random characters, making sure nobody is in the room. The latter will keep you steady in a chat room that nobody can kick you out of.
Cookies are set to expire based on an internal value in the cookie and have an expiration value on your computer much greater than this in order to deal with people having possibly incorrect computer dates. Our website will see the value in the cookie and unset the cookie if it has expired.
Your login normally lasts 4 hours. If you're working on something and then suddenly find yourself receiving the error message that you've been logged out, then log in in another window and hit refresh on the screen you were logged out of.
Logging out
When logging out, please click the logout button instead of merely clearing cookies. When you are logged in, we associate the IP address you logged under with your activity and only allow that one IP address access.
If you connect via an insecure network such as certain wifis, then they can monitor all your activity, hijack your cookie, and then access your account. Therefore, clicking logout will fix it so that no one can access your account even with a valid cookie until you properly log back in again.
Some people specifically run open wifis as honeypots to gather people's information. When you enter passwords on our site, it is always through SSL encryption, and this prevents any wifi, proxy, or other network that you go through from viewing that information. However, they can still steal your cookie and then access Random Plaza from the same IP address as you.
Some wifis also use an insecure data transmission in which people who are not even running the wifi can eavesdrop on your communication.
If the cookie is four hours old, though, then no one can access your account with it.
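The login rules described under "When login expires" and "Logging out" can be sketched as one server-side check. This is an added example, not Random Plaza's own code; the HMAC signature on the cookie, the 30-day browser expiry, the cookie layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: signing key kept on the server
LIFETIME = 4 * 60 * 60             # the four-hour login lifetime, in seconds
BROWSER_MAX_AGE = 30 * 24 * 3600   # assumption: browser-side expiry set far later
active = {}                        # session id -> IP address it was issued to


def _sign(payload: str) -> bytes:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue(session_id: str, ip: str, now: float) -> str:
    """Log in: record the IP server-side, embed the issue time in the cookie."""
    active[session_id] = ip
    payload = f"{session_id}|{int(now)}"
    return f"{payload}|{_sign(payload).decode()}"


def set_cookie_header(cookie: str) -> str:
    """The browser keeps the cookie long; only the embedded time is trusted."""
    return f"Set-Cookie: session={cookie}; Max-Age={BROWSER_MAX_AGE}; Secure; HttpOnly"


def logout(session_id: str) -> None:
    """Drop the server-side record so a copied cookie stops working."""
    active.pop(session_id, None)


def check(cookie: str, ip: str, now: float) -> str:
    """Return 'ok', or the reason the cookie is refused."""
    try:
        session_id, issued, mac = cookie.split("|")
        issued_at = int(issued)
    except ValueError:
        return "malformed"
    if not hmac.compare_digest(mac.encode(), _sign(f"{session_id}|{issued}")):
        return "bad signature"
    if now - issued_at >= LIFETIME:
        return "expired"
    if session_id not in active:
        return "logged out"
    if active[session_id] != ip:
        return "ip changed"
    return "ok"
```

A cookie copied on the same network still passes `check` from the same IP address until `logout` is called or four hours have passed, which is why clicking the logout button matters more than clearing cookies.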
Password recovery
Please make sure that you have a reliable email provider so that if you ever need to use the password recovery function at Random Plaza, you aren't locked out of your email account as well.
Beware of creating a new account with certain free email services, as those services like to suddenly lock you out of your account for no reason. Email services that do this are horrible for any kind of password recovery.
Comparison of free email services:
- boardermail.com -- uses an animated gif of 200 letters and numbers running all at once randomly, changing 30 times a second. Unable to make an account due to its CAPTCHA.
- care2.com -- Largely decent. When signing up, its CAPTCHA has pictures of animals and says to select which ones are birds, but it's broken and may take a human several tries of selecting only birds before the website works. It's still better than most CAPTCHAs due to actually being easy for humans to do, as opposed to easy for bots to do and near-impossible for humans to do like most CAPTCHAs are. The one downside of their system is that mail sent to a care2.com email account takes forever to arrive in a person's inbox.
- excite.com -- Crap. Uses some bloated interface to view mail that never finishes loading. Stops at 6%.
- fastmail.fm -- In our experience, 99% of the time when we sign up with them, regardless of the IP range, we'll receive at most 2 small emails on it, we'll never send any emails, never violate TOS, and then suddenly after 3 days of being up, our account is banned, no reason is sent to our alternate email and we receive this when trying to log in, "The account you are trying to access has been disabled due to over-quota use, or usage abuse. The system limits the number and size of emails you can send in an hour as described here and here. You will have been sent a warning email to your account, and your backup address when you reached half your usage quota, and again when you reached your full limit. These emails will describe the limit you reached, and why your account was disabled." After talking with them, they said, "Our system has found multiple "Guest" accounts of which the account '[edited the quote from them to remove it]@fastmail.fm' is a part. Based on our terms of service, you have agreed not to use multiple free accounts: Where free accounts are provided, you agree that you will not create more than one free account to be used by one person." We tested their system and found that they aren't linking accounts by IP range, user-agent, or cookies, but instead every account's password appears to be unencrypted in their database and if you share a password with anyone else, they'll ban both your accounts.
- gawab.com (recommended) -- It makes you fill in a bunch of long forms during signup (for which it will of course get lots of fake info as a result); however, its CAPTCHA is reCAPTCHA, and while this CAPTCHA is broken on most sites, this site somehow continues to use the old system, which a human is capable of getting past. The service is pretty good. The site includes free POP and SMTP. The site gives a free 10 gig inbox. It does have an annoying popup and confirm message when you check "remember password" on signin. Some mail to gawab from some places will get there instantly and others will not arrive for a day. It's recommended to switch to the classic webmail as that has a much better interface and is also more customizable. The only advantage the new interface has is that you can set it to save all sent mail by default, which the old interface won't do. The new interface is bad as it loads slowly and won't let you open mail in multiple windows. This site also has a bug where if you click to remember your password, it'll give an annoying javascript popup to confirm and then it'll ignore the option, and after only fifteen minutes of inactivity it forces you to relogin. Recommended anyway because most free mail services have large problems.
- gmail.com -- Has no way to contact a human and google won't answer anyway. Registration is impossible without a CAPTCHA-reading program. Gmail will also about once every single day make you enter a CAPTCHA at login so it locks you out of your account, the password recover system won't let you get your account back, and there is no way to contact a human at Gmail for help. It is proven guaranteed that no human being can ever read gmail's CAPTCHAs, however the bots read Gmail's captcha 100% of the time accurately. The only advantages of gmail are free POP and SMTP access and also that if you use the webmail interface (doesn't do this for SMTP), it doesn't spill your IP address. Gmail also has a problem where mail isn't sorted into folders, it's hard to mass delete, and even if you delete it and then clear the trashcan, according to Gmail's TOS they may store the email permanently anyway. Gmail will also occasionally block entire time zones from sending email, even to google. On very rare occasions, it scrambles your password, but unlike yahoo, you can get access again. In order to read Gmail's CAPTCHAs, you will need a program like "Jiffy Gmail Creator" and if you put that into Google's search, then Google will ironically show you lots of information on getting it. Gmail designed its signup CAPTCHAs so only AIs can read them to keep real humans out. Oh, and as of June 2009 they do the most abusive thing a website has ever done, which is demand you verify your cell phone to register, which they probably sell to telemarketers but of course you can't ask Gmail if they do because they have no email support for their service.
- hotmail.com -- Interface is very bloated with javascript and other crap. Interface is generally buggy unless using Microsoft Internet Explorer. Also, it's blocked from accounts for Random Plaza because its spam filters lose most legitimate email (not even storing them in the spam folder) and it's hell dealing with a trading partner that never gets your emails. Even worse, when composing mail, with many versions of browsers, it is impossible to enter text in the body of the email. In addition, try sending a test message to yourself, the very same email that made the account, and you will be forced to decipher a human-unreadable CAPTCHA that requires you to buy expensive CAPTCHA-reading software to decipher it.
- inbox.com -- Demands you answer a call to verify, which is completely against the purpose of a free webmail.
- mail.ireland.com (recommended) -- Their signup CAPTCHA uses reCAPTCHA, which is human-passable after several tries when their reCAPTCHA is not broken (during summer 2009 reCAPTCHA was broken on almost all websites including this one). Switch to the standard HTML version because it's better and always is in every mail service. Their standard mail interface is the best mail interface ever. mail.ireland.com is a very good service and reading mail in it is not bloated by crap and you can open mail in different windows because it uses real HTML links to open the mail instead of JavaScript. mail.ireland.com is good when it works, but it sometimes has technical problems such as outages. The worst technical problem is on new accounts, it occasionally makes the password not work and the reset password function will give you a random string to make as the password and well when we've tried it (which wasn't that much), the new randomly generated password that thing gave did not work and instead it secretly made it "password1". This company also is hard to get to answer email. If you can get past its problems, it's the best free email service, but its problems sometimes kill it.
- mail.rediff.com -- Worked in 2008, but since 2009 it's just horrible! Although the CAPTCHA is readable by humans, its main page www.rediff.com uses only bloat, awful flash as its interface. mail.rediff.com must be found by searching with google. Then their mail index page on mail.rediff.com loads about 50 pages hidden within it with javascript and you can't disable pictures or signup won't load the CAPTCHA so your browser must load 10 megs of spam and garbage. Then the signup is completely impossible and worthless because its javascript makes the two text boxes to enter your password for signup uneditable completely. Awful! To top it off, once you get a cookie from them on your browser, most attempts to go to mail.rediff.com are redirected to www.rediff.com. By the way, you can't click any link on mail.rediff.com with javascript disabled because its web designers have never learned a single bit of HTML or XHTML and every single link is in javascript. To top it off, their signup form also has poor instructions, and where one expects to put their rediff username (it says "Your email ID"), it demands you include another email address, which is a horrible, evil privacy violation, but thankfully not all disposable email services are blocked. And even after you hack through and force your way through their intentionally broken site, and get their confirmation string, the site refuses to recognize your "email ID" or password as valid no matter what attempts one tries.
- xmail.net -- This is a pretty decent mail system. Its CAPTCHA is human readable and it also gives you free webspace if you want to host a few small files. The only problem is that their website has downtime issues. For example, the site went down early February 2009 and didn't come back until late March 2009, after which they never even mentioned the downtime on their site and never responded when we asked why it was down.
- yahoo.com -- For 90% of the new Yahoo accounts we've created whether it's email or something else, no matter the IP range or anything else, Yahoo will rape the account so the password does not work in less than a day. Yahoo also deletes any services related with the account, and then does not let us gain access to it again through its "forgot password" function, saying, "Sorry, your password cannot be reset online" (google that last quote and you will see it happen to other people, too). They'll do this to accounts that never sent mail or ever even used its service except to receive emails and never do anything wrong. We've confirmed this is something Yahoo is doing on their own. Yahoo does have potential, but to use it properly, you must make an account. Then wait several days and if the account survives, then the email account is good, except that you occasionally get emailed advertisements from yahoo and most of the time it's impossible to send email from yahoo without entering a human-unreadable CAPTCHA. Yahoo got tired of people complaining about the CAPTCHAs so they required people to enter the CAPTCHAs to contact yahoo, which then prompted people to send them faxes instead, which they never read. This URL http://us.mg2.mail.yahoo.com/dc/optout?script=no is important for making accounts on it as it gets you to the interface that is less bloated, less buggy, faster, superior, and you don't sit around for 10 minutes while it does a tour before you can use it. When their CAPTCHA looks like it's human-readable, 90% of the time the letters that a human reads, yahoo claims they are wrong, however CAPTCHA-reading software will always read them correctly, despite that humans can't. Try sending a test message to yourself, the very same email that made the account, and you will be forced to decipher a human-unreadable CAPTCHA that requires you to buy expensive CAPTCHA-reading software to decipher it.
Even worse, around summer 2009, yahoo forced profiles again, putting the personal information you entered into the account on a public profile. It is impossible to get it removed because it requires bypassing a CAPTCHA for you to change it and the CAPTCHA is broken so it's 100% impossible every single time to get past it and yahoo's staff outright refuses to remove any public profile information on your account no matter what.
- webmail.wapda.com -- This is a great free email site with an adequate interface. Their CAPTCHA at this time is even text that you can copy and paste. However, it only allows one in a trillion of the world's IP address ranges to actually sign up.
Know any other good email services? Please contact us.
Tip: Use a disposable email account to deal with any free email service's abusive demand that you provide it another email.
There are other websites besides free email services that will even scramble your password on their own. With one popular online auction website, if you log into it through open proxies that use HTTPS or else Tor, then it will often scramble both your password and secret question so it's much harder to get your account back. The password recovery systems of such websites work, but often when you make an account many websites start out demanding your personal information and most people give them made up information and don't write it down. Of course, if you did give them your real information, then anyone who finds it out can use it to hijack your account; this type of hijacking happens most often to celebrities.
Phish is not just a band
If you receive any link in email to visit our website, do not sign in by following the same link. For example, you may have a link to confirm your email address. Once done, make sure you log in through the site with the domain ending in randomplaza.com/
In some of our automated emails related to offers you made or received, we may link to a user's feedback or a listing and none of them require you to sign in to view. But it is also possible that you could get a phishing email. The links we send are for convenience and you can still use them, but it is best to open a new window and log into Random Plaza through a fresh URL.
Random Plaza will never email you requesting either of your passwords. Any such email is a phishing scam. We also will never email you that you must update your account information or we'll suspend it.
Misc security information
All our software is programmed by our own company and searched through.
We should be immune to SQL injection: all information going to our database has lower ASCII filtered out, and the \, " and ' characters are either filtered out or replaced with something else when stored in the database.
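The filter described above, combined with bound query parameters so that stored text is never parsed as SQL. This is an added example, not Random Plaza's own code; reading "lower ASCII" as characters below 0x20, the HTML-entity substitutes, the `listings` table and the function names are all assumptions.

```python
import sqlite3

# Assumption: the page does not say what the characters are replaced with.
REPLACEMENTS = {"\\": "&#92;", '"': "&quot;", "'": "&#39;"}


def filter_input(text: str) -> str:
    """Drop characters below 0x20, then replace backslash and both quote marks."""
    kept = (ch for ch in text if ord(ch) >= 0x20)
    return "".join(REPLACEMENTS.get(ch, ch) for ch in kept)


def store_listing(db: sqlite3.Connection, title: str) -> int:
    """Filter the value, then insert it through a bound parameter (the '?')."""
    cur = db.execute(
        "INSERT INTO listings (title) VALUES (?)", (filter_input(title),)
    )
    return cur.lastrowid


def demo():
    """Store one constructed title and return what the database now holds."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)")
    # Constructed sample input with quotes, a backslash and control bytes.
    rowid = store_listing(db, 'Bob\'s "rare" card \\ mint\x00\x08')
    title = db.execute(
        "SELECT title FROM listings WHERE id = ?", (rowid,)
    ).fetchone()[0]
    count = db.execute("SELECT COUNT(*) FROM listings").fetchone()[0]
    return title, count
```

The bound parameter keeps the value out of the SQL text even if the filter misses a character, so the two measures do not depend on each other.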
We block javascript from appearing on our listings. So not only are you protected from it, you are free to use your right mouse button again for uses other than making a popup message that was caused by javascript.
At Random Plaza, each account's two passwords and secret date are encrypted and salted in the database and the first password is encrypted and salted in a way that is not reverse-decryptable, only checkable if the password matches it.