If you know what your contact email address is, but you've lost access to it, usually that is no problem. As long as you still know your login and password, you can just log in, go to the profile tab, and change the email address we have on file to your correct address.
The only time this becomes a problem is when you have lost accessed to your email address and you can't log in. That's a much more difficult situation. If you contact us from an email address not associated with your membership, we have no way of differentiating you from someone who set up that email address five minutes ago in your name to steal access to your membership. That's one reason why it's very important to keep your member contact email address up to date at all times. (But if you're reading this, it's probably too late for that reminder to be helpful right now, so just keep it in mind for the future.)
To resolve this situation, you will have to have us change the email address associated with the membership. However, that can only be done after completing our login recovery process. To complete this process for a lost email address, please follow these steps:
Carefully review the list of possible recovery actions in this FAQ entry.
Determine which of those actions you wish to perform. For lost email accounts, our failure to contact the current address must be one of the actions.
Email us from the new email address you want to use. In your email, specify a list of which recovery actions you wish to perform. Make sure your list includes enough actions for a successful recovery. (The default is 3 but if you customized this from the profile tab, you'll have to remember that.)
Include any documentation pertaining to the recovery actions you have chosen as attachment(s) to that email. Typically this will include a photo ID and a bank account or credit card statement.
Other requested steps will be initiated from our end as appropriate once all documentation requirements have been satisfied. After the process is complete, any personally-identifying information you provided during the recovery process will be discarded.
While completing this process, please observe the following guidelines:
Do not attempt to use an optional recovery action that you did not set up beforehand.
Do not send any documentation not specifically identified as acceptable.
Do not send documentation that does not meet the requirements.
Do not redact, crop or edit any documentation you send.
Do not ask for any exceptions to the policy.
Do not attempt to negotiate or argue with the recovery process.
The process typically takes 10-60 minutes of work on your part to complete. Although burdensome by Internet standards, it is typically not actually difficult unless there are extenuating circumstances. For example, if you gave us a fake name when you signed up, you're probably about to have a very bad day.
Due to the requirement that we attempt (and fail) to reach you through your current contact email address, recoveries of this type can take a long time, up to a week. Once the process is completed, we will update the email address associated with your membership to the one you used to initiate the recovery process. At that point, you will be able to recover your login information and regain access to our system.
Important: Because we don't know whether you're you, we will not help you complete the process. We will not give you hints. We will not tell you how many actions you have to complete. We will not give you any information about the status of the membership. In fact, you may find our staff unusually distant and/or unhelpful during the recovery process. To avoid leaking information, while your membership is in the recovery process, the only response to any inquiries you send will be automated messages indicating whether or not you are making progress toward recovery.
This is not personal, nor is it representative of our attitude toward helping our members. It reflects that most people who attempt the recovery process are trying to steal something, and those are people we have no interest in helping at all. That we helped them accidentally or with the very best of intentions won't be any consolation to the member we helped them steal from. So, we apologize in advance to our legitimate members for any "guilty until proven innocent" treatment they may receive while completing the recovery process. It's hard, and it sucks for everyone, but it's the right way to keep our members' stuff safe.
Visit the Profile tab and select the "Change Password" action to set a new permanent password.
If at any point prior to step 2 you successfully log in with your old password, the password reset will be cancelled. Likewise, requesting a new password reset (once an hour has elapsed) cancels any incomplete previous password reset attempt.
The short answer is that fraudsters and thieves wrecked it for you.
While we support the notion of Tor on an ideological level, our real-world experience with Tor has consisted of extensive problems with Tor-sourced hacking attempts and an unsustainable level of Tor-sourced credit card fraud. We also encountered relentless exploitation by spammers and phishers using Tor to create throwaway accounts. (Sign up, create a site, send spam, get caught, sign up, create a site, send spam, get caught, sign up...)
We understand that it isn't the existence of the Tor network that makes these things possible, but it does make them easy, and when virtually all of the traffic from a certain source is malevolent, blocking that source can be the only option. Forcing people off of Tor at least long enough to confirm their membership and make an initial deposit may not be the ideal solution, but it's hard to argue with results.
For that reason, we restrict access to our member interface from IP addresses that are listed as a current Tor exit node. To lift the Tor restriction for your membership, you must already have a membership and a funded account, and you must explicitly request that Tor access be allowed via our assistance request system. (All of which must be done without using the Tor network.) We require manual approval to filter requests based on the common sense of a real person and protect members who don't use Tor from Tor-based brute force attacks on their password. We charge a nominal fee ($1.00 -- waived for subscription members) to reflect the manual nature of the review.
If you know of a reliable way for us to distinguish a handful of good people amidst a throng of would-be criminals in an environment that's raison d'être is to make distinguishing people impossible, please let us know. So far, making sure we already have a relationship with the good people is the best we've come up with.
Note: if your IP is operating a Tor exit node with a policy that allows access to our system, it doesn't matter whether you are using Tor to access our system or not; if traffic originates from a Tor exit node, there is no technical way to distinguish whether or not it passed through Tor. (If there were, it would seriously undermine Tor.) For example, the limit will still apply if you run a Tor exit node but bypass it to access our system. Similarly, if you use a VPN service that allows its customers to run Tor exit nodes, your VPN server's IP may be listed as an exit node even if you are not personally running one. These are all situations that can be addressed through the approval process.
Completely separate from that, we also have concerns about reports of unscrupulous Tor exit node operators diverting TLS connections. This is a real thing; I have personally experienced a case where using a particular exit node led to TLS certificate mismatches when accessing a site where I knew no such mismatch existed. You should think carefully about passing any secure information through the Tor network.
If you are running a Tor exit node on your IP, even if you aren't using it to access us, you'll have to cut back to relay-only long enough for the change to be picked up by Tor's published server list before you can sign up or log in. If someone else is running a Tor exit node on your IP address, you'll need to either work with them to do so or use a different IP address to access our system and request approval.
To make sure you receive automated system emails from us (including signup confirmations, password resets, account balance warnings, domain renewal notices, and other automatic service-affecting messages), make sure you are allowing email from notify@NearlyFreeSpeech.NET.
To make sure you receive any handwritten emails from us, make sure you are allowing email from support@NearlyFreeSpeech.NET. Finally, each support ticket is assigned a unique email address @support.nearlyfreespeech.net (but we don't get too many reports of those being blocked).
We won't send you any spam or unnecessary messages from any of these addresses.
If you're not receiving email from us, the first thing to check is your junk mail folder. Since our system is highly automated, junk mail filters occasionally incorrectly flag the messages it sends as spam. If you don't find them there, check your junk mail settings. Some email providers make it very easy to block a sender and silently delete such messages, making it very hard for you to figure out later that the sender is blocked.
If you're still unable to resolve a problem receiving email from us or our system, please feel free to contact us. Ironically, you'll probably have to do that by email, but if the problem is with receiving automatic messages, we'll have a real person write back. Write to us from the email address you're having trouble with, and we'll look up the fate of any messages we tried to send there. If there's a problem on our end, we'll fix it. If there's a problem on your end, we'll try to find a way to provide you with the relevant log entries so you can ask your email provider what the heck is going on.
Our login recovery process applies in very specific, rare situations:
You have lost your login information and access to your email address at the same time.
You have a two-factor authentication configured, your second factor is lost or broken, and you don't have one-use recovery codes saved.
We determine that control of a membership and the associated email address have been hijacked or transferred to someone other than the named member.
To recover access to a membership in these situations, we offer a variety of possible recovery actions, and a certain number of them must be completed successfully. The login recovery process is very onerous (by Internet standards, anyway; it's not really that difficult) and since its goal is to prevent illicit membership access, you will probably find that we are not very helpful while you are completing it.
These recovery actions can be performed by any member at any time:
You provide a legible, unredacted image of a currently-valid government-issued photo ID matching the name on the membership. Examples include a driving license, passport, or state-issued ID card. All ID's are considered on a case-by-case basis, but a good rule of thumb for whether a particular photo ID will be acceptable is whether it shows your date of birth and whether you can go to prison for forging it. (Note: Most school-issued ID's do not meet our requirements.)
You provide a legible, unredacted image of a preprinted statement showing a transaction matching the date and amount of a recent deposit to an account on your membership and the (personal or business) name we have on file for the corresponding account. This usually means a bank or credit card statement. PayPal provides downloadable monthly statements that you can use, but you will typically then also have to verify your address as described below. Email receipts and screenshots (e.g. from PayPal or us) are not acceptable.
If (and only if) you lose access to your email: We try and fail to contact you via the email address we currently have on file for your membership. (This one may take a long time.)
If (and only if) you lose your configured two-factor authentication device: We successfully contact you via the email address we currently have on file for your membership.
These optional actions must be set up in advance from the profile tab in our member interface in order to be used for recovery:
You complete SMS verification. (Requires SMS to be configured in advance.)
You complete two-factor verification. (Requires two-factor authentication to be configured in advance.)
You correctly answer your pre-set security question. (Requires a security question and answer to be configured in advance.)
You use an ssh key to create a file with a specific name on one of your sites hosted here. (Requires an ssh key to be configured in advance. Also requires that you have access to at least one currently-working site hosted by us. Caution: If you are out of funds, your sites can't be accessed!)
The default number of actions required to recover a membership is three, but this can be customized from the profile tab in our member interface to make recovery (and consequently hijacking) more or less onerous.
If (and only if) you choose to provide both a photo ID and an account statement, then at least one must display the same official mailing address as that shown on the corresponding account. If neither does, you must additionally provide address verification, typically a utility bill, lease, or property tax bill matching both the address and the surname or company name on the account (either currently or contemporary with the deposit). If you are providing either photo ID or an account statement, but not both, then you can skip this requirement.
The third and worst case scenario is that you have two-factor authentication configured that isn't working and you didn’t save any one-use recovery codes and you don't know your login and password and your member contact email address isn't working. This case is so spectacularly unlikely that even if your recovery settings are lower, you will have to complete all possible verification steps to regain access to your membership. Seriously, don't let this happen.
Unfortunately, the vast majority of "I lost all my information, please make an exception to your security practices and let me in" requests we receive come from people trying to gain illicit access to someone else's membership. NearlyFreeSpeech.NET takes the security and privacy of our members' services very seriously. We believe our members know that we are serious about protecting their privacy and security. We believe that's at least part of the reason a lot of them pick us. We believe that they expect us to live up to that in situations such as these so that when they emerge from it, they can be supremely confident that their membership can't be hijacked by the first person who comes along with a good story. Consequently, we automatically construe any attempt to convince us to make an exception to our standard practices as an attempt by an unauthorized party to socially-engineer illicit access. This includes threats, attempts at negotiation, sob stories, and everything in between.
If you are a current member of our service and you log in successfully with your correct member login name and password, and then you get redirected (possibly after seeing a "click here to continue link" flash by) to the same login page again without any red error messages, this indicates that your browser did not accept the cookie our site sets to indicate you are logged in.
If this happens, here's what to check:
Make sure that your browser is accepting cookies for members.nearlyfreespeech.net. This can be affected by your browser security settings as well as third-party Internet security software. (When testing this, we recommend you start from a known point by first deleting any cookies you currently have for our sites.)
Verify that your computer's system clock is set to the correct time and time zone. Unlike other sites -- some of which want to track you for years -- our cookies last only a few hours to protect your privacy. As a result, even small-scale system clock and time zone issues can make your computer think our cookies are already expired, even though it will happily accept cookies from most other sites. (Note: Clocks that are 12 or 24 hours off can be particularly hard to spot.)
To help debug these issues, try logging in from a different browser on the same computer. If that works, it tends to indicate a browser issue. If it still doesn't work, that suggests a systemwide issue like security software or a clock problem.
First, if you are having trouble logging in, make sure this is the exact error message you are receiving. There are several other things detailed in this section of our FAQ that can cause problems logging in, but they each display a different message.
To prevent people from using incorrect login attempts to gain information about your membership or our system, this message is intentionally vague. However, if you see the "login information is incorrect" error after attempting to log in, our system will send an email to your member contact address with more detailed information about the failed login attempt. That information will include whether the problem is with the password, or (if you are using it) two-factor authentication.
If the problem is with the username, our system won't know who you are and can't send the email, so make sure to check for typos in the username. If you're not sure about your username, you can request that our system verify it for you.
If the email refers to a problem with two-factor authentication or "secondary auth," that typically indicates that you have a two-factor device configured for your membership, but that you didn't enter an authentication code from your device, used the wrong one (perhaps one for another service), or waited too long to login after generating it. If your two-factor device is lost or broken, you can use previously-generated one-use recovery codes to log in. If you don't have any one-use recovery codes saved, you'll have to go through our login recovery process.
If the email indicates the problem is with the password and you're not sure you have the right one, you can request a reset. When using temporary passwords generated by our system, the most common problems are:
Not confirming the reset before trying to use the new password. (Make sure to follow the instructions in the message.)
Hard-to-discern characters in the password, like 1, l and I, or 0 and O.
Extra whitespace characters before or after the password (especially if using cut and paste).
Entering a confirmation code in the password field. (They are not the same.)
We don't know what your password is, and there is no way for us to retrieve it. If a particular password is giving you trouble, even if you're sure you know what it is, your best option is often to request a reset anyway. (You can do this up to once an hour.)
When you enable two-factor authentication, you are supposed to generate and securely save one-use recovery codes. This situation is what those codes are for; they are used in lieu of codes generated by your two-factor device. As long as you have them, you can use one code to log in as normal and two codes to remove the two-factor device from your membership. Then you will be all set.
To start that process, please send a message to firstname.lastname@example.org from the contact email address associated with your membership indicating that you want to complete the login recovery process to generate additional recovery codes.
Assuming you contact us from the correct email address, our system will send you a response listing which recovery actions are configured for your membership and how many of them you must complete, along with more specific instructions about how to proceed.
If, for some reason, you have lost your two factor device and access to your email at the same time, you're probably screwed, but if not you must do login recovery to update your email address first. We will not process recovery requests related to two-factor devices from email addresses other than the current member contact address.
You can ask our system to send a message to the email address associated with your membership telling you what that address is by visiting the login recovery page.
If you know what your contact email address is but you can no longer access it, or if you have no idea what the address is and cannot find our recovery emails, please see this related entry.
Memberships are held by individuals and have that individual's name on them. Our policies strictly forbid both sharing memberships and transferring your membership to another person. (It is, however, quick, easy and allowable to transfer an account from one membership to another or to share an account between multiple memberships when appropriate.)
If you share or transfer control of your membership, we will eventually detect that, and the membership will be suspended. Murphy's law guarantees that this will happen at the time that is most inconvenient and problematic for you. If you're reading this entry, that time is probably now.
If you are the named member, you can restore access to a membership suspended for this reason by contacting email@example.com from the email address that was on the membership prior to any fraudulent transfers, and completing all of the following steps:
Confirm that you are the person named on the membership.
Provide a legible, currently-valid government-issued photo ID matching the name on the membership.
Confirm that you understand that your membership is in your individual name and may not be shared or transferred.
Confirm that if you wish to transfer an account or any of its contents to another person, you (and they) will follow all of our policies in doing so.
If you do not have access to that email address, or if that email address does not belong to you (for example because someone else created a membership in your name despite the bold print warning not to do that), you must additionally complete the verification steps for a lost email address.
If you are not the named member, and someone else gave you control over their membership and it was subsequently frozen as a result, you will not be able to complete this process. Only the named member can do so. Your only recourse is to find them and obtain their assistance. This is true even if they quit, got fired, moved away, were voted out of office, broke up the band, divorced, went to jail, graduated, made a vow that forbids use of technology, whatever.
Please do not contact us asking for exceptions or special treatment. This situation only occurs as a direct result of violating our Terms & Conditions of Service (and the bold-print warnings presented at signup), and any problems that result are entirely self-inflicted.
Please also be aware that as of September 2017, if you have violated our policies around memberships and if that violation causes any problems or extra work for us we may assess a $50.00 fee to cover the time we spend dealing with the resulting mess.
If your ISP changes your IP address, or you use Tor or another service that causes your web request to originate from multiple IP addresses, you may find that our system prompts you to log in again whenever your IP changes.
This is a security measure designed to prevent session hijacking. By default, all your requests must originate from the IP address you logged in from. However, if your IP address changes frequently, constantly logging in can get super annoying. So this behavior is configurable.
To review or change your session protection settings: