If you know what your contact email address is, but you've lost access to it, usually that is no problem. As long as you still know your login and password, you can just log in, go to the profile tab, and change the email address we have on file to your correct address.
The only time this becomes a problem is when you have lost access to your email address and you can't log in. That's a much more difficult situation. If you contact us from an email address not associated with your membership, we have no way of differentiating you from someone who set up that email address five minutes ago in your name to steal access to your membership. That's one reason why it's very important to keep your member contact email address up to date at all times. (But if you're reading this, it's probably too late for that reminder to be helpful right now, so just keep it in mind for the future.)
To resolve this situation, you will have to have us change the email address associated with the membership. That is done by completing our login recovery process.
For this type of recovery, we require the login recovery action about attempting (and failing) to reach you through your current contact email address. If that address is working but you don't have access to it, we may have to wait up to a week to confirm that we are not going to get a reply.
Once the process is completed, we will update the email address associated with your membership to the one you used to initiate the recovery process. At that point, unless there are other problems, you should be able to reset your password and regain access to our system.
You can recover your login name (using your member email address) or reset your password (using your login name and email address) from this page on our public web site.
Here are two crucial pieces of information you need to reset your password and log in successfully:
Your new temporary password will be in your password reset email, but the change will not take effect until you click the confirmation link.
The confirmation code (used to confirm you want a reset) and your new temporary password are both in the email but are not the same thing.
To complete a password reset, you must perform all four of the following steps:
Request a password reset email from our public web site. (You can do this once per hour.)
Click the confirmation link in the password reset email. (This prevents others from harassing you by resetting your password without your consent.)
Log in to our member interface using the temporary password found in the password reset email.
Visit the Profile tab and select the "Change Password" action to set a new permanent password.
If at any point prior to step 2 you successfully log in with your old password, the password reset will be cancelled. Likewise, requesting a new password reset (once an hour has elapsed) cancels any incomplete previous password reset attempt.
The short answer is that fraudsters and thieves wrecked it for you.
While we support the notion of Tor on an ideological level, our real-world experience with Tor has consisted of extensive problems with Tor-sourced hacking attempts and an unsustainable level of Tor-sourced credit card fraud. We also encountered relentless exploitation by spammers and phishers using Tor to create throwaway accounts. (Sign up, create a site, send spam, get caught, sign up, create a site, send spam, get caught, sign up...)
We understand that it isn't the existence of the Tor network that makes these things possible, but it does make them easy, and when virtually all of the traffic from a certain source is malevolent, blocking that source can be the only option. Forcing people off of Tor at least long enough to confirm their membership and make an initial deposit may not be the ideal solution, but it's hard to argue with results.
For that reason, we restrict access to our member interface from IP addresses that are listed as a current Tor exit node. To lift the Tor restriction for your membership, you must already have a membership and a funded account, and you must explicitly request that Tor access be allowed via our assistance request system. (All of which must be done without using the Tor network.) We require manual approval to filter requests based on the common sense of a real person and protect members who don't use Tor from Tor-based brute force attacks on their password. We charge a nominal fee ($1.00 -- waived for subscription members) to reflect the manual nature of the review.
If you know of a reliable way for us to distinguish a handful of good people amidst a throng of would-be criminals in an environment that's raison d'ĂȘtre is to make distinguishing people impossible, please let us know. So far, making sure we already have a relationship with the good people is the best we've come up with.
Note: if your IP is operating a Tor exit node with a policy that allows access to our system, it doesn't matter whether you are using Tor to access our system or not; if traffic originates from a Tor exit node, there is no technical way to distinguish whether or not it passed through Tor. (If there were, it would seriously undermine Tor.) For example, the limit will still apply if you run a Tor exit node but bypass it to access our system. Similarly, if you use a VPN service that allows its customers to run Tor exit nodes, your VPN server's IP may be listed as an exit node even if you are not personally running one. These are all situations that can be addressed through the approval process.
Completely separate from that, we also have concerns about reports of unscrupulous Tor exit node operators diverting TLS connections. This is a real thing; I have personally experienced a case where using a particular exit node led to TLS certificate mismatches when accessing a site where I knew no such mismatch existed. You should think carefully about passing any secure information through the Tor network.
If you are running a Tor exit node on your IP, even if you aren't using it to access us, you'll have to cut back to relay-only long enough for the change to be picked up by Tor's published server list before you can sign up or log in. If someone else is running a Tor exit node on your IP address, you'll need to either work with them to do so or use a different IP address to access our system and request approval.
To make sure you receive automated system emails from us (including signup confirmations, password resets, account balance warnings, domain renewal notices, and other automatic service-affecting messages), make sure you are allowing email from notify@NearlyFreeSpeech.NET.
To make sure you receive any handwritten emails from us, make sure you are allowing email from support@NearlyFreeSpeech.NET. Finally, each support ticket is assigned a unique email address @support.nearlyfreespeech.net (but we don't get too many reports of those being blocked).
We won't send you any spam or unnecessary messages from any of these addresses.
If you're not receiving email from us, the first thing to check is your junk mail folder. Since our system is highly automated, junk mail filters occasionally incorrectly flag the messages it sends as spam. If you don't find them there, check your junk mail settings. Some email providers make it very easy to block a sender and silently delete such messages, making it very hard for you to figure out later that the sender is blocked.
If you're still unable to resolve a problem receiving email from us or our system, please feel free to let us know. Write to us from the email address you're having trouble with, and we'll look up the fate of any messages we tried to send there. We do not provide email support and won't answer you, but if there's a problem on our end, we'll fix it and try to let you know. Otherwise, you'll have to check with your email provider for further assistance.
If you are a current member of our service and you log in successfully with your correct member login name and password, and then you get redirected (possibly after seeing a "click here to continue link" flash by) to the same login page again without any red error messages, this indicates that your browser did not accept the cookie our site sets to indicate you are logged in.
If this happens, here's what to check:
Make sure that your browser is accepting cookies for members.nearlyfreespeech.net. This can be affected by your browser security settings as well as third-party Internet security software. (When testing this, we recommend you start from a known point by first deleting any cookies you currently have for our sites.)
Verify that your computer's system clock is set to the correct time and time zone. Unlike other sites -- some of which want to track you for years -- our cookies last only a few hours to protect your privacy. As a result, even small-scale system clock and time zone issues can make your computer think our cookies are already expired, even though it will happily accept cookies from most other sites. (Note: Clocks that are 12 or 24 hours off can be particularly hard to spot.)
To help debug these issues, try logging in from a different browser on the same computer. If that works, it tends to indicate a browser issue. If it still doesn't work, that suggests a systemwide issue like security software or a clock problem.
First, if you are having trouble logging in, make sure this is the exact error message you are receiving. There are several other things detailed in this section of our FAQ that can cause problems logging in, but they each display a different message.
To prevent people from using incorrect login attempts to gain information about your membership or our system, this message is intentionally vague. However, if you see the "login information is incorrect" error after attempting to log in, our system will send an email to your member contact address with more detailed information about the failed login attempt. That information will include whether the problem is with the password, or (if you are using it) two-factor authentication.
If the problem is with the username, our system won't know who you are and can't send the email, so make sure to check for typos in the username. If you're not sure about your username, you can request that our system verify it for you.
If the email refers to a problem with two-factor authentication or "secondary auth," that typically indicates that you have a two-factor device configured for your membership, but that you didn't enter an authentication code from your device, used the wrong one (perhaps one for another service), or waited too long to login after generating it. If your two-factor device is lost or broken, you can use previously-generated one-use recovery codes to log in. If you don't have any one-use recovery codes saved, you'll have to go through our login recovery process.
If the email indicates the problem is with the password and you're not sure you have the right one, you can request a reset. When using temporary passwords generated by our system, the most common problems are:
Not confirming the reset before trying to use the new password. (Make sure to follow the instructions in the message.)
Hard-to-discern characters in the password, like 1, l and I, or 0 and O.
Extra whitespace characters before or after the password (especially if using cut and paste).
Entering a confirmation code in the password field. (They are not the same.)
We don't know what your password is, and there is no way for us to retrieve it. If a particular password is giving you trouble, even if you're sure you know what it is, your best option is often to request a reset anyway. (You can do this up to once an hour.)
When you enable two-factor authentication, you are supposed to generate and securely save one-use recovery codes. This situation is what those codes are for; they are used in lieu of codes generated by your two-factor device. As long as you have them, you can use one code to log in as normal and two more codes to remove the two-factor device from your membership. Then you will be all set.
If for some reason you don't have those codes, you will have to complete our login recovery process.
Assuming you contact us from the email address associated with your membership, our system will send you a response with information about:
Whether you have unused single-use recovery codes. (Good to know whether you should spend time looking for them!)
Which recovery actions are configured (and therefore possible) for your membership.
How many successful recovery actions are needed to complete the login recovery process.
If, for some reason, you have lost your two factor device and access to your email at the same time, that's going to be rough. You must do login recovery to update your email address first. We will not process recovery requests related to two-factor devices from email addresses other than the current member contact address.
You can ask our system to send a message to the email address associated with your membership telling you what that address is by visiting the login recovery page.
Please note that due to our privacy policy we will not, under any circumstances, disclose a membership's email address directly. The recovery form is the only way to request this information, and the recovery form will only send the information to the existing member contact address, so for this to be successful, you'll still have to find that address, and it has to work.
If you know what your contact email address is but you can no longer access it, or if you have no idea what the address is and cannot find our recovery emails, please see this related entry.
Memberships are held by individuals and have that individual's name on them. Our policies strictly forbid both sharing memberships and transferring your membership to another person. (It is, however, quick, easy and allowable to transfer an account from one membership to another or to share an account between multiple memberships when appropriate.)
If you share or transfer control of your membership, we will eventually detect that, and the membership will be suspended. Murphy's law guarantees that this will happen at the time that is most inconvenient and problematic for you. If you're reading this entry, that time is probably now.
If you are the named member, you can usually restore access to a membership suspended for this reason by contacting support@nearlyfreespeech.net from the email address that was on the membership prior to any fraudulent transfers, and completing all of the following steps:
Confirm that you are the person named on the membership.
Provide a legible, currently-valid government-issued photo ID matching the name on the membership.
Confirm that you understand that your membership is in your individual name and may not be shared or transferred.
Confirm that if you wish to transfer an account or any of its contents to another person, you (and they) will follow all of our policies in doing so.
If you do not have access to that email address, if that email address does not belong to you (for example because someone else created a membership in your name despite the bold print warning not to do that), or if we determine that access to that email address has been compromised, you will have to complete the login recovery process.
If you are not the named member, and someone else gave you control over their membership and it was subsequently frozen as a result, you will not be able to complete this process. Only the named member can do so. Your only recourse is to find them and obtain their assistance. This is true even if they quit, got fired, moved away, were voted out of office, broke up the band, divorced, went to jail, graduated, made a vow that forbids use of technology, whatever.
Please do not contact us asking for exceptions or special treatment. This situation only occurs as a direct result of violating our Terms & Conditions of Service (and the bold-print warnings presented at signup), and any problems that result are entirely self-inflicted.
Please also be aware that if you violate our policies around memberships and if that violation causes any problems or extra work for us, it constitutes a FAFO Event, resulting in a $50.00 fee to cover the time we spend dealing with the resulting mess.
When you sign up, we send a signup confirmation email. If that message bounces, then the membership is usually deleted within a day.
If the signup confirmation email doesn't bounce, but no one responds to it, it may linger for up to a week before being deleted.
If someone replies to a signup confirmation email from the address we sent it to, and the membership has never been accessed, we will manually delete the membership as time permits.
We will not manually delete a membership associated with one email address in response to inquiries from any other email address.
If you signed up with the correct email address, but that address is no longer valid, please see this entry instead.
If your ISP changes your IP address, or you use Tor or another service that causes your web request to originate from multiple IP addresses, you may find that our system prompts you to log in again whenever your IP changes.
This is a security measure designed to prevent session hijacking. By default, all your requests must originate from the IP address you logged in from. However, if your IP address changes frequently, constantly logging in can get super annoying. So this behavior is configurable.
To review or change your session protection settings:
In the Details box, find the Session Protection line.
You can see the current setting on that line. To change it, select the Edit link.
You must log in from a stable IP address to make this change. This may require using an alternate connection, such as a cell phone data plan, access at work or home, a VPN, or a public library. We are not able to change this setting on your behalf.
The default setting is High, which is fine for most people. We recommend thinking long and hard before choosing a setting below Medium.
