I won't get into an argument as you hope, but it's fairly obvious that you are the one who is being insulting.

I've been working very hard on these security updates since 24th July and they are genuine improvements.

Thanks for the notification. I've now improved the error message from the web server.

It now reports "Wrong password" instead of the misleading "Unknown user name" in that case.

I'll look into that misleading error message but there is a good reason for this.

The reason is here: https://www.lfs.net/forum/thread/111994

Hopefully it's just a few seconds to get your new unlock code via email from your details page and enter it into the LFS unlock screen.

Quote from turbofan :

I never provided my email or personnal details, as a security measure. It worked well with LFS for 17 years.

As Flame pointed out, email verification has always been required to create an account.

No personal details are required, other than your email address.

This is all about protecting the accounts of our users, so "grotesque" is a bizarre description of our increased security measures. If you find it grotesque to provide an email address, you'd better not join in the first place.

That is correct but you do need to click the link "send email to set new address" to start the 7 day timer, which you should clearly see on your details page.

1) Visit details page
2) Click "send email to set new address"

If you can't access your existing email address then you need to wait a week after clicking that link, then you can proceed without access to your old email, to set a new email address.

3) Wait one week and come back to your details page, you will see a link to proceed.

It's the only way we can prevent license thefts. It is very important to make sure your LFS email is up to date.

Please do not ask technical support for help. Geraldine cannot help with this, she would have to email the old address to make sure the existing owner hasn't had their account stolen, then give them a week to reply. We have an automated process in place to do that. She doesn't have the time for this. It is your responsibility to keep your email address up to date.

Last edited by Scawen, Tue 5 Aug 2025, 23:17.

In case you get one of these messages and you don't know what it is:

A change has been made to improve security.
You now have only one password, that you use for the website.
In game, you use an "unlock code" instead of the old "GAME password".


How to use your unlock code:

Please install the test patch with better support for the new unlock code.
Test patch: [EDIT: official version is now available]

Then...
1) Visit details page
2) Click: send email with a new unlock code
3) Get email
4) Paste code from email into LFS "GAME password" (or "Unlock code" in the new test patch)
5) Click unlock

The "GAME password" or "Unlock code" field is in the LFS unlock screen, accessible by a button at the bottom right of the entry screen.


If you do not have access to your registered email account:

You will need to register a current email address to receive your unlock code. But with our improved security, to change email instantly you need to confirm the change by receiving an email on your old address. Alternatively you can wait 7 days to proceed without confirming the email on your old address.

To do this, visit your details page and click the link "send email to set new address" even though you know you won't receive the email. Now you can see the time, 7 days ahead, when you will be able to set a new email address without the instant confirmation. This time remains visible on your details page.


Why do we need confirmation on the old email address or force you to wait 7 days?

This is to prevent license theft by anyone who manages to log into your account by somehow obtaining your password. Some people may have had passwords that were easy to guess. Others entered their LFS user name and password into at least one site run by hackers. This really happened and we had to rescue hundreds of accounts and return them to their original owners.

Before recent changes it was possible to change password and emails instantly, enabling theft of licenses. Now we send an email to the old email address and we give the recipient seven days to respond.


For information about this change, please read this thread: Removal of WEB password and GAME password

Last edited by Scawen, Sat 16 Aug 2025, 17:35.

I think around 3% of people who had already set their new unlock code, got it zeroed again in this evening's process.

Sorry for the inconvenience. I should not need to zero any unlock codes from now on.

There was a 20 minute break when I zeroed the old passwords on the master server. Testing in a test environment only resulted in a few seconds pause, but the main master server took a lot longer than expected. Maybe that's what you are talking about?

If anything isn't working now, do let me know!

Yes, we made this change with full compatibility and minimal technical changes.

Your unlock code is used in the same place you previously entered GAME password.

That continues to be the case if you use a current, past or future version of LFS, but in the future version that field will be named "Unlock code".

I don't guarantee that will always be the case but for now it is and I prefer to keep it that way.

The layout editor was originally developed for autocross but gradually developed into a lot more.

You can place cones and set checkpoints, restricted areas and so on, to create something that looks like an autocross track.

https://en.lfsmanual.net/wiki/Autocross_Editor

I think it may be a good idea to release a compatible patch for this and the other updates in the current Test Patch with the new translation texts that you mention.

Hello LFS Racers,

As part of the ongoing security updates, We have made a change which is significant in a way while not technically a big change.

The WEB password is now called simply "password" and you can no longer manually set a GAME password.

The GAME password is now called "unlock code" and is set automatically and sent to you in an email when you click a link on your details page.

In the next few days we will start passing through and zeroing any old GAME passwords that have not been updated for the new system.


EDIT: Now that we have already zeroed the old GAME passwords...


How to use your unlock code:

Please install the test patch with better support for the new unlock code.
Test patch: [EDIT: official version is now available]

Then...
1) Visit details page
2) Click: send email with a new unlock code
3) Get email
4) Paste code from email into LFS "GAME password" (or "Unlock code" in the new test patch)
5) Click unlock

The "GAME password" or "Unlock code" field is in the LFS unlock screen, accessible by a button at the bottom right of the entry screen.


If you do not have access to your registered email account:

You will need to register a current email address to receive your unlock code. But with our improved security, to change email instantly you need to confirm the change by receiving an email on your old address. Alternatively you can wait 7 days to proceed without confirming the email on your old address.

To do this, visit your details page and click the link "send email to set new address" even though you know you won't receive the email. Now you can see the time, 7 days ahead, when you will be able to set a new email address without the instant confirmation. This time remains visible on your details page.


Why do we need confirmation on the old email address or force you to wait 7 days?

This is to prevent license theft by anyone who manages to log into your account by somehow obtaining your password. Some people may have had passwords that were easy to guess. Others entered their LFS user name and password into at least one site run by hackers. This really happened and we had to rescue hundreds of accounts and return them to their original owners.

Before recent changes it was possible to change password and emails instantly, enabling theft of licenses. Now we send an email to the old email address and we give the recipient seven days to respond.

Last edited by Scawen, Sat 16 Aug 2025, 17:35.

Further update:

I did repeat the operation for demo racers as well. So, just like licensed racers, all demo racers on the hacker list got an email and their passwords were removed if a match was found. It seemed the right thing to do for their security.

On the continuing security improvements:

- email address can now be changed by two possible methods
1) receive a confirmation email on your old email address and proceed instantly
2) wait 7 days to proceed if you cannot access your old email
[after each of these, the new email address must also be confirmed, as before]

- immediate logout on all browsers when WEB password is reset

- must wait half an hour after 3 failed unlock attempts

Turns out this user did a fraudulent payment to obtain their license and the free voucher.

Another update, I've worked all day and evening and finally could take action after enough data processing and testing.

Using an automated script, I have sent an email to all licensed users whose usernames appear in the file.

If they don't have matching passwords, the email is just an advisory and suggestion to check they can still log in and possibly update their passwords. If matching passwords were found, the real passwords have been removed. The emails are adjusted for the action taken.

This drastic action was necessary for all the accounts in the file, with passwords that match real LFS passwords. Unfortunately in some cases we will just be sending an email to someone who has already stolen the account. I hope we will prevent a lot of accounts being taken over and used online.

Maybe I will repeat this action for the Demo accounts tomorrow.

Another update.

This morning I've been detecting which of the listed user names have a password that matches an LFS WEB or GAME password.

Many of the users on the hacked database aren't really LFS users. We know this as around 40% don't have a user name that matches an LFS user name. Around 60% do match an LFS user name, but even then, it's not necessarily an LFS user.

The only way to be fairly certain it really is an LFS user, is if the hacker list username+password matches an LFS username+password (WEB or GAME password). Password matches are a significant minority that we have to deal with because of the security implications. In those cases (password match) we intend to change the password and notify the user (via email) using an automated process.

But I've done a quick test to find out which countries the matching user names come from. This is from the full list of hacker list usernames that match an LFS username, including DEMO accounts.

To be clear, these numbers are too high, because they include some user names that are not really an LFS user (e.g. someone just happened to choose the same username as an LFS user). Also to be clear these are mainly DEMO accounts. I've only shown countries that have more than 100 users listed.

Looking at the numbers below, it seems most likely to me that the source is "LFS Pro" which was a pirate community and master server system based in Brazil.

I'm thinking this because Brazil itself is 2nd on the list and Portugal is 4th, which is higher than expected given the size of Portugal. In my opinion it's because of the language connection to Brazil. Also 3rd on the list is Argentina, probably due to the South American connection.

I'm not really sure why Turkey is on top. Maybe it's because LFS has always been popular in Turkey and LFS seemed expensive there, so a lot of Turks went for LFS Pro. Or possibly the list has come from two separate sources?

TR 7523
BR 3745
AR 1250
PT 1167
BG 737
LT 727
ES 693
US 677
RO 488
PL 438
IN 428
ZA 399
GB 371
HU 337
FR 323
IT 309
DE 275
SA 264
GE 262
PK 245
CZ 236
RS 224
LV 221
CL 213
CO 187
FI 181
UY 167
SE 162
NL 162
GR 150
AE 148
DZ 144
PH 142
EG 141
AU 137
CA 130
ID 125
MX 124
EE 113
DO 110
BA 108
SK 107
MA 106

Last edited by Scawen, Mon 28 Jul 2025, 12:56. Reason : 4rd -> 4th

Dear LFS Racers,

An update on the recent thread about a leak of LFS passwords from an unknown source.

After an LFS user admitted having a list of tens of thousands of username + password combinations, after some heated discussion on a thread that has now been removed, the user admitted he shouldn't have done this and decided to send the information, to start to put right the situation.

We are grateful for this action, after the initial disruption, this was the right thing to do.

I have started to analyse the data. I don't want to give exact figures but the user names are in the 10s of thousands.

Of these, roughly 5% are invalid (too short or too long, can't possibly be an LFS user name)

Of the possibly valid names, around 40% are not found in our database.

The other 60% are valid user names. Of these, more than 90% are DEMO and under 10% are LICENSED.

So many user names are invalid, proving that if these names come from a single source, it's not an official LFS source. I believe that people may have used their username somewhere else. Maybe in a pirate community or in some other app that required their user name.

I will do further checks on this data, but wanted to give you an update on the progress so far. Many of the licensed users will need to be contacted in some way, probably by an automated email.

I'll leave the thread closed for now as I don't really think I need more info at this point.


Changes I have made in the past few days regarding security:

- You now get a notification email if anyone logs in using your account.
- WEBpassword can only be changed via an email (like the "Forgot your password" system).
- GAMEpassword can also only be changed via an email.

So now it should be impossible for you to lose control of your account if you haven't already. Although for all the accounts we have not yet protected, if your password is known to any hackers with this data, they can obviously log in to your account and change various settings. At least you will receive an email if they do log in.


A note on security, even if it may sound repetitive:

- Please, DO NOT use a GAMEpassword that is the same as your WEBpassword
- Please, DO NOT use passwords that are the same as the passwords on any other accounts you care about
- NEVER ENTER YOUR LFS USERNAME AND PASSWORD INTO ANOTHER WEBSITE OR PROGRAM
- IF YOU HAVE EVER ENTERED YOUR USERNAME AND PASSWORD SOMEWHERE ELSE - CHANGE YOUR PASSWORDS NOW!


Thank you for reading.

I understand the distortion is kind of strange, because it is linear. Although 'correct' in one sense it is sort of wrong in another, related to our perception.

Ideally there could be a distortion shader to make this affect more agreeable but this is not available in LFS.

There is a quite extreme setting you can use. It uses multiple renders to create the main scene.

In Options - View ... there is a setting "Multiple screen layout" and you can set up to 5 left screens and 5 right screens. This can approximate a cylindrical render, created from 11 vertical linear renders per frame.

I'd be interested to know if you get any improvement by using that.

You would adjust the view in that case by "Main screen FOV" and "Screen Angle" which should be a fairly small number.

Thanks for the report, I've fixed that now.

Thanks, that's some good information. I see, the variety of graphics that could be displayed is something to think about, though as you suggest it seems reasonable to stick to single and flashing colours if that is easier to implement.

It's not fully clear to me about maximum distance between light boards being 250m. It seems a lot, so I'm surprised. The wording doesn't clear that up for me as it seems to state that there must be a marshall post every 250m, but at the end of section 9.2 marshall posts can be:

- Track marshal post
- Flag marshal post
- LED panel controller marshal post

So I'm not sure yet if there must be an LED panel every 250m.

EDIT: YouTube video talking about it, that does seem to support that there is an LED panel at every marshall post.
https://youtu.be/_4UusnCaB6s?t=406

Last edited by Scawen, Wed 23 Jul 2025, 18:52.

I don't think the cleanup function could have this effect. It simply deletes mods from your folder. It can't prevent LFS connecting to our website.

To me this issue doesn't seem related to mods specifically, if you can't see an event list either. It looks like some coincidental issue, or possibly antivirus or firewall blocking the connection.

I think it could be good to test a fresh install of LFS if possible, to see if you can do all the expected things with a clean installation.

Good to hear you got it working.

Moved posts about HP Reverb issue (now solved) to a separate thread.
https://www.lfs.net/forum/thread/111922

OpenSharedResource is called to share the D3D9 render target texture with the D3D11 system. I don't know why that would fail. A forum search returns no results, so it seems like a rare issue. Could it be there is something unusual about the Direct3D 9 installation on your computer?