Account Security Best Practices
Purpose
This manual describes the security mechanisms available in the INTROSERV Client Area and recommended practices for protecting your account. It specifies the tools available, how to use them, and best practices to prevent unauthorized access and maintain account integrity.
Scope and Audience
Intended Audience: New and existing INTROSERV clients responsible for account management, billing, and service administration.
This manual covers security features within the INTROSERV Client Area and practices for personal account protection. It does not cover server-level security, application hardening, or infrastructure security beyond account access controls.
1. Overview
The INTROSERV Client Area includes several security tools to prevent unauthorized access: strong passwords, two-factor authentication (2FA), IP access restrictions, verified contact information, and activity logging with history review.
No single security measure provides complete protection. INTROSERV recommends using multiple security tools together to protect your account. Security measures are cumulative; each added control significantly reduces risk.
Security Layers
The account security system operates through five complementary layers:
- Strong Password - First barrier against brute force and credential stuffing attacks
- Two-Factor Authentication (2FA) - Second barrier protecting against password theft and unauthorized login
- IP Access Restrictions - Perimeter control limiting access to trusted locations only
- Contact Verification - Recovery and identity verification layer for account restoration, including optional Code word for identity confirmation during sensitive operations
- Activity Logging - Detection layer that records account operations and allows you to review access history for signs of compromise
2. Password Security
2.1 Password Requirements
A strong password is the foundation of account protection.
Location: Settings > Security > Change Password
Strong passwords must include:
- Minimum 12 characters (16+ recommended for critical accounts)
- Uppercase and lowercase letters
- Numbers and special characters (!@#$%^&*)
- Unique password for each service (do not reuse passwords)
Examples of strong passwords:
- Zk9$Pm2#Vx7nQ!wL
- Blue$Sky-River-92!
Examples of weak passwords (do not use):
- INTROSERV123
- qwerty2024
- mypassword
- 123456789
2.2 Password Management
Use a password manager to securely store and generate strong passwords. Password managers encrypt your passwords locally and require only one master password to access them.
2.3 Changing Your Password
Important: Change your password immediately if you suspect unauthorized access or if it may have been compromised.
3. Two-Factor Authentication (2FA)
3.1 How 2FA Works
Two-factor authentication strengthens account protection by requiring both your password and a unique code generated by an authenticator application.
Location: Settings > Security > Two-factor authentication
3.2 Enabling 2FA
To enable 2FA, follow these steps:
- Open the Two-factor authentication section in Settings > Security
- Scan the QR code displayed with an authenticator application:
  - Google Authenticator
  - Authy
  - Microsoft Authenticator
  - Any compatible TOTP application
- Enter the 6-digit code generated by the application
- Save the changes
3.3 When 2FA Is Required
2FA verification is required for account login. Once authenticated, you can access all account features within your active session.
3.4 Recovery Codes
When you enable 2FA, the system generates recovery codes. Store these codes securely in case you lose access to your authenticator device. Recovery codes allow you to regain access to your account if your authenticator is unavailable.
Important: Keep recovery codes in a secure location separate from your authenticator device. Recovery codes grant full access to the account. Treat them with the same security level as your master password.
4. Code Word
A Code word is an optional security feature used to verify your identity during sensitive account operations and support interactions.
Purpose: The Code word protects against unauthorized access even if someone has obtained your credentials. It serves as a final identity verification step when contacting support.
Location: Settings > Security
When it is used: INTROSERV support will ask for your Code word only when you contact support to restore access to your account (forgotten password, lost 2FA device, etc.). This confirms you are the account owner.
Support may request your Code word when you:
- Request password reset
- Report unauthorized account access
- Make changes to billing or payment information
- Request sensitive service modifications
Important: Never share your Code word if someone contacts you first claiming to be INTROSERV support. Legitimate support staff will only request it when you initiate a recovery request.
5. IP Access Restrictions
5.1 Purpose
The "Restriction by IP" feature limits account access to trusted IP addresses only. Once configured, you can access your account only from listed IP addresses.
Location: Settings > Security > Restriction by IP
5.2 Configuration
- Navigate to Settings > Security > Restriction by IP
- Add one or more trusted IP addresses
- Access will be allowed only from listed addresses
- All other access attempts will be blocked
5.3 When to Use IP Restrictions
IP restrictions are recommended if:
- You access your account from a static (unchanging) office or home IP address
- You want maximum security for your account
- Your organization has a corporate network with a fixed IP
Note: Do not enable IP restrictions if your IP address changes frequently (for example, if you use mobile networks). Contact INTROSERV support if you are locked out due to IP restrictions.
6. Contact Information Verification
6.1 Email Verification
Accurate email information is required for password recovery, security notifications, and account verification.
Location: Settings > General settings
Email must have "Confirmed" status for:
- Password reset requests
- Receiving security notifications
- Account recovery procedures
To verify your email:
- Go to Settings > General settings
- Click the verification link next to your email address
- Complete the verification process
6.2 Phone Number Verification
Phone number verification is required for identity verification during support interactions and sensitive account operations.
Location: Settings > General settings
To verify your phone number:
- Go to Settings > General settings
- Click the "Confirm by Call" button next to your phone number
- Follow the verification instructions
- Your number will be marked as confirmed
6.3 Updating Contact Information
Important: Update your contact information immediately if it changes. Outdated contact information may prevent password recovery and account access.
7. Phishing Protection
7.1 What Is Phishing?
Phishing involves fraudulent attempts to impersonate INTROSERV or other trusted services to steal your credentials, payment information, or 2FA codes.
7.2 Identifying Phishing Emails
Phishing emails typically display these characteristics:
Red Flags - Likely Phishing:
- Sender is not from the @INTROSERV.COM domain
- Requests for passwords, 2FA codes, or card details
- Artificial urgency ("Your account will be suspended within 24 hours!")
- Links do not point to the official INTROSERV.COM domain
- Spelling errors, grammar mistakes, or unusual formatting
- Unexpected attachments or download requests
- Generic greetings ("Dear Customer" instead of your name)
Green Flags - Authentic INTROSERV Emails:
- Sender address is from @INTROSERV.COM
- Personal greeting using your registered name
- No requests for passwords or authentication codes
- Links only to https://INTROSERV.COM
- Professional formatting and spelling
7.3 What INTROSERV Will Never Request
INTROSERV will never request the following through any channel (email, chat, phone, or support):
- Your account password
- 2FA codes
- Disabling security features
- Payments via cryptocurrency, gift cards, or wire transfers
- Remote desktop access to your computer
- Full credit card details via email or chat
If you receive such a request, it is fraudulent. Report suspicious communications immediately through the official support ticket system.
7.4 Verifying Links
Before clicking a link in an email, verify its actual destination:
- Hover your cursor over the link (do not click)
- Observe the actual URL in your browser status bar
- Compare the destination with the claimed source
Legitimate INTROSERV links:
- https://introserv.com/ (main website)
- https://my.introserv.com/ (Client Area)
Phishing - suspicious domains:
- https://introserv-verification.suspicious-domain.com
- http://my.introserv-secure-login.xyz
- https://intr0serv.com/login
Red Flags in URLs:
- Unencrypted protocol (http instead of https)
- Domain extensions other than .com
- Additional words before or after "INTROSERV" in the domain
- URL shorteners (bit.ly, tinyurl, etc.)
- Misspellings or character substitutions (INTR0SERV, INTROSERY, INTROSERB)
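The checks in this section applied mechanically to a link's hostname, as an added example that is not INTROSERV code. The two official hosts come from the list above; the shortener list, the substitution map, the one-edit lookalike threshold and the flag names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

BRAND = "introserv"
OFFICIAL_HOSTS = {"introserv.com", "my.introserv.com"}  # the two hosts this page lists
SHORTENERS = {"bit.ly", "tinyurl.com"}                  # sample list (assumption)
SUBSTITUTIONS = str.maketrans("0135", "oles")           # digit-for-letter swaps (assumption)

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; host labels are short, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_red_flags(url: str) -> list[str]:
    """Return the red flags that apply; [] means an official host over https."""
    parts = urlsplit(url.strip())
    # .hostname is the host actually contacted; it excludes any userinfo and port.
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if host in OFFICIAL_HOSTS:
        return flags
    flags.append("host-not-official")
    if host in SHORTENERS:
        flags.append("url-shortener")
    if not host.endswith(".com"):
        flags.append("non-com-extension")
    if BRAND in host:
        flags.append("brand-in-unofficial-host")
    # Split labels on dots and hyphens, undo digit swaps, then allow one typo.
    for token in host.replace("-", ".").split("."):
        normalized = token.translate(SUBSTITUTIONS)
        if token != BRAND and _edit_distance(normalized, BRAND) <= 1:
            flags.append("lookalike-spelling")
            break
    return flags

if __name__ == "__main__":
    for sample in ("https://my.introserv.com/", "https://intr0serv.com/login",
                   "http://my.introserv-secure-login.xyz"):
        print(sample, url_red_flags(sample))
```

The comparison is an exact match on the full hostname rather than a search for the brand name, so a link that merely contains "introserv" somewhere still fails.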
7.5 Reporting Phishing
If you receive a phishing email claiming to be from INTROSERV:
- Do not click links or download attachments
- Do not reply to the email
- Report the email through the official support ticket system
- Include the email headers if possible
Contact INTROSERV support immediately: support@INTROSERV.COM
8. Activity Monitoring
8.1 Reviewing Account History
Regular monitoring of account activity enables you to detect unauthorized access or suspicious behavior.
Location: Settings > History
The history section displays:
- Recent login attempts (successful and failed)
- IP addresses used for login
- Timestamps of access
- Operations performed in the account
8.2 What to Look For
Review your activity history regularly and watch for:
- Logins from unfamiliar IP addresses or locations
- Failed login attempts (multiple failures in a short time may indicate an attack)
- Unexpected changes to account settings
- Unexpected service provisioning or modifications
- Unusual times of access (especially outside your normal usage patterns)
8.3 Responding to Suspicious Activity
If you notice suspicious activity:
- Change your password immediately (Settings > Security)
- Enable 2FA if not currently active
- Review all recent activity in Settings > History
- Verify all services (Dedicated Servers, VPS/VDS, Cloud Storage) for unauthorized changes
- Check billing records (Invoicing section) for unauthorized transactions
- Update contact information if it has been compromised
- Contact INTROSERV support through the official ticket system with complete incident details
9. Responding to Security Incidents
9.1 If You Suspect Unauthorized Access
Immediate actions:
- Change your password immediately (Settings > Security > Change Password)
- Enable or refresh 2FA if not currently active
- Review Settings > History for all recent activity
- Verify all services (Dedicated Servers, VPS/VDS) for unauthorized changes or access attempts
- Check Billing > Invoices for unauthorized transactions or service provisions
- Update contact information if compromised
- Contact INTROSERV support immediately
9.2 Providing Incident Details to Support
When reporting a security incident, include:
- Date and time of first suspicious activity
- Description of what you noticed (unauthorized changes, unfamiliar logins, etc.)
- Screenshots of suspicious activity or history records
- Any error messages or unusual system behavior
- Recent changes you made to account settings
- Whether credentials or devices were shared with others
The support team will investigate the incident and recommend specific remediation steps based on your situation.
9.3 Recovery Timeline
Security incident resolution depends on the severity and scope of the incident. INTROSERV support will prioritize security reports and provide an initial assessment within standard response times.
10. Additional Security Recommendations
10.1 Account Protection
- Do not save passwords on shared devices or public computers
- Use a password manager to securely store passwords
- Monitor recent login IP addresses in Settings > History
- Regularly review the History section (at least monthly)
- Use IP restrictions if you have a static home or office IP address
- Always log out from public or shared computers
- Do not share account credentials with others
- Do not provide your credentials to support staff (INTROSERV support accesses accounts through secure backend systems, never through your password)
10.2 Device Security
- Keep your operating system and applications updated with security patches
- Use antivirus and antimalware software
- Avoid accessing your account from public Wi-Fi networks; use a VPN when necessary
- Enable disk encryption on devices you use to access your account
- Enable screen locks (PIN, biometric, or password)
- Use WPA3 encryption for your home network (or WPA2 if WPA3 is unavailable)
10.3 Email Security
- Enable 2FA for your email provider account
- Use a dedicated email address for critical services (INTROSERV, banking, cryptocurrency)
- Do not click links in suspicious emails; visit websites directly instead
- Verify sender addresses before responding to emails
- Be cautious with email attachments from unknown senders
11. Common Mistakes to Avoid
Avoid these common mistakes that weaken your account protection:
- Using the same password for multiple services - If one service is compromised, all your accounts become vulnerable. Use unique, strong passwords for each service.
- Storing passwords in a browser without a master password - Browser password managers without encryption offer minimal protection. Use a dedicated password manager with encryption.
- Using a single disposable or shared email address - Account recovery depends on email access. Use a dedicated, secure email address for INTROSERV that you control alone.
- Disabling 2FA temporarily or "just for now" - Disabled 2FA leaves your account exposed. Re-enable it immediately after the situation that prompted disabling it.
- Accessing your account from public Wi-Fi without VPN - Public networks are monitored by attackers. Always use a VPN when accessing your account from public Wi-Fi.
- Adding dynamic or mobile IP addresses to IP restrictions - IP restrictions work only with static (unchanging) addresses. Mobile or changing IPs will lock you out of your account.
12. Security Features vs. Risk Mitigation
The following table shows which security features protect against specific threats:
| Security Feature | Protects Against |
| --- | --- |
| Strong Password | Brute force attacks, credential stuffing |
| Two-Factor Authentication (2FA) | Password theft, unauthorized login without second factor |
| IP Access Restrictions | Unauthorized remote access from unknown locations |
| Email Verification | Account takeover attempts, unauthorized password reset |
| Activity Monitoring | Undetected breaches, unauthorized account operations |
| Code Word | Identity impersonation, unauthorized support access |