
It's Time for Real Account Security

How do you feel about adding the option to use a hardware security token to log in?

  • It sounds great - do it tomorrow!

  • It seems like a good idea, but I have reservations.

  • I'm not sure if that's such a good idea.

  • I think that's probably a bad idea.

  • This is a terrible idea.

  • I don't want to have to buy hardware for this.



Chrontius

New Member
Tangential reminder to anyone reading this: Never re-use passwords between sites / services / systems. Get a password manager program that allows you to generate and use unique, random, high-entropy password for every single site and account you use, and never look back.

+1 to this! LastPass has a free tier, and there's FOSS programs that run locally on a PC.

You have no excuse now. Just stick your encrypted blob in Dropbox (or Spideroak, if you're paranoid) so you have a backup, and boom.
 

Nerts

Intergalactic Planetary
Are those authenticator devices still a thing? I figured most would just use a smartphone app for it now.
 
D

Deleted member 82554

Guest
Mmm, yus, gotta keep that pOrnz under high security, mang.

While I'm not against the idea of having better security protocols in place, you need to know what extremes to go to for a site like FA.

Your idea seems overkill.
 

LyrrenClock

Blarg~
Mmm, yus, gotta keep that pOrnz under high security, mang.

While I'm not against the idea of having better security protocols in place, you need to know what extremes to go to for a site like FA.

Your idea seems overkill.
You are right if you think of the site purely as a gallery to view; however, a lot of people on the site are there for business and profit gains, and if we get locked out or compromised it can affect us a great deal more than the average gallery viewer. So I would like to see an authentication process for login as an "optional" choice for those who want or need the extra security on their individual accounts, which I feel most if not all the artists will opt into. I know I would.
 

Chrontius

New Member
You are right if you think of the site purely as a gallery to view; however, a lot of people on the site are there for business and profit gains, and if we get locked out or compromised it can affect us a great deal more than the average gallery viewer. So I would like to see an authentication process for login as an "optional" choice for those who want or need the extra security on their individual accounts, which I feel most if not all the artists will opt into. I know I would.

I never said anything about making this mandatory. Just like Google allows you to use U2F but doesn't require it…

It's a good model for people who want the extra security because FA pays their rent - or already own the token because they use it for Gmail or Lastpass or whatever…
 

Chrontius

New Member
Are those authenticator devices still a thing? I figured most would just use a smartphone app for it now.
Some people don't have smartphones, for one. For two, Steam Guard fails more often than it works. For three, Blizzard Authenticator and Mog Station won't let you back up your secret, so if your phone shits itself or ends up in the toilet, you're locked out for … about two weeks, while you slog through the claims process. And if that fails, you're locked out forever.

Smartphone apps aren't the end-all be-all.
 

kisuka

New Member
we'll be looking into how to implement two-factor authentication.").

Here you go:
1) Make sure server time is synced always.
2) When the user enables 2FA generate a secret with generate_secret()
3) Generate a QR code with generate_qr()
4) Ask the user to scan the code and fill out the code they get.
5) Confirm the code with generate_passcode()
6) If it's correct then store the user's generated secret into the database.
7) When the user logs in, check if 2FA is enabled and "remember me for 30 days" is not set; if so, ask for the code after a successful login attempt. Check the code with generate_passcode() using the stored secret.

I'll leave you the work for the 'remember this PC for 30 days' to you guys. :)

No need to thank me.
 

HTML

<neck content="beard"/>
Here you go:
1) Make sure server time is synced always.
2) When the user enables 2FA generate a secret with generate_secret()
3) Generate a QR code with generate_qr()
4) Ask the user to scan the code and fill out the code they get.
5) Confirm the code with generate_passcode()
6) If it's correct then store the user's generated secret into the database.
7) When the user logs in, check if 2FA is enabled and "remember me for 30 days" is not set; if so, ask for the code after a successful login attempt. Check the code with generate_passcode() using the stored secret.

I'll leave you the work for the 'remember this PC for 30 days' to you guys. :)

No need to thank me.
Maybe I'm wrong, but isn't this just effectively having two passwords, one which is randomly generated? Also isn't using rand() not cryptographically secure?
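kisuka's seven steps in working form, as an added example (not kisuka's, HTML's or FA's code): a standard-library TOTP (RFC 6238) implementation. It also answers the rand() question above by drawing the secret from the OS CSPRNG via `secrets`. The names generate_secret and generate_passcode follow the post; hotp, provisioning_uri, verify_passcode and the 30-second period are assumptions, and the demo key is RFC 6238's published test vector key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

PERIOD = 30   # seconds per TOTP time step (RFC 6238 default); server clock must be synced
DIGITS = 6

def generate_secret(nbytes: int = 20) -> str:
    """Fresh base32 secret from the OS CSPRNG (secrets), never rand()."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI; encode this as the QR code the user scans (step 3)."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def generate_passcode(secret: str, at: Optional[int] = None) -> str:
    """TOTP code for Unix time `at` (default: now)."""
    t = int(time.time()) if at is None else at
    return hotp(base64.b32decode(secret, casefold=True), t // PERIOD)

def verify_passcode(secret: str, code: str, at: Optional[int] = None,
                    last_step: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Return the matched time step, or None (steps 5 and 7).

    Tolerates +/- `window` steps of clock drift, compares in constant time,
    and refuses any step <= last_step so a captured code cannot be replayed.
    Persist the returned step on the user record after a successful check.
    """
    t = int(time.time()) if at is None else at
    key = base64.b32decode(secret, casefold=True)
    current = t // PERIOD
    for step in range(current - window, current + window + 1):
        if last_step is not None and step <= last_step:
            continue
        if hmac.compare_digest(hotp(key, step), code):
            return step
    return None

# Demo key: the RFC 6238 test vector secret "12345678901234567890" (not a real user's secret).
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")
```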
 

xTwilightStarx

A polished turd.
Some of these ideas just seem a bit far-fetched to me.
While yes, I agree that better security measures should be implemented, I also think that users should take some responsibility to ensure safety of their stuff.
And this isn't exactly a huge website that needs such drastic security, I mean what are hackers gonna do with a bunch of porn?
If you're the type of person who uses different passwords for everything and doesn't put important info all over your FA profile, then you should be fine.
And I think people are looking way too deeply into the hackers' intentions; as far as I see it, they just wanted to mess with the site because they don't like it.
 

DravenDonovan

You can call me Oni~
I love when I hear people on DeviantArt saying how FA should be more like DA. Why? Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know, nor do they do anything to try and prevent future hacks? At least FA staff acts like they care :/ Sad part, the same people who are saying this are the same people who complain about DA's staff's lack of caring about anything. Hell, if you google DeviantArt hack you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead. Was... kind of frightening so many sites are allowed to exist...
 
I'd like to see FA adopt two-factor authentication.
That would be good, though for those of us who already have long (and I mean long) passwords, 2FA is being a bit redundant. Also, many people don't really have the ability to use hardware token two-factor authentication.

I'd like to see FA adopt some military-grade account protection so I don't have to worry about this stuff any more.
I don't think that means what you think it means. I do not see FA or the users of the site purchasing KIV-7 circuit crypto units (you said "military grade"; nothing more mil spec than what they're actually using); nor do I see the FA staff willing to deal with rekeying the bastards or re-synchronizing a dropped connection.


I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").
Thank you very much for the hard work you and the rest of the staff do on the site. Though please don't use the words "encryption" and "password" in the same sentence; it makes anyone who has dealt with the un-fun task of password storage and authentication go to full "Oh dear lord no." mode. Highly iterated salted/keyed hashes (English: PBKDF2 with a large number of iterations) or a specific algorithm like scrypt are the preferred methods; salted hashes have become outmoded now, especially with the proliferation of hardware designed for very fast hashing (thanks, cryptocurrencies; we really wanted the ability for people to break hashes in minutes...). Anyway, Computerphile has a good video (from 2013, so it's a bit outdated) on how NOT to store passwords, which many people might find quite informative (hence why I'm linking it).


Would be nice, but I don't see it being very friendly for users. Plus, who'll generate the keypairs? FA, the user, some third party? If FA generates the keypair, how do you trust the site isn't holding onto a copy of the private key, or how do you make sure the RNG is secure? If the user generates the keypair, how do you make sure the key is really coming from the user? Most furs aren't going to have a signing certificate that can be verified, and those that do have a cert probably have no wish to associate their real information with their FurAffinity login; if you accept self-signed, well, what's stopping RandomHaxx0r1234 from going "Hey yeah, I'm 'Neer; lost my key, here's the new one."? You'd have to authenticate the user with a password anyway to stop stuff like that happening. And if we're letting a third party generate and sign the keypairs... both problems now exist: how does the user trust the third party not to hold onto the private key, and how does the site verify that the generated key really did come from who it claims to be from?

What would be "neat" would be if someone could start a sort of "VeriSign for Furries"; i.e. being a trusted third party to create signing certs that users could use to sign their public key. The only problem I really see with that is, since the service would be giving out identity-proving certificates, said service would need to check and verify that the person really is who they say they are. The certificate itself would not have any of this personally identifiable information; instead it would be the username/alias the person would choose. (Said "VeriSign for Furries" would also need to pay for a cert from VeriSign and/or other trust brokers, that way the chain of trust can be easily verified with a standard browser. Since the user's key is signed with the VSfF cert, check if VSfF acknowledges it; they do. Who signed the VSfF cert? Oh, VeriSign did; is it right? It is, good! KEY ACCEPTED.)

As an aside, the other nice thing about public/private keypairs, and verifiable certificates is that it'll mitigate problems with art theft. Artist signs their original work, and when they see it appear somewhere else: "Yeah that's mine, here's undeniable proof."
 

Traveller800

The sexy mistress of chaos
We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.
How bad could this get? I know from reading news articles on hacks that hackers can decrypt passwords if they try... so how bad could this get? Should I change my email password too or watch out for suspicious emails?
 

Vrghr

New Member
How bad could this get? I know from reading news articles on hacks that hackers can decrypt passwords if they try... so how bad could this get? Should I change my email password too or watch out for suspicious emails?

1) If you use the same password on other sites that you used on FA before the hack, you should immediately change those other sites' passwords!
2) You should always watch for suspicious emails, even if FA wasn't hacked. But you should be even more careful now if you get an email from an FA user (Hackers can spoof email senders from the FA list). And you should be cautious of Phishing or other similar emails sent to the email account that was listed in your FA information, as hackers can try to target those users.
 

Traveller800

The sexy mistress of chaos
1) If you use the same password on other sites that you used on FA before the hack, you should immediately change those other sites' passwords!
2) You should always watch for suspicious emails, even if FA wasn't hacked. But you should be even more careful now if you get an email from an FA user (Hackers can spoof email senders from the FA list). And you should be cautious of Phishing or other similar emails sent to the email account that was listed in your FA information, as hackers can try to target those users.
ok, thanks
 

Volvom

Anthro Artist, Finland
I love when I hear people on DeviantArt saying how FA should be more like DA. Why? Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know, nor do they do anything to try and prevent future hacks? At least FA staff acts like they care :/ Sad part, the same people who are saying this are the same people who complain about DA's staff's lack of caring about anything. Hell, if you google DeviantArt hack you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead. Was... kind of frightening so many sites are allowed to exist...
Nailed! I have, err... 5 different hacked accounts on dA, which I couldn't restore because I was such a kid and didn't even know how to write shitty English, so I just always made a new one.
More or less, my current account was also attacked a few times, but I sent mails etc. to the admins and got my account back.
Not to mention, I think that more or less DeviantART's so-called improvements are really going too far.

But back to thread. I think that better security is always welcome, I just don't really wanna pay too much (ideal thing is free) for keeping all safe, but if it's not too high priced or there is another ways to make security better, that should be enough for us.
 

mcdoga

Dancing Machine
I like the idea
What I don't like is paying for services that were free in the past
 

zilchfox

New Member
I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").
I believe Google Authenticator is free. It doesn't use SMS per se, but anyone can just download the Google Authenticator app on the smart phone and enter a code to login. It'd be a nice opt-in feature I'm sure.
 

HTML

<neck content="beard"/>
I love when I hear people on DeviantArt saying how FA should be more like DA. Why? Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know, nor do they do anything to try and prevent future hacks? At least FA staff acts like they care :/ Sad part, the same people who are saying this are the same people who complain about DA's staff's lack of caring about anything. Hell, if you google DeviantArt hack you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead. Was... kind of frightening so many sites are allowed to exist...
Eh, not so sure about that. There is some history with the administration not acting on information they knew for a while in regards to security exploits. One of the ex-developers, Eevee, demonstrated this back in 2010. He also made a giant write-up with a list of known vulnerabilities, some of which weren't fixed until years later. However, that is in the past. I have reason to believe they may have changed their priorities. So hopefully security won't be as big of an issue in the future. As for the DA hacking sites, I am a bit skeptical of how reliable those are.
 

DravenDonovan

You can call me Oni~
Eh, not so sure about that. There is some history with the administration not acting on information they knew for a while in regards to security exploits. One of the ex-developers, Eevee, demonstrated this back in 2010. He also made a giant write-up with a list of known vulnerabilities, some of which weren't fixed until years later. However, that is in the past. I have reason to believe they may have changed their priorities. So hopefully security won't be as big of an issue in the future. As for the DA hacking sites, I am a bit skeptical of how reliable those are.
They probably aren't reliable in the least, but I do know DA gets hacked all the time. They have the same level of security that FA currently has, so I just don't get where these people who try and say DA's security is better are coming from, is all. Of course these are the same people who like to complain about pretty much everything xD.
Only difference I've noticed, at least with this case, with DA and FA is at least FA made it public and are trying to fix the issue, even if it means losing members.
They could have easily kept us in the dark, tried fixing it on the side, let people's accounts be screwed up or lost, and try to play it off as, "we're doing the best we can"
 

Saokymo

Art Cookie
They probably aren't reliable in the least, but I do know DA gets hacked all the time. They have the same level of security that FA currently has, so I just don't get where these people who try and say DA's security is better are coming from, is all. Of course these are the same people who like to complain about pretty much everything xD.
Only difference I've noticed, at least with this case, with DA and FA is at least FA made it public and are trying to fix the issue, even if it means losing members.
They could have easily kept us in the dark, tried fixing it on the side, let people's accounts be screwed up or lost, and try to play it off as, "we're doing the best we can"
I think the difference here is DA is a lot bigger than FA, and stands to lose a whole lot more in terms of their user base should something like this happen to them. That alone makes it more likely for the DA staff to keep the hacking situations under wraps just to avoid the bad press that comes along with it.
FA, for having a much smaller and more intimate user base, probably did the right thing by making a public announcement letting us all know what was going on.
 

KimButt

Member
I love when I hear people on DeviantArt saying how FA should be more like DA. Why? Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know, nor do they do anything to try and prevent future hacks? At least FA staff acts like they care :/ Sad part, the same people who are saying this are the same people who complain about DA's staff's lack of caring about anything. Hell, if you google DeviantArt hack you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead. Was... kind of frightening so many sites are allowed to exist...

The DA staff, honestly, could care less about their members unless they get the greens from them.

Honestly, I think FA is a lot better to be around. At least the admins try and protect members
 