
"Your account has been hijacked/disabled."


Valerion

Member
First of all, why aren't passwords hashed into MD5? If they are, even someone who gets the leaked database won't be able to figure out the passwords. And also ensures the privacy of the members as some of them may be using passwords they use in other sites/messenger etc as well.

Two words. Rainbow tables. And in any event, if I have a list of MD5-hashed passwords I can put a device to work on it spitting out hashes. I just need a single hit from the entire list, unless I am targeting a specific user. That's above and beyond MD5-insecurities and dictionary attacks.
 
You're actually complaining because we're taking steps to protect users' data, accounts and security. Am I reading this right?

Well... yeah, that's about it.

You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.

The site admins here should realize that when they're being worthless jerks on purpose, complaining when everyone doesn't praise them for it is pretty dang dumb.

I thoroughly concur with this.

If people want to use whatever password, then let them. Just... let them. I think everyone should have that basic right, in places it doesn't affect a whole company. And if it's a stupid password, and it gets hacked, then maybe they'll learn. And if they complain to you... then you ban them, because they're idiots.

I did not ask for security. I did not ask DA to have that retarded warning page. I did not ask AT&T to log me out after 15 minutes. I don't want it. So whatever it is you may be thinking of - anything, no matter how good an idea it may seem to you (since your current bright idea is already well into unacceptable territory) - just stop. Leave me the hell out of it.

And people wonder why humanity is in such a sad state...
 

net-cat

Infernal Kitty
First of all, why aren't passwords hashed into MD5? If they are, even someone who gets the leaked database won't be able to figure out the passwords. And also ensures the privacy of the members as some of them may be using passwords they use in other sites/messenger etc as well.
They are salted, and hashed using several different algorithms. This leak was years ago. And even then, it was straight up MD5 hashed. That's why all the leaked passwords were words you might find in /usr/share/dict/words or a sequence of numbers.

Personally, I think they should go even farther with the defacing of the pages of users who absolutely refuse to switch their password to something new. :p I mean, if they're seriously using the same three year old password that any troll can find with some effort, they should be given a pretty harsh lesson.
Well, they get a warning the first time. The second time, they get a ban. This is so they are forced to come talk to us so we can make it clear that ignoring the problem won't make it go away. People who continue to use the same password even after all that, in all likelihood, would be outright banned. But it hasn't actually gotten that far yet.

Two words. Rainbow tables. And in any event, if I have a list of MD5-hashed passwords I can put a device to work on it spitting out hashes. I just need a single hit from the entire list, unless I am targeting a specific user. That's above and beyond MD5-insecurities and dictionary attacks.
I'm reasonably certain the original leak was a straight-up dictionary attack. But yes. Ferrox is using either salted Whirlpool or salted SHA256 for the password database. (I forget which, though.)
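The difference net-cat is pointing at (plain MD5 in the old dump versus salted hashes in Ferrox) is easy to see in a few lines. The following is an added example, not code from the thread or from FA's code base: it builds a small constructed user table, stores it both ways, and shows why an unsalted dump lets one table lookup break every user who shares a password while a per-user salt makes identical passwords look unrelated. The PBKDF2 functions at the end are an assumption beyond what the thread describes, included as the standard hardening step.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users chose the same weak password,
# which is exactly the situation a leaked dump exposes.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def md5_unsalted(password: str) -> str:
    """The old scheme described in the thread: plain MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Salted SHA-256: the salt is mixed in before hashing, so the same
    password stored for two users yields two unrelated digests."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What an unsalted table looks like: user -> md5(password)."""
    return {name: md5_unsalted(pw) for name, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Salted table: user -> (salt, sha256(salt || password)), fresh salt per user."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt.hex(), salted_sha256(pw, salt))
    return table


def duplicate_digests(table: dict) -> list:
    """Groups of users whose stored digest is identical. In an unsalted dump this
    reveals shared passwords, and one precomputed-table lookup covers every member
    of the group; with per-user salts the list is empty even when passwords repeat."""
    seen = {}
    for name, entry in table.items():
        digest = entry[1] if isinstance(entry, tuple) else entry
        seen.setdefault(digest, []).append(name)
    return [sorted(names) for names in seen.values() if len(names) > 1]


def verify_salted(table: dict, name: str, password: str) -> bool:
    """Login check against the salted table, using a constant-time compare."""
    salt_hex, digest = table[name]
    candidate = salted_sha256(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened variant (an assumption beyond what the thread states): PBKDF2-HMAC-SHA256
    with a random salt and an iteration count, so every guess costs many hash operations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_pbkdf2(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_digests(store_unsalted(SAMPLE_USERS)))
    print("salted duplicates:  ", duplicate_digests(store_salted(SAMPLE_USERS)))
```

Running it prints one duplicate group (alice and bob) for the unsalted table and none for the salted one. Salting is what defeats the rainbow tables mentioned earlier in the thread, since a precomputed table only covers one salt value; it does not make individual guesses slower, which is why the PBKDF2 variant adds an iteration count on top.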
 

foozzzball

Lazy and Fuzzy
Well, they get a warning the first time. The second time, they get a ban. This is so they are forced to come talk to us so we can make it clear that ignoring the problem won't make it go away. People who continue to use the same password even after all that, in all likelihood, would be outright banned. But it hasn't actually gotten that far yet.

I didn't get a warning. I never even knew about the first password fiasco years ago. I first found out about this in this exact thread by clicking the list of names and seeing myself on it.
 

selth

Linuxian Dragon
Dear sir admin,

I enjoy that you spend your time over password details and I assure you you could be using a simple script with a regular expression to check passwords against "does it have X letters, does it have at least 1 number, ..."

Those kinds of scripts are used everywhere and I'll be more than happy to help you come up with valid regular expressions for your site.

~a FA fan, Selth Blackwings
 

net-cat

Infernal Kitty
I didn't get a warning. I never even knew about the first password fiasco years ago. I first found out about this in this exact thread by clicking the list of names and seeing myself on it.
What you're missing is that someone was actively using this list to exploit accounts. If I hadn't reset all the passwords, yours might have been next.
 

net-cat

Infernal Kitty
Dear sir admin,

I enjoy that you spend your time over password details and I assure you you could be using a simple script with a regular expression to check passwords against "does it have X letters, does it have at least 1 number, ..."

Those kinds of scripts are used everywhere and I'll be more than happy to help you come up with valid regular expressions for your site.

~a FA fan, Selth Blackwings
We will be implementing this check. That will take slightly more time, though.
 

foozzzball

Lazy and Fuzzy
What you're missing is that someone was actively using this list to exploit accounts. If I hadn't reset all the passwords, yours might have been next.

That's just it. My password hadn't been reset, I didn't get logged out of FA, nothing had changed. I had to look at the list to find out, and I've changed things now, but you probably have a lot of people who still have no idea about this if I slipped through the cracks.
 

WarMocK

I like to nuke ^^
We will be implementing this check. That will take slightly more time, though.
Would you add a routine to check the new PW against a blacklist as well, please? ;-)
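Selth's regex suggestion and WarMocK's blacklist request fit together in one routine. What follows is an added example, not code from the thread or from FA's site: a checker that runs a password through a list of regex rules, rejects anything on a blacklist (the kind of list a leaked dump would feed), and refuses passwords containing the username. The rule thresholds and the blacklist entries are constructed for the example.

```python
import re

# Constructed blacklist: entries of the sort a leaked-password list would contribute,
# plus common defaults. In practice this would be loaded from a file (see load_blacklist).
BLACKLIST = {"password", "123456", "qwerty", "letmein", "hunter2", "furaffinity"}

# Policy rules as (description, regex) pairs; every rule must match.
RULES = [
    ("at least 8 characters", re.compile(r"^.{8,}$")),
    ("at least one letter", re.compile(r"[A-Za-z]")),
    ("at least one digit", re.compile(r"\d")),
    # negative lookahead: reject strings made of one repeated character
    ("not a single repeated character", re.compile(r"^(?!(.)\1+$)")),
]


def load_blacklist(text: str) -> set:
    """Parse a one-password-per-line list; blank lines and '#' comments are skipped,
    entries are lower-cased so the check below is case-insensitive."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


def check_password(username: str, password: str, blacklist: set = BLACKLIST) -> list:
    """Return the list of failed rule descriptions; an empty list means the password passes."""
    failures = [desc for desc, rx in RULES if not rx.search(password)]
    if password.lower() in blacklist:
        failures.append("on the blacklist")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


if __name__ == "__main__":
    for candidate in ["hunter2", "Dragon2012!", "aaaaaaaa", "selthdragon1"]:
        print(f"{candidate!r}: {check_password('selth', candidate) or 'ok'}")
```

The checker reports every failing rule rather than stopping at the first, which is what a user-facing form needs. Regex rules only catch structural weakness; the blacklist is what actually stops the re-use of passwords from a known leak, so the two checks complement rather than replace each other.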
 
Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.

And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.
 

Arshes Nei

Masticates in Public
I'm trying to figure out how people didn't get the warnings when:

1. I remember when FA was down, there were points to the Livejournal community page at the time. It had all the nasty details. When the site went back up people were flooding journals with that password list.

2. Dragoneer had stated on FA news on the front page, please change your passwords. He also stated it on his personal journals on FA, and stated on this forum. They may have been sticky at one time because they aren't now.

3. I also remember nags on the control panel on the main site about passwords.
 

net-cat

Infernal Kitty
That's just it. My password hadn't been reset, I didn't get logged out of FA, nothing had changed. I had to look at the list to find out, and I've changed things now, but you probably have a lot of people who still have no idea about this if I slipped through the cracks.
Actually, I just checked. It has been. If you try to log out and log in, you won't be able to. The initial round of changes was a bit rushed, so we didn't blank the session cookie. (Which is something I'm considering going back and doing.) If you need your email changed, PM me on the main site before you try to reset your password.

Would you add a routine to check the new PW against a blacklist as well, please? ;-)
Yes, yes. We're working on strengthening our password requirements.

Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.
Your bank doesn't take action against people whose account details have been publicly leaked?

... might I suggest you find a new bank?

And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.
No, this problem is separate from that incident.
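net-cat's remark that the rushed reset changed the password but did not blank the session cookie describes a common gap: a password reset that leaves existing sessions alive. The following added example (not code from the thread or from FA) models a minimal server-side session store and shows both behaviours side by side; user names, passwords and the store layout are constructed for the example.

```python
import hashlib
import os
import secrets


class AccountStore:
    """Toy server-side account and session store (constructed for this example)."""

    def __init__(self):
        self.users = {}     # name -> {"salt": bytes, "digest": bytes}
        self.sessions = {}  # session cookie value -> user name

    def _set_password(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt,
                            "digest": hashlib.sha256(salt + password.encode()).digest()}

    def add_user(self, name: str, password: str) -> None:
        self._set_password(name, password)

    def login(self, name: str) -> str:
        """Issue a fresh random session cookie for an already-authenticated user."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = name
        return cookie

    def is_session_valid(self, cookie: str) -> bool:
        """The server only trusts a cookie it still holds a record for."""
        return cookie in self.sessions

    def revoke_sessions(self, name: str) -> int:
        """Delete every session belonging to the user; returns how many were dropped."""
        stale = [c for c, owner in self.sessions.items() if owner == name]
        for c in stale:
            del self.sessions[c]
        return len(stale)

    def reset_password(self, name: str, new_password: str, revoke_sessions: bool) -> None:
        """revoke_sessions=False reproduces the rushed reset from the thread: the stored
        password changes, but a browser that is already logged in keeps working until
        it logs out. revoke_sessions=True is the fix: old sessions die immediately."""
        self._set_password(name, new_password)
        if revoke_sessions:
            self.revoke_sessions(name)


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("foozzzball", "old-pass-123")
    cookie = store.login("foozzzball")
    store.reset_password("foozzzball", "reset-1", revoke_sessions=False)
    print("after rushed reset, session still valid:", store.is_session_valid(cookie))
    store.reset_password("foozzzball", "reset-2", revoke_sessions=True)
    print("after reset with revocation, session valid:", store.is_session_valid(cookie))
```

The important point is that the revocation happens on the server: clearing the cookie in the user's browser does nothing if the server-side record survives, and whoever holds a copy of that cookie value is still logged in. Revoking per user also leaves other users' sessions untouched.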
 

Arshes Nei

Masticates in Public
Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.

And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.

That accidental admin thing has less to do with it than you think.

Ebony Leopard's account was compromised through the same list. So it looks like the guy went through as many as he could and kept getting hits. Takes a lot of patience I suppose but hey, if he found more than one he could get to....

A password strength checker I think is better, I don't think it necessarily means you get booted out for deliberately choosing a weak password, but at least you weren't warned for using it.

And I've still seen more security than the banks when it comes to passwords/site log-in security.
 

foozzzball

Lazy and Fuzzy
Actually, I just checked. It has been. If you try to log out and log in, you won't be able to. The initial round of changes was a bit rushed, so we didn't blank the session cookie. (Which is something I'm considering going back and doing.) If you need your email changed, PM me on the main site before you try to reset your password.

!

Okay. That'd be the session cookie then. I think it let me think I was changing my password, too, or it got reset again, since what I switched it to didn't stick.
 
No, this problem is separate from that incident.

That is bull and you know it. One hacked account, or even 10, would not have even caught the attention of most people, and would have been dealt with quietly.

But a catastrophic flub that ended up bringing down the entire site caused hysteria. I figured things would just go back to normal when things are fixed, that the only changes would be on the administrative side - but apparently not.

You absolutely can not honestly tell me that, in all the time that leaked list has been out there, you are just now spontaneously deciding to make stricter password requirements for reasons completely unrelated to the security scare that just occurred.
 

Arshes Nei

Masticates in Public
You absolutely can not honestly tell me that, in all the time that leaked list has been out there, you are just now spontaneously deciding to make stricter password requirements for reasons completely unrelated to the security scare that just occurred.

I haven't seen an actual requirement in place other than a password strength checker suggestion. It was requested that you do not use the same one off the list. I also haven't seen where it was said specifically that you'll get locked out if a password checker were in place and you used a weak password. The only lockouts that are happening are for the users using the same passwords from the leaked list 3 years ago. So you know that thing you said, "well, that affects them, and not you"? Same situation: it doesn't affect you at all, Digitalman. So please stop trying to make it sound otherwise.

It was recently realized and confirmed that people are still using the same old passwords, which are getting their accounts compromised. Since more than one user was compromised this way, a check was done, and the number discovered was the one net-cat posted.
 

Armaetus

Nazis, Communists and Antifa don't belong on FA
Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.

And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.

Don't come crying to the staff if your account becomes compromised.
 
Don't come crying to the staff if your account becomes compromised.

... Have you read any of my other posts, at all? I have repeatedly stated over and over again that I take full responsibility for my account security or potential lack thereof, and everyone else should have to do the same. That's kind of the whole thing I've been rambling on about.
 

Ralesk

New Member
In after countless bickering and no reaction to using HTTPS if you care anything about password security.

And I've still seen more security than the banks when it comes to passwords/site log-in security.

Nei, are you really sure?
 
Re: "Your account has been hijacked."

OK, a few points here.

We do store passwords as hashes. We have since I started working for FA - which, admittedly, wasn't far enough back that I was a staffer when this password disclosure breach happened.

As for your combinations, you are quoting very, very overstated brute force numbers for a local attack. Bruteforcing a user account login on FA is quite a different matter. Even taking the conservative number that you said, taking a pageload time approx. half of what is actually required (I assume no images would be loaded, no pagination would happen, which would minorly cut down on time), to brute force a 6 character password would take 7.2 x 10^16 seconds. Also known as 2 million millennia. Far longer than the age of the Universe. More than five million times as long, actually.

I'm pretty sure we'd catch it by then. ;)

Bruteforces are carried out on the hashes (obtained by other means) typically, not the site. Most sites will block an account if more than 3 or so failure audits occur.

I'm referring to the processing time taken to hash a string, compare it to an existing hash, and increment to the next string.

I have a program that will do it for things like tripcodes. You can crack the first 6 characters in no time at all; though cracking all 10 could take up to several weeks, it is by no means impossible.
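The point made above, that online guessing against the site is bounded by page-load time and that most sites block an account after a few failures, is what a login throttle implements. The following is an added example, not code from the thread or from FA: a per-account failed-login tracker with a sliding window and a temporary lockout. The thresholds (3 failures in 10 minutes, 15-minute lock) are constructed for the example, and the clock is injected so the behaviour can be exercised without waiting.

```python
import time
from collections import deque


class LoginThrottle:
    """Per-account failed-login tracking (constructed example). After max_failures
    failures inside `window` seconds the account is locked for `lockout` seconds."""

    def __init__(self, max_failures=3, window=600.0, lockout=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock          # injectable for testing; defaults to a monotonic clock
        self.failures = {}          # account -> deque of failure timestamps
        self.locked_until = {}      # account -> time at which the lock expires

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:   # lock has expired; forget it
            del self.locked_until[account]
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Log a failed attempt; returns True if the account is now locked."""
        now = self.clock()
        q = self.failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return True
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history for that account."""
        self.failures.pop(account, None)

    def failures_in_window(self, account: str) -> int:
        """How many recent failures currently count against the account."""
        now = self.clock()
        return sum(1 for t in self.failures.get(account, ()) if now - t <= self.window)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(4):
        locked = throttle.record_failure("demo-user")
        print(f"failure {attempt + 1}: locked={locked}")
```

Locking the account itself is the behaviour the thread describes, but it has a side effect a practitioner should weigh: anyone who knows a username can lock its owner out by sending three bad guesses. Keeping the lock short, or throttling by source address and account together, limits that denial-of-service while still capping the guess rate.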
 
In after countless bickering and no reaction to using HTTPS if you care anything about password security.

Nei, are you really sure?

It is a sad, sad fact, that every bank in the U.S., has lower online security standards than World of Warcraft.

Most of them limit passwords to 6-8 characters, and NONE of them offer two-factor authentication or OTP tokens.

This is why I don't use online banking. AT ALL.
 