WarMocK
I like to nuke ^^
This, and whenever a user attempts to change his PW it is checked to see if it is in that list. If it isn't, then it's ok, if it is - BUZZ, please try again.
"Your account has been hijacked/disabled."
- Thread starter net-cat
- Start date
- Status
Valerion
Member
Two words. Rainbow tables. And in any event, if I have a list of MD5-hashed passwords I can put a device to work on it spitting out hashes. I just need a single hit from the entire list, unless I am targeting a specific user. That's above and beyond MD5-insecurities and dictionary attacks.
DigitalMan
Member
Well... yeah, that's about it.
I thoroughly concur with this.
If people want to use whatever password, then let them. Just... let them. I think everyone should have that basic right, in places it doesn't affect a whole company. And if it's a stupid password, and it gets hacked, then maybe they'll learn. And if they complain to you... then you ban them, because they're idiots.
I did not ask for security. I did not ask DA to have that retarded warning page. I did not ask AT&T to log me out after 15 minutes. I don't want it. So whatever it is you may be thinking of - anything, no matter how good an idea it may seem to you (since your current bright idea is already well into unacceptable territory) - just stop. Leave me the hell out of it.
And people wonder why humanity is in such a sad state...
net-cat
Infernal Kitty
They are salted, and hashed using several different algorithms. This leak was years ago. And even then, it was straight up MD5 hashed. That's why all the leaked passwords were words you might find in /usr/share/dict/words or a sequence of numbers.
Well, they get a warning the first time. The second time, they get a ban. This is so they are forced to come talk to us so we can make it clear that ignoring the problem won't make it go away. People who continue to use the same password even after all that, in all likelihood, would be outright banned. But it hasn't actually gotten that far yet.Personally, I think they should go even farther with the defacing of the pages of users who absolutely refuse to switch their password to something new.I mean, if they're seriously using the same three year old password that any troll can find with some effort, they should be given a pretty harsh lesson.
I'm reasonably certain the original leak was a straight-up dictionary attack. But yes. Ferrox is using either salted Whirlpool or salted SHA256 for the password database. (I forget which, though.)
foozzzball
Lazy and Fuzzy
I didn't get a warning. I never even knew about the first password fiasco years ago. I first found out about this in this exact thread by clicking the list of names and seeing myself on it.
selth
Linuxian Dragon
Dear sir admin,
I enjoy that you spend your time over password details and I ensure you you could be using a simple script with a regular expression to check passwords against "does it have X letters, does it has at least 1 number, ..."
Those kinds of script are used everywhere and I'll be more than happy to help you come up with valid regular expressions for your site.
~a FA fan, Selth Blackwings
I enjoy that you spend your time over password details and I ensure you you could be using a simple script with a regular expression to check passwords against "does it have X letters, does it has at least 1 number, ..."
Those kinds of script are used everywhere and I'll be more than happy to help you come up with valid regular expressions for your site.
~a FA fan, Selth Blackwings
net-cat
Infernal Kitty
What you're missing is that someone was actively using this list to exploit accounts. If I hadn't reset all the passwords, yours might have been next.
net-cat
Infernal Kitty
We will be implementing this check. That will take slightly more time, though.
foozzzball
Lazy and Fuzzy
That's just it. My password hadn't been reset, I didn't get logged out of FA, nothing had changed. I had to look at the list to find out, and I've changed things now, but you probably have a lot of people who still have no idea about this if I slipped through the cracks.
WarMocK
I like to nuke ^^
Would you add a routine to check the new PW against a blacklist as well, please? ;-)
DigitalMan
Member
Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.
And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.
And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.
Arshes Nei
Masticates in Public
I'm trying to figure out how people didn't get the warnings when:
1. I remember when FA was down, there were points to the Livejournal community page at the time. It had all the nasty details. When the site went back up people were flooding journals with that password list.
2. Dragoneer had stated on FA news on the front page, please change your passwords. He also stated it on his personal journals on FA, and stated on this forum. They may have been sticky at one time because they aren't now.
3. I also remember nags on the control panel on the main site about passwords.
1. I remember when FA was down, there were points to the Livejournal community page at the time. It had all the nasty details. When the site went back up people were flooding journals with that password list.
2. Dragoneer had stated on FA news on the front page, please change your passwords. He also stated it on his personal journals on FA, and stated on this forum. They may have been sticky at one time because they aren't now.
3. I also remember nags on the control panel on the main site about passwords.
net-cat
Infernal Kitty
Actually, I just checked. It has been. If you try to log out and log in, you won't be able to. The initial round of changes was a bit rushed, so we didn't blank the session cookie. (Which is something I'm considering going back and doing.) If you need your email changed, PM me on the main site before you try to reset your password.
Yes, yes. We're working on strengthening our password requirements.
Your bank doesn't take action against people whose account details have been publicly leaked?
... might I suggest you find a new bank?
No, this problem is separate from that incident.
Arshes Nei
Masticates in Public
That accidental admin thing has less to do with it than you think.
Ebony Leopard's account was compromised through the same list. So it looks like the guy went through as many as he could and kept getting hits. Takes a lot of patience I suppose but hey, if he found more than one he could get to....
A password strength checker I think is better, I don't think it necessarily means you get booted out for deliberately choosing a weak password, but at least you weren't warned for using it.
And I've still seen more security than the banks when it comes to passwords/site log-in security.
foozzzball
Lazy and Fuzzy
!
Okay. That'd be the session cookie then. I think it let me think I was changing my password, too, or it got reset again, since what I switched it to didn't stick.
DigitalMan
Member
That is bull and you know it. One hacked account, or even 10, would not have even caught the attention of most people, and would have been dealt with quietly.
But a catastrophic flub that ended up bringing down the entire site caused hysteria. I figured things would just go back to normal when things are fixed, that the only changes would be on the administrative side - but apparently not.
You absolutely can not honestly tell me that, in all the time that leaked list has been out there, you are just now spontaneously deciding to make stricter password requirements for reasons completely unrelated to the security scare that just occurred.
Arshes Nei
Masticates in Public
I haven't seen an actual requirement other in place than a password strength checker suggestion. It was requested you do not use the same one off the list. I also haven't seen where it was said specifically where it said that you'll get locked out if a password checker were in place and you used a weak password. The only lockout that's happening are to the users using the same passwords from the leaked list 3 years ago. So you know that thing how you said "well that affects them, and not you" Same situation, it doesn't affect you at all Digitalman. So please stop trying to make it sound otherwise.
It was recently realized and confirmed people are still using the same old passwords that are getting their accounts compromised. Since it was more than one user compromised this way, went through a check and discovered this number was the one net-cat posted.
net-cat
Infernal Kitty
You've made up your mind, and there's nothing I can say that'll change it. So I'm not going to bother.
Last edited:
Armaetus
Nazis, Communists and Antifa don't belong on FA
Don't come crying to the staff if your account becomes compromised.
DigitalMan
Member
... Have you read any of my other posts, at all? I have repeatedly stated over and over again that I take full responsibility for my account security or potential lack thereof, and everyone else should have to do the same. That's kind of the whole thing I've been rambling on about.
Shoot, I was actually expecting to be on that list.
As for everyone on it:
As for everyone on it:
CaptainSaicin
Member
Re: "Your account has been hijacked."
Bruteforces are carried out on the hashes (obtained by other means) typically, not the site. Most sites will block an account if more than 3 or so failure audits occur.
I'm referring to the processing time taken to hash a string, compare it to an existing hash, and increment to the next string.
I have a program that will do it for things like tripcodes. You can crack the first 6 characters in no time at all, though to crack all 10 could take up to several weeks, it is by no means impossible.
OK, a few points here.
We do store passwords as hashes. We have since I started working for FA - which, admittedly, wasn't far enough back that I was a staffer when this password disclosure breach happened.
As for your combinations, you are quoting very, very overstated brute force numbers for a local attack. Bruteforcing a user account login on FA is quite a different matter. Even taking the conservative number that you said, taking a pageload time approx. half that what is actually required (I assume no images would be loaded, no pagination would happen, which would minorly cut down on time), to brute force a 6 character password would take 7.2 x 10^16 seconds. Also known as 2 million millennia. Far longer than the age of the Universe. More than five million times as long, actually.
I'm pretty sure we'd catch it by then.
Bruteforces are carried out on the hashes (obtained by other means) typically, not the site. Most sites will block an account if more than 3 or so failure audits occur.
I'm referring to the processing time taken to hash a string, compare it to an existing hash, and increment to the next string.
I have a program that will do it for things like tripcodes. You can crack the first 6 characters in no time at all, though to crack all 10 could take up to several weeks, it is by no means impossible.
CaptainSaicin
Member
It is a sad, sad fact, that every bank in the U.S., has lower online security standards than World of Warcraft.
Most of them limit passwords to 6-8 characters, and NONE of them offer two-factor authentication or OTP tokens.
This is why I don't use online banking. AT ALL.
- Status