Potential Database Breach

[mokaiba]

In response to post #31561115. #31561180, #31561660, #31562180, #31562605, #31562795, #31563395 are all replies on the same post.

mokaiba wrote: im not worried about anyone getting into my email since I dont even know my email password. I have it written down because its just a bunch of randomness. eg, SJDHF&yhfsdhgf&*^#&*$TGFg375r2hdehfbghus <- like that lol

katleigh93 wrote: Hehehehe, thats the best kind to have mokaiba :D

mokaiba wrote: I do this for all websites that i care about keeping others out. This was not one of them and had a really simple password because I didnt care if anyone gained access as they wouldnt gain anything from it. I think they gained access to my account but didnt change anything and only wrote down the email. I have noticed an increase of spam mail to my email address this past week. Just in case they try to change my password here, I went and changed it from my 'lower case eight-letter' password to an alphanumeric :)

btw, I dont use my real name or personal information anywhere as well. even facebook has a fake name for me.

ultim8f8 wrote: Difficulty to remember: maximum
Bits of entropy: maximum

But there are better ways: xkcd: Password Strength

mokaiba wrote: I use entire sentences when it comes to work and financial-related passwords. I treat those as on an entirely different level than everything else. eg, ILikePinkButterFliesthatswimintheOcean1! good luck guessing that and cracking it lol

katleigh93 wrote: Lol, now that security, hehehehe

SingABrightSong wrote: As strong as XKCD's password is in regards to bits of entropy, it is rather vulnerable to dictionary attacks, where instead of "CorrectHorseBatteryStaple" being 25 characters, it is just four common strings that are concatenated.

That said "gibberish" strings can be made more easily remembered. An example given was "4S&7Ya,oFb4thutCanN,ciL,&dttPtaMac=.", which is interpreted by the human reader as an abbreviaton of the opening of the Gettysburg Address

thats why you add numbers and symbols (to delay dictionary attacks). brute force is going to check letter by letter first then word by word, however, once you pass 20 characters, it becomes time consuming for the process to complete. it doesnt matter if they are all known words. the fact is, it will take years to brute force a 25 character password (government could do it in less time though). one would assume, that before that occurs, that you have changed the password. Most websites will lock your account after so many failed attempts as well.

use my example above (pink butter flies):

2 quattuorvigintillion possible combinations.

It would take a desktop PC about 22 octodecillion years to crack.

or, take a super computer capable of 50,000,000,000,000,000 keys per second.

1.7767289882885646e+40 years 166 days 23 hours 51 minutes and 36 seconds
(2.803405260273855e+49 password combinations)

just shows you that using real words is irrelevant after 20 characters.


regardless of passwords used or the methods for them. the easiest solution for this website is to change to ssl (https) for all connections. 80% of the issues related to passwords and security will be eliminated when that change occurs.

Bascially, it would come down to a potential hacker doing this.

1. its ssl
2. passwords are hashed and salted.
3. not really worth my time.
4. moves on to another website. Edited December 6, 2015 by mokaiba

[mobzk]

Whats Going On?

[MetalCaveman]

Thanks for the heads up, I've gone through all of my recently installed mods and didn't find anything strange (I've only installed mods for NV). Also went and changed some passwords (I never re-use them, but better safe than sorry).

[TechSnarf]

As an SA myself I feel your pain. It's great you're willing to get out in front of this. GeohoundJason does a great job of saying how most of us feel about the situation. People forget security is a burden we all must share, and you do a great job explaining things in terms most can understand without talking down to anyone. Hang in there!

[xraybravoxray]

Windows defender has caught 3 Trojans since Thanksgiving, all from Nexus. Could it be all the adds? They all seem to target my browser. Virus scans after download have not caught anything. Only catching when looking a the site.

[thehappiestEmo]

Just the fact that you are being straightforward with us is enough for me. Even the best security in the world isn't impervious, but informing your users before things actually get ugly is the right thing to do. Kudos.

[khmp]

Thanks for keeping us in the loop. And I wish you and your team much luck in figuring out the extent and fix quickly if indeed a breech has occurred.

[leevon13]

yo, thanks for the heads up.

 

Would it be possible to get the names of the mod files that were affected?

[esfewsf]

In response to post #31566170. #31566375, #31567315 are all replies on the same post.

algustin wrote: help im trying to change my password but it keeps telling me that my current password is wrong even tho im sure it's right

urielz wrote: try resetting you password

algustin wrote: and how do i exactly do that? please?

log out and when you try to log in again look for a "forgot password" button. Maybe you have to enter a wrong password to get to the screen where you can find the "forgot password" button.

[Gwenneby]

In response to post #31566170. #31566375, #31567315, #31569360 are all replies on the same post.

algustin wrote: help im trying to change my password but it keeps telling me that my current password is wrong even tho im sure it's right

urielz wrote: try resetting you password

algustin wrote: and how do i exactly do that? please?

esfewsf wrote: log out and when you try to log in again look for a "forgot password" button. Maybe you have to enter a wrong password to get to the screen where you can find the "forgot password" button.

yeah i did that like a second ago thanks anyway