
Database Breach - An Update


Dark0ne


Thanks for all the info, and I appreciate your and the entire team's response. So, I just changed my password and renewed my membership while I was there.

I'm in the same boat as others here in regard to having no cell phone, smart or otherwise, so that means of authentication would definitely pose problems for me as well. Also, I don't care for nor use Chrome.

I know there is a lot for you and the team to consider, and I have absolute faith and confidence in your ability to find the best solutions for the problems that this presents; you have demonstrated that in years past.

I have the utmost respect for you and the staff, and whatever you determine to be the best course of action or means to address these issues, I will, of course, support you in that decision.

Thanks again for your immediate response and candor in dealing with this. Thanks also for having the BEST site to get MODS, and more.

 

Best Wishes,

James

 


In response to post #31635470. #31635895, #31636295, #31639400, #31641690, #31641935, #31642435 are all replies on the same post.


Arthmoor wrote: Good to know about the planned security enhancements, but if I may suggest, please offer something more than 2FA through a smartphone. Some of us don't have one, can't afford one, or don't want to provide that number to anyone over the internet for privacy reasons. I fall into the "can't afford" category for what it's worth, so some other method to enable this would be greatly appreciated.
Dark0ne wrote: I hope we can also implement some sort of system similar to how Facebook and Steam send access codes via email when an unrecognised login is received.
Detonate wrote: I agree, I don't use this; sites that demand it, I don't visit. "We just had a security breach, where they stole your email, now please give us your phone number as well", no thanks!!
Dark0ne wrote: To clarify; the concept of 2FA is that it's an optional security extra. It's not a forced requirement.
scrivener07 wrote: I second the opinion that if 2FA is added, please don't require a "smart" phone. I use a "dumb" phone by preference because of its simplicity and durability. I work in an industry where I'd go through one smart phone a week; this dumb phone has been going three years strong now :) All other services with 2FA I use are compatible with my dumb phone because it's just a text message containing a code. Also, when did we stop calling them cell phones?
Eolhin wrote: Oh, good! I was a bit worried, as I also fall into the "can't afford one" category in regards to smartphones.

Thank you for all your hard work Dark0ne. :)
Dark0ne wrote:
Also when did we stop calling them cell phones?


We never started calling them that to begin with. They've always been mobile phones!


Agree... This wonderful community has people from every corner of this world, from every layer of society, left and right, sad and happy, crazy and... more crazy. So I hope you find a solution that fits everybody.
But first of all, I think you need to "force" us to make sure that we, as users, have provided you with updated information.
For the day will come when you get up in the morning and 5 minutes later have to lock down all of Nexus, force-reset all admin and user passwords, and take it all offline to prevent more damage.
Then you would need a backup info channel to broadcast to users that you (or your team) know about it and are working on it. A small corner over at Reddit, maybe? I would like to know what these official backup channels are, and what usernames to look for.

Your site has become dear to me, and it hurts me when something is not going as planned, because I know how hard you work for this, Dark0ne.
I have some thoughts about how to update the contact info on us users, since my work is much about the same thing, data cleansing.
So I offer my help, in any way I can.

In response to post #31660700.


JaschMedia wrote: May I recommend contacting https://haveibeenpwned.com/ about adding the emails from the dump to the list?
It is a service that allows you to see if your email has been in any data breach they know of.


Maybe a dumb question, but I presume any of us, "I", could go there and check it out?
If so, great info.

Edit: I went to the site, as recommended, did a check, and so far I'm good. Thanks for the tip.
BTW, I got my answer. ;)

In response to post #31656575.


NeoH4x0r wrote:

 

In response to post #31645210. #31646060, #31646785, #31648240 are all replies on the same post.


jet4571 wrote: Here's a quick way to make very hard-to-crack passwords. Create a new text document and open it. Now randomly mash keys on your keyboard so you get something like dj5vp7;jQE:2ljwer1halk/jb9hl;sfj and there's your new hard-to-crack password.
TrvsD wrote: Or just use some crazy, several-word-long phrase that will stick in your mind. Think sentence, not random characters you will forget.
Daelda1 wrote: I'd rather use LastPass or KeePass to generate random, complex passwords, because those programs actually remember the passwords for you and encrypt them (of course, you have to remember the phrase you used to encrypt them with, but if you use something long enough and complex enough, like "I am the 8th of 16 children. My mom was a VERY tired woman.", I'd say it would be fairly difficult to crack).
Dimon007 wrote: No no no... no word phrases! Hackers can figure those out more easily. Always use nonsensical made-up words; ASCII symbols are always nice too.

Long words don't really make it harder to crack... If you use a password like "ilikemysecurepassword" it would take me at most 1 day, probably only 10-50 minutes, to crack it with rainbow tables or a good wordlist. You are much better off using, for example, "I#%Like!My#Sec/Passw"

 

That password is more complex... but it still contains dictionary words.

Better to use a password like this (64 characters, totally random, and nonsense):

,sZa(t9iIIFX_G?Cy^Mq8YA9hB;f]w67z[7/X$&?{qX(wHI8A{%9jk9Yy(AN96wB


Irrelevant; the database dump was from prior to 2013. If a computer wanted to decipher your password from scratch, it would take at least 60 million years.
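The cracking-time argument in the quoted exchange turns on how a password was generated, not on how long it is, and an offline dictionary attack against a fast unsalted hash is what a leaked database actually exposes users to. The following Python is an added example, not code from the original thread or from Nexus Mods; the ten-word dictionary, the choice of unsalted SHA-1 as the stored hash, and the guess-rate figure are constructed assumptions for the demonstration, not facts about any site.

```python
import hashlib
import itertools
import math
import secrets
import string

# Constructed ten-word dictionary standing in for a real cracking wordlist (assumption:
# the attacker's list happens to contain the victim's words; real lists hold millions).
WORDLIST = ["i", "like", "my", "secure", "password", "the", "love", "nexus", "mods", "skyrim"]

# Character set a generator or keyboard mash can draw from: printable ASCII minus space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Assumed attacker speed against a fast unsalted hash on one GPU, for illustration only.
GUESSES_PER_SECOND = 10_000_000_000


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: on average half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def weak_hash(password: str) -> str:
    """Unsalted SHA-1 stands in for the fast hashes older forum software stored (assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def wordlist_attack(target_hash: str, words, max_words: int = 5, hashfn=weak_hash):
    """Try every concatenation of 1..max_words dictionary words against one stored hash.

    Returns (plaintext, guesses_made); plaintext is None if the search was exhausted.
    """
    guesses = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            guesses += 1
            candidate = "".join(combo)
            if hashfn(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def generate_random_password(length: int = 64, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: one CSPRNG draw per character, never a keyboard mash."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strategies() -> dict:
    """Run the thread's two candidate passwords through the same attacker model."""
    phrase = "ilikemysecurepassword"            # five dictionary words, 21 characters
    random64 = ",sZa(t9iIIFX_G?Cy^Mq8YA9hB;f]w67z[7/X$&?{qX(wHI8A{%9jk9Yy(AN96wB"

    found_phrase, guesses_phrase = wordlist_attack(weak_hash(phrase), WORDLIST)
    found_random, guesses_random = wordlist_attack(weak_hash(random64), WORDLIST)

    return {
        # Entropy when the attacker knows the construction (10-word list, 5 words).
        "phrase_bits": entropy_bits(len(WORDLIST), 5),
        "random64_bits": entropy_bits(len(PRINTABLE), 64),
        "phrase_cracked": found_phrase == phrase,
        "phrase_guesses": guesses_phrase,
        "random64_cracked": found_random is not None,
        "random64_search_exhausted_after": guesses_random,
        "random64_expected_years": expected_crack_seconds(
            entropy_bits(len(PRINTABLE), 64), GUESSES_PER_SECOND) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for key, value in compare_strategies().items():
        print(f"{key}: {value}")
```

Run it as a script to print the comparison. The five-word phrase falls after a few thousand guesses because the attacker enumerates words, not characters, while the 64-character random string is beyond any dictionary and its brute-force keyspace is astronomically large. The numbers shift only on the server side: a slow salted hash such as bcrypt or scrypt cuts the guess rate by orders of magnitude, which is the fix the thread's users cannot make for themselves.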

In response to post #31635470. #31635895, #31636295, #31639400, #31641690, #31641935, #31642435, #31659140 are all replies on the same post.




Some people here apparently don't know how it works... The mentioned solution with Google Authenticator is NOT about sending you SMS, calls, or whatever. It is about an app you have on your phone or on a PC (Google is using a well-known standard and there are multiple compatible solutions), and this app/program on the PC generates one-time passwords based on the current time.

So if they decide to use Google Auth, it is probably the best option in terms of compatibility. Of course, it would be nice to also add support for YubiKey or some other dongle solution.

Hi Dark0ne,

 

Until now, I have been a free user while blocking all the ads you guys rely on.

This breach made me realise which financial assets are required just to be able to deliver a solid and secure platform for us modders, and how little I appreciated this.

 

I felt really bad not doing something, so I decided to at least show my support by becoming a Nexus Supporter. It's not much, but it's something (insert meme here ;) )

 

Good luck hunting them down, and I hope you guys can implement measures towards a secure environment.


In response to post #31635470. #31635895, #31636295, #31639400, #31641690, #31641935, #31642435, #31659140, #31662135 are all replies on the same post.




The use of Google Authenticator also means moving login details to a non-EU-headquartered company, which can cause some problems for EU companies with the recent move to abolish the US Safe Harbor provisions. Not a decision to be taken lightly, but alternatives are available.

I'd be happy to discuss some other potential pitfalls, and provide advice Dark0ne, as per the PM I sent you (which I know must be well buried! lol).
