Forced Password Resets


Dark0ne


In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615, #41174715, #41181405, #41185030, #41185770, #41187610 are all replies on the same post.


MikhailScott wrote: The EASIEST way to make a password is to use a format like the following: word_number (4 or more digits). This is what my bank requires for their passwords. A good example would be Spot_1976. Pick something like your Grandmother's cat's name, an underscore and then the year of an important personal event.
xbon wrote: lmao... no. a good way to make a password is randomize letters and numbers + special characters and longest string possible. hae9dUve&eD for example.
jesusristus wrote: ...hae9dUve&eD...
Too short.
garbalen wrote: That's a good way to pick a username, but not at all a secure password. Search for "strong password generator" and bump it up to around 32 characters and store it with KeePass, a free/open source password manager.
garbalen wrote: Got me looking at KeePass's built in generator.

1¼Ñ'K½¤ÑÂÝÇëbÀÇDÿÅ`üæ{ëçÓvëÄòA"ð
^ one of the passwords it came up with. That one is pretty dang secure :)
erelde wrote: So secure I'm not sure some websites would accept it ^^
I know for a fact that Google (gmail) doesn't want accentuated 'E' as of six months ago.

Facebook on the other hand will happily take anything.
Mort65 wrote: You should use a password like this :D
kfjjkjvbnfbnzdflkjgbnlgkjfdlkgndzflbkngfbnbzlknzlbkjnzcvlbnf1hhg1f6csfafdfdfdsfml;lbmr;okmfd;lakn;lfn bjm;lglgmflmfzldm'zfbmf;fz;mf;zlmz;mgh;mzd;lm
l;,fadfm,lgmg;lmfs;dlm,hsdf;lhmmsdhf;l
mdlkfgn;lkjgmf;jklfgx,lg'd,j';lkusotpmfzdh/m;lkfnmhkldml
l,Gkfm;ozjg'fxhk;l,'hg;l,k;l,nvc';jgzckm;hfldkm
trabpukcip wrote: You just mashed the keyboard didn't you?
Obscerno wrote: Obligatory xkcd: https://xkcd.com/936/
Loxus wrote: First rule is to use unique passwords everywhere.
TheForkOnTheLeft wrote: you gotta put the whole story of Anne Frank in one word and one number in the middle or end
TerminusVitae wrote: first rule is uniquity; make them all different, so that if they steal one, they don't have them all.

second rule is long length, and high character complexity, but that is conditional on rule three, which is memorizability.
as the obligatory xkcd (i know which one, without even clicking) states, we've trained ourselves to pick short, symbol complex passwords that are hard for humans to remember, but easy for computers to guess. short? too few different character types? easy for computer to guess by brute force trial and error. too many random symbols? you'll have trouble remembering it, or worse, your keyboard might not support its characters, and you're royally screwed. but xkcd messed up, on this one, sadly; actual word? dictionary attack'll force that open, in a similar way, probably even faster. the xkcd actually sets you right up for a dictionary attack, so while it's good inspiration for an actually good plan, (and generally an awesome webcomic) it in itself is a bad plan.

i avoid most of these issues, with my technique; i create a suitably long nonsense word that doesn't exist, but is easily pronounceable. example, right off the top of my head... "Gablorfingloingy." just made it up, have never used it; feel free, since i definitely won't use this publicly posted one, now... :P if you need inspirational nonsense, calvin, morty, rick, and hobbes are your new best friends. anywho, capitalize the word, give it a punctuation character that changes the tone of its pronunciation, and slap some numbers on it. you're done! it's long, because it's a long word, it's dictionary immune because it doesn't actually exist, and it's hard to brute force because of its length and because it always has at the very least four different types of characters, uppercase, lowercase, the punctuation and the numbers. (Brute forcers slow down immensely the more characters they have to try per spot, so more types = much longer to crack. complexity is your friend.) and best of all, it's easy to remember, because your mind can simply say it in your head, complete with "tone of thought" reminder about the accompanying grammar. perfect score, 5/7; highly recommend.


It's not randomness that makes passwords secure--in fact, it makes it less secure since you're inclined to write it down. Human difficult != machine difficult.

You want a secure password? Make it a sentence, or a phrase (not a single word--they're easily subject to dictionary attacks.) Throw in some numbers/special characters if you really feel froggy.

Keep it simple, but keep it 10-15 characters. And to make it easy to remember and unique, you can include the site's name.

Something like "JoinedNexusMods4-20-16" would take centuries to be brute forced with current technology.

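The replies above argue over three styles of password: a dictionary word plus a number (Spot_1976), a short random string (hae9dUve&eD), and a longer site-specific phrase (JoinedNexusMods4-20-16). The script below is an added example, not code from the thread or from Nexus: it estimates the search space an attacker faces for each style, once as a plain brute-force keyspace from length and character classes, and once as the much smaller "word + separator + short number" space for passwords that fit that pattern. The dictionary size, the separator set and the guess rate are assumed values; real cracking wordlists and hardware differ.

```python
import math
import re
import string

# Character classes used for the brute-force keyspace estimate.
CLASSES = [
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
]

# Assumed size of an attacker's word list. Real lists run to millions of
# entries, so this number, not the character mix, drives the estimate for
# pattern passwords.
ASSUMED_DICTIONARY_SIZE = 1_000_000

# Assumed pattern: a single word, an optional separator, one to four digits.
WORD_DIGITS = re.compile(r"^([A-Za-z]+)([_\-.]?)(\d{1,4})$")


def alphabet_size(password):
    """Size of the smallest standard alphabet covering every character used."""
    size = sum(len(chars) for chars in CLASSES if any(c in chars for c in password))
    # Characters outside the four classes (accented letters, etc.) each widen
    # the alphabet by one; this is why some sites reject them.
    size += len({c for c in password if not any(c in chars for chars in CLASSES)})
    return size


def bruteforce_bits(password):
    """log2 of the keyspace when the attacker knows only length and classes."""
    return len(password) * math.log2(alphabet_size(password))


def pattern_bits(password):
    """log2 of the search space for 'word + separator + digits' passwords,
    assuming the word is in the attacker's dictionary. None if no match."""
    m = WORD_DIGITS.match(password)
    if not m:
        return None
    _word, _sep, digits = m.groups()
    # dictionary entries x {as-is, Capitalised, UPPER} x 4 separator choices
    # x 10**n possible numbers
    space = ASSUMED_DICTIONARY_SIZE * 3 * 4 * (10 ** len(digits))
    return math.log2(space)


def effective_bits(password):
    """The weaker of the two estimates: the cheap pattern search is tried first."""
    bf = bruteforce_bits(password)
    pat = pattern_bits(password)
    return bf if pat is None else min(bf, pat)


def crack_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust 2**bits candidates at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast, unsalted hash
    year = 365.25 * 24 * 3600
    for pw in ["Spot_1976", "hae9dUve&eD", "JoinedNexusMods4-20-16"]:
        bits = effective_bits(pw)
        print(f"{pw:24s} {bits:6.1f} bits  ~{crack_seconds(bits, rate) / year:.3g} years")
```

Spot_1976 scores about 59 bits as a brute-force keyspace but only about 37 bits once the attacker tries the word-plus-year pattern, which is the point the xkcd reply and the "dictionary attack" reply are making; the random 11-character string and the 22-character phrase do not fit the pattern, so their length and class count set the cost.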

In response to post #41163350.


xanderh2404 wrote: Were you using a reversible algorithm?! That's completely unacceptable and inexcusable. You should never, under any circumstances, use a reversible algorithm to store the passwords. Hash and salt passwords, and store the hash and salt in your database. Even if someone gets their hands on your database, it's going to take centuries to crack the passwords, as long as you use hashing with individual salts for each user.

Doing anything else is a massive security hole.

Thanks for letting us know, but this made me lose all trust in the security of this site.


You might want to do a bit more research on this topic because hashing and salting is exactly what we did.

All it takes is enough processing power, and time, to crack hashes and salts. And that's exactly what has happened after 3 years. Edited by Dark0ne

Ten years ago (some of our accounts go back much further than that) a simple password for a site like Nexus was sufficient. After all, there was no money to be had for the effort and the worst you could do was use a hijacked account to troll the site. Then, the criminal scum discovered that many of the members were dumb enough to use the same password on other accounts where they could steal real money. Not many, as the majority of the users on a game site were young enough that they didn't have credit cards. But those kiddies grew up and many still didn't change their simple, easy to crack passwords. But now they had jobs, money, bank accounts and credit cards. Now cracking a password on Nexus still didn't get them any money directly, but it might get them access to other accounts where they could steal some money. And access to social media accounts where they could harvest a lot of personal info that scammers and spammers will pay for.

 

I have a very close friend who posted her telephone number on an open FB post to someone. She has been swamped with spam and scam phone calls on that number. As many as 7 and 8 a day. That phone number was likely harvested by a scraper that reads thousands of FB posts every second looking for data like phone numbers, email addresses, mailing addresses and any other valid personal information. The scraper then sold her verified phone number, along with hundreds of others, for about 5 cents per number. That doesn't sound like much, but they likely sold her number in a package that included around 10,000 already verified good numbers, making them $500 from each of a dozen or so scammers, making their total haul around $6 to 7k.

 

Change your password if you haven't already - AND do not post private info on any public forum.


Hi, I have a little bit of a problem now. My password got force-changed (I already changed it after the breach) and now I can't get a new one because, one week ago, I accidentally deleted the e-mail address I use for my account (and couldn't get it back; it was one address of a mail account with multiple addresses), and now I can't change the e-mail address because for this I have to log in (into the forum?) first, for which I need a new password, which I can't get because of the mail address.

Anyone knowing what to do now?

And before you ask, I can write this because I was on 'Remember me' and didn't get locked out of this page (up to now), but I don't know if I can get a support ticket without logging into the forum, because there it is said you should log in or else you will most likely be ignored.

 

Edited by Matereniam38

In response to post #41204165.


Closeded wrote: What do you mean "encrypted passwords?" Did you lose hashes, or actual encrypted passwords that can be decrypted?


It doesn't matter either way at this point as the news post says that the plain text has been retrieved and is being sold. Whether that's from decryption, or after the password hashes have been brute-force reversed doesn't matter now.

Would be nice to know how password data is currently stored for the site though.

In response to post #41204165. #41205440 is also a reply to the same post.


Closeded wrote: What do you mean "encrypted passwords?" Did you lose hashes, or actual encrypted passwords that can be decrypted?
Sostrmnn wrote: It doesn't matter either way at this point as the news post says that the plain text has been retrieved and is being sold. Whether that's from decryption, or after the password hashes have been brute-force reversed doesn't matter now.

Would be nice to know how password data is currently stored for the site though.


Since they are using IP.Board for forums it's probably salted with the username, and brute forced by now.
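Two posts above turn on how the stored passwords were protected: Dark0ne's reply that the passwords were hashed and salted and still fell to "enough processing power, and time" after three years, and the guess that the forum software salts with the username. The block below is an added example, not Nexus's code and not what IP.Board or any other product does: it stores each password with a random per-user salt and a tunable PBKDF2-HMAC-SHA256 work factor, verifies in constant time, and upgrades old records at the next successful login when the site raises the work factor. The iteration count, salt length and the `login` helper are assumptions for the example; a fast unsalted SHA-1 is included only as the contrast case.

```python
import hashlib
import hmac
import os

# Assumed work factor. It is the knob that answers "enough processing power and
# time": raise it as hardware gets faster, and old records get re-hashed below.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Build a storable record: random per-user salt, the work factor used,
    and the derived key. Nothing in it can be reversed to the password."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": key.hex()}


def verify_password(password, record):
    """Re-derive with the stored salt and work factor; constant-time compare."""
    key = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))


def needs_rehash(record, current_iterations=ITERATIONS):
    """True when the record was made with a lower work factor than the site now uses."""
    return record["iterations"] < current_iterations


def login(password, record, current_iterations=ITERATIONS):
    """Verify the password; on success return an upgraded record if the stored
    one is below the current work factor (the plaintext is only available now)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, current_iterations):
        record = hash_password(password, current_iterations)
    return True, record


def fast_unsalted_hash(password):
    """Contrast case, constructed for comparison only: one unsalted SHA-1 per
    password. Identical passwords collide across users, so cracking one hash
    unmasks every account sharing it and a precomputed table covers all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice = hash_password("Spot_1976")
    bob = hash_password("Spot_1976")
    print("random salts differ:", alice["salt"] != bob["salt"])
    print("hashes differ:", alice["hash"] != bob["hash"])
    print("unsalted hashes collide:", fast_unsalted_hash("Spot_1976") == fast_unsalted_hash("Spot_1976"))
    ok, alice = login("Spot_1976", alice, current_iterations=ITERATIONS * 2)
    print("login ok:", ok, "upgraded to", alice["iterations"], "iterations")
```

Whether the salt is random or derived from the username, it only stops precomputation across accounts; the per-guess cost that decides how long a leaked table survives comes from the work factor, which is why a site that cannot re-hash records until users log in again is in exactly the position this thread describes, and why a forced reset is the way to retire the old records.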

In response to post #41166720.


Thandal wrote:

@xanderh2404; In addition to reading all of Dark0ne's original post in this topic, see his Network News announcements about this breach here and here, from back when we became aware of it (Dec 2015). Note that it appears from the date of the latest entries that the dataset in question was actually taken over three years ago, (still not sure how).

 

Yes the passwords were salted and hashed. And yes, after this long, someone may have simply brute-forced at least the simpler ones.


A question concerning the data breach 3 years ago... when Nexus removes an account due to it being banned, is the data simply deleted, or do they scrub the data with the equivalent of a digital file shredder?

I ask because, if they're persistent enough, hackers can recover even removed accounts. Edited by MadnessEternal

When this breach came to light I said you should do a full password reset, to be on the safe side, and was ignored. And the encryption on the stolen password database was broken at least a year ago, it's not a recent thing. Hopefully if this happens again you will be more realistic and proactive and not pretend things will be all right. Edited by Zombie_Hunter
This topic is now closed to further replies.