Forced Password Resets


Dark0ne


Just realised how close I came to being a victim of this hack. I joined Nov 2013. Nicely done with the auto change of passwords. It's nice to see the lengths you'll go to to protect the community.

I must be amazingly lucky. I haven't changed my password until just a few minutes ago and I went to go check my email to see if anything was wrong or out of place, but everything was fine even though I did create my account in June of 2013. I dodged the mini nuke I guess. I'm glad I saw this now, though. Thank you. Edited by LTJoeDark

In response to post #41124910. #41125555, #41125870 are all replies on the same post.


qwertyzeldar wrote:

 

Why exactly are people trying to gain access to a nexus account? I see no benefit whatsoever. Apart from if they hack actual modders' accounts like this post said. But for everyone else... Like. Hooray. You gain access to nothing.

Also, you can post as though you are another person and troll with the account to get people in trouble as well.

Udini wrote: Access to e-mail accounts, which, if you're above the age of 14, which guarantee half of the community isn't, could lead into banking information.
Jord159 wrote: Some accounts allow donation so it could lead to people donating money to a random person


The problem is that people use the same password on multiple sites. An email address and a password could get them into multiple gmail or whatever accounts. A bank statement in the email and they may be into the bank account with the same password. It's bad to use the same password, but people do, and that's why there is still value to the data even though Nexus took steps to protect the site.

In response to post #41092740. #41123235 is also a reply to the same post.


bben46 wrote:

@CG123

 

Yeah, decrypting passwords should not be possible, if stored properly in the database. How come?

Ask Yahoo. They are the latest victim of a password stealing database hack. I hope you didn't use the same password for your bank account that you used for your Yahoo account.

 

BTW, the Nexus hack was THREE YEARS AGO and they are just now getting the passwords they hacked THREE YEARS AGO decrypted.

If you have changed your password anytime in the last three years you are not hacked.

Mitsurugi2424 wrote: But, if your old pw is still used on other sites, those might be at risk


They got ahold of a 3 year old database. The breach was more recent.

In response to post #41097055. #41098705, #41108050 are all replies on the same post.


MikhailScott wrote: The EASIEST way to make a password is to use a format like the following: word_number (4 or more digits). This is what my bank requires for their passwords. A good example would be Spot_1976. Pick something like your grandmother's cat's name, an underscore, and then the year of an important personal event.
xbon wrote: lmao... no. a good way to make a password is randomize letters and numbers + special characters and longest string possible. hae9dUve&eD for example.
jesusristus wrote: ...hae9dUve&eD...
Too short.


That's a good way to pick a username, but not at all a secure password. Search for "strong password generator" and bump it up to around 32 characters and store it with KeePass, a free/open source password manager.

In response to post #41097055. #41098705, #41108050, #41131275 are all replies on the same post.


MikhailScott wrote: The EASIEST way to make a password is to use a format like the following: word_number (4 or more digits). This is what my bank requires for their passwords. A good example would be Spot_1976. Pick something like your grandmother's cat's name, an underscore, and then the year of an important personal event.
xbon wrote: lmao... no. a good way to make a password is randomize letters and numbers + special characters and longest string possible. hae9dUve&eD for example.
jesusristus wrote: ...hae9dUve&eD...
Too short.
garbalen wrote: That's a good way to pick a username, but not at all a secure password. Search for "strong password generator" and bump it up to around 32 characters and store it with KeePass, a free/open source password manager.


Got me looking at KeePass's built-in generator.

1¼Ñ'K½¤ÑÂÝÇëbÀÇDÿÅ`üæ{ëçÓvëÄòA"ð
^ one of the passwords it came up with. That one is pretty dang secure :)

I wonder what's going to happen to the inactive mod authors here. I just happen to poke my head in every now and again, so I changed mine as soon as the news popped up, but I'm not creating anything atm and have little reason to hang around much at all, so if it happens again while I'm away...

 

Also, there are authors who have been here for years with their original passwords who I doubt very highly we will hear from again, and their content is still hosted here, so what happens to them? Sure, they can get an email msg, but I get that for every fkin thing that happens on the forums thanks to a mysterious notifications glitch (which hasn't been fixed for a looong time), and I ignore every email notification from this site these days, and it's likely others who get this will too.


Let me see if I've gotten this right. If I've changed my password here on Nexus after the breach (I joined in 2012) and before they decrypted the information, I'm in the clear? Or am I still in danger if any other sites I use have the same password as I used here on Nexus before the breach? If any of those is the case, then I've little to worry about, as the important sites and services all have different passwords and are only used on that site and nowhere else. Edited by jackienspy

In response to post #41099430. #41111490 is also a reply to the same post.


Thandal wrote:

Ummm... guys;

 

As usual, xkcd got it right years ago:

 

[Image: 1678793-1470286835.png]

Bjornir90 wrote: Hum, actually, while troubador is not extremely safe, correct horse isn't that safe, since a dictionary bruteforce, and by that I mean trying all words in a dictionary, would still get it right somewhat fast. And the information shown here is only right (entropy) if the attacker knows what the pattern of your password is, which he shouldn't unless he already knows your password, in which case he doesn't need the pattern.
The only way to be safe is to use a password manager, such as lastpass or keepass. That way you can have very long passwords, and that is important because length + variety of characters used is what matters. That's why troubador isn't that bad: it isn't very long, but it uses a lot of different "classes" of characters (numbers, letters both capital and not, and symbols). So the entropy for the first password here would be closer to 2^616 assuming 20 symbols.
26 letters + 10 digits + 20 symbols * 11 characters = 616


Dictionary attacks run on the assumption of single modified words (like the troubador example above) or common word combinations, not on every possible combination of every possible word.

If you choose 4 random words and use them in a random order, it's perfectly fine (although most password strength checkers require additional symbol categories and will bounce the password back)
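The disagreement in this thread about how to count password strength, as an added example that is not part of any post: it compares the naive "length times character classes" estimate with an estimate that assumes the attacker knows the scheme and only has to guess its random parts, for the passwords quoted above. The small word list, the assumed 7776-word list size and all function names are assumptions made for the illustration.

```python
import math
import re
import secrets
import string

# Constructed sample list (assumption); real passphrase lists are far larger.
WORDS = ["correct", "horse", "battery", "staple", "spot", "cat", "garden", "river"]
LIST_SIZE = 7776  # assumed size of the list the user really picked from (6**5)
SYMBOLS = string.punctuation + " "

def charset_bits(password):
    """Naive estimate: length * log2(pool of character classes present)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    pool = sum(len(cls) for cls in classes if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def pattern_bits(password, words=WORDS, list_size=LIST_SIZE):
    """Estimate when the attacker knows the scheme and only guesses its random parts."""
    lower = password.lower()
    m = re.fullmatch(r"([a-z]+)[_-]?(\d{4,})", lower)
    if m and m.group(1) in words:
        # one word, optional capital (x2), separator none/_/- (x3), then the digits
        return math.log2(list_size * 2 * 3) + len(m.group(2)) * math.log2(10)
    parts = re.split(r"[ _-]", lower)
    if len(parts) > 1 and all(p in words for p in parts):
        # independent uniform picks: each word contributes log2(list_size) bits
        return len(parts) * math.log2(list_size)
    return charset_bits(password)  # no known pattern: fall back to the naive figure

def generate_passphrase(n_words=4, words=WORDS):
    """Pick words with the OS CSPRNG; human-chosen words are not uniform."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def compare(password):
    """Return (naive bits, pattern-aware bits), rounded to one decimal."""
    return round(charset_bits(password), 1), round(pattern_bits(password), 1)

if __name__ == "__main__":
    for pw in ["Spot_1976", "hae9dUve&eD", "correct horse battery staple"]:
        naive, known = compare(pw)
        print(f"{pw!r}: naive {naive} bits, pattern-aware {known} bits")
    print("generated:", generate_passphrase())
```

The pattern-aware figure for the four-word passphrase holds only when the words are drawn at random, as `generate_passphrase` does; a phrase a person thinks up, or one copied from a published example, does not get that credit.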
