
Forced Password Resets


Dark0ne


In response to post #41127735.


LTJoeDark wrote: I must be amazingly lucky. I haven't changed my password until just a few minutes ago and I went to go check my email to see if anything was wrong or out of place, but everything was fine even though I did create my account in June of 2013. I dodged the mini nuke I guess. I'm glad I saw this now, though. Thank you.


Someone hacked my Humble Bundle and stole my keys :(

In response to post #41166720. #41207065 is also a reply to the same post.


Thandal wrote:

@xanderh2404; In addition to reading all of Dark0ne's original post in this topic, see his Network News announcements about this breach here and here, from back when we became aware of it (Dec 2015). Note that it appears from the date of the latest entries that the dataset in question was actually taken over three years ago (still not sure how).

 

Yes, the passwords were salted and hashed. And yes, after this long, someone may have simply brute-forced at least the simpler ones.

MadnessEternal wrote: A question concerning the data breach 3 years ago... when Nexus removes an account due to it being banned, is the data simply deleted, or do they scrub the data with the equivalent of a digital file shredder?

I ask because, if they're persistent enough, hackers can recover even removed accounts.


@MadnessEternal: Uhh, unless Nexus is doing some weird things with their banned accounts (which I doubt, because it would be a whole lot of effort for a whole lot of nothing), I doubt a 'hacker' would need to be persistent. Usually, banned accounts aren't deleted *at all*. They're just locked out from using any of a website's features.

Enforcing a ban would be really tricky if you delete all data related to banned accounts.

In response to post #41222915.


master408646 wrote: Don't see why this is an issue, unless for some reason you use the same password twice.


;)


It's an issue because some mods contain executables, and those that do not can be modified to add executables. An account with a popular mod downloaded by many people can be extremely valuable to a botnet owner: They download the mod, insert some malware, upload the trojaned mod to the account they have chosen to hijack, and sit back while a couple hundred unsuspecting people download and install their malware. This particular method of distributing malware is amenable to distributing one-off custom malware as well, meaning that no virus scanners will spot it because none of them will have seen it yet.

If you're an old hand with VMware and Wireshark and whatnot, you probably defend against this sort of thing out of habit all the time, because you expect unauthorized outbound packets to start trying to get out of your machine at any moment. But if you're just a regular mod-using Joe who didn't consider the above nefarious use of a hijacked account of a popular mod maker, a way to defend against it is to check the last updated date on a mod: if a mod is a couple of weeks old and has been downloaded by a thousand people, you're probably good. If it's a popular mod and a fresh upload just appeared without any apparent reason for having been uploaded, you might want to hold off for a little bit.

In response to post #41198720.


bben46 wrote:

Ten years ago (some of our accounts go back much further than that) a simple password for a site like Nexus was sufficient. After all, there was no money to be had for the effort and the worst you could do was use a hijacked account to troll the site. Then, the criminal scum discovered that many of the members were dumb enough to use the same password on other accounts where they could steal real money. Not many, as the majority of the users on a game site were young enough that they didn't have credit cards. But those kiddies grew up and many still didn't change their simple, easy-to-crack passwords. But now they had jobs, money, bank accounts and credit cards. Now cracking a password on Nexus still didn't get them any money directly, but it might get them access to other accounts where they could steal some money. And access to social media accounts where they could harvest a lot of personal info that scammers and spammers will pay for.

 

I have a very close friend who posted her telephone number on an open FB post to someone. She has been swamped with spam and scam phone calls on that number. As many as 7 or 8 a day. That phone number was likely harvested by a scraper that reads thousands of FB posts every second looking for data like phone numbers, email addresses, mailing addresses and any other valid personal information. The scraper then sold her verified phone number, along with hundreds of others, for about 5 cents per number. That doesn't sound like much, but they likely sold her number in a package that included around 10,000 already verified good numbers, making them $500 from each of a dozen or so scammers and making their total haul around $6 to 7k.

 

Change your password if you haven't already - AND do not post private info on any public forum.


> there was no money to be had for the effort

I think a significant danger is the use of hijacked mods to distribute malware (i.e. to grow botnets). If I were a Nexus coder, I'd build some kind of tripwire into the Nexus that would be set on any account that had more than N downloads a day on it, and post an email to moderators to check out uploads if they came from IP addresses that the account owner had never uploaded a mod from before, or something like that.
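The tripwire sketched in the reply above (and the "fresh upload on a popular mod" warning from the earlier post about trojaned mods) can be written down as a small detection rule. This is an added example, not Nexus code: the log line format, the download threshold N = 500, the account names and the RFC 5737 documentation IP addresses are all constructed for illustration. The rule replays upload events in order and flags an upload when the account's mods are being downloaded heavily and the upload comes from an IP the account has never uploaded from before.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed log format (an assumption, not Nexus's real log format):
# one line per file upload, with the account's download count over the
# previous 24 hours already joined in by whatever produces the log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) upload account=(?P<account>\S+) ip=(?P<ip>\S+) "
    r"mod=(?P<mod>\S+) dl24h=(?P<dl>\d+)$"
)

# "More than N downloads a day": N is an assumed value for this example.
DOWNLOADS_PER_DAY_THRESHOLD = 500


class UploadEvent(NamedTuple):
    ts: str
    account: str
    ip: str
    mod: str
    downloads_last_24h: int


def parse_upload_log(lines):
    """Turn raw log lines into UploadEvents, skipping lines that are not uploads."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(UploadEvent(m["ts"], m["account"], m["ip"],
                                      m["mod"], int(m["dl"])))
    return events


def find_suspicious_uploads(events, threshold=DOWNLOADS_PER_DAY_THRESHOLD):
    """Replay uploads in order; return those from a popular account and a never-seen IP.

    The set of known uploader IPs for an account is built from the events
    already replayed, so an account's very first upload is never flagged
    (there is no history to compare against), and an IP becomes known once
    any upload from it has been recorded, flagged or not.
    """
    known_ips = defaultdict(set)
    flagged = []
    for ev in events:
        known = known_ips[ev.account]
        new_ip = bool(known) and ev.ip not in known
        if new_ip and ev.downloads_last_24h > threshold:
            flagged.append(ev)
        known.add(ev.ip)
    return flagged


def moderator_notice(ev):
    """Text for the email to moderators that the tripwire would send."""
    return (f"[tripwire] {ev.account} uploaded {ev.mod} at {ev.ts} from new IP "
            f"{ev.ip}; the account had {ev.downloads_last_24h} downloads in the "
            f"last 24h. Please review the upload before it is served.")


# Constructed sample log: invented accounts, RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2016-04-19T09:12:03Z upload account=modder_a ip=198.51.100.7 mod=mod-101 dl24h=40",
    "2016-04-20T18:40:11Z upload account=modder_b ip=203.0.113.5 mod=mod-202 dl24h=1200",
    "2016-04-21T08:02:51Z upload account=modder_a ip=198.51.100.7 mod=mod-101 dl24h=900",
    "2016-04-21T08:05:00Z login account=modder_a ip=198.51.100.7",
    "2016-04-22T02:17:29Z upload account=modder_a ip=192.0.2.44 mod=mod-101 dl24h=950",
    "2016-04-22T03:00:00Z upload account=modder_c ip=192.0.2.10 mod=mod-303 dl24h=20",
    "2016-04-22T03:30:00Z upload account=modder_c ip=192.0.2.11 mod=mod-303 dl24h=25",
]

if __name__ == "__main__":
    for ev in find_suspicious_uploads(parse_upload_log(SAMPLE_LOG)):
        print(moderator_notice(ev))
```

Run stand-alone, the script flags exactly one event: modder_a's upload from 192.0.2.44, because that account already had uploads from 198.51.100.7 and its mods were being downloaded 950 times a day. modder_c also uploads from a new IP, but with 25 downloads a day it stays under the threshold, and the login line is ignored by the parser. A real deployment would key on the account's historical IPs from its full upload history rather than on the replayed window alone, and would hold the file rather than merely email about it.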

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615, #41174715, #41181405, #41185030, #41185770, #41187610, #41189710 are all replies on the same post.


MikhailScott wrote: The EASIEST way to make a password is to use a format like the following: word_number (4 or more digits). This is what my bank requires for their passwords. A good example would be Spot_1976. Pick something like your grandmother's cat's name, an underscore, and then the year of an important personal event.
xbon wrote: lmao... no. a good way to make a password is randomize letters and numbers + special characters and longest string possible. hae9dUve&eD for example.
jesusristus wrote: ...hae9dUve&eD...
Too short.
garbalen wrote: That's a good way to pick a username, but not at all a secure password. Search for "strong password generator" and bump it up to around 32 characters and store it with KeePass, a free/open source password manager.
garbalen wrote: Got me looking at KeePass's built-in generator.

1¼Ñ'K½¤ÑÂÝÇëbÀÇDÿÅ`üæ{ëçÓvëÄòA"ð
^ one of the passwords it came up with. That one is pretty dang secure :)
erelde wrote: So secure I'm not sure some websites would accept it ^^
I know for a fact that Google (Gmail) doesn't want an accented 'E' as of six months ago.

Facebook on the other hand will happily take anything.
Mort65 wrote: You should use a password like this :D
kfjjkjvbnfbnzdflkjgbnlgkjfdlkgndzflbkngfbnbzlknzlbkjnzcvlbnf1hhg1f6csfafdfdfdsfml;lbmr;okmfd;lakn;lfn bjm;lglgmflmfzldm'zfbmf;fz;mf;zlmz;mgh;mzd;lm
l;,fadfm,lgmg;lmfs;dlm,hsdf;lhmmsdhf;l
mdlkfgn;lkjgmf;jklfgx,lg'd,j';lkusotpmfzdh/m;lkfnmhkldml
l,Gkfm;ozjg'fxhk;l,'hg;l,k;l,nvc';jgzckm;hfldkm
trabpukcip wrote: You just mashed the keyboard didn't you?
Obscerno wrote: Obligatory xkcd: https://xkcd.com/936/
Loxus wrote: First rule is to use unique passwords everywhere.
TheForkOnTheLeft wrote: you gotta put the whole story of Anne Frank in one word and one number in the middle or end
TerminusVitae wrote: first rule is uniquity; make them all different, so that if they steal one, they don't have them all.

second rule is long length, and high character complexity, but that is conditional on rule three, which is memorizability.
as the obligatory xkcd (i know which one, without even clicking) states, we've trained ourselves to pick short, symbol-complex passwords that are hard for humans to remember, but easy for computers to guess. short? too few different character types? easy for a computer to guess by brute force trial and error. too many random symbols? you'll have trouble remembering it, or worse, your keyboard might not support its characters, and you're royally screwed. but xkcd messed up, on this one, sadly; actual word? dictionary attack'll force that open, in a similar way, probably even faster. the xkcd actually sets you right up for a dictionary attack, so while it's good inspiration for an actually good plan, (and generally an awesome webcomic) it in itself is a bad plan.

i avoid most of these issues, with my technique; i create a suitably long nonsense word that doesn't exist, but is easily pronounceable. example, right off the top of my head... "Gablorfingloingy." just made it up, have never used it; feel free, since i definitely won't use this publicly posted one, now... :P if you need inspirational nonsense, Calvin, Morty, Rick, and Hobbes are your new best friends. anywho, capitalize the word, give it a punctuation character that changes the tone of its pronunciation, and slap some numbers on it. you're done! it's long, because it's a long word, it's dictionary immune because it doesn't actually exist, and it's hard to brute force because of its length and because it always has at the very least four different types of characters: uppercase, lowercase, the punctuation and the numbers. (Brute forcers slow down immensely the more characters they have to try per spot, so more types = much longer to crack. complexity is your friend.) and best of all, it's easy to remember, because your mind can simply say it in your head, complete with "tone of thought" reminder about the accompanying grammar. perfect score, 5/7; highly recommend.
cevmarauder wrote: It's not randomness that makes passwords secure--in fact, it makes it less secure since you're inclined to write it down. Human difficult != machine difficult.

You want a secure password? Make it a sentence, or a phrase (not a single word--they're easily subject to dictionary attacks.) Throw in some numbers/special characters if you really feel froggy.

Keep it simple, but keep it 10-15 characters. And to make it easy to remember and unique, you can include the site's name.

Something like "JoinedNexusMods4-20-16" would take centuries to be brute forced with current technology.


@TerminusVitae: You're wrong about the XKCD password selecting scheme. It's exactly as safe as that comic says it is.

A dictionary attack utilizes a list of commonly selected passwords (and some variations on those passwords). In the XKCD scheme, there is no such thing as a 'commonly selected password'. A dictionary attack is an informed statistical attack, which has zero advantage over brute-force attacks if the password is actually generated randomly (at that point they are, for all intents and purposes, exactly the same).

Use a truly random, regularly rotating XKCD password for each web service you use and you are perfectly safe (in practice, obviously; in theory there's no such thing as safe).
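The disagreement in the quoted chain (random string vs. nonsense word vs. xkcd passphrase vs. "name_year") comes down to how many guesses an attacker who knows the scheme must make, which is what entropy in bits measures. Below is an added worked calculation, not from the thread or from xkcd, that puts numbers on the schemes argued over. The slot sizes for the pattern password (10,000 pet names, a fixed underscore, 100 candidate years), the 94-symbol printable ASCII alphabet, the 2048-word list from xkcd 936, and the guessing rates are assumptions chosen for illustration; the 1e9 guesses/second rate models an offline attacker with a dumped table of fast, unsalted hashes, not an online login form.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_for_random_string(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def bits_for_passphrase(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly, with replacement, from a known wordlist.

    Knowing the wordlist gives the attacker nothing beyond the keyspace itself:
    wordlist_size ** words is both the 'dictionary' and the brute-force space,
    which is the point made above about the XKCD scheme.
    """
    return words * math.log2(wordlist_size)


def bits_for_pattern(*slot_sizes: int) -> float:
    """Entropy of a human pattern (name, separator, year, ...) once the attacker models it.

    Each argument is the number of plausible choices for one slot; the
    keyspace is their product. This is what a mask/dictionary attack exploits.
    """
    return math.log2(math.prod(slot_sizes))


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given rate (expected time is half of this)."""
    return 2.0 ** bits / guesses_per_second


def compare_schemes(guesses_per_second: float = 1e9) -> dict:
    """Bits and worst-case crack time in years for the schemes from the thread.

    Slot sizes and the guess rate are illustrative assumptions, not measurements.
    """
    schemes = {
        # 10,000 pet names, the fixed '_' separator, 100 candidate years
        "pet-name_year (Spot_1976)": bits_for_pattern(10_000, 1, 100),
        "11 random printable ASCII (hae9dUve&eD)": bits_for_random_string(94, 11),
        "4 words from a 2048-word list (xkcd 936)": bits_for_passphrase(2048, 4),
        "32 random printable ASCII (generator)": bits_for_random_string(94, 32),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "worst_case_years": worst_case_crack_seconds(bits, guesses_per_second)
            / SECONDS_PER_YEAR,
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:45s} {r['bits']:6.1f} bits  {r['worst_case_years']:.3g} years")
```

Two things fall out of the numbers. First, the four-word passphrase sits at 44 bits exactly because 2048 = 2^11, which is the figure the comic itself gives, and at the comic's 1000 guesses/second that is a little over 500 years; at 1e9 guesses/second against fast hashes it is hours, so the scheme needs either more words or a slow password hash on the server side. Second, the "name_year" pattern collapses to under 20 bits once the attacker models the pattern, regardless of how long the resulting string looks, which is why length alone is the wrong measure.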

In response to post #41097055. #41098705, #41108050, #41131275, #41131535, #41138630, #41173615, #41174715, #41181405, #41185030, #41185770, #41187610, #41189710, #41224900 are all replies on the same post.




This is what I got
þ-«-biþ,%ÈÐHÄ#oË8m"ÏÈtË8uÒùÒùfîÖ
³¢=ò¥Oäª'ùÛçôulZQ\VQØéÚËX=P]ge¬ä
NÌ÷~Aê³ V:æÖ4ûeuúã²ã'´3{âܽ¤øÉ{ò
%Ù-^Ý[èÕ*´<Ü`ÃH§Ë0N-ë½t=æ¿Që@¼°]
[-_°~õ^<Á<È,ÅÆQmÚW4J ¬o}¹<7Iª&£e
|Zö T¶Ë5¼æÜÛ<vÿàPW=<ÄdT¸%¡(u=ºØI
'Ý|¦×Z(bÑréÌõå."ü|Y£x°y¾×!ë|FBñ9
²9oYc¯d@ÆPÚôMêêF)/Z0ߧbÍÄf©öy÷O+
k7T)Äk¯N6¸Û:w³òr5*L"Îð"2`SZ*Áb¸ñ
UëºÉÑ)B<¶:ê)UªT,¦f·U9cêÜdã8=yMC®
e¶{ùB4Y&¦¤½xeÑ=äJÝSôt(¸OúÚ¤ÐB$©&
ÿ©p2ÂÞcÂ5àË÷°¥l)Ù0ȵJ°Ïj)-¿ðçÕºÂ
Ë¥¿ÇOZâdÛ¿M!í]Ld×â'»ABíëÙÔêÑÖàà;
çPúu±Iþ$$©ú÷6%RéÛ5Jy\3úãGÕKzàL-þ
Mè¥dy7å¢PεP]¼=UÕ©óPȪg¤óçémTÛõV
×1ÌwÎEBNOíIØþ¼³%µC'Í<LX¨7Ã¥.6ÛLD
¶I1[RëÃ^N ü±ª$4ºBZÍmRØò!ð/BçñYÅ_
zgÁ³û»ÓU¨Ú]Çpâ¥ÁÚLÚFxQïÚ·+©*¤fãþ
¹ó©ÖUö*y?¼Û6%;ß4rS¸¯¾lSÖÿzß7묽1
¬IUYA·pïêú3;E\ù7¼^¼oÁȬfî~û`Ã¥Æõ
Fç¦ã³âà\VvcmÓjxòÕiI1°¥àÈø·6½ÞFêû
áÁù6ãy¥GXûIæó-}3ðv6öAg<ÐÁ2áéñNÏh
a+ù´µ^ò'syÔñ¡b%.qBàäSn{ãéI½yÊ°ÿ
´ºÄ;VíDKñöhV`Éa~gÚY8Ý5¼V4w1iÅ7õ¯
¸j^ôñìu8:6Ðtã¼XÃÿk}¯Ø|CÀÌùöP)[{$
ÐJ;°ß´*AîCÚµUå)ãHÐî½z¦?p½=U¦Íµòº
¬Ö¢9,l÷»ýH5®ûñf¦g¯[kÂF8{[KPñ#XQÒ
§>uÝ©÷ª½m¨¬Ù£õ\øPºÿ±çk·4@+®þ>X%÷
ЮÇç%Uñku~ÐþJ¹IÛ°ÿÁèSl*Ø8j\_êd;(
fºO©ïâÊ)ñUëK×ÍzöàX÷zÓ2òFUªèÙ²ÜF

For average people/users on the net, password resets and being forced to use stronger passwords are usually the things they dislike most. They prefer the simplest one that they can remember and, to make matters worse, they use the same password for other sites, ignoring the threat that they might come across in the future. Using different strong passwords and using a password manager of some sort are meh to them.

Question: why are passwords being stored, even in an encrypted form? Shouldn't you be hashing and salting them instead?

 

Please read the original post (and the two predecessor topics in the Network News when the breach was first reported.) The passwords were salted and hashed. And the database theft under discussion was over three years ago. Referring to the latest information as the passwords in that set being "cracked" is just shorthand.
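"Salted and hashed" means the site stored, per user, a random salt and the output of a one-way function over salt plus password, never the password itself. What that buys, and what it does not, is easiest to see in code. The following is an added example and not Nexus's implementation; the thread does not say which hash or work factor was used, so PBKDF2-HMAC-SHA256 with a 16-byte salt and 600,000 iterations are assumptions here. The per-user salt means two users with the same password get different records, so precomputed tables are useless and each hash must be attacked separately; it does not stop an attacker holding a dumped table from guessing candidate passwords against each record offline for as long as they like, which is how a three-year-old dump can still yield the simpler passwords. The work factor is what makes each of those guesses expensive.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (the thread says only "salted and hashed").
KDF_NAME = "pbkdf2_sha256"
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: kdf$iterations$salt_b64$hash_b64.

    Storing the iteration count with the record lets the work factor be raised
    later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt from the OS CSPRNG
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        KDF_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        name, iterations, salt_b64, dk_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    if name != KDF_NAME or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def same_password_different_records(password: str,
                                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Two users choosing the same password get different records: that is what the salt does."""
    return hash_password(password, iterations) != hash_password(password, iterations)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify good:", verify_password("correct horse battery staple", record))
    print("verify bad: ", verify_password("correct horse battery stable", record))
    print("salted:     ", same_password_different_records("Spot_1976"))
```

The constant-time comparison in `verify_password` avoids leaking how many leading bytes of the hash matched through response timing, and a malformed record is rejected rather than raising, so a corrupted row cannot turn into an exception path that skips the check. Lowering the iteration count makes the example run faster but weakens exactly the property that protects a stolen table.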
