patchling Posted April 6, 2020 Posted April 6, 2020 In response to post #78606028. pufthemajicdragon wrote: IT engineer here. You know what the absolute worst thing is for password security? Complex passwords. Counter-intuitive, I know, right? But longer and more complex passwords lead to people reusing more passwords and saving them in Word or Excel documents on their desktops. That's why Microsoft has minimal complexity requirements but encourages (and in some cases requires) MFA. And the cool thing about MFA? A 6 character simple password is no less secure (and arguably more secure) than a 12 character complex password as long as you use MFA. And what's funny is seeing supposed security people talk about brute forcing like it's still how accounts get cracked. "Gotta make the passwords harder to guess!" as if anybody's trying to guess it. Nah, legit hackers don't brute force anymore. If they want your password, they send you phishing e-mails, malware with keyloggers, malware that takes advantage of password manager vulnerabilities (and you thought that would keep you safe), or the real good ones take advantage of website vulnerabilities to steal hashes (oh, look, what happened to Nexus). I do still see brute force attacks, but only in business and they're pretty lazy attacks against outdated protocols where the attacker figures "if they're still using PPTP then they're probably using stupid simple passwords". But what this really boils down to is Nexus screwed up by having bad security and instead of fixing their $%^& they make their users jump through hoops that meet (outdated) "security best practices" but don't actually improve security.I use really complicated passwords, long complicated passwords. Never two times either. Write them down? You bet I write them down, in pen and paper offline.MFA? started looking into that. But umm... where do I get the other piece from? My home phone? That is about all I have to get something else on.
Kulze Posted April 15, 2020 Posted April 15, 2020 In response to post #78606028. #79124798 is also a reply to the same post.pufthemajicdragon wrote: IT engineer here. You know what the absolute worst thing is for password security? Complex passwords. Counter-intuitive, I know, right? But longer and more complex passwords lead to people reusing more passwords and saving them in Word or Excel documents on their desktops. That's why Microsoft has minimal complexity requirements but encourages (and in some cases requires) MFA. And the cool thing about MFA? A 6 character simple password is no less secure (and arguably more secure) than a 12 character complex password as long as you use MFA. And what's funny is seeing supposed security people talk about brute forcing like it's still how accounts get cracked. "Gotta make the passwords harder to guess!" as if anybody's trying to guess it. Nah, legit hackers don't brute force anymore. If they want your password, they send you phishing e-mails, malware with keyloggers, malware that takes advantage of password manager vulnerabilities (and you thought that would keep you safe), or the real good ones take advantage of website vulnerabilities to steal hashes (oh, look, what happened to Nexus). I do still see brute force attacks, but only in business and they're pretty lazy attacks against outdated protocols where the attacker figures "if they're still using PPTP then they're probably using stupid simple passwords". But what this really boils down to is Nexus screwed up by having bad security and instead of fixing their $%^& they make their users jump through hoops that meet (outdated) "security best practices" but don't actually improve security.patchling wrote: I use really complicated passwords, long complicated passwords. Never two times either. Write them down? You bet I write them down, in pen and paper offline.MFA? started looking into that. But umm... where do I get the other piece from? My home phone? That is about all I have to get something else on.Umh... like any other common application nowadays? Either use MFA via phone or E-mail? It's an extra layer of security after all, one which can very very hardly be cracked in any way outside of mistakes from the user-side.Hardly, everything is possible... but that's stuff which should be common practice by now and luckily is for many companies handling sensible data.
Deleted83284153User Posted April 20, 2020 Posted April 20, 2020 Is this related to that time many accounts were exposed in a data breech and passwords stolen while the site Admin, or whoever, failed to inform Nexus users of the breech until much later? Perhaps I'm wrong about action being taken to inform of the breech, but I cannot remember ever being informed unless it had been posted via Nexus Site news back then. Fortunately for me, the password I used back then was only used on the Nexus. I received an email from a hacker trying to con me out of bit coins by attempt to scare me by flashing an old Nexus password. I was able to trace the breech back to Nexus mods via a (Have I been had check) which is where I first found out about the Nexus breech. Regardless, I barely have any trust in this site anymore . Of course I still use Nexus, but I find it funny the site actually wants us to buy premium for faster downloads when I would not even trust this site with a phone number. LOL
lefttounge Posted May 21, 2020 Posted May 21, 2020 (edited) In response to post #78606028. #79124798, #79577573 are all replies on the same post.pufthemajicdragon wrote: IT engineer here. You know what the absolute worst thing is for password security? Complex passwords. Counter-intuitive, I know, right? But longer and more complex passwords lead to people reusing more passwords and saving them in Word or Excel documents on their desktops. That's why Microsoft has minimal complexity requirements but encourages (and in some cases requires) MFA. And the cool thing about MFA? A 6 character simple password is no less secure (and arguably more secure) than a 12 character complex password as long as you use MFA. And what's funny is seeing supposed security people talk about brute forcing like it's still how accounts get cracked. "Gotta make the passwords harder to guess!" as if anybody's trying to guess it. Nah, legit hackers don't brute force anymore. If they want your password, they send you phishing e-mails, malware with keyloggers, malware that takes advantage of password manager vulnerabilities (and you thought that would keep you safe), or the real good ones take advantage of website vulnerabilities to steal hashes (oh, look, what happened to Nexus). I do still see brute force attacks, but only in business and they're pretty lazy attacks against outdated protocols where the attacker figures "if they're still using PPTP then they're probably using stupid simple passwords". But what this really boils down to is Nexus screwed up by having bad security and instead of fixing their $%^& they make their users jump through hoops that meet (outdated) "security best practices" but don't actually improve security.patchling wrote: I use really complicated passwords, long complicated passwords. Never two times either. Write them down? You bet I write them down, in pen and paper offline.MFA? started looking into that. But umm... where do I get the other piece from? My home phone? That is about all I have to get something else on.Kulze wrote: Umh... like any other common application nowadays? Either use MFA via phone or E-mail? It's an extra layer of security after all, one which can very very hardly be cracked in any way outside of mistakes from the user-side.Hardly, everything is possible... but that's stuff which should be common practice by now and luckily is for many companies handling sensible data.I am also an IT major, with a cyber security concentration. I gotta say, a true hacker isn't even going to go for the small fry's "12 character long" password. They're just gonna go directly hack the admins, which would give them access to all of the users passwords, even the 12 character long ones. The sad matter is that many of the vulnerabilities that are associated with these kind of breaches doesn't have anything to do with the nexus. It's Windows. Windows is extremely exploitable, perhaps one of the most exploitable software in history (even if its just my opinion).In fact you could go in your windows computer right now, and delete an important file you need in order to operate your computer, and completely destroy your software. If you can do this, a hacker can do the same thing. No, the real thing that needs to be protected is not just the data, but the actual database. In where if software is compromised, it can easily affect the company. From what I'm seeing, nexus mod's website is still slightly old fashioned compared to what could be improved, this is just from a glance.In terms of constant mod manager updates, you gotta keep in mind that the actual files for the mods are also old fashioned, and if it isn't, trust me, it will be, I'd be shocked if it wasn't) , and so the way they're handled can be old fashioned as well. Not every user on the nexus is computer savvy in wanting to upgrade to vortex, many are nervous they'll lose their mods, even the slightest change can destroy their whole game. It's that finicky, and so it's very stressful for them to not only create a hard to remember password that usually doesn't stop hacking attempts, but upgrade to completely new managers while installing, uninstalling mods. Very stressful!This discourages new users, and makes old users wanna move on.Also another vulnerability, there are many spam users that serve as bots. With Hackers becoming more advanced in programming, and not to mention desperate, they're finding new ways to get their software to get past the CAPTCHA, I think they're Youtube videos that show programs doing this. This combined with a super fluency of bots can further harm the confidentiality of the network.The bots are the huge portion of why the nexus is being compromised so many different ways. As time goes on, these new gen bots capable of passing CAPTCHA (so like over 1,000 bots able to do this) this is gunna butcher the entire site and be very difficult to keep up with, as I'm sure admins do all day is remove fake user accounts for spam. I can go on about what different improvements can be done.Another fun note for those who wanna keep reading, it talks about the utilization of demilitarized zones What Nexus and many other networks use in order to prevent unauthorized access from entering the system, is what's called a DMZ. (Demilitarized Zone). This allows good traffic, such as coworkers and staff, while preventing malicious entry from gaining access such as black hats or script kiddies ;).DMZs consist of a router, firewall, etc. The stronger the DMZ is, the less likely you'll be gaining access. On the user side, you're able to get in no problem, but the trick is to make it so that despite your privileges you cannot access restricted areas. But devs can. If your DMZ is too strong, then nobody will be able to gain entry, this includes staff that really need to, its like a house with no windows and doors, keeps thieves out, but also keeps the home owner out too. :ohdear: If you think about it, an overpowered password system begins to take the role of an overpowered dmz, in where users can't get in as easily, and have a hard time gaining access to their house(the network; their user profile) A bank their serves like this for good reason, however they too struggle when their customers can't gain access to their account when they need to. Its a give and take, the more money a criminal is likely to steal, the greater you need to make your dmz. The less likely a robber will get away with much, the more laxed a dmz can be to allow a continuous flow of the company, and a smooth availability of the network. Edited May 21, 2020 by lefttounge
ogu19635 Posted June 11, 2020 Posted June 11, 2020 Yep, just gonna join here, of course this account is a 10minute mail account. Since the theft of accounts and passwords here on nexus I had to fight over all my secondary instagram, facebook and steam accounts. Luckily they were secondary for a reason and I had nothing heavy to worry about them more than some random Corean using them to contact with random girls around the world. Well, the fight is over and I took control of all my accounts again. And I wouldn't mind forgiving nexus. In the internet most of people is very unforgiving, but my thoughts were: 'Well, I've been using their site for free and enjoying it a lot, sure they have earned me understanding that s#*! happens and keep going'. But now the attitude is forcing passwords security and what not, which wasn't the problem on the first but a security issue on their side... Surely I'm not gonna give them a good password so that they can lose it again... So now I have totally forgotten which my original account pasword was and I'll be using a new fire and forget account whenever I need one to download heavy mods, make a question in a mod page or see adult content... Which I think is not what nexus teams wants us users to do... but in the new envyroment is what I am going to do...
Community Manager Pickysaurus Posted June 11, 2020 Community Manager Posted June 11, 2020 This thread is almost 6 months old and is no longer monitored by the staff. If you have constructive feedback, please post on our forums.
Recommended Posts