AnimeSuki Forums

Old 2014-05-13, 14:50   Link #181
Nvis
Where are the good animes
 
 
Join Date: Dec 2003
Sounds like something that when hacked they can use the "program" to steal all your passwords and sites that use them.........

Maybe better if I just write it on a piece of paper.
Nvis is offline   Reply With Quote
Old 2014-05-13, 14:51   Link #182
AKENOLOVER01
Junior Member
 
 
Join Date: Jan 2012
Well holy shit, glad I got the email when I did, went and made a stronger password for my account, gonna copy it to my password saver on Google Chrome so it'll be saved.
AKENOLOVER01 is offline   Reply With Quote
Old 2014-05-13, 14:52   Link #183
Dextro
He Without a Title
 
 
Join Date: Feb 2008
Location: The land of tempura
Quote:
Originally Posted by Nvis View Post
Never heard of Lastpass/whatever. Enlighten this old and very grumpy guy.
I think this is the kind of question that should have its own thread in the Tech Support forum but I'll give a quick rundown. If you want I'll be glad to go into more detail (just ping me through VM/PM).

LastPass/1Password are cloud services/applications that store an encrypted list of passwords. You unlock that list with a master password and the service part keeps the store synchronized between devices. The service providers themselves shouldn't really have access to your keys or the master key that unlocks them so it's far safer than even using your browser's saved password features (that, on most systems and by default, store the passwords in clear text on the hard drive).
__________________
Dextro is offline   Reply With Quote
Old 2014-05-13, 14:58   Link #184
Nvis
Where are the good animes
 
 
Join Date: Dec 2003
Quote:
Originally Posted by Eisdrache View Post
While I don't really have technical knowledge about this topic it seems that the invaders knew exactly what they were doing and quite skilled as well. This could have happened to a lot if not most large(r) online community sites in one way or another, so we shouldn't look for 'someone to take responsibility' but instead for ways to prevent this and more from happening again.
My pitchfork and torch are lit. Now who to burn?
Nvis is offline   Reply With Quote
Old 2014-05-13, 15:00   Link #185
Hiroi Sekai
ゴリゴリ!
*Graphic Designer
 
 
Join Date: Jan 2009
Location: Vancouver, British Columbia
Age: 32
Quote:
Originally Posted by Nvis View Post
Sounds like something that when hacked they can use the "program" to steal all your passwords and sites that use them.........

Maybe better if I just write it on a piece of paper.
From my PHP instructor that teaches bits of cryptology, LastPass has a passive system built into it that sets automatic danger flags if things like DNS and IP location are too skewed from the user's original information. Most likely it would have you validate from your email account, creating one additional step for you but locking everything to the potentially unauthorized hacker.

If you're comfortable with it, keeping a piece of paper with the passwords is undoubtedly the safest way. For me, I personally have a workspace that would eat up a single piece of paper like that between personal notes, tax forms, business letters, prints, not to mention the myriad of electronics equipment stuffing up my remaining space. Even with constant cleaning and organization, it's not a place I can keep one important thing like that; I'll lose it eventually and that'll be it. You could try and counter that by keeping them also documented in a mobile phone or a document on your hard drive, but I'd trust that less than LastPass myself.
__________________
Hiroi Sekai is offline   Reply With Quote
Old 2014-05-13, 15:05   Link #186
xzx
Junior Member
 
Join Date: Oct 2011
I'm not trying to scare people but it's a good idea to check with your bank that everything is okay with your bank accounts. My bank "luckily" blocked my card 8/5 because of other people trying to use my card and I did not put any other information here other than my e-mail. I can't be 100% sure that this is the cause but chances are that it is.
The sad part is that I don't remember which password I used on this site - so it's impossible for me to know which I need to change.
xzx is offline   Reply With Quote
Old 2014-05-13, 15:06   Link #187
KanbeKotori
Excuse me, I bit my tongue
 
 
Join Date: Jul 2013
Quote:
Originally Posted by Hiroi Sekai View Post
tl;dr: GET LASTPASS, GENERATE NEW PASSWORDS FOR EACH SITE. NEVER REUSE PASSWORDS WHEN YOU DON'T HAVE TO.
This is just plain lazy. I have 20 over shitass long password that are almost impossible to brute force(I did run a check). You just need to know some basic rules of creating passwords and you're good to go. Even when my passwords are long, they are fairly easy to remember cos I don't depend on any Tom, Dick or Harry to create my password.

Moral of the story: Learn to create passwords.
__________________
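"I don't have any friends. People betray you right away, and school is just a gathering of idiots who can't get by without making someone a target. They hand out roles like playing house, pretend to be close, and look the other way when things get inconvenient. I have absolutely no desire to get along with people like that."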
KanbeKotori is offline   Reply With Quote
Old 2014-05-13, 15:11   Link #188
Dextro
He Without a Title
 
 
Join Date: Feb 2008
Location: The land of tempura
Quote:
Originally Posted by Nvis View Post
Sounds like something that when hacked they can use the "program" to steal all your passwords and sites that use them.........

Maybe better if I just write it on a piece of paper.
If you're really paranoid (like I am) you could go the Keepass route.

Keepass is a little different from Lastpass and 1Password in that it's not a service but an open source application. Basically it stores your passwords in an encrypted binary that you can then sync in the best way you see fit (I personally use Dropbox to sync it but you could use something like BTSync to avoid any servers at all).

The downside to Keepass is that the latest version (and safest) is written in .NET (Mono) so that makes it a bit harder to run in something other than Windows. However there are open source clients for other devices. MacPass for OS-X, Keepassdroid and Keepass2Android for Android, 7Pass for Windows Phone and KeeFox to integrate into Firefox. These are just the ones I've personally used but I'm sure there are others out there.

Of course LastPass is an awful lot easier to set up and maintain and they still encrypt everything in your machine and NOT their servers so there's less risk of having a compromised server leaking your passwords.
__________________
Dextro is offline   Reply With Quote
Old 2014-05-13, 15:12   Link #189
psicomenace
Member
 
 
Join Date: Nov 2008
Location: Mexico City
Quote:
Originally Posted by Nvis View Post
Sounds like something that when hacked they can use the "program" to steal all your passwords and sites that use them.........

Maybe better if I just write it on a piece of paper.
Agree, if nothing is safe anymore, then it makes me think it is just a matter of time to be robbed of all your pass in just one batch.
Even so, a piece of paper seems a lot less secure to me, I mean, c'mon, unless you write in your own personal invented code, anybody can read it.
psicomenace is offline   Reply With Quote
Old 2014-05-13, 15:27   Link #190
noahgab1133
Junior Member
 
Join Date: Jun 2009
well i haven't been on this forum in gods knows how long. now i have to change all my passwords since i had no clue what was my old pass from here XD
noahgab1133 is offline   Reply With Quote
Old 2014-05-13, 15:31   Link #191
Hiroi Sekai
ゴリゴリ!
*Graphic Designer
 
 
Join Date: Jan 2009
Location: Vancouver, British Columbia
Age: 32
Quote:
Originally Posted by KanbeKotori View Post
This is just plain lazy. I have 20 over shitass long password that are almost impossible to brute force(I did run a check). You just need to know some basic rules of creating passwords and you're good to go. Even when my passwords are long, they are fairly easy to remember cos I don't depend on any Tom, Dick or Harry to create my password.

Moral of the story: Learn to create passwords.
Hey man, if you are tech-savvy enough to superform your passwords, then power to you, you could definitely make better passwords than the LastPass generator could. However, with the general public, most of us don't have the formulaic dexterity to compose 20-30+ passwords and remember them all on the fly. In no way is the LastPass generator weak either, as you can combine numerics, capital/lowercase and special characters, plus it's encrypted with several LastPass secret PHP codes and proper SHA1 encryption. When it comes down to it, not even LastPass knows your password after it's encrypted. Not discarding your method, but I think the everyday man would feel a lot safer with an encryption service supporting them.

P.S. "Laziness" is no longer an appropriately usable term in today's technological workflow. We have the ability to complete basic tasks much more efficiently and effectively, so we take on more as a result. We simply don't have the time to burn doing everything manually when a computer can achieve similar results for you in a fraction of the time. It's not being lazy, it's being efficient and saving the time for other tasks.
__________________
Hiroi Sekai is offline   Reply With Quote
Old 2014-05-13, 15:36   Link #192
xzx
Junior Member
 
Join Date: Oct 2011
Quote:
Originally Posted by noahgab1133 View Post
well i haven't been on this forum in gods knows how long. now i have to change all my passwords since i had no clue what was my old pass from here XD
Haha yes - the same happened to me.
xzx is offline   Reply With Quote
Old 2014-05-13, 15:37   Link #193
hplgonzo
Junior Member
 
 
Join Date: Oct 2013
Location: Austria
I am more of a forum reader, than an active poster.
Received your warning mail, so I visited the forum to learn more about the topic.

You know what. I despise these criminals that hack websites/forums/... to gain access to the user database and steal information. My important accounts (mail/...) have other passwords.

That is exactly why we cannot have nice things.
__________________
hplgonzo is offline   Reply With Quote
Old 2014-05-13, 15:39   Link #194
Anh_Minh
I disagree with you all.
 
 
Join Date: Dec 2005
Quote:
Originally Posted by KanbeKotori View Post
This is just plain lazy. I have 20 over shitass long password that are almost impossible to brute force(I did run a check). You just need to know some basic rules of creating passwords and you're good to go. Even when my passwords are long, they are fairly easy to remember cos I don't depend on any Tom, Dick or Harry to create my password.

Moral of the story: Learn to create passwords.
- Password entropy isn't a solution if you reuse passwords. All it takes is someone getting your password (from something like what happened here, for example).
- If your "shitass long passwords" are existing words with common l33t alterations... well, if everyone starts adopting that strategy, "not-so-brute force" approaches will start taking that into account, and you'll realize the strength for that isn't that big. (Fortunately, many people still use "password".) I mean, how many words does the average user know? A few thousand in English, maybe a few thousand more in another language.
Anh_Minh is offline   Reply With Quote
Old 2014-05-13, 15:47   Link #195
RRW
Unspecified
*Scanlator
 
 
Join Date: May 2010
Location: Unspecified
Well, we certainly appreciate the staff's effort in dealing with this. But clearly the entire AnimeSuki staff is heavily understaffed.

I mean both GHD and nightwish are hardly regular right now and other staff these days are busy with irl stuff. This means this forum is lacking staff to watch the technical side of the forum regularly.

So how do you guys deal with this? Hire more staff or promote some mod into staff?

Note I am not talking about mod as I think we have enough of that for now.
__________________
*TL Note: Better than
Skype and Teamspeak

RRW is offline   Reply With Quote
Old 2014-05-13, 15:49   Link #196
Audit01
Member
 
 
Join Date: Dec 2009
Location: Suburb of Athens - Greece
Great just fucking great... The last time I was in this forum it was almost 2 years ago or maybe more and now I find out that this place has been hacked and my password and personal info are in the hands of hackers (who in their right mind would hack an anime fan forum is beyond me). Fortunately my other accounts around the net have different passwords and my email password is different too.
__________________
Also member of the largest Greek anime network:
www.animeplanet.gr

^^------------------------- Macross Frontier !!!! -------------------------^^
Audit01 is offline   Reply With Quote
Old 2014-05-13, 15:49   Link #197
Krono
Senior Member
 
Join Date: Feb 2009
Quote:
Originally Posted by Alistair View Post
There is absolutely NO reason any user should not expect to have the most BASIC protections in place to secure their data. It is not the responsibility of users to ensure that the data stored by the forum's servers adequately protect their information, as they cannot have such control. It is instead the responsibility of the moderators. This goes for ANY website that stores any potentially sensitive information about users.
See, the problem with your logic here is that they do indeed have the most basic protections in place. The most basic protections being MD5 salted hashes for storing passwords, limits on log in attempts to prevent brute forcing, and a password recovery mechanism that requires email account access.

Stronger hashes for storing passwords still are not standard, hence the poor availability of it for popular forum software like this one. Yes MD5 is largely useless these days, but it's still the basic default protection. Https by default isn't standard either hence why even popular sites like MyAnimeList, or Gamefaqs don't have it enabled by default.

https would likely have been meaningless in this case anyways, as the dormant mod account was more likely compromised by older incidents such as MyAnimeList being hacked several months back. At no point does the hack seem to have relied on traffic between you and the site being sniffed, which is what https primarily protects against. Having a signed certificate would have been meaningless as the certificate would have still been saying everything is fine.





The bottom line is that only one flaw responsible for this incident is easy to fix, that of leaving inactive accounts with elevated privileges. Everything else requires investigating and evaluating options for forum software, such as whether more secure upgrades are available, whether those upgrades can be used without sacrificing existing functionality, whether it's worth sacrificing existing functionality for greater security, whether alternative forum software is required to improve security, whether the alternatives provide comparable functionality and the existing content converted and imported. That's not something that happens in a day.

Furthermore, it should be mentioned that better hashing algorithms being used would not automatically make your password safe. The problem is that the website was compromised, and the password database stolen. Which greatly increases the ease at which it can be attacked, and weak passwords are weak passwords regardless of the hashing method used. If you want a better understanding of the issue of cracking passwords, I recommend you read this article.
Krono is offline   Reply With Quote
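The points made in the two posts above (a small vocabulary limits the strength of word-based passwords, and a stronger hash raises the cost per guess without rescuing a weak password) can be put into numbers. This is an added example, not code from the thread or from the forum software; the md5(md5(password) + salt) construction, the vocabulary size, the variants per word and the PBKDF2 iteration count are all assumptions, and the timings are for this machine only, so the ratio between schemes is what matters.

```python
import hashlib
import time

VOCABULARY = 5000            # assumption: "a few thousand" words a user knows
LEET_VARIANTS = 8            # assumption: l33t/case variants tried per word
PBKDF2_ITERATIONS = 200_000  # assumption: illustrative work factor


def salted_md5(password: str, salt: str) -> str:
    """Fast salted MD5, assumed here as md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow salted hash: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def seconds_per_guess(hash_once, rounds: int) -> float:
    """Average wall-clock cost of computing one candidate hash on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_once()
    return (time.perf_counter() - start) / rounds


def word_space(words: int) -> int:
    """Candidates when a password is `words` dictionary words with l33t variants."""
    return (VOCABULARY * LEET_VARIANTS) ** words


def random_space(length: int, alphabet: int = 62) -> int:
    """Candidates for a random password over letters and digits."""
    return alphabet ** length


def days_to_exhaust(space: int, cost: float) -> float:
    """Days needed to hash every candidate at `cost` seconds per guess."""
    return space * cost / 86400


def compare() -> dict:
    """Days to hash every candidate, per password style and hash scheme."""
    costs = {  # sample password and salts are constructed values
        "salted_md5": seconds_per_guess(lambda: salted_md5("c0nstruct3d", "abc"), 20000),
        "pbkdf2": seconds_per_guess(lambda: slow_hash("c0nstruct3d", b"constructed-salt"), 3),
    }
    spaces = {"1 word": word_space(1), "2 words": word_space(2), "12 random": random_space(12)}
    return {(style, scheme): days_to_exhaust(n, c)
            for style, n in spaces.items() for scheme, c in costs.items()}


if __name__ == "__main__":
    for (style, scheme), days in compare().items():
        print(f"{style:>10} {scheme:>10} {days:.3g} days")
```

A single dictionary word is exhausted quickly under either scheme, while a 12-character random password stays out of reach even with the fast hash.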
Old 2014-05-13, 15:52   Link #198
Miraluka
Banned
 
Join Date: Jan 2009
Age: 34
I'm interested to know when the avatar system is going to be fixed since the only way to update it is through uploading the files and linking is impossible.
Miraluka is offline   Reply With Quote
Old 2014-05-13, 16:05   Link #199
triviper
Junior Member
 
Join Date: Jun 2008
Users are responsible for creating safe passwords different from accounts they create elsewhere, but this is really disappointing to hear.

When websites and servers are compromised so often today, and internet security is such a hot topic and has been for a while now, I would expect AnimeSuki to keep their security measures more up to date. Obviously you guys have been around for a while and are still active for a reason, so I hope there are new plans in place to prevent this from happening again. Even if you don't update security every other patch, there should at least be some sort of bi-annual update. MD5 is far too archaic and there are people who run this site that are well aware of that fact.

Although, very thankful for updating the users so well!
triviper is offline   Reply With Quote
Old 2014-05-13, 16:06   Link #200
Houreki
Senior Member
 
 
Join Date: Nov 2013
Age: 29
Well, damn!! I use the same password almost everywhere, good that I already changed it.
The hacker can also mess with the computer itself, I mean with a virus or something like that because my laptop started to lock sometimes but, I don't know if it is because of this or something else.
Houreki is offline   Reply With Quote
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.