2014-05-13, 13:10 | Link #161
NYAAAAHAAANNNNN~
Join Date: Nov 2007
Age: 35
Quote:
Also, the mods are human beings too. The amount of attention they can spend here is limited by what they have in real life. Using HTTPS could be a start, however taking into account the time required for implementation and their living needs, it is best that we users protect ourselves first.
Quote:
Everything can be hacked and exploited. It is only a matter of time and the hackers' passion.
2014-05-13, 13:13 | Link #163
大佐
Join Date: Jun 2013
You won't believe how careless many people (especially those who are inexperienced or naive) are in handling their passwords. For example, using very simplistic passwords that are easy to crack, or being naive to a degree that it doesn't take much coercion to get them to reveal their passwords.
2014-05-13, 13:20 | Link #165
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
IT SIMPLY ISN'T THAT EASY. I haven't really found a ready-made, easy-to-implement solution to implement stronger hashing in vBulletin, a complex piece of PHP software that I didn't invent. The link you mentioned earlier gives some hints, but I'm pretty sure if I simply copy & pasted those lines I'd hose the forum. Even if the code works, existing passwords are still MD5 and it doesn't look like the code on that page has any provisions for handling "old" passwords (I could be wrong, didn't stare at the code too long). An existing vB 4.x mod I found openly admitted having that same issue (not supporting old passwords). The result would be that absolutely everyone would have to change their passwords again immediately and people will get sick of that, for sure. Added to that, once again this is a custom modification of the source. There are not many official patches for vB 3.x these days, but with every patch I'd have to be careful not to overwrite the wrong file and/or apply my own modifications again, which is a pain. Rather, I'd like to see the custom modifications to the forum reduced to absolute 0, making upgrades painless. SSL, as I've said before, is something I'm very much willing to implement, but I've currently still got some other issues to resolve first.
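The migration problem raised in the post above (moving off MD5 without forcing every user to reset) is usually solved by wrapping the stored legacy hash under a slow hash offline, then replacing it with a native strong record on each user's next successful login. This is an added illustration in Python, not vBulletin's code; the legacy scheme md5(md5(password) + salt), the record formats and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from typing import Tuple

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per hardware)


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(md5(password) + salt), stored as hex."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_hex(material: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, iterations).hex()


def new_record(password: str) -> str:
    """Record for a freshly (re)set password: pbkdf2$<salthex>$<iters>$<hash>."""
    salt = os.urandom(16)
    return f"pbkdf2${salt.hex()}${ITERATIONS}${pbkdf2_hex(password, salt)}"


def wrap_legacy_record(record: str) -> str:
    """Offline batch step, no password needed: re-hash the stored MD5 under PBKDF2
    so a stolen table no longer holds bare MD5, without forcing any reset."""
    kind, old_salt, md5hex = record.split("$")
    assert kind == "legacy", "only legacy records are wrapped"
    salt = os.urandom(16)
    return f"wrapped${old_salt}${salt.hex()}${ITERATIONS}${pbkdf2_hex(md5hex, salt)}"


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Check a login against any record format. On success, return the record the
    store should hold from now on: legacy/wrapped entries upgrade transparently."""
    parts = record.split("$")
    if parts[0] == "legacy":
        ok = hmac.compare_digest(legacy_hash(password, parts[1]), parts[2])
    elif parts[0] == "wrapped":
        _, old_salt, salt, iters, digest = parts
        md5hex = legacy_hash(password, old_salt)  # recompute the inner legacy hash
        ok = hmac.compare_digest(pbkdf2_hex(md5hex, bytes.fromhex(salt), int(iters)), digest)
    elif parts[0] == "pbkdf2":
        _, salt, iters, digest = parts
        ok = hmac.compare_digest(pbkdf2_hex(password, bytes.fromhex(salt), int(iters)), digest)
    else:
        raise ValueError("unknown record format")
    if not ok:
        return False, record
    return True, record if parts[0] == "pbkdf2" else new_record(password)
```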
2014-05-13, 13:22 | Link #166
そのおっぱいで13才
Join Date: Dec 2006
Otsukaresama~ Mods and staff. ヽ(´∀`)ノ
The email and password I used were so old, I had to randomly put in lines to even get back into my email account. So no worries for me, I guess. I don't use that email, so it doesn't matter if the hacker spams it. (So that "Test" post was the hacker?)
2014-05-13, 14:07 | Link #171
Member
Join Date: Jul 2013
I don't visit this forum that often, so it's kind of lucky for me to have read the news now, instead of say, a few weeks down the road.
While (for now) I've only used this account name and email address for AnimeSuki, before this I've used basically only one username and two or three passwords for everything that I did, including on sites I haven't visited in years and possibly have forgotten about. I wonder how many of THOSE have suffered something similar to this.
2014-05-13, 14:09 | Link #172
Immortal Flames
Join Date: Apr 2014
Well, this was quite a shocking surprise. The e-mail I use is an e-mail that is quite active, so I changed the password to something else. Although tbh, if the hackers did get into my email, all they will be doing is getting a pizza on me.
I don't put any credit info or cellphone info on my e-mail. The mandatory number I did put belongs to a Domino's pizza. Which is rofl, because a lot of good that does. The address is to a Subway.
2014-05-13, 14:16 | Link #173
ゴリゴリ!
Graphic Designer
Join Date: Jan 2009
Location: Vancouver, British Columbia
Age: 32
Perhaps this is a sign that everyone should grab LastPass and just generate your passwords with special characters. If even I don't know my own passwords, cracking this one has no effect on me, aside from a few private messages they can look at.
I also hope the staff will come up with a better hashing and salting algorithm for the passwords this time. MD5 alone is just not enough, no matter the site. If you're allowing input of personal data in accounts, it should be well protected, no matter how much one can play the "at-your-own-disclosure" card. Add secret tags to the algorithm; they're super quick to add but just keep adding steps for hackers to try and push through. By then, hopefully you can discover that someone's snooping around in your code. Sanitation and adding top-tier levels of code moderation away from the new mods/admins is helpful too. Kudos to you guys for getting the site back up and running, but I hope you'll take the steps necessary to investigate what to do for those who may now have their other accounts compromised as a result, and to improve security so it doesn't happen again. I think it's the least you can do for us all. tl;dr: GET LASTPASS, GENERATE NEW PASSWORDS FOR EACH SITE. NEVER REUSE PASSWORDS WHEN YOU DON'T HAVE TO.
2014-05-13, 14:32 | Link #175
He Without a Title
Join Date: Feb 2008
Location: The land of tempura
Guys, seriously, stop blaming the forum admins for this. They did what they could, considering this is a completely free service without a single advertisement in sight that they are providing. For me this was only a minor annoyance: open up KeePass and change the forum password, no big deal. In this day and age people should already be using something like KeePass/LastPass/1Password to manage different, relatively strong passwords for each site they visit.
While I am saddened to see MD5 still being used I'm not at all surprised since this forum isn't really something that warrants high levels of technical maintenance luckily. This stuff happens, not even the most secure system in the world is immune to being broken into.
2014-05-13, 14:37 | Link #176
Part-time misanthrope
Join Date: Mar 2007
While I don't really have technical knowledge about this topic, it seems that the invaders knew exactly what they were doing and were quite skilled as well. This could have happened to a lot, if not most, large(r) online community sites in one way or another, so we shouldn't look for 'someone to take responsibility' but instead for ways to prevent this and more from happening again.
2014-05-13, 14:45 | Link #178
Anaheim Electronics
Join Date: Aug 2004
Disappointing news of course, but I'm glad I was using an old password that I don't use anywhere else (I think). Honestly this isn't the first time AS had an "incident" like this though, so people shouldn't be too surprised.
And I really hope this serves as a wake-up call to some people. Big corporations with far more security and oversight are getting hacked left and right, so a smaller forum getting compromised is far less of a big deal. Not to mention the whole Heartbleed debacle. If you're using the exact same password for an anime forum that you are using for sensitive sites like your bank, you seriously need to re-examine your priorities.
2014-05-13, 14:47 | Link #179
大佐
Join Date: Jun 2013
I don't use it, but from what I get it is a program that keeps track of passwords, allowing you to use different and very complicated passwords for different websites. What you need to memorise is solely the master password for Lastpass itself.
2014-05-13, 14:48 | Link #180
ゴリゴリ!
Graphic Designer
Join Date: Jan 2009
Location: Vancouver, British Columbia
Age: 32
LastPass is a secure vault for all of your passwords. You sign up for an account, remember that one password and use it to access all of your other randomly generated passwords. Literally, you can have LastPass generate the strangest babble as a password, and it'll lock it in your vault. If lots of people are touchy with your computer, you can leave it fully locked. If you work alone and want quick access, you can have LastPass auto-login as soon as you hit login pages; you literally touch nothing and it does it for you.
The site has a strong sense of monitoring security, so if anything suspicious occurs as they do their multiple daily checks, they instantly lock everything and notify you to take action. Quite simply, I don't know any of my other passwords, aside from my LastPass one. Once I log into that, I can access my other ones. Your LastPass password is securely hashed as well, of course. It even has useful plugins for most popular browsers like Chrome and even Safari, allowing you to access it from the browser itself.