!!ATTENTION!! - Please Secure Your Passwords!

We sure do have a lot of rules and guidelines threads - find them all here, and please make sure you've read them! Also, community-wide announcements (that aren't major ZDoom News) go here as well.

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby scroton » Thu Jun 02, 2016 6:46 am

So, wait, is the only captcha on this site the ssg one? Cause that's the only one I've ever seen. Is there a limit to the number of login attempts that can be made even with captchas or are there cooldowns?

Actually let me go check.

EDIT: So I just went and tried to login with a bad password like thirty times, and the only captcha I saw is the SSG one. There was no attempt cooldown or anything, I logged in just fine on the 31st attempt with the correct password and my correctly solving the SSG captcha.


If I'm interpreting this correctly and there isn't a cooldown sometime after the 30th attempt that I just didn't see, this means that while the captcha will stop random spam bots from trying to hawk Cialis and tell us how they made $300 a day from home, there is basically no site protection against brute forcing a password, and it's up to the user to have a password of the maximum password length in order to delay any brute force attempts, and the only real surefire way to defend against any dedicated script kiddie is to change your max-length password on a regular schedule. What is the max password length btw? The regular changing of passwords might not be needed if the length means something like a year of continuous attempts to crack.

Now, I know very little about net security, and my qualifications are basically that I have logged into a lot of websites, but wouldn't it make sense to at least introduce a cooldown after x failed attempts, if a captcha would be infeasible?
scroton
 
Joined: 27 Apr 2013

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Caligari87 » Thu Jun 02, 2016 8:16 am

Something like that does help a lot against brute-forcing accounts. I think Apple does a progressively-increasing cooldown, so every time you miss it multiplies the amount you have to wait to try again. A more dynamic recaptcha would be better too, since this one is static and could probably be script-bypassed.

8-)
Caligari87
I'm just here for the community
User Accounts Assistant
 
Joined: 26 Feb 2004
Location: Salt Lake City, Utah, USA
Discord: Caligari87#3089

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Graf Zahl » Thu Jun 02, 2016 8:24 am

No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.
Graf Zahl
Lead GZDoom Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby faslrn » Thu Jun 02, 2016 9:19 am

Graf Zahl wrote:No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.


What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
faslrn
Dangerously cheesy
 
Joined: 24 Mar 2015
Location: Steam: faslrn
Discord: hollow#0721

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby scroton » Thu Jun 02, 2016 9:51 am

Graf Zahl wrote:No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.

Yes. I was honestly shocked there wasn't one, and had actually assumed there was one in place the whole time I've been using the forums. I'm surprised this hasn't happened sooner.

faslrn wrote:What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Oh Jesus Christ. Once someone actually goes to the trouble of writing a bot for your site, I'd assume there's no real difference between having one or a hundred static questions.

I suppose you could force users to have longer passwords with different characters (if that's even possible through the site) but that may not be much help if people replace "password" with "Password12345!" The captcha and timers have the advantage of protecting the passwords of dumb users, too.
scroton
 
Joined: 27 Apr 2013

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Graf Zahl » Thu Jun 02, 2016 9:56 am

faslrn wrote:What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).


Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
Graf Zahl
Lead GZDoom Developer
 
Joined: 19 Jul 2003
Location: Germany
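Caligari87's progressively increasing cooldown and Graf Zahl's options (a) and (b), including the caveat that a lockout can be turned against legitimate users, as an added example that is neither part of this thread nor phpBB's code. It puts a per-key exponential back-off throttle next to a hard lockout; the clock is passed in explicitly so the timing can be followed without sleeping, and the usernames, addresses and delay parameters are constructed for the demo.

```python
"""Progressive login delays versus hard account lockout.

Added example, not phpBB code. The clock is passed in as `now` (seconds)
so the timing can be followed without sleeping. Usernames, addresses and
delay parameters are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class _Entry:
    failures: int = 0
    blocked_until: float = 0.0  # same clock as the `now` arguments below


class ProgressiveThrottle:
    """Option (a): after `free_attempts` failures every further failure
    doubles the wait before another attempt is accepted, up to `max_delay`.
    Delays expire on their own, so nobody needs an admin to unlock them.
    The key is chosen by the caller: keying on (username, client address)
    keeps a guesser's failures from delaying the real user elsewhere."""

    def __init__(self, base_delay=2.0, max_delay=900.0, free_attempts=3):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.free_attempts = free_attempts
        self._entries = {}

    def wait_remaining(self, key, now):
        entry = self._entries.get(key)
        if entry is None:
            return 0.0
        return max(0.0, entry.blocked_until - now)

    def record_failure(self, key, now):
        entry = self._entries.setdefault(key, _Entry())
        entry.failures += 1
        excess = entry.failures - self.free_attempts
        if excess > 0:
            delay = min(self.max_delay, self.base_delay * 2 ** (excess - 1))
            entry.blocked_until = now + delay

    def record_success(self, key):
        self._entries.pop(key, None)


class HardLockout:
    """Option (b): lock the account after `max_failures` bad passwords
    until an admin resets it. Anyone who knows a username can trigger it."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self._failures = {}
        self._locked = set()

    def is_locked(self, username):
        return username in self._locked

    def record_failure(self, username):
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.max_failures:
            self._locked.add(username)

    def admin_reset(self, username):
        self._locked.discard(username)
        self._failures.pop(username, None)


def attempt_login(throttle, key, password_ok, now):
    """One login attempt; the password check itself is simulated by
    `password_ok`. Returns 'throttled', 'ok' or 'failed'."""
    if throttle.wait_remaining(key, now) > 0:
        return "throttled"
    if password_ok:
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key, now)
    return "failed"


def demo():
    """Thirty wrong guesses one second apart, as in scroton's test above,
    then the account owner logging in from a different address, and the
    same thirty guesses run against a hard lockout."""
    throttle = ProgressiveThrottle()
    guesser = ("scroton", "203.0.113.7")  # constructed, RFC 5737 range
    owner = ("scroton", "198.51.100.2")   # constructed, RFC 5737 range
    outcomes = [attempt_login(throttle, guesser, False, float(t)) for t in range(30)]

    lockout = HardLockout(max_failures=5)
    for _ in range(30):
        if not lockout.is_locked("scroton"):
            lockout.record_failure("scroton")
    locked_by_guesser = lockout.is_locked("scroton")
    lockout.admin_reset("scroton")

    return {
        "guesses_checked": outcomes.count("failed"),  # only 7 of 30 reach the password check
        "guesses_throttled": outcomes.count("throttled"),
        "guesser_wait_at_30s": throttle.wait_remaining(guesser, 30.0),
        "owner_login_at_30s": attempt_login(throttle, owner, True, 30.0),
        "owner_locked_out_by_guesser": locked_by_guesser,
        "owner_locked_after_admin_reset": lockout.is_locked("scroton"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these parameters the thirty guesses scroton made in a minute would get only seven password checks, and by the 30-second mark the guesser is still waiting while the owner logs in unhindered from another address. The hard lockout, by contrast, shuts the owner out after the fifth bad guess from anyone and stays shut until an admin intervenes, which is the abuse Graf Zahl points out. A guesser with many addresses can still spread attempts across keys, so a slower per-account ceiling on top of the per-(user, address) delay is the usual complement.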

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Lud » Thu Jun 02, 2016 10:03 am

Graf Zahl wrote:Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

A) There is no cooldown on failed login. No need for this feature.
B) You're right, there's gonna be a major abuse of it.

By the way, has anyone seen any trolls around lately? My ISP caught fire thanks to a thunderstorm; I had no net for a day. (Oh the horror...)
Lud
Pirates of the Somallean
 
Joined: 11 Feb 2016
Location: Somalia

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby faslrn » Thu Jun 02, 2016 10:13 am

scroton wrote:
Graf Zahl wrote:No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.

Yes. I was honestly shocked there wasn't one, and had actually assumed there was one in place the whole time I've been using the forums. I'm surprised this hasn't happened sooner.

faslrn wrote:What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Oh Jesus Christ. Once someone actually goes to the trouble of writing a bot for your site, I'd assume there's no real difference between having one or a hundred static questions.

I suppose you could force users to have longer passwords with different characters (if that's even possible through the site) but that may not be much help if people replace "password" with "Password12345!" The captcha and timers have the advantage of protecting the passwords of dumb users, too.


I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease of simply having the bot find the Captcha box, enter in text, submit.

Graf Zahl wrote:
faslrn wrote:What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).


Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.


I wish there was a way to do either/or. I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts but when that would be authorized and implemented, or even considered at all, is anyone's guess.
faslrn
Dangerously cheesy
 
Joined: 24 Mar 2015
Location: Steam: faslrn
Discord: hollow#0721

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby scroton » Thu Jun 02, 2016 10:28 am

Graf Zahl wrote:b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

I hadn't even considered that, but that would basically be the first thing they'd do.

faslrn wrote:I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease of simply having the bot find the Captcha box, enter in text, submit.

I wish there was a way to do either/or. I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts but when that would be authorized and implemented, or even considered at all, is anyone's guess.


If Google's captcha could be implemented, that would probably be the best that could get done and seems the most likely to be supported.

I was going to bring up the idea of using email as a way around lockdowns (but it sounds like it's a matter of what items are available already, rather than what can be implemented) when I remembered I hadn't updated my email in a while. When I did so I was greeted by this:

Your account has been updated. However, this board requires account reactivation on e-mail changes. An activation key has been sent to the new e-mail address you provided. Please check your e-mail for further information.


So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.
scroton
 
Joined: 27 Apr 2013

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby faslrn » Thu Jun 02, 2016 10:41 am

scroton wrote:
Graf Zahl wrote:b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

I hadn't even considered that, but that would basically be the first thing they'd do.

faslrn wrote:I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease of simply having the bot find the Captcha box, enter in text, submit.

I wish there was a way to do either/or. I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts but when that would be authorized and implemented, or even considered at all, is anyone's guess.


If Google's captcha could be implemented, that would probably be the best that could get done and seems the most likely to be supported.

I was going to bring up the idea of using email as a way around lockdowns (but it sounds like it's a matter of what items are available already, rather than what can be implemented) when I remembered I hadn't updated my email in a while. When I did so I was greeted by this:

Your account has been updated. However, this board requires account reactivation on e-mail changes. An activation key has been sent to the new e-mail address you provided. Please check your e-mail for further information.


So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.


Looks like there is reCaptcha 2.0 for phpbb:

https://github.com/vinny/recaptcha-2-phpbbmod
faslrn
Dangerously cheesy
 
Joined: 24 Mar 2015
Location: Steam: faslrn
Discord: hollow#0721

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Graf Zahl » Thu Jun 02, 2016 10:58 am

scroton wrote:So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.



AFAIK the notification is sent to both mail addresses.
Nevertheless, I think the only really safe method would be to use a different login name than the outward facing nick.

Thinking about other sites where they allow the mail address as user name gives me the creeps, though. It makes it far too easy for an attacker to check if a certain person has an account on that site. And of course most mail services do not allow generation of aliases so that most users are forced to use their main mail address for everything. Sometimes I wonder why nobody has tried yet to hack into any of my accounts.
Graf Zahl
Lead GZDoom Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby scroton » Thu Jun 02, 2016 11:15 am

Graf Zahl wrote:AFAIK the notification is sent to both mail addresses.
Nevertheless, I think the only really safe method would be to use a different login name than the outward facing nick.

Thinking about other sites where they allow the mail address as user name gives me the creeps, though. It makes it far too easy for an attacker to check if a certain person has an account on that site. And of course most mail services do not allow generation of aliases so that most users are forced to use their main mail address for everything. Sometimes I wonder why nobody has tried yet to hack into any of my accounts.


I just checked, and it does not notify the old email. If my account had been compromised I wouldn't have any indication until I checked the forums, and I couldn't recover the account via my email either.

Separating login names from account names would be best; is that possible for phpbb? And if so can you have it take effect for existing accounts?

While having emails as login information isn't great, at least with some there's the possibility for two-factor authentication. EDIT: Wait a minute, that wouldn't matter in this context. My am dumb.

faslrn wrote:Looks like there is reCaptcha 2.0 for phpbb:

https://github.com/vinny/recaptcha-2-phpbbmod


Hooray! Randi plz add asap.
Last edited by scroton on Thu Jun 02, 2016 11:40 am, edited 2 times in total.
scroton
 
Joined: 27 Apr 2013
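scroton's finding above (the reactivation mail goes only to the new address, so the old address is neither told about the change nor able to undo it), illustrated with an added example that is not phpBB's code. The flow keeps the confirmation step at the new address but also sends the old address a notice with a time-limited, single-use revert link; a revert restores the old address, cancels any outstanding confirmation and flags the account for a password reset. The addresses, the 14-day window and the in-memory outbox standing in for a mailer are constructed.

```python
"""E-mail change flow that notifies the old address and lets it revert.

Added example, not phpBB code. Mail sending is replaced by an in-memory
outbox; addresses and the revert window are constructed for the demo.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    pending_email: Optional[str] = None
    needs_password_reset: bool = False


@dataclass
class Mail:
    to: str
    subject: str
    token: str  # a real mailer would embed this in a link


class EmailChangeFlow:
    REVERT_WINDOW = 14 * 24 * 3600  # seconds during which the old address can undo

    def __init__(self):
        self.outbox = []
        self._confirm = {}  # token -> account
        self._revert = {}   # token -> (account, old_email, expires_at)

    def request_change(self, account, new_email, now):
        """Nothing changes yet. The new address gets a confirmation link
        (as phpBB's reactivation does); the OLD address gets a notice with
        a revert link, which is what the thread found missing."""
        account.pending_email = new_email
        confirm_token = secrets.token_urlsafe(32)
        self._confirm[confirm_token] = account
        self.outbox.append(Mail(new_email, "Confirm your new e-mail address", confirm_token))
        revert_token = secrets.token_urlsafe(32)
        self._revert[revert_token] = (account, account.email, now + self.REVERT_WINDOW)
        self.outbox.append(Mail(account.email, "Your e-mail address is being changed", revert_token))

    def confirm(self, token):
        """Clicked from the new address: the change takes effect, but the
        revert link held by the old address stays valid."""
        account = self._confirm.pop(token, None)
        if account is None or account.pending_email is None:
            return False
        account.email, account.pending_email = account.pending_email, None
        return True

    def revert(self, token, now):
        """Clicked from the old address: restore it, cancel any pending
        confirmation and force a password reset, since a change the owner
        did not make is the sign of a compromised account."""
        entry = self._revert.pop(token, None)  # single use
        if entry is None:
            return False
        account, old_email, expires_at = entry
        if now > expires_at:
            return False
        account.email = old_email
        account.pending_email = None
        account.needs_password_reset = True
        self._confirm = {t: a for t, a in self._confirm.items() if a is not account}
        return True


def demo():
    """Someone holding the account's password swaps the address and
    confirms from the new one; the owner, reading the notice at the old
    address, undoes it."""
    flow = EmailChangeFlow()
    account = Account("scroton", "owner@example.com")  # constructed
    flow.request_change(account, "intruder@example.net", now=0.0)  # constructed
    notices_to_old = [m for m in flow.outbox if m.to == "owner@example.com"]
    confirm_mail = next(m for m in flow.outbox if m.to == "intruder@example.net")
    confirmed = flow.confirm(confirm_mail.token)
    email_after_confirm = account.email
    reverted = flow.revert(notices_to_old[0].token, now=3600.0)
    replayed = flow.revert(notices_to_old[0].token, now=3600.0)
    return {
        "old_address_notified": len(notices_to_old) == 1,
        "confirmed": confirmed,
        "email_after_confirm": email_after_confirm,
        "reverted": reverted,
        "email_after_revert": account.email,
        "needs_password_reset": account.needs_password_reset,
        "replayed_revert_rejected": replayed is False,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keeping the revert token alive after confirmation is that whoever changed the address will confirm it immediately, so a notice that becomes useless the moment the change takes effect would not help the owner at all. Forcing a password reset on revert follows from scroton's observation that an unwanted address change means the password is already in someone else's hands.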

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby osjclatchford » Thu Jun 02, 2016 11:29 am

They've been trying mine again... so sick of this...
osjclatchford
 
Joined: 07 Feb 2011

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby enderkevin13 » Thu Jun 02, 2016 11:52 am

I think they're trying to raid my account now, got the captcha thing. >_>
If you do happen to see posts that seem off on my account, let me know.

I don't wanna be a victim of a false ban because of these assholes.
enderkevin13
Official abbadon of ZDoom
Banned User
 
Joined: 07 Jul 2015
Location: :noiƚɒɔo⅃

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby 4thcharacter » Thu Jun 02, 2016 12:34 pm

I got ruled out as a spambot thanks to my dynamic IP assigning me to a notorious address. For a second there I thought my account was done for and I've gotten a problem that I really need to fix too.


Also, the hackers are probably targeting active accounts now considering the old inactive accounts are now unusable to them. It seems futile and if this keeps up for months that's just desperation.
4thcharacter
"I have returned."
 
Joined: 02 Jun 2015
