!!ATTENTION!! - Please Secure Your Passwords!

We sure do have a lot of rules and guidelines threads - find them all here, and please make sure you've read them! Also, community-wide announcements (that aren't major ZDoom News) go here as well.

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby enderkevin13 » Thu Jun 02, 2016 4:03 pm

Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
enderkevin13
Official abbadon of ZDoom
Banned User
 
Joined: 07 Jul 2015
Location: :noiƚɒɔo⅃

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby wildweasel » Thu Jun 02, 2016 4:06 pm

enderkevin13 wrote:Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?

Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.
wildweasel
I love the smell of sourdough in the morning
Moderator Team Admin
 
Joined: 15 Jul 2003
Location: avatar by kurashiki

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby enderkevin13 » Thu Jun 02, 2016 4:10 pm

wildweasel wrote:
enderkevin13 wrote:Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?

Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.

He sent the website errors to me. I screencapped the messages and the pictures he sent.
enderkevin13
Official abbadon of ZDoom
Banned User
 
Joined: 07 Jul 2015
Location: :noiƚɒɔo⅃

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Matt » Thu Jun 02, 2016 4:12 pm

Graf Zahl wrote:I wouldn't store anything security related in the cloud when everybody can immediately see that it's security related.
This.

I just got a "too many failed login attempts" again logging in now,* so I'd hate to see what would happen with an automatic lockdown. Am definitely for cooldown time though (even like 5 seconds on a first try).

*I've been getting these since people had been hijacking inactive accounts too, so I don't think there's any real pattern to this.
Matt
Putting the XD into *xdeath since 2007
 
Joined: 04 Jan 2004
Location: Gotham City SAR, Wyld-Lands of the Lotus People, Dominionist PetroConfederacy of Saudi Canadia

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Rachael » Thu Jun 02, 2016 4:47 pm

Graf Zahl wrote:
faslrn wrote:What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).


Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.


Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).

If your machine happens to host an open proxy that the attacker uses - you're SOL. Secure your network.
Rachael
QZDoom + Webmaster
 
Joined: 13 Jan 2004

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Graf Zahl » Thu Jun 02, 2016 5:07 pm

Eruanna wrote:(which would force the attacker to use less and less reliable proxies).


If it was that easy. What about TOR?
Graf Zahl
Lead GZDoom Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby wildweasel » Thu Jun 02, 2016 5:10 pm

Eruanna wrote:Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).

What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:
  1. Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
  2. Why stop at only two captchas? Why not implement several and choose randomly between them on each failed attempt? Maybe one time it's the SSG question, maybe the next it's the "click on all the puppies hidden among these photographs of potatoes" one, maybe after that it's reCAPTCHA, etc etc.
Graf Zahl wrote:
Eruanna wrote:(which would force the attacker to use less and less reliable proxies).


If it was that easy. What about TOR?

From what I've been told by other forums' moderators who have been dealing with the same guy, TOR is used quite frequently.
wildweasel
I love the smell of sourdough in the morning
Moderator Team Admin
 
Joined: 15 Jul 2003
Location: avatar by kurashiki

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Caligari87 » Thu Jun 02, 2016 6:01 pm

wildweasel wrote:What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:
  1. Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.

8-)
Caligari87
I'm just here for the community
 
Joined: 26 Feb 2004
Location: Salt Lake City, Utah, USA
Discord: Caligari87#3089

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Nevander » Thu Jun 02, 2016 7:19 pm

For frick's sake, again it's telling me max attempts. Why won't they give up?
Nevander
The Doomslayer
 
Joined: 06 Jan 2014
Location: United States

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Rachael » Fri Jun 03, 2016 12:20 am

Caligari87 wrote:If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.

8-)

Exactly correct.

The idea is to not punish legitimate users needlessly - only make it harder for certain troublesome IP ranges (since proxy scans usually go by IP range, anyway). Those IP ranges can still log in - they just have two challenges to solve from the get-go. It's annoying, sure, but it's better than completely blocking them. It won't do anything for bots except to slow them down - which really is kind of the idea when you're facing brute force attacks.

Login key cookies can bypass the IP ban. That means if you ticked "Keep me logged in" it will let you stay on that account.

If the account you are logging into has an IP whitelist (you successfully logged in to your own account repeatedly within the last 180 days, or registered from that IP), your IP will also be able to bypass the challenges.

If typing your password is a bit of a doozy and you hit the max login attempts, you should still be able to reset your password and log in that way. That won't stop any attacker who can compromise people's emails, but it goes a long way to ensuring most legitimate users will have access to their accounts no matter what.
Rachael
QZDoom + Webmaster
 
Joined: 13 Jan 2004

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Chickenlegz » Fri Jun 03, 2016 7:41 am

This is weird, but when I brought my laptop to work I got a message that I was banned when I tried to log in.
At home I tried again and it worked. Was I banned or not? I got several 503 errors on the next attempts at work.
Enhanced my password after this crazy moment.
Chickenlegz
 
Joined: 19 May 2013
Location: Stockholm, Sweden

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Lud » Fri Jun 03, 2016 8:14 am

But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
Lud
 
Joined: 11 Feb 2016

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby enderkevin13 » Fri Jun 03, 2016 8:37 am

Lud wrote:But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...

Because they think that getting rid of ZDoom will make them better, even though they rely on us pretty much.
enderkevin13
Official abbadon of ZDoom
Banned User
 
Joined: 07 Jul 2015
Location: :noiƚɒɔo⅃

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby Rachael » Fri Jun 03, 2016 9:32 am

Lud wrote:But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...

Attention.

Some people get off on stuff like this. The attacker is probably really proud of this thread.
Rachael
QZDoom + Webmaster
 
Joined: 13 Jan 2004

Re: !!ATTENTION!! - Please Secure Your Passwords!

Postby randi » Fri Jun 03, 2016 10:26 am

Eruanna wrote:Some people get off on stuff like this. The attacker is probably really proud of this thread.

Exactly. I should probably lock this thread so people stop talking about it and giving the attacker more reason to continue.
randi
Site Admin
 
Joined: 09 Jul 2003
