!!ATTENTION!! - Please Secure Your Passwords!

We sure do have a lot of rules and guidelines threads - find them all here, and please make sure you've read them! Also, community-wide announcements (that aren't major ZDoom News) go here as well.
User avatar
enderkevin13
Posts: 1383
Joined: Tue Jul 07, 2015 7:30 am
Location: :noiƚɒɔo⅃

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by enderkevin13 »

Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
User avatar
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by wildweasel »

enderkevin13 wrote:Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.
User avatar
enderkevin13
Posts: 1383
Joined: Tue Jul 07, 2015 7:30 am
Location: :noiƚɒɔo⅃

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by enderkevin13 »

wildweasel wrote:
enderkevin13 wrote:Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.
He sent the website errors to me. I screencapped the messages and the pictures he sent.
User avatar
Matt
Posts: 9696
Joined: Sun Jan 04, 2004 5:37 pm
Preferred Pronouns: They/Them
Operating System Version (Optional): Debian Bullseye
Location: Gotham City SAR, Wyld-Lands of the Lotus People, Dominionist PetroConfederacy of Saudi Canadia

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Matt »

Graf Zahl wrote:I wouldn't store anything security related in the cloud when everybody can immediately see that it's security related.
This.

I just got a too many failed login attempts again logging in now,* so I'd hate to see what would happen with an automatic lockdown. Am definitely for cooldown time though (even like 5 seconds on a first try).

*I've been getting these since people had been hijacking inactive accounts too, so I don't think there's any real pattern to this.
User avatar
Rachael
Posts: 13727
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Rachael »

Graf Zahl wrote:
faslrn wrote: What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).

If your machine happens to host an open proxy that the attacker uses - you're SOL. Secure your network.
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49141
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Graf Zahl »

Eruanna wrote:(which would force the attacker to use less and less reliable proxies).
If it was that easy. What about TOR?
User avatar
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by wildweasel »

Eruanna wrote:Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).
What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:
  1. Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
  2. Why stop at only two captchas? Why not implement several and choose randomly between them on each failed attempt? Maybe one time it's the SSG question, maybe the next it's the "click on all the puppies hidden among these photographs of potatoes" one, maybe after that it's reCAPTCHA, etc etc.
Graf Zahl wrote:
Eruanna wrote:(which would force the attacker to use less and less reliable proxies).
If it was that easy. What about TOR?
From what I've been told by other forums' moderators who have been dealing with the same guy, TOR is used quite frequently.
User avatar
Caligari87
Admin
Posts: 6190
Joined: Thu Feb 26, 2004 3:02 pm
Preferred Pronouns: He/Him

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Caligari87 »

wildweasel wrote:What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:
  1. Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.

8-)
Nevander
Posts: 2254
Joined: Mon Jan 06, 2014 11:32 pm

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Nevander »

For fricks sake again it's telling me max attempts. Why won't they give up?
User avatar
Rachael
Posts: 13727
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Rachael »

Caligari87 wrote:If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.

8-)
Exactly correct.

The idea is to not punish legitimate users needlessly - only make it harder for certain troublesome IP ranges (since proxy scans usually go by IP range, anyway). Those IP ranges can still log in - they just have two challenges to solve from the get-go. It's annoying, sure, but it's better than completely blocking them. It won't do anything for bots except to slow them down - which really is kind of the idea when you're facing brute force attacks.

Login key cookies can bypass the IP ban. That means if you ticked "Keep me logged in" it will let you stay on that account.

If the account you are logging into has an IP whitelist (you successfully logged in to your own account repeatedly within the last 180 days, or registered from that IP), your IP will also be able to bypass the challenges.

If typing your password is a bit of a doozy and you hit the max login attempts, you should still be able to reset your password and log in that way. That won't stop any attacker who can compromise people's emails, but it goes a long way to ensuring most legitimate users will have access to their accounts no matter what.
DnB-Freak
Posts: 304
Joined: Sun May 19, 2013 12:09 pm

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by DnB-Freak »

This is weird, but when I brought my laptop to the work I got a message that I was banned when tried to login.
At home I tried again and it worked, was I banned or not, I got several 503 Errors on the next attempts at work.
Enhanced my password after this crazy moment.
Accensus
Posts: 2383
Joined: Thu Feb 11, 2016 9:59 am

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Accensus »

But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
Image
User avatar
enderkevin13
Posts: 1383
Joined: Tue Jul 07, 2015 7:30 am
Location: :noiƚɒɔo⅃

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by enderkevin13 »

Lud wrote:But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
Image
Because they think that getting rid of ZDoom will make them better, even though they rely on us pretty much.
User avatar
Rachael
Posts: 13727
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by Rachael »

Lud wrote:But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
Attention.

Some people get off on stuff like this. The attacker is probably really proud of this thread.
User avatar
randi
Site Admin
Posts: 7749
Joined: Wed Jul 09, 2003 10:30 pm

Re: !!ATTENTION!! - Please Secure Your Passwords!

Post by randi »

Eruanna wrote:Some people get off on stuff like this. The attacker is probably really proud of this thread.
Exactly. I should probably lock this thread so people stop talking about it and giving the attacker more reason to continue.

Return to “Rules and Forum Announcements”