!!ATTENTION!! - Please Secure Your Passwords!
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
enderkevin13 wrote: Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
enderkevin13 wrote: Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
wildweasel wrote: Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.
He sent the website errors to me. I screencapped the messages and the pictures he sent.
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
Graf Zahl wrote: I wouldn't store anything security related in the cloud when everybody can immediately see that it's security related.
This.
I just got a too many failed login attempts again logging in now,* so I'd hate to see what would happen with an automatic lockdown. Am definitely for cooldown time though (even like 5 seconds on a first try).
*I've been getting these since people had been hijacking inactive accounts too, so I don't think there's any real pattern to this.
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
faslrn wrote: What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Graf Zahl wrote: Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are
a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).
If your machine happens to host an open proxy that the attacker uses - you're SOL. Secure your network.
-
- Lead GZDoom+Raze Developer
Re: !!ATTENTION!! - Please Secure Your Passwords!
Eruanna wrote: (which would force the attacker to use less and less reliable proxies).
If it was that easy. What about TOR?
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
Eruanna wrote: Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).
What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:
- Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
- Why stop at only two captchas? Why not implement several and choose randomly between them on each failed attempt? Maybe one time it's the SSG question, maybe the next it's the "click on all the puppies hidden among these photographs of potatoes" one, maybe after that it's reCAPTCHA, etc etc.
Eruanna wrote: (which would force the attacker to use less and less reliable proxies).
Graf Zahl wrote: If it was that easy. What about TOR?
From what I've been told by other forums' moderators who have been dealing with the same guy, TOR is used quite frequently.
-
- Admin
Re: !!ATTENTION!! - Please Secure Your Passwords!
wildweasel wrote: What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:
- Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
For frick's sake, again it's telling me max attempts. Why won't they give up?
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
Caligari87 wrote: If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.
Exactly correct.
The idea is to not punish legitimate users needlessly - only make it harder for certain troublesome IP ranges (since proxy scans usually go by IP range, anyway). Those IP ranges can still log in - they just have two challenges to solve from the get-go. It's annoying, sure, but it's better than completely blocking them. It won't do anything for bots except to slow them down - which really is kind of the idea when you're facing brute force attacks.
Login key cookies can bypass the IP ban. That means if you ticked "Keep me logged in" it will let you stay on that account.
If the account you are logging into has an IP whitelist (you successfully logged in to your own account repeatedly within the last 180 days, or registered from that IP), your IP will also be able to bypass the challenges.
If typing your password is a bit of a doozy and you hit the max login attempts, you should still be able to reset your password and log in that way. That won't stop any attacker who can compromise people's emails, but it goes a long way to ensuring most legitimate users will have access to their accounts no matter what.
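The policy described in the post above, sketched as an added example (not part of the thread and not phpBB code). The class and function names are hypothetical, the good list tracks single IPs rather than ranges, registration is assumed to be recorded as a successful login, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_FAILS = 5              # failed logins per flagged IP, across all accounts
BAN_SECONDS = 3 * 3600     # 3-hour ban
GOOD_WINDOW = 180 * 86400  # how long a successful login keeps an IP "known good"

@dataclass
class LoginGate:
    bad_ranges: list                                  # flagged ip_network objects
    good_ips: dict = field(default_factory=dict)      # account -> {ip: last success}
    fails: dict = field(default_factory=dict)         # ip -> failures, all accounts
    banned_until: dict = field(default_factory=dict)  # ip -> ban expiry time

    def _flagged(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.bad_ranges)

    def precheck(self, account, ip, now, login_cookie=False):
        """What the request must do before the password is checked."""
        if login_cookie:
            return "allow"        # "Keep me logged in" bypasses the IP ban
        if self.banned_until.get(ip, 0) > now:
            return "banned"
        seen = self.good_ips.get(account, {}).get(ip)
        if seen is not None and now - seen <= GOOD_WINDOW:
            return "allow"        # known good for this account: no challenges
        return "challenge" if self._flagged(ip) else "allow"

    def record(self, account, ip, now, success):
        """Update state after the password check."""
        if success:
            self.good_ips.setdefault(account, {})[ip] = now  # rolling good list
            self.fails.pop(ip, None)
        elif self._flagged(ip):
            self.fails[ip] = self.fails.get(ip, 0) + 1
            if self.fails[ip] >= MAX_FAILS:
                self.banned_until[ip] = now + BAN_SECONDS
                self.fails.pop(ip, None)

def demo():
    """Constructed scenario: a flagged IP guessing across several accounts."""
    gate = LoginGate([ipaddress.ip_network("203.0.113.0/24")])
    gate.record("alice", "203.0.113.9", 0, True)      # alice's own past login
    first = gate.precheck("bob", "203.0.113.50", 10)
    for i in range(MAX_FAILS):                        # 5 misses on 5 accounts
        gate.record(f"user{i}", "203.0.113.50", 10 + i, False)
    return (first,
            gate.precheck("bob", "203.0.113.50", 20),
            gate.precheck("bob", "203.0.113.50", 20, login_cookie=True),
            gate.precheck("alice", "203.0.113.9", 20),
            gate.precheck("bob", "203.0.113.50", 20 + BAN_SECONDS))
```

The failure counter is keyed on the IP alone, so spreading guesses over many accounts still reaches the limit, while an address outside the flagged ranges is never banned by this logic.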
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
This is weird, but when I brought my laptop to work I got a message that I was banned when I tried to log in.
At home I tried again and it worked. Was I banned or not? I got several 503 errors on the next attempts at work.
Enhanced my password after this crazy moment.
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
Lud wrote: But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
Because they think that getting rid of ZDoom will make them better, even though they rely on us pretty much.
-
Re: !!ATTENTION!! - Please Secure Your Passwords!
Lud wrote: But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
Attention.
Some people get off on stuff like this. The attacker is probably really proud of this thread.
-
- Site Admin
Re: !!ATTENTION!! - Please Secure Your Passwords!
Eruanna wrote: Some people get off on stuff like this. The attacker is probably really proud of this thread.
Exactly. I should probably lock this thread so people stop talking about it and giving the attacker more reason to continue.