!!ATTENTION!! - Please Secure Your Passwords!
-
- Posts: 148
- Joined: Sat Apr 27, 2013 10:53 am
Re: !!ATTENTION!! - Please Secure Your Passwords!
So, wait, is the only captcha on this site the ssg one? Cause that's the only one I've ever seen. Is there a limit to the number of login attempts that can be made even with captchas or are there cooldowns?
Actually let me go check.
EDIT: So I just went and tried to login with a bad password like thirty times, and the only captcha I saw is the SSG one. There was no attempt cooldown or anything, I logged in just fine on the 31st attempt with the correct password and my correctly solving the SSG captcha.
If I'm interpreting this correctly and there isn't a cooldown sometime after the 30th attempt that I just didn't see, this means that while the captcha will stop random spam bots from trying to hawk Cialis and tell us how they made $300 a day from home, there is basically no site protection against brute forcing a password, and it's up to the user to have a password the maximum password length in order to delay any brute force attempts, and the only real surefire way to defend against any dedicated script kiddie is to change your max length password on a regular schedule. What is the max password length btw? The regular changing of passwords might not be needed if the length means something like a year of continuous attempts to crack.
Now, I know very little about net security, and my qualifications are basically that I have logged into a lot of websites, but wouldn't it make sense to at least introduce a cooldown after x failed attempts, if a captcha would be infeasible?
-
- Admin
- Posts: 6190
- Joined: Thu Feb 26, 2004 3:02 pm
- Preferred Pronouns: He/Him
Re: !!ATTENTION!! - Please Secure Your Passwords!
Something like that does help a lot against brute-forcing accounts. I think Apple does a progressively-increasing cooldown, so every time you miss it multiplies the amount you have to wait to try again. A more dynamic recaptcha would be better too, since this one is static and could probably be script-bypassed.
-
- Lead GZDoom+Raze Developer
- Posts: 49118
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: !!ATTENTION!! - Please Secure Your Passwords!
No wonder that the idiot was able to crack this many accounts.
I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.
-
- Posts: 513
- Joined: Tue Mar 24, 2015 3:43 pm
- Location: Steam: faslrn
Re: !!ATTENTION!! - Please Secure Your Passwords!
What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Graf Zahl wrote: No wonder that the idiot was able to crack this many accounts.
I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.
-
- Posts: 148
- Joined: Sat Apr 27, 2013 10:53 am
Re: !!ATTENTION!! - Please Secure Your Passwords!
Yes. I was honestly shocked there wasn't one, and had actually assumed there was one in place the whole time I've been using the forums. I'm surprised this hasn't happened sooner.
Graf Zahl wrote: No wonder that the idiot was able to crack this many accounts.
I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.
Oh Jesus Christ. Once someone actually goes to the trouble of writing a bot for your site, I'd assume there's no real difference between having one or a hundred static questions.
faslrn wrote: What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
I suppose you could force users to have longer passwords with different characters (if that's even possible through the site) but that may not be much help if people replace "password" with "Password12345!" The captcha and timers have the advantage of protecting the passwords of dumb users, too.
-
- Lead GZDoom+Raze Developer
- Posts: 49118
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: !!ATTENTION!! - Please Secure Your Passwords!
Amazing that such shitty software is still so widely in use.
faslrn wrote: What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Honestly, the two best protections against brute-forcing are
a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
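The two protections listed above, as an added example in Python that is not code from this forum or from phpBB: a per-account cooldown that doubles after each failed login but is capped at a maximum rather than becoming a permanent lockout (so hammering a known username slows its owner down without shutting them out), plus a replay of scroton's 30-wrong-passwords experiment against it. The username, delays and fake clock are constructed for the demonstration.

```python
import time


class LoginThrottle:
    """Progressive cooldown after failed logins, keyed by account name.

    After k consecutive failures the next attempt is refused until
    min(base_delay * 2**(k-1), max_delay) seconds have passed; a successful
    login resets the counter. Capping the delay instead of locking the
    account limits how far an attacker can abuse the mechanism to block
    the legitimate owner.
    """

    def __init__(self, base_delay=2.0, max_delay=900.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock            # injectable so tests are deterministic
        self._state = {}              # username -> (failures, not_before)

    def delay_for(self, failures):
        """Cooldown in seconds imposed after `failures` consecutive misses."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def seconds_to_wait(self, username):
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, username, password_ok):
        """Returns 'wait', 'fail' or 'ok'. The password is not even checked
        while a cooldown is active, so guesses made during it gain nothing."""
        if self.seconds_to_wait(username) > 0:
            return "wait"
        if password_ok:
            self._state.pop(username, None)
            return "ok"
        failures = self._state.get(username, (0, 0.0))[0] + 1
        self._state[username] = (failures, self.clock() + self.delay_for(failures))
        return "fail"


def simulate_thirty_failures(base_delay=2.0, max_delay=900.0):
    """Replays the experiment from the thread (30 wrong passwords, then the
    right one) with a fake clock; returns (total seconds waited, outcomes)."""
    now = [0.0]
    throttle = LoginThrottle(base_delay, max_delay, clock=lambda: now[0])
    outcomes = []
    for _ in range(30):
        outcomes.append(throttle.attempt("scroton", password_ok=False))
        now[0] += throttle.seconds_to_wait("scroton")   # guesser must sit out
    outcomes.append(throttle.attempt("scroton", password_ok=True))
    return now[0], outcomes
```

With these constructed settings the 30 misses cost about five and a half hours of enforced waiting instead of none, and the correct password still works afterwards.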
-
- Posts: 2383
- Joined: Thu Feb 11, 2016 9:59 am
Re: !!ATTENTION!! - Please Secure Your Passwords!
A) There is no cooldown on failed login. No need for this feature.
Graf Zahl wrote: Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are
a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
B) You're right, there's gonna be a major abuse of it.
By the way, has anyone seen any trolls around lately? My ISP caught fire thanks to a thunderstorm; I was with no net for a day. (Oh the horror...)
-
- Posts: 513
- Joined: Tue Mar 24, 2015 3:43 pm
- Location: Steam: faslrn
Re: !!ATTENTION!! - Please Secure Your Passwords!
I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease of simply having the bot find the Captcha box, enter in text, submit.
scroton wrote: Yes. I was honestly shocked there wasn't one, and had actually assumed there was one in place the whole time I've been using the forums. I'm surprised this hasn't happened sooner.
Graf Zahl wrote: No wonder that the idiot was able to crack this many accounts.
I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.
Oh Jesus Christ. Once someone actually goes to the trouble of writing a bot for your site, I'd assume there's no real difference between having one or a hundred static questions.
faslrn wrote: What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
I suppose you could force users to have longer passwords with different characters (if that's even possible through the site) but that may not be much help if people replace "password" with "Password12345!" The captcha and timers have the advantage of protecting the passwords of dumb users, too.
I wish there was a way to do either/or. I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts, but when that would be authorized and implemented, or even considered at all, is no one's guess.
Graf Zahl wrote: Amazing that such shitty software is still so widely in use.
faslrn wrote: What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Honestly, the two best protections against brute-forcing are
a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
-
- Posts: 148
- Joined: Sat Apr 27, 2013 10:53 am
Re: !!ATTENTION!! - Please Secure Your Passwords!
I hadn't even considered that, but that would basically be the first thing they'd do.
Graf Zahl wrote: b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
If Google's captcha could be implemented, that would probably be the best that could get done and seems the most likely to be supported.
faslrn wrote: I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease of simply having the bot find the Captcha box, enter in text, submit.
I wish there was a way to do either/or. I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts, but when that would be authorized and implemented, or even considered at all, is no one's guess.
I was going to bring up the idea of using email as a way around lockdowns (but it sounds like it's a matter of what items are available already, rather than what can be implemented) when I remembered I hadn't updated my email in a while. When I did so I was greeted by this:
Your account has been updated. However, this board requires account reactivation on e-mail changes. An activation key has been sent to the new e-mail address you provided. Please check your e-mail for further information.
So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.
-
- Posts: 513
- Joined: Tue Mar 24, 2015 3:43 pm
- Location: Steam: faslrn
Re: !!ATTENTION!! - Please Secure Your Passwords!
Looks like there is reCaptcha 2.0 for phpbb:
https://github.com/vinny/recaptcha-2-phpbbmod
scroton wrote: I hadn't even considered that, but that would basically be the first thing they'd do.
Graf Zahl wrote: b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
If Google's captcha could be implemented, that would probably be the best that could get done and seems the most likely to be supported.
faslrn wrote: I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease of simply having the bot find the Captcha box, enter in text, submit.
I wish there was a way to do either/or. I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts, but when that would be authorized and implemented, or even considered at all, is no one's guess.
I was going to bring up the idea of using email as a way around lockdowns (but it sounds like it's a matter of what items are available already, rather than what can be implemented) when I remembered I hadn't updated my email in a while. When I did so I was greeted by this:
Your account has been updated. However, this board requires account reactivation on e-mail changes. An activation key has been sent to the new e-mail address you provided. Please check your e-mail for further information.
So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.
-
- Lead GZDoom+Raze Developer
- Posts: 49118
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: !!ATTENTION!! - Please Secure Your Passwords!
scroton wrote: So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.
AFAIK the notification is sent to both mail addresses.
Nevertheless, I think the only really safe method would be to use a different login name than the outward facing nick.
Thinking about other sites where they allow the mail address as user name gives me the creeps, though. It makes it far too easy for an attacker to check if a certain person has an account on that site. And of course most mail services do not allow generation of aliases so that most users are forced to use their main mail address for everything. Sometimes I wonder why nobody has tried yet to hack into any of my accounts.
-
- Posts: 148
- Joined: Sat Apr 27, 2013 10:53 am
Re: !!ATTENTION!! - Please Secure Your Passwords!
I just checked, and it does not notify the old email. If my account had been compromised I wouldn't have any indication until I checked the forums, and I couldn't recover the account via my email either.
Graf Zahl wrote: AFAIK the notification is sent to both mail addresses.
Nevertheless, I think the only really safe method would be to use a different login name than the outward facing nick.
Thinking about other sites where they allow the mail address as user name gives me the creeps, though. It makes it far too easy for an attacker to check if a certain person has an account on that site. And of course most mail services do not allow generation of aliases so that most users are forced to use their main mail address for everything. Sometimes I wonder why nobody has tried yet to hack into any of my accounts.
Separating login names from account names would be best; is that possible for phpbb? And if so, can you have it take effect for existing accounts?
While having emails as login information isn't great, at least with some there's the possibility for two-factor authentication. EDIT: Wait a minute, that wouldn't matter in this context. My am dumb.
Hooray! Randi plz add asap.
faslrn wrote: Looks like there is reCaptcha 2.0 for phpbb:
https://github.com/vinny/recaptcha-2-phpbbmod
Last edited by scroton on Thu Jun 02, 2016 10:40 am, edited 2 times in total.
-
- Posts: 2058
- Joined: Mon Feb 07, 2011 5:02 am
Re: !!ATTENTION!! - Please Secure Your Passwords!
They've been trying mine again... so sick of this...
-
- Posts: 1383
- Joined: Tue Jul 07, 2015 7:30 am
- Location: :noiƚɒɔo⅃
Re: !!ATTENTION!! - Please Secure Your Passwords!
I think they're trying to raid my account now, got the captcha thing. >_>
If you do happen to see posts that seem off on my account, let me know.
I don't wanna be a victim of a false ban because of these assholes.
-
- Posts: 1183
- Joined: Tue Jun 02, 2015 7:54 am
Re: !!ATTENTION!! - Please Secure Your Passwords!
I got ruled out as a spambot thanks to my dynamic IP assigning me to a notorious address. For a second there I thought my account was done for and I've gotten a problem that I really need to fix too.
Also, the hackers are probably targeting active accounts now considering the old inactive accounts are now unusable to them. It seems futile, and if this keeps up for months that's just desperation.