What's going on:
We've been having problems with 'credential stuffing' on this site, where a spammer will do a brute force attack on the login page with known, previously breached usernames and passwords to try to get access to accounts to spam us with.
This kind of attack has a high success rate and relies on users neglecting their security ( and a lot of people do that, so.. )
Many members ( 100% of the victims so far don't use the site much and have just a few posts ) set a weak password on this site, or never changed theirs after a breach and have been re-using that username/password on other sites/ours. This makes the spammers' job really easy because anyone can buy or download list of compromised passwords from all kinds of sites these days.
To stem the tide of these accounts from being unlocked and used for spammage ( then getting banned since we usually have no option ), i've added the have i been pwned service to our system which checks hashed partial password input against databases of known hacked passwords. It's similar to how the hacked password protection works in google chrome, and in this instance, because irreversible hashes of partial passwords are being sent, and compared, we don't accidentally end up compromising our user's security in order to gain security.
In addition, we now set a minimum password length and complexity for all new passwords going forward. And also added much stricter server-level protection against brute force attacks.
What does the trap look like if i fall in?
If you have a username/password combination known to be hacked on another website, the system will eventually require that you reset your password.
The indication isn't exactly clear, but the symptom that you will be that you are logged in but can't post.
If this doesn't clear out spammers' use of long inactive accounts, i will escalate our security while doing my best to not reduce the convenience level we currently have.
How do i get out of the trap?
Two options:
1) Set a new password:
1) PM a staff member asking to reset your password for you.
In this case, we'll verify some information and then reset it for you.
What else can i do to increase security?
If you wish to increase your account's security level, i recommend turning on the email-based 2FA. We have tried that feature at the moderator team level and found it to work pretty well. You can change those settings here: https://endless-sphere.com/sphere/account/security
We've been having problems with 'credential stuffing' on this site, where a spammer will do a brute force attack on the login page with known, previously breached usernames and passwords to try to get access to accounts to spam us with.
This kind of attack has a high success rate and relies on users neglecting their security ( and a lot of people do that, so.. )
Many members ( 100% of the victims so far don't use the site much and have just a few posts ) set a weak password on this site, or never changed theirs after a breach and have been re-using that username/password on other sites/ours. This makes the spammers' job really easy because anyone can buy or download list of compromised passwords from all kinds of sites these days.
To stem the tide of these accounts from being unlocked and used for spammage ( then getting banned since we usually have no option ), i've added the have i been pwned service to our system which checks hashed partial password input against databases of known hacked passwords. It's similar to how the hacked password protection works in google chrome, and in this instance, because irreversible hashes of partial passwords are being sent, and compared, we don't accidentally end up compromising our user's security in order to gain security.
In addition, we now set a minimum password length and complexity for all new passwords going forward. And also added much stricter server-level protection against brute force attacks.
What does the trap look like if i fall in?
If you have a username/password combination known to be hacked on another website, the system will eventually require that you reset your password.
The indication isn't exactly clear, but the symptom that you will be that you are logged in but can't post.
If this doesn't clear out spammers' use of long inactive accounts, i will escalate our security while doing my best to not reduce the convenience level we currently have.
How do i get out of the trap?
Two options:
1) Set a new password:
1) PM a staff member asking to reset your password for you.
In this case, we'll verify some information and then reset it for you.
What else can i do to increase security?
If you wish to increase your account's security level, i recommend turning on the email-based 2FA. We have tried that feature at the moderator team level and found it to work pretty well. You can change those settings here: https://endless-sphere.com/sphere/account/security
Last edited:
I'm not too sure if I still remember what it is. It's been awhile...
