New password policy & account lockout

neptronix

neptronix

Administrator
Staff member
Joined
Jun 15, 2010
Messages
20,423
Location
Utah, USA
What's going on:

We've been having problems with 'credential stuffing' on this site, where a spammer will do a brute force attack on the login page with known, previously breached usernames and passwords to try to get access to accounts to spam us with.

This kind of attack has a high success rate and relies on users neglecting their security ( and a lot of people do that, so.. )

Many members ( 100% of the victims so far don't use the site much and have just a few posts ) set a weak password on this site, or never changed theirs after a breach and have been re-using that username/password on other sites/ours. This makes the spammers' job really easy because anyone can buy or download list of compromised passwords from all kinds of sites these days.

To stem the tide of these accounts from being unlocked and used for spammage ( then getting banned since we usually have no option ), i've added the have i been pwned service to our system which checks hashed partial password input against databases of known hacked passwords. It's similar to how the hacked password protection works in google chrome, and in this instance, because irreversible hashes of partial passwords are being sent, and compared, we don't accidentally end up compromising our user's security in order to gain security.

In addition, we now set a minimum password length and complexity for all new passwords going forward. And also added much stricter server-level protection against brute force attacks.


What does the trap look like if i fall in?

If you have a username/password combination known to be hacked on another website, the system will eventually require that you reset your password.

The indication isn't exactly clear, but the symptom that you will be that you are logged in but can't post.

If this doesn't clear out spammers' use of long inactive accounts, i will escalate our security while doing my best to not reduce the convenience level we currently have.


How do i get out of the trap?

Two options:
1) Set a new password:

1721858496065.png


1) PM a staff member asking to reset your password for you.
In this case, we'll verify some information and then reset it for you.


What else can i do to increase security?

If you wish to increase your account's security level, i recommend turning on the email-based 2FA. We have tried that feature at the moderator team level and found it to work pretty well. You can change those settings here: https://endless-sphere.com/sphere/account/security
 
Last edited:
How do we know this is the REAL NEPTRONIX... posting this.. and not some kind of savvy spammy rAi computer robot posing as Nep?


Huh? Huh?

Lol.
 
I'm going to be honest, that's going to be a problem someday :eek:
 
nicobie said:
I have had the same 4 character long password here since this forum was started. Do I need a new one now?
Click to expand...

Yes, that's way too weak.
 
I really hope you're pulling my chain dude 🧐
 
have been hacked yesterday and my email also i asked help but you didn't reply to me
 
Hi, i can't seem to find any help requests from you, not sure where you sent them.

Will respond via pm.
 
neptronix said:
I'm going to be honest, that's going to be a problem someday :eek:
Click to expand...

Though might not be feasible here, thought to share: Linux Kernel developers use PGP keys cross-signed by other members creating a web of trust to verify the identity

Dunno how to prove I am I :mad:
 
Last edited:
chuyskywalker said:
It's ok, my password is HUNTER2 which is automatically censored, so no hacker can find it.
Click to expand...
OK chuyskywalker? Now you've done it. Thought I would test your password that you shared with every human and computer with a internet connection. I signed out as marty. tried to sign in again using:

chuyskywalker + HUNTER2 it did not work?

Then I had to sign in again.

Your account is currently security locked and you need to reset your password to login. A password reset request has been emailed to you. Please follow the instructions in that email.
Click to expand...

I had the easiest to remember password of every website on planet earth. It was one digit! Yep Nep. 1 digit as in one number. Sorry I can share this password. Top secret! If I told anyone I would have to kill them.

Now for the adventure of creating a new password. I need another password like I need more information to forget.

Lets try a new one digit password?

Oops! We ran into some problems.
Password must be at least 10 characters long.
Click to expand...

OK lets try 0000000000

Oops! We ran into some problems.
Your password is too weak.
Click to expand...

I can count 10 letters. Try espassword

This password is similar to a commonly used password.
Click to expand...

Marty uses a big old computer here. Lets try the top row of letters on my keyboard? qwertyuiop

This password appears in the Top 100 most common passwords list.
Click to expand...

Wow! I should win a prize for guessing every one else's password. Just to let it be known the very best password is password all lower case letters. Yep - password. If you can't guess that? You probably should not word for the FBI.

Done! I now have a all new hard to remember password.

Serious Question? If I used the same password that I use to access my bank account. Could someone deep into the inner workings of Endless-Sphere software see all the members passwords and try to hack into their bank accounts and steal all the money?
 
afzal said:
Though might not be feasible here, thought to share: Linux Kernel developers use PGP keys cross-signed by other members creating a web of trust to verify the identity
Click to expand...

Adapting this to work on a website instead of a git repo or email client would be very difficult.

afzal said:
Dunno how to prove I am I :mad:
Click to expand...

Yes, huge problem that the entire internet is going to have to figure out soon.

marty said:
Wow! I should win a prize for guessing every one else's password. Just to let it be known the very best password is password all lower case letters. Yep - password. If you can't guess that? You probably should not word for the FBI.
Click to expand...

FYI, the '100 most used passwords' comes from not our own password database but from the haveibeenpwned service's ~13 billion leaked username/password combinations.

There is a reference for the top 100 used passwords:
SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt at master · danielmiessler/SecLists

marty said:
Serious Question? If I used the same password that I use to access my bank account. Could someone deep into the inner workings of Endless-Sphere software see all the members passwords and try to hack into their bank accounts and steal all the money?
Click to expand...

It's technically possible for any website operator to do this. But the more likely thing is that the website operator didn't keep the security of the platform up to date, the site got hacked, the hacker decrypted the passwords, attempted to blackmail the website operator, and posted them online if the ransom wasn't paid.

We have above average security for an internet forum, a low value to hackers, we keep things up to date, and the people who run this site are good people, But you should never trust any website with your bank password other than your bank.
 
Last edited:
neptronix said:
Adapting this to work on a website instead of a git repo or email client would be very difficult.
Click to expand...
What I had in mind was email associated with ES to verify the identity in case of a necessity, though personal signed email exchange would be required - an inelegant solution.

I don't know whether it would be possible for the forum posting to leverage signed email capability, even if that is possible, it would be very difficult.
 
Last edited:
Oh, i see.
Yeah, i would expect most users to lose their PGP key, even if we could get them to somehow make one.

Yeah, your results are no surprise. Many of my emails got in a data breach at some point in time. Few systems are safe in the current cyberwar. Microsoft's email systems got blown open 3 times in the last 12 months.

Any internet user is advised to take security pretty seriously these days.
 
Hey yall, updated the main post.

Also updated the password lockout mechanism, it still prevents you from posting and editing things, but you can still message a member of staff if you need help. Most people opened a new account to message me or post on the forum that they needed help, so it's now easier to get out of compromised password hell.

Even though the security measures have been a pain in the ass ( i've had to save 5 people so far ), the incidence rate of account takeover due to weak or compromised passwords & then those accounts being repurposed to emit spam seems to be zero since this was instituted. Not bad!
 
I didn't and still don't like the idea of somebody here cutting me off from this forum in order to save ME from something I don't think is important. I mean the only person who would be harmed would be ME anyway. This is just one more reason that I quit being a moderator.

Thanks for nothing neptronix.
 
We've had this same conversation 3 times, i sent you instructions on how to set a new password months ago, because yours was extremely insecure, and you ignored them, and have been fighting me for months.

I'm pretty tired of it, Nicobie. Please either follow my instructions and set an 8 character password, or drop the issue. It's getting reeally old.
 
Nicobie, you might not appreciate it, but I, and I'm sure many others also, do appreciate the fact that this forum can still exist/function and this is a credit to Nep's efforts to maintain a sane level of security on the platform.
We don't care if you have low security for yourself, but if that low security could impact others then it does matter.

It's a bit like how I've heard many (typically from older generations) claim that they don't care if all the corporations get their data, or they don't care if they get hacked as they've got nothing to loose. That may all be true, but once I point out to them that their lax security could easily lead to hackers impersonating them and extorting their family members for money, they usually change tune.

Cheers
 
My family members have a high enough IQ to not have this problem. If you need to try to stop bad things happening to others that are incapable of taking care of themselves, I wish you the best of luck. So far our governments can't do it.
 
Nick, if somebody cracks your password and starts spewing spam all over the place, all of us are inconvenienced. I'd rather have you type a slightly longer password than me dealing with the fallout from your account getting hacked.
Alternatively, you could also invest in a free password manager ;)
 
You must log in or register to reply here.

Similar threads

neptronix
  • Locked
Endless Sphere 2.0 Preview - please provide feedback!
2 3 4 5
Replies
101
Views
9,423
neptronix
neptronix
neptronix
    • Like
  • Sticky
FAQ About ES 2.0
Replies
6
Views
4,192
neptronix
neptronix
neptronix
    • Like
Endless Sphere knowledgebase system ( zeropress ) and funding drive
2 3 4 5
Replies
104
Views
17,285
neptronix
neptronix
TylerDurden
Gizmodo / Gawker hacked - change yer passwords...
Replies
1
Views
678
grindz145
grindz145
mwkeefer
Endless Sphere Real Time Chat, Virtual Meetings, and ?ore
Replies
12
Views
1,885
Evoforce
E
Back
Top