Happy Atheist Forum

Getting To Know You => Ask HAF => Topic started by: Whitney on January 04, 2011, 06:12:05 PM

Title: Forum Security Updates
Post by: Whitney on January 04, 2011, 06:12:05 PM
For the time being I have made it a requirement that all new user passwords contain letter and numbers.  

You will also be forced to change your password every [strike]30[/strike] 365 days. (But if you are 'under attack' you should change it more often... Policy with hacked accounts is to ban them till the correct owner can be figured out.)

Max login attempts before captcha is changed to 1.

I suggest that if you are one of the people getting the exceeded mass login attempts notice that you change your password more often or make it really long to lessen the chance of it being broken.

I also found a button I could tick that checks IPs against a spam database; so I set that to yes.  It might help cut down on the spam we get every now and then.
Title: Re: Forum Security Updates
Post by: LegendarySandwich on January 04, 2011, 06:13:17 PM
We'll be forced to change our password every month? Really? My password right now is really secure...I doubt anyone will ever crack it. Do I have to create a new password?
Title: Re: Forum Security Updates
Post by: KDbeads on January 04, 2011, 06:13:34 PM
Did we just have to reset our passwords because of this, like 2 minutes ago?  Just want to be sure since I hadn't been having trouble until now!
Title: Re: Forum Security Updates
Post by: MariaEvri on January 04, 2011, 06:29:21 PM
Quote from: "KDbeads"Did we just have to reset our passwords because of this, like 2 minutes ago?  Just want to be sure since I hadn't been having trouble until now!

Yeah, it took me a while to understand what was going on, but finally I changed my password and I managed to log in...
Title: Re: Forum Security Updates
Post by: Whitney on January 04, 2011, 06:37:03 PM
Those that didn't have a complex password couldn't change their password, so I took off the complex requirement (people should still use complex passwords; at some point I will make that a requirement again, and those that don't have complex alphanumeric passwords won't be able to log in without help).

You can theoretically change your password to the same password (I think). This is not advised unless you are really confident in how secure your password is.  I'm using a really complex password and plan to change it very frequently until this hacker threat passes, since if my account gets hacked it will be a huge pain in the ass to recover it (in the event that it does happen I will pull the plug on the board while I'm fixing it so that no further damage can be done; I am making more frequent board backups too, just in case).

I had to do something to make sure everyone changed their passwords to something new; this is just a temporary thing, eventually they'll get tired of trying to crack the accounts.  I'll go ahead and change it to 365 days so it only forces it every year but still makes everyone have to have a new password today.
Title: Re: Forum Security Updates
Post by: Tank on January 04, 2011, 08:39:16 PM
:pop:
Title: Re: Forum Security Updates
Post by: Velma on January 04, 2011, 10:59:45 PM
Quote from: "Whitney"Those that didn't have a complex password couldn't change their password, so I took off the complex requirement (people should still use complex passwords; at some point I will make that a requirement again, and those that don't have complex alphanumeric passwords won't be able to log in without help).

You can theoretically change your password to the same password (I think). This is not advised unless you are really confident in how secure your password is.  I'm using a really complex password and plan to change it very frequently until this hacker threat passes, since if my account gets hacked it will be a huge pain in the ass to recover it (in the event that it does happen I will pull the plug on the board while I'm fixing it so that no further damage can be done; I am making more frequent board backups too, just in case).

I had to do something to make sure everyone changed their passwords to something new; this is just a temporary thing, eventually they'll get tired of trying to crack the accounts.  I'll go ahead and change it to 365 days so it only forces it every year but still makes everyone have to have a new password today.
I don't blame you.  I was on staff at a forum when a hacker got the password for the site admin (the forum was just one part of a larger site).  What a nightmare that was!!  

Everyone should watch out for phishing scams - any communication that claims to be from HAF that asks for your password should be deleted without clicking on any links.
Title: Re: Forum Security Updates
Post by: KDbeads on January 04, 2011, 11:56:09 PM
Quote from: "Whitney"Max login attempts before captcha is changed to 1.
Hmmmmmmmmmmmmm.......

I just had to do the whole security thingy, me thinks le-hacker is now trying to use me  :mad:
Title: Re: Forum Security Updates
Post by: terranus on January 06, 2011, 04:02:10 PM
Think someone tried to hack my account. Got captcha'd on the way in today.
Title: Re: Forum Security Updates
Post by: Will on January 06, 2011, 11:44:42 PM
Thanks for the new policy, Whitney. While it might seem a bit frustrating, the security of accounts is important. I see it as analogous to preventing identity theft IRL.
Title: Re: Forum Security Updates
Post by: Tank on January 07, 2011, 10:21:44 AM
Since the log in attempts have been dropped to one I have buggered up logging in 4 out of 5 times so far :upset:
Title: Re: Forum Security Updates
Post by: The Magic Pudding on January 07, 2011, 10:47:09 AM
Quote from: "Tank"Since the log in attempts have been dropped to one I have buggered up logging in 4 out of 5 times so far :upset:

Yes I've had some trouble passing as human, it's not easy being a pudding.
I suspect the cracked password was very simple.
I changed my password once, but I don't plan on doing it again soon; it's 20+ characters, some upper-case, some numerical, no special characters though.
Title: Re: Forum Security Updates
Post by: terranus on January 07, 2011, 02:26:09 PM
Quote: "no special characters though"

Can we use special characters in our passwords? I imagine that would help increase their overall strength.
Title: Re: Forum Security Updates
Post by: McQ on January 07, 2011, 03:17:29 PM
Quote from: "terranus"
Quote: "no special characters though"

Can we use special characters in our passwords? I imagine that would help increase their overall strength.

Yes, and I recommend doing so in every password you use on the Internet. Our hacker is a rank amateur, but others out there are more sophisticated, and getting more so every day. Special characters strengthen a password and make it harder to crack.
Title: Re: Forum Security Updates
Post by: terranus on January 09, 2011, 11:15:17 PM
Cool. Yeah I usually do use special characters but I didn't know if this board supported it or not.

Thanks!
Title: Re: Forum Security Updates
Post by: TheWilliam on January 09, 2011, 11:39:20 PM
Damn. So in thirty days I have to lose my favorite forum and go back to posting with the short bus crowd.
Title: Re: Forum Security Updates
Post by: Whitney on January 10, 2011, 12:40:36 AM
Quote from: "TheWilliam"Damn. So in thirty days I have to lose my favorite forum and go back to posting with the short bus crowd.

?
Title: Re: Forum Security Updates
Post by: Tank on January 10, 2011, 12:21:28 PM
I think something is still 'pecking' at the passwords as I have tried to get in twice today and in both cases I got the 'exceeded attempts' message even though I was very careful to enter my details correctly.
Title: Re: Forum Security Updates
Post by: OldGit on January 10, 2011, 01:34:24 PM
Something is going on.  Yet again I had the devil of a job to get in today and had to do about five captchas - very carefully - before I finally got in.
Then the same thing happened to me on the Venganza forum, which is also a php board.  I've never had that before.

So, is our phantom attacker going for other forums, or is there a fault with the boards?
Title: Re: Forum Security Updates
Post by: Tank on January 10, 2011, 03:00:17 PM
Quote from: "OldGit"Something is going on.  Yet again I had the devil of a job to get in today and had to do about five captchas - very carefully - before I finally got in.
Then the same thing happened to me on the Venganza forum, which is also a php board.  I've never had that before.

So, is our phantom attacker going for other forums, or is there a fault with the boards?
I'm not experiencing this on the other atheist forum I frequent and they are phpBB driven so I assume it's some bot focussing on us for some reason.
Title: Re: Forum Security Updates
Post by: OldGit on January 10, 2011, 05:09:42 PM
This link was posted on Venganza, where a lot of people have had trouble today.

http://sharethefiles.com/forum/viewtopic.php?f=85&t=186493
Title: Re: Forum Security Updates
Post by: lookitsaustin on January 11, 2011, 02:12:07 PM
Is there a password length max? I could come up with something really long if we can use special characters too. As of right now my password is insanely long because Gawen told me that accounts here try to get hacked a lot.
Title: Re: Forum Security Updates
Post by: Whitney on January 11, 2011, 02:17:19 PM
Quote from: "lookitsaustin"Is there a password length max? I could come up with something really long if we can use special characters too. As of right now my password is insanely long because Gawen told me that accounts here try to get hacked a lot.

This is only a recent problem that started last month.

I don't know if there is a length max; it doesn't say there is in the settings.  Those that know more about this than me seem to think a typically strong password that includes special characters in addition to mixed case is sufficient.
Title: Re: Forum Security Updates
Post by: Davin on January 11, 2011, 02:24:33 PM
Quote from: "Whitney"
Quote from: "lookitsaustin"Is there a password length max? I could come up with something really long if we can use special characters too. As of right now my password is insanely long because Gawen told me that accounts here try to get hacked a lot.

This is only a recent problem that started last month.

I don't know if there is a length max; it doesn't say there is in the settings.  Those that know more about this than me seem to think a typically strong password that includes special characters in addition to mixed case is sufficient.
They're usually hashed, so there should be no hard limit. Things like an MD5 hash will turn anything into a 32 character string: 2GB Linux ISOs, 400 character passwords or even just one character strings. So I'm pretty sure you can have a really long password.
Title: Re: Forum Security Updates
Post by: Tank on January 11, 2011, 03:10:43 PM
As long as a password does not contain contiguous characters that form a word e.g. PASS2WORD, but is like Pa22W0Rd then you can rule out dictionary searches. The search then becomes a case of number crunching. If a password contains alphabetical characters, UPPER and lower case and numeric characters then each character in a password can have 26 + 26 + 10 characters, 62 possible characters in any one place. Each character in the password is theoretically one of those 62 options.

Thus the number of possible combinations for passwords for a given number of characters is:

(Image: "passwordb.jpg", a table of possible combinations and time to try them all for each password length, originally hosted at http://img96.imageshack.us/img96/3355/passwordb.jpg)

The times are based on a system capable of making 1,000,000 attempts per second.

Thus a random 8 character password could take up to 7 years to crack if the last combination were the correct combination. But any one attempt would have a 218,340,105,584,896:1 chance of being correct. The odds of winning the UK national lottery are 14,000,000:1. So a random combination is best for a password but poor for memorising. Thus avoid any combination of values likely to be available to hackers even by guesswork.

Adding special characters makes shorter passwords more effective, but if you create a password relating to real world entities a human mind may well crack it regardless of the characters used. I would suspect we are being attacked by a human, not a bot, so I'm sure that pure random passwords like 8K3f800e are the best way to go, but ha99yAthEIST, while longer and thus more effective against a brute force attack, would not be a good idea when faced with a human hacker.
Title: Re: Forum Security Updates
Post by: Whitney on January 11, 2011, 04:58:51 PM
Quote from: "Tank"I would suspect we are being attacked by a human not a bot

I would agree; if it were a bot I would have to put in the captcha every time I sign in (because my 1 attempt to sign in correctly would have already been used up by the bot).  I only have to do it once or twice a day.
Title: Re: Forum Security Updates
Post by: metaed on January 11, 2011, 07:42:52 PM
Tank's chart does not take into consideration that technology will get faster over time. Let us say that every 1.5 years it should become possible to make about twice as many attempts per second as before (approximation of Moore's Law). And let's preserve Tank's other assumptions:
It may surprise you to learn that the time to try all long passwords of N digits becomes a constant: about 8.9 years per digit.

The time to try all 8 digit passwords goes from 7 years to 4 years. The time to try all 9 digit passwords goes from 430 years to 12 years. And the time to try all 10 digit passwords goes from 26687 years to 21 years!

Now notice: because of the progressive speedup of technology, you will have only gotten half the work done when you have 1.5 years of work left. But you'll still finish the job in the last 1.5 years. This suggests a much cheaper strategy for trying all N digit passwords: figure out when you'd be done if you started now. Start then, and you'll be completely done only 1.5 years later than if you started now.

Cheers,

MetaEd

P.S. Odds are that anyone who tries to brute force my password will only succeed long after I'm dead.
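Tank's 62^N arithmetic and metaed's doubling-rate correction, carried through in a short script. This is an added example, not code from either poster; it assumes 365.25-day years and, following metaed's description, a guess rate that is constant within each 1.5-year period and doubles at the period boundary, which reproduces the 7/430 and 4/12/21-year figures quoted in the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALNUM = 26 + 26 + 10   # upper + lower + digits, the 62-symbol alphabet in Tank's post
PRINTABLE = 94         # printable ASCII minus space: adds the "special characters"


def combinations(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_fixed_rate(alphabet_size, length, attempts_per_second=1_000_000):
    """Years to exhaust the whole keyspace at a constant guessing rate (Tank's chart)."""
    return combinations(alphabet_size, length) / attempts_per_second / SECONDS_PER_YEAR


def years_with_doubling(alphabet_size, length, attempts_per_second=1_000_000,
                        doubling_years=1.5):
    """Years to exhaust the keyspace when the rate doubles every `doubling_years`
    (metaed's model, assumed here: rate constant inside each period).
    After n periods the attacker has done rate * P * (2**n - 1) guesses, so n
    is solved for in closed form and scaled back to years."""
    base_years = years_fixed_rate(alphabet_size, length, attempts_per_second)
    periods = math.log2(1 + base_years / doubling_years)
    return periods * doubling_years


def years_per_extra_character(alphabet_size, doubling_years=1.5):
    """Asymptotic cost of one more character under the doubling model: the keyspace
    grows by `alphabet_size`, i.e. log2(alphabet_size) more doubling periods.
    For 62 symbols this is the ~8.9 years metaed quotes."""
    return doubling_years * math.log2(alphabet_size)


if __name__ == "__main__":
    # Offline brute-force estimates only: the forum's "1 attempt before captcha"
    # setting caps online guessing far below 1,000,000 attempts per second.
    print(f"{'alphabet':>8} {'len':>3} {'combinations':>24} {'fixed yrs':>12} {'doubling yrs':>13}")
    for size in (ALNUM, PRINTABLE):
        for length in (8, 9, 10, 12):
            print(f"{size:>8} {length:>3} {combinations(size, length):>24,} "
                  f"{years_fixed_rate(size, length):>12.1f} "
                  f"{years_with_doubling(size, length):>13.1f}")
    print(f"years per extra alphanumeric character: {years_per_extra_character(ALNUM):.1f}")
```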
Title: Re: Forum Security Updates
Post by: metaed on January 11, 2011, 07:56:56 PM
Quote from: "Whitney"I would agree; if it were a bot I would have to put in the captcha every time I sign in (because my 1 attempt to sign in correctly would have already been used up by the bot).  I only have to do it once or twice a day.
Bots sometimes try to avoid detection by operating at a slower speed than what they're capable of.
Title: Re: Forum Security Updates
Post by: Tank on January 11, 2011, 08:07:55 PM
Quote from: "metaed"Tank's chart does not take into consideration that technology will get faster over time. {snip}
I was just offering an insight, not writing a thesis. So please don't assume why I left out some points simply to create a presentable post relevant to the audience.
Title: Re: Forum Security Updates
Post by: Whitney on January 11, 2011, 08:09:04 PM
Quote from: "metaed"
Quote from: "Whitney"I would agree; if it were a bot I would have to put in the captcha every time I sign in (because my 1 attempt to sign in correctly would have already been used up by the bot).  I only have to do it once or twice a day.
Bots sometimes try to avoid detection by operating at a slower speed than what they're capable of.

Oh, ya that would make sense too.

My pw is pretty long, contains no real words, no numbers that mean anything, and is mixed case....so I think I'm okay.  I can't even remember the damned thing.
Title: Re: Forum Security Updates
Post by: Asmodean on January 12, 2011, 11:27:08 AM
Had some trouble with CAPTCHA myself. Turns out it's because your input is case-sensitive while the image from which to read the characters is less so.
Title: Re: Forum Security Updates
Post by: The Magic Pudding on January 12, 2011, 01:03:01 PM
Quote from: "Asmodean"Had some trouble with CAPTCHA myself. Turns out it's because your input is case-sensitive while the image from which to read the characters is less so.

It is reassuring others are having problems with CAPTCHA.
I've been practising standing on one foot and emptying my mind of dancing bananas.
Title: Re: Forum Security Updates
Post by: Asmodean on January 12, 2011, 04:12:24 PM
That works... OR we could try and get a captcha which is better in relation to case.
Title: Re: Forum Security Updates
Post by: Whitney on January 12, 2011, 06:57:44 PM
I think you both need glasses  :D

I can get it most of the time on first try...you should have seen it before I made it easier!
Title: Re: Forum Security Updates
Post by: Thumpalumpacus on January 12, 2011, 11:10:42 PM
I haven't had any issues at all.  I have "log me in automatically" checked.

Over at TAF, I have been queried twice last week, and one valued member has been locked out of his account.  I'm not sure if it is related, but the timing seems odd; and we're a php board there as well.  I have let the rest of the staff there know about these issues here.  With your permission, Whitney, I'd like to link to this thread in our TAF Staff thread so that our Admin can get an overview of what's happening here, for himself.

TIA.
Title: Re: Forum Security Updates
Post by: Whitney on January 13, 2011, 12:54:08 AM
Quote from: "Thumpalumpacus"Whitney, I'd like to link to this thread in our TAF Staff thread so that our Admin can get an overview of what's happening here, for himself.

Yes, that would be fine.
Title: Re: Forum Security Updates
Post by: terranus on January 16, 2011, 04:13:50 AM
Takes me 2 tries to login almost every time. And I have 20/20 vision.
Title: Re: Forum Security Updates
Post by: Tank on January 18, 2011, 01:55:24 PM
Did we just get a denial of service attack or was it just a glitch of some kind?
Title: Re: Forum Security Updates
Post by: Velma on January 18, 2011, 03:40:06 PM
I haven't been able to get on since sometime yesterday.
Title: Re: Forum Security Updates
Post by: Whitney on January 18, 2011, 03:42:36 PM
Quote from: "Velma"I haven't been able to get on since sometime yesterday.

There were too many users logged in (I'm assuming it was an attack and not actually too many real users) and it caused a sql error...no one could get on.

Not the first time it has happened and probably not the last.
Title: Re: Hi ppl I'm new here
Post by: Tank on January 31, 2011, 10:28:07 AM
Quote from: "ACXICAC"Hi, i found this place on  //google and i enjoy it so far :)
This is Spam, the link goes to a sales site. Post reported. Hopefully user will be deleted swiftly.
Title: Re: Forum Security Updates
Post by: Asmodean on January 31, 2011, 10:55:17 AM
Quote from: "Whitney"
Quote from: "Velma"I haven't been able to get on since sometime yesterday.

There were too many users logged in (I'm assuming it was an attack and not actually too many real users) and it caused a sql error...no one could get on.

Not the first time it has happened and probably not the last.
You should also check SE crawler activity. I've been told they can on occasion overload a forum. However, I find it unlikely since they are supposed to be made as discreet as possible bandwidth-wise.

What is the connection limit here?