Forum Security Updates

Started by Whitney, January 04, 2011, 06:12:05 PM

Whitney

For the time being I have made it a requirement that all new user passwords contain letters and numbers.

You will also be forced to change your password every [strike]30[/strike] 365 days. (but if you are 'under attack' you should change it more often...policy with hacked accounts is to ban them till the correct owner can be figured out)

Max login attempts before captcha is changed to 1.

I suggest that if you are one of the people getting the exceeded mass login attempts notice that you change your password more often or make it really long to lessen the chance of it being broken.

I also found a button I could tick that checks IPs against a spam database; so I set that to yes.  It might help cut down on the spam we get every now and then.

LegendarySandwich

We'll be forced to change our password every month? Really? My password right now is really secure...I doubt anyone will ever crack it. Do I have to create a new password?

KDbeads

Did we just have to reset our passwords because of this, like 2 minutes ago?  Just want to be sure since I hadn't been having trouble until now!
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. - Douglas Adams

MariaEvri

Quote from: "KDbeads"
Did we just have to reset our passwords because of this, like 2 minutes ago?  Just want to be sure since I hadn't been having trouble until now!

Yeah, took me a while to understand what was going on, but finally I changed my password and I managed to log in...
God made me an atheist, who are you to question his wisdom!
www.poseidonsimons.com

Whitney

Those that didn't have a complex password couldn't change their password so I took off the complex requirement (people should still use complex passwords; at some point I will make that a requirement again and those that don't have complex alphanumeric passwords won't be able to log in without help).

You can theoretically change your password to the same password (I think). This is not advised unless you are really confident in how secure your password is.  I'm using a really complex password and plan to change it very frequently until this hacker threat passes since if my account gets hacked it will be a huge pain in the ass to recover it (in the event that it does happen I will pull the plug on the board while I'm fixing it so that no further damage can be done; I am making more frequent board backups too just in case).

I had to do something to make sure everyone changed their passwords to something new; this is just a temporary thing, eventually they'll get tired of trying to crack the accounts.  I'll go ahead and change it to 365 days so it only forces it every year but still makes everyone have to have a new password today.

Tank

If religions were TV channels atheism is turning the TV off.
"Religion is a culture of faith; science is a culture of doubt." ― Richard P. Feynman
'It is said that your life flashes before your eyes just before you die. That is true, it's called Life.' - Terry Pratchett
Remember, your inability to grasp science is not a valid argument against it.

Velma

Quote from: "Whitney"
Those that didn't have a complex password couldn't change their password so I took off the complex requirement (people should still use complex passwords; at some point I will make that a requirement again and those that don't have complex alphanumeric passwords won't be able to log in without help).

You can theoretically change your password to the same password (I think). This is not advised unless you are really confident in how secure your password is.  I'm using a really complex password and plan to change it very frequently until this hacker threat passes since if my account gets hacked it will be a huge pain in the ass to recover it (in the event that it does happen I will pull the plug on the board while I'm fixing it so that no further damage can be done; I am making more frequent board backups too just in case).

I had to do something to make sure everyone changed their passwords to something new; this is just a temporary thing, eventually they'll get tired of trying to crack the accounts.  I'll go ahead and change it to 365 days so it only forces it every year but still makes everyone have to have a new password today.

I don't blame you.  I was on staff at a forum when a hacker got the password for the site admin (the forum was just one part of a larger site).  What a nightmare that was!!

Everyone should watch out for phishing scams - any communication that claims to be from HAF that asks for your password should be deleted without clicking on any links.
Life is but a momentary glimpse of the wonder of the astonishing universe, and it is sad to see so many dreaming it away on spiritual fantasy.~Carl Sagan

KDbeads

Quote from: "Whitney"
Max login attempts before captcha is changed to 1.

Hmmmmmmmmmmmmm.......

I just had to do the whole security thingy, me thinks le-hacker is now trying to use me  :mad:

terranus

Think someone tried to hack my account. Got captcha'd on the way in today.
Trovas Veron!
--terranus | http://terranus.org--

Will

Thanks for the new policy, Whitney. While it might seem a bit frustrating, the security of accounts is important. I see it as analogous to preventing identity theft IRL.
I want bad people to look forward to and celebrate the day I die, because if they don't, I'm not living up to my potential.

Tank

Since the log in attempts have been dropped to one I have buggered up logging in 4 out of 5 times so far :upset:

The Magic Pudding

Quote from: "Tank"
Since the log in attempts have been dropped to one I have buggered up logging in 4 out of 5 times so far :upset:

Yes I've had some trouble passing as human, it's not easy being a pudding.
I suspect the cracked password was very simple.
I changed my password once, but I don't plan on doing it again soon, it's 20+ characters, some upper-case, some numerical, no special characters though.

terranus

Quote:
no special characters though

Can we use special characters in our passwords? I imagine that would help increase their overall strength.

McQ

Quote from: "terranus"
Quote:
no special characters though

Can we use special characters in our passwords? I imagine that would help increase their overall strength.

Yes, and I recommend doing so in every password you use on the Internet. Our hacker is a rank amateur, but others out there are more sophisticated, and getting more so every day. Special characters strengthen a password and make it harder to crack.
Elvis didn't do no drugs!
--Penn Jillette

terranus

Cool. Yeah I usually do use special characters but I didn't know if this board supported it or not.

Thanks!