Security Breach

joxer

The Smoker
Original Sin Donor
Original Sin 2 Donor
Joined
Apr 12, 2009
Messages
23,459
I did not resort to visiting the, well, other place.
Me neither. There are more than enough other places on the internet to occupy my interest(s).
 

Lazy_dog
RPGWatch Donor
Original Sin 2 Donor
Joined
Oct 20, 2006
Messages
7,758
Location
usa - no longer boston
Hash by itself is weak. You have to toss in some salt. Still if the algorithm is known it becomes weak for folks using weak passwords. Anyway there are many papers on the topic but brush up on your math. The best intercept is before the hash.

If you aren't already, you might consider investigating SHA-3 for secure hashing, although SHA-2 is still pretty good. :)
 

purpleblob

Guest
I know you didn't ask me, but I couldn't finish that review. I thought it was a load of pretentious tripe. And the Codex turns my stomach. It's just chock full of toadies so desperate to appear undeniably clever but not really having the chops. It's like 6th-grade chess club over there.

I can't finish their review most of the time...
 

Bundyo

Watchdog
Original Sin Donor
Original Sin 2 Donor
Joined
Nov 11, 2006
Messages
110
I got one too, in my spam folder…but I had accounts on all the thing listed. :/

This is a security check of whether the mail can be found in https://haveibeenpwned.com/. The data in there is real and means that your account has been the subject of a leak at some point in time. If you didn't change the passwords on those sites, it would be wise to do so. Also on any sites where you use the same passwords, if any. One can also subscribe on that site for security updates if a new leak is added.

On a different tune - I would rather like two factor authentication implemented on RPGWatch. :)
 

joxer

The Smoker
Original Sin Donor
Original Sin 2 Donor
Joined
Apr 12, 2009
Messages
23,459

Bundyo

Watchdog
Original Sin Donor
Original Sin 2 Donor
Joined
Nov 11, 2006
Messages
110
Which one? SMS with giving away my phone number? Never. Just no. I refused to do it on Steam and I constantly click skip everywhere that's bugging me with that notoriety.
https://www.kaspersky.com/blog/2fa-practical-guide/24219/
https://www.cnet.com/how-to/why-you-are-at-risk-if-you-use-sms-for-two-step-verification/

I'd rather leave a site or service before accepting SMS authentication.

The one in Steam doesn't work with SMSes - you need to use their mobile app for authentication. It is actually a form of time-based OTP (TOTP), so you can authenticate with any OTP generator that supports it, for instance KeePassXC.
 

rjshae

Periapt vs Paronomasia
RPGWatch Donor
Joined
Mar 22, 2012
Messages
5,386
Location
Seattle
Hash by itself is weak. You have to toss in some salt. Still if the algorithm is known it becomes weak for folks using weak passwords. Anyway there are many papers on the topic but brush up on your math. The best intercept is before the hash.

Yep. Ideally the password change page would include strength testing with an option for two-factor authentication and Captcha, then force everybody to change to the new standard.
 

Lazy_dog
RPGWatch Donor
Original Sin 2 Donor
Joined
Oct 20, 2006
Messages
7,758
Location
usa - no longer boston
Yep. Ideally the password change page would include strength testing with an option for two-factor authentication and Captcha, then force everybody to change to the new standard.

Yes, but for a forum like this that is probably overkill. I mean, the most they will get is your email, but then again if they stole the database they have your email...
 

Cacheperl

SasqWatch
Joined
May 18, 2012
Messages
2,315
Since the link posted here allows you to change passwords with only access to the old password... doesn't that put inactive / rarely used accounts at risk? Because they may not change their password in time?
 

joxer

The Smoker
Original Sin Donor
Original Sin 2 Donor
Joined
Apr 12, 2009
Messages
23,459
The one in Steam doesn't work with SMSes - you need to use their mobile app for authentication. It is actually a form of time-based OTP (TOTP), so you can authenticate with any OTP generator that supports it, for instance KeePassXC.
To use Steam phone malware for authentication you need to give them your phone number.
It's called Steam Guard and the first thing it asks you is to provide them the phone number so they can sell it to 3rd parties.
 

Capt. Huggy Face

Troll Aspiring to Responsibility
Original Sin Donor
Original Sin 2 Donor
Joined
Sep 16, 2010
Messages
4,812
I'm so sick of every damn Web-based account I have hounding me for my phone number, which I never give them.
 

Corwin

On The Razorblade of Life
Staff Member
Moderator
Joined
Aug 31, 2006
Messages
12,592
Location
Australia
I'm one of those troglodytes who doesn't own a mobile/cell phone, so I can't do any form of SMS!! :D Ah the joys of being old!!!! :)
 

HiddenX

The Elder Spy
Staff Member
Original Sin Donor
Original Sin 2 Donor
Joined
Oct 18, 2006
Messages
16,455
Location
NRW/Germany
I'm one of those troglodytes who doesn't own a mobile/cell phone, so I can't do any form of SMS!! :D Ah the joys of being old!!!! :)

Then we are the last two on Earth without one. :)
 

Myrthos

Cave Canem
Joined
Aug 30, 2006
Messages
11,212
Since the link posted here allows you to change passwords with only access to the old password… doesn't that put inactive / rarely used accounts at risk? Because they may not change their password in time?
No, as changing your password means you are sent an email, with a link you need to click in order to activate the change.
 

Bundyo

Watchdog
Original Sin Donor
Original Sin 2 Donor
Joined
Nov 11, 2006
Messages
110
Just trying to say that there is no need for a phone number and SMSes for two factor authentication and increased security. A simple TOTP generator can be used for authentication (which does basically the same as your bank login tokens) - like how for instance 2FA is implemented in the completely OSS Mastodon and GitLab.
 

figment

Keeper of the Watch
Original Sin Donor
Original Sin 2 Donor
Joined
Apr 23, 2010
Messages
688
Not familiar with that specific mod but I've implemented TOTP with QR code for in-house tools and now that I'm familiar with it I would be willing to use it here. I don't like email or SMS variants because it can be annoying to get to when needed. Not putting my phone number out there regardless as I get enough spam on my phone and it is harder to ignore than email.

There are many free clients for TOTP from Microsoft, Google, Red Hat, including ones for Windows and iOS. Desktop clients are hard to use with just a QR code as there is no camera, but with the URI and copy+paste they are fine.

Also I thought self-salting systems like argon2, bcrypt or scrypt are current security hashing recommendations, though bcrypt is no longer generally recommended but better than sha+salt. But again it's not like my bank account info is stored here so not too worried either way.
 
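Lazy_dog's point earlier in the thread that a bare hash is weak, that salt only helps so much against weak passwords, and figment's remark that self-salting KDFs like scrypt/bcrypt/argon2 are the current recommendation over sha+salt, as an added example that is not code from this thread. It shows the three storage schemes side by side and runs a dictionary attack against the first two, so the difference in attacker cost is visible: one shared lookup table cracks every unsalted user, per-user salt forces the wordlist to be re-hashed per account but each try is still a fast SHA-256, and the KDF makes each try cost what the server pays at login. The wordlist and user records are constructed for the example; the record format 'kdf$salt$hash' is an assumption, not any forum software's real format.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a cracking dictionary; real ones hold millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2"]

# hashlib.scrypt needs OpenSSL 1.1+; fall back to PBKDF2 on older builds. PBKDF2 is not
# memory-hard, so its iteration count has to carry all of the cost on its own.
KDF = "scrypt" if hasattr(hashlib, "scrypt") else "pbkdf2"


def unsalted_sha256(password: str) -> str:
    """'Hash by itself': identical passwords give identical digests across all users."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Per-user salt defeats a shared precomputed table, but the hash is still fast, so an
    attacker holding the leaked salt can try millions of guesses per second per account."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def kdf_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted KDF: every guess costs the attacker roughly what a login costs the server."""
    if KDF == "scrypt":
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, dklen=32)


def store(password: str) -> str:
    """Assumed record format: '<kdf>$<salt hex>$<hash hex>' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    return f"{KDF}${salt.hex()}${kdf_hash(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    scheme, salt_hex, hash_hex = record.split("$")
    if scheme != KDF:
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = kdf_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def crack_unsalted(leaked: dict) -> dict:
    """leaked: {user: sha256 hex}. The table is computed once and looked up per user."""
    table = {unsalted_sha256(w): w for w in WORDLIST}
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_salted(leaked: dict) -> tuple:
    """leaked: {user: (salt, sha256 hex)}. The wordlist must be re-hashed for every user;
    returns (recovered passwords, number of hash operations spent)."""
    found, ops = {}, 0
    for user, (salt, h) in leaked.items():
        for w in WORDLIST:
            ops += 1
            if salted_sha256(w, salt) == h:
                found[user] = w
                break
    return found, ops


if __name__ == "__main__":
    # Constructed leak: two users share a weak password, one chose a passphrase.
    plain = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    print("unsalted:", crack_unsalted({u: unsalted_sha256(p) for u, p in plain.items()}))
    salted = {u: (secrets.token_bytes(16), None) for u in plain}
    salted = {u: (s, salted_sha256(plain[u], s)) for u, (s, _) in salted.items()}
    print("salted:", crack_salted(salted))
    rec = store("hunter2")
    print(rec, verify("hunter2", rec), verify("hunter3", rec))
```

The KDF does not rescue "hunter2" either: a dictionary word falls to any scheme once the attacker is willing to spend the per-guess cost, which is why the strength check rjshae suggests matters more than the choice of hash for the weakest accounts. What the KDF buys is that every other account is no longer cracked for free alongside them.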