
GMC forums cyber attack.


235 replies to this topic

#101 cookieboy

cookieboy

    Seabass (The Human)

  • GMC Member
  • 747 posts
  • Version:GM:Studio

Posted 04 December 2015 - 01:47 AM

Oh, this again?

 

Sorry, I don't mean to cause a stink, but at this point, my GMC password literally resides in its own text file on my computer. It's a 256 character long alphanumeric string that I generated using random.org.

 

Needless to say, but I don't use the password anywhere else. So, since the hackers want it so badly, I'll save them a few trillion years. Here you go!

 

oB1LuAHvrtgYG83OZClg1P8ecEJQMROMVgAakuP2u4ywEdlB43wHSXeQsGbiiotZQChFSns5HoetIuBDwmBo6VaMjEAgZvZjwz1tV8Ke1Zv8kbceESYUoLjO07fz1ECh0ZHCeBShvF9oxdfq9g8blZGxmHL07kKZlbVNdVLtas9PR1SHbZxt8eycUh1wqt01qmZM6SGUSXYkqqPFrVyzCGFJTxbQYS8CtUTDqPtTO6xQewssxSwJ8ytUjsi3FyDX

 

Even more effective, my password is now your password except the ASCII number for each character. And then I used base64 encoding.


  • 0


Support a fellow GMC member? <3

http://store.steampo...com//app/357650


#102 Yal

Yal

    Even though the GMC may be gone, our love will prevail eternally

  • Global Moderators
  • 11774 posts
  • Version:GM:Studio

Posted 04 December 2015 - 01:56 AM

Mike will make sure your death is drawn out and painful. A dangerous game to play  :P

 

Yup, he'll hand over your execution to me :3 (I quite enjoyed drawing the Your Fault scenes~♫)


  • 2

- The above is my personal opinion and in no way representative of Yoyogames or the GMC, except when explicitly stated -

 

Open this spoiler for my games:

Spoiler

Some useful game engines, music and other resources at affordable prices:

My collection of game resources at itch.io

 

New user? Can't draw but want to look unique? You can request a new avatar in this thread!


#103 MikeDark_x

MikeDark_x

    The Shadow Angel

  • GMC Member
  • 470 posts
  • Version:Unknown

Posted 04 December 2015 - 02:56 AM

I tend to use a mix of symbols, both upper and lower case, as well as numbers. I use a minimum of 11 characters. I feel relatively safe.

The minimum for me is 12; the max I can remember having used is 30 or something (felt like a poet that day), and I include symbols too. I feel safe; however, I always forget my passwords... and have a hard time figuring out what I was thinking when I created them. Sometimes I just go with stuff like "PancakesRLuv4L;fe"... not really... I mean that sounds stupid... however I do use random symbols/numbers replacing letters (which gives me a headache when it comes to recovery).


  • 0

And here I would put my cool signature... If I had one


#104 mmimadi

mmimadi

    ChickenMan

  • GMC Member
  • 162 posts
  • Version:GM:Studio

Posted 04 December 2015 - 04:31 AM

So are the GMC storing password hashes, or just plain text passwords (I hope not; it shouldn't be done nowadays on bigger websites like this)? Not sure if I should change my password across several websites or only this one yet.

hope not. 

May I ask where you got your avatar? It's sweet!


  • 0

First Published Game. Would really love if you could rate :) 

https://play.google....erine.mrrunfree
 


#105 Dragon47

Dragon47

    Mytino

  • GMC Member
  • 687 posts
  • Version:GM:Studio

Posted 04 December 2015 - 05:14 AM

hope not. 
May I ask where you got your avatar? It's sweet!

Thanks! Drew it myself
  • 0


 

Games:   Blue Void (3D horror)   Icebound (2D puzzle platformer)


#106 Forester

Forester

    The One And Only Enragement Cat

  • GMC Member
  • 412 posts
  • Version:GM:Studio

Posted 04 December 2015 - 08:43 AM

Up until last week, my gmail password was literally "Forester123"


  • 2

gg guys - wp

soundcloud - twitter - facebook - ask.fm - advc


#107 Lindion45

Lindion45

    Scared of the Ducks

  • GMC Member
  • 1554 posts
  • Version:Unknown

Posted 04 December 2015 - 04:35 PM

my GMC password 

 

oB1LuAHvrtgYG83OZClg1P8ecEJQMROMVgAakuP2u4ywEdlB43wHSXeQsGbiiotZQChFSns5HoetIuBDwmBo6VaMjEAgZvZjwz1tV8Ke1Zv8kbceESYUoLjO07fz1ECh0ZHCeBShvF9oxdfq9g8blZGxmHL07kKZlbVNdVLtas9PR1SHbZxt8eycUh1wqt01qmZM6SGUSXYkqqPFrVyzCGFJTxbQYS8CtUTDqPtTO6xQewssxSwJ8ytUjsi3FyDX

Doesn't work xD


  • 3



#108 Yal

Yal

    Even though the GMC may be gone, our love will prevail eternally

  • Global Moderators
  • 11774 posts
  • Version:GM:Studio

Posted 04 December 2015 - 05:38 PM

I personally really hate when a site enforces arbitrary symbol restrictions on passwords - any character is the same level of 'easy to guessness' so it's more pointless to enforce using symbols and stuff than people may think (there's a fallacy about symbols being safer, but most password attacks aren't done by humans nowadays), but I'm even more annoyed when a system REJECTS symbols - Windows passwords can't contain characters like Ä. Seriously, what the ****? You're not gonna let people stay safe, are you? r______r Bonus points for complaining about using non-letter characters, too. Darn cultural imperialists *insert rant here*


  • 3

- The above is my personal opinion and in no way representative of Yoyogames or the GMC, except when explicitly stated -

 

Open this spoiler for my games:

Spoiler

Some useful game engines, music and other resources at affordable prices:

My collection of game resources at itch.io

 

New user? Can't draw but want to look unique? You can request a new avatar in this thread!


#109 Forester

Forester

    The One And Only Enragement Cat

  • GMC Member
  • 412 posts
  • Version:GM:Studio

Posted 04 December 2015 - 06:15 PM

 Windows passwords can't contain characters like Ä. Seriously, what the ****?

 

I detect a swede :P


  • 3

gg guys - wp

soundcloud - twitter - facebook - ask.fm - advc


#110 Lindion45

Lindion45

    Scared of the Ducks

  • GMC Member
  • 1554 posts
  • Version:Unknown

Posted 04 December 2015 - 06:17 PM

I personally really hate when a site enforces arbitrary symbol restrictions on passwords

https://www.youtube....h?v=luv_bWmb9lE

https://www.youtube....h?v=jQ7DBG3ISRY


  • 2



#111 WWAZman

WWAZman

    GMC Member

  • GMC Member
  • 1538 posts
  • Version:GM:Studio

Posted 04 December 2015 - 08:38 PM

Actually, this forum gets hacked often enough that I feel it's safe to use a "dummy" password that I never use elsewhere.


  • 1

I tried turning it off and on again.
I made definitely sure I unplugged the soldering iron when I was done.
MY Games are here: https://play.google....aXNfc291bmRzIl0.
and here: http://www.blinkinstudios.com

Dyscalculia sucks, but I keep learning piece by piece. Thanks for helping along the way!


#112 Dangerous_Dave

Dangerous_Dave

    GMC Member

  • Global Moderators
  • 9450 posts
  • Version:Unknown

Posted 04 December 2015 - 09:04 PM

Actually, this forum gets hacked often enough that I feel it's safe to use a "dummy" password that I never use elsewhere.

You should be doing that anyway. Ideally, you should use a different password for each site you use. At a minimum, make sure your email account has a password that is not used anywhere else.


  • 0

#113 Mercerenies

Mercerenies

    Koopa King

  • GMC Member
  • 1945 posts
  • Version:GM:Studio

Posted 04 December 2015 - 09:10 PM

Actually, this forum gets hacked often enough that I feel it's safe to use a "dummy" password that I never use elsewhere.

You should be doing that anyway. Ideally, you should use a different password for each site you use. At a minimum, make sure your email account has a password that is not used anywhere else.

I learned that lesson the hard way a few months back when my Steam account got hacked and with it my emails started suddenly disappearing. Don't reuse passwords, everybody.
  • 0

#114 Lukan Spellweaver

Lukan Spellweaver

    Gay Wizard Freak & mcmonkey's plaything

  • GMC Member
  • 3704 posts
  • Version:GM:Studio

Posted 04 December 2015 - 09:15 PM

I call the password I do use in multiple places my dummy.

I use it for sites I don't visit often, or if I'm signing up for something and can't be bothered to make a new one right then.

 

All of my social media, email accounts, and game dev related accounts each have unique passwords.


  • 0


Find me on Itch.io | GameJolt | YouTube | Twitter | Facebook | Website | Ask.FM

 GMC Google Hangout | I liek monkehs

The GMC, here lies she. Kicked to the curb, with nary a word. She shall live on, though. Remain strong, bros.

Also: MIKE DAILLY TOLD ME TO UPDATE MY SIGNATURE


#115 Dangerous_Dave

Dangerous_Dave

    GMC Member

  • Global Moderators
  • 9450 posts
  • Version:Unknown

Posted 04 December 2015 - 09:19 PM

I learned that lesson the hard way a few months back when my Steam account got hacked and with it my emails started suddenly disappearing. Don't reuse passwords, everybody.


If people are wondering how on earth to not reuse passwords when they have 100 different accounts on various websites, the answer is with a password manager.

I have heard LastPass is popular.

Personally I use KeePass, but for this you need to keep the database somewhere yourself, and make sure it's backed up. You set a master password, and then all others are stored in the database (it can generate random passwords for you). I don't store my email password in there as if I lose the password database or password I need to access my emails to restore access to things, but my email password is not reused anywhere. I would probably recommend LastPass as a first stop as it manages things for you.


  • 0

#116 Lukan Spellweaver

Lukan Spellweaver

    Gay Wizard Freak & mcmonkey's plaything

  • GMC Member
  • 3704 posts
  • Version:GM:Studio

Posted 04 December 2015 - 09:47 PM

I've never understood people's inability to remember passwords...
Like, I used to forget them when I was a kid a lot, but all of the ones I have now are locked in my head, safe and sound.

Except for my neopets... Those poor bastards... They ded.

Edited by Lukan Spellweaver, 04 December 2015 - 09:47 PM.

  • 0


Find me on Itch.io | GameJolt | YouTube | Twitter | Facebook | Website | Ask.FM

 GMC Google Hangout | I liek monkehs

The GMC, here lies she. Kicked to the curb, with nary a word. She shall live on, though. Remain strong, bros.

Also: MIKE DAILLY TOLD ME TO UPDATE MY SIGNATURE


#117 TsukaYuriko

TsukaYuriko

    Remember... and never forget

  • Global Moderators
  • 9535 posts
  • Version:GM:Studio

Posted 05 December 2015 - 01:56 AM

I personally really hate when a site enforces arbitrary symbol restrictions on passwords

https://www.youtube....h?v=luv_bWmb9lE

 

Please tell me I'm not the only one who was expecting "seeeeeecreeeet password" or something similar being mentioned at some point.

 


  • 0



#118 Bleed

Bleed

    Chevalier

  • GMC Member
  • 763 posts
  • Version:GM:Studio

Posted 05 December 2015 - 11:10 AM

Another vote for (http://keepass.info/). That in conjunction with chromeIPass extension, makes it automatic. You don't even have to type the password anymore.


Edited by Bleed, 05 December 2015 - 11:17 AM.

  • 0



#119 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 05 December 2015 - 11:11 AM

 

I learned that lesson the hard way a few months back when my Steam account got hacked and with it my emails started suddenly disappearing. Don't reuse passwords, everybody.


If people are wondering how on earth to not reuse passwords when they have 100 different accounts on various websites, the answer is with a password manager.

I have heard LastPass is popular.

Personally I use KeePass, but for this you need to keep the database somewhere yourself, and make sure it's backed up. You set a master password, and then all others are stored in the database (it can generate random passwords for you). I don't store my email password in there as if I lose the password database or password I need to access my emails to restore access to things, but my email password is not reused anywhere. I would probably recommend LastPass as a first stop as it manages things for you.

 

This is so true.. There is literally 0 reason for anybody not to use a password manager, especially people involved in IT because you can just tell how poor some sites security practices are. Lastpass is very worth the negligible $1 a month for the service that it provides.


  • 0

#120 Funk E. Gamez

Funk E. Gamez

    GMC Member

  • GMC Member
  • 774 posts

Posted 05 December 2015 - 11:51 AM

 

I personally really hate when a site enforces arbitrary symbol restrictions on passwords

https://www.youtube....h?v=luv_bWmb9lE

https://www.youtube....h?v=jQ7DBG3ISRY

 

Hilarious as this is, obviously the guy has never heard of brute-force attacks.

 

Here's the thing... When a user's account gets hijacked, yes it's an inconvenience for the user, but it also makes more work for the company that runs the site. More than likely the user will complain about what they lost, and somebody is going to have to go information hunting and do what they can to restore things to appease the user. Said user may leave hateful reviews that damage the company's reputation. (Unfair as it may be.) Therefore, password restrictions are as much for the benefit of the site administrators as they are for the user.

 

That being said... The specifics of what restrictions should be used are up for debate. The system is only as secure as the least secure allowable password. If the hacker knows that the site allows letters-only, full-lowercase passwords, that will be the first thing they attempt. Most places have a minimum requirement of 6 or 8 characters, so I'll use 8 for my example. An 8-character password that fits this description would have exactly 26^8 (208,827,064,576) possible combinations. Depending on how fast the log-in system is, this could take less than a minute to brute-force. By requiring a capital letter and numbers, we are extending the character set that the attacker needs to use. 26 lowercase + 26 uppercase + 10 numbers = 62^8 (218,340,105,584,896) possible combinations for an 8-character password. This takes more like 15 hours to brute-force. This seems like a substantial improvement, but for valuable information, 15 hours is nothing. Increasing the character set does increase password security, but it doesn't do nearly as much as minimum length requirements. For example, even with the extended character set, a 6-character password has 56,800,235,584 combinations - that's less than our original number for an 8-character password of only lowercase letters. On the flip side, 26^12 = 95,428,956,661,682,176 = up to ~273 days if my math and estimations are accurate. Of course, computers are a lot faster now than they were a few years ago, and as they continue to get faster, a hacker can try many more combinations much faster. A website password is significantly slower than a local computer password because of network speeds, but hopefully you get the point.

 

The minimum character limit is the strongest way to improve password security. It's just math. Increasing the minimum character requirement to 12 would be a slight nuisance as many of my passwords are around 8 characters, but I would gladly take that over arbitrary limits regarding characters, numbers, and casing. No automated strength system can save users from dictionary attacks, as there will always be short go-to cheats, like capitalizing the first letter or adding 123 to the end. (And as mentioned, the password system is only as safe as its weakest password... If the hacker assumes someone is using this convention and they try multiple users, they are bound to find someone with a weak enough password.) The best thing sites can do is to inform users about what makes a secure password and leave it up to them to apply that knowledge. Even the 12-character minimum won't do any good if the user is clueless about password security and enters "aaaaaaaaaaaa", as that will be cracked instantly.


Edited by Funk E. Gamez, 05 December 2015 - 11:55 AM.

  • 1

#121 Lindion45

Lindion45

    Scared of the Ducks

  • GMC Member
  • 1554 posts
  • Version:Unknown

Posted 05 December 2015 - 03:51 PM

the user will complain about what they lost, and somebody is going to have to go information hunting and do what they can to restore things to appease the user. Said user may leave hateful reviews that damage the company's reputation.

It's a good point.

What if the login screen told you it was a weak password, and if you got hacked it wasn't their responsibility. Then when they get hacked, and complain to customer support, they can see that they used a really weak password, and tell them what the login screen told them initially.

 

The system is only as secure as the least secure allowable password.

How so? If the hacker gets through the weakest password, great! They... Now have access to that one account! The system hasn't become less secure as a result? Also, you can't just take the weakest point and attack it, the hackers have no idea what username will have a weak password.
 

the site allows letters-only full lowercase passwords

Are there actually sites that have this requirement though? 26 possible combinations?

This is off topic, as he wasn't asking for sites to restrict their passwords, he was asking them to allow less complicated passwords. If the system accepts A-Z a-z 0-1 !"£$%^&*()-=_+{}@~:><?[];'#/.,\, it doesn't matter if my password is "likliklik". To guess a password that's say 6 letters long, you need to do 96^6 (646,990,183,449 combinations), and that's just the minimum.
 

208,827,064,576 possible combinations. Depending on how fast log-in system is, this could take less than a minute to brute-force.

What?!?! That's ridiculous. If EACH password was say 20 bytes, that would require 4TB of data to be transferred. Please, link me to your ISP that gives you that sort of speed per minute!

Also, you're assuming that a login system wouldn't just stop you from trying that password after even 50 consecutive failed password attempts in the same microsecond.
 

A website password is significantly slower than a local computer password because of network speeds, but hopefully you get the point.

We're not talking about your local computer password haha. If you want to bypass that, you have to enter like 2 lines into the console from safe mode. Also you can literally just take out the hard drive and access it from a computer that's unlocked through explorer.
 

Even the 12-character minimum won't do any good if the user is clueless about password security and enters "aaaaaaaaaaaa", as that will be cracked instantly.

So what you're saying here, is all these precautions and regulations are completely pointless in the first place.


  • 2



#122 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 05 December 2015 - 04:57 PM

[snip]

ayee there we go; I couldn't be bothered


  • 1

#123 TeraTheGreat

TeraTheGreat

    GMC Member

  • New Member
  • 7 posts
  • Version:GM:Studio

Posted 05 December 2015 - 05:51 PM

I just joined today, (three days after this thread was put up), so I'm guessing I should not have to worry about this, right?


  • 0

#124 SilverOmega

SilverOmega

    GMC Member

  • GMC Member
  • 11 posts
  • Version:Unknown

Posted 05 December 2015 - 05:55 PM

Thanks for the heads-up

 

 

I just joined today, (three days after this thread was put up), so I'm guessing I should not have to worry about this, right?

 

Since you registered after the hack you're fine. Of course the attack is still being investigated, so another attack is not out of the question, but it is very unlikely.


Edited by SilverOmega, 05 December 2015 - 06:06 PM.

  • 0

#125 NakedPaulToast

NakedPaulToast

    GM Studio/Mac/Win

  • GMC Member
  • 8808 posts
  • Version:GM:Studio

Posted 05 December 2015 - 07:24 PM

I just joined today, (three days after this thread was put up), so I'm guessing I should not have to worry about this, right?

If you bought a new TV after your house is robbed, do you have to worry about your TV being gone?


  • 0

If the Bible truly is inspired by God, you would think that somebody as omnipotent and all-knowing would have known to get his message out using TCP instead of UDP.

 


#126 HopelessComposer

HopelessComposer

    GMC Member

  • GMC Member
  • 1337 posts
  • Version:GM:Studio

Posted 05 December 2015 - 11:33 PM


If you bought a new TV after your house is robbed, do you have to worry about your TV being gone?

Uh, depends on whether or not your house has been better fortified since the last break-in, right? =P


  • 2

#127 Smarty

Smarty

    GMC Member

  • GMC Elder
  • 7522 posts
  • Version:GM:Studio

Posted 06 December 2015 - 12:19 AM

While we're at it, can we patch up the security of yoyogames.com a bit more?

First of all the forums are not using SSL at all, which means anything that's exchanged can be intercepted on unsecured networks such as public WiFi. This would make it possible for eavesdropping outsiders to steal, for example, the authentication token of an admin.

Second, SSL has been applied to the rest of yoyogames.com, but you're using certificates with different encryption mechanisms - specifically, the Home, GameMaker and Showcase sections use a certificate with TLS 1.0 which is considered obsolete and should not be used anymore (you will not see it unless you prepend the URL with https, see next). These sections don't use personal information so it doesn't hurt much, but I'm unsure why you don't just secure everything with a single certificate.

Last, the remaining sections of the site correctly use SSL but the site does not enforce it - one could come in using http instead of https, leaving their connection unsecured. You should reroute incoming http connections to https.
  • 8
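The last two points in the post above (redirect plain HTTP to HTTPS, stop offering TLS 1.0) are easy to get wrong, so here is an added example of what enforcing them looks like in code. It is not yoyogames.com's configuration or any code from this thread: it is a small WSGI middleware that answers every http:// request with a 301 to the https:// URL and stamps an HSTS header on secured responses, plus a server-side `ssl.SSLContext` that refuses anything below TLS 1.2. The host name `forum.example`, the placeholder app and the one-year HSTS policy are assumptions made for the example; the certificate paths are placeholders the operator would supply.

```python
import ssl

# Sample HSTS policy (assumed): one year, applied to all subdomains.
HSTS_POLICY = "max-age=31536000; includeSubDomains"


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side TLS context that refuses TLS 1.0 and 1.1.
    certfile/keyfile are placeholders supplied by the operator; with none
    given the version policy is still applied, which is what we test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allows_legacy_tls(ctx):
    """True if the context would still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def force_https(app):
    """WSGI middleware: 301 plain-HTTP requests to the HTTPS URL and add an
    HSTS header to HTTPS responses so browsers stop trying HTTP at all.
    Relies on the server in front of it setting wsgi.url_scheme truthfully."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://" + environ.get("HTTP_HOST", "") + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            return start_response(
                status, headers + [("Strict-Transport-Security", HSTS_POLICY)], exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def hello_app(environ, start_response):
    """Placeholder application standing in for the forum software."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"forum index"]


def call_app(app, environ):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = force_https(hello_app)
    # Constructed sample requests, not captured traffic.
    http_req = {"wsgi.url_scheme": "http", "HTTP_HOST": "forum.example",
                "PATH_INFO": "/index.php", "QUERY_STRING": "showtopic=1"}
    https_req = dict(http_req, **{"wsgi.url_scheme": "https"})
    print(call_app(secured, http_req))
    print(call_app(secured, https_req))
    print("legacy TLS allowed:", allows_legacy_tls(hardened_server_context()))
```

The redirect alone does not protect the first request, which still goes out in clear text with any cookie the browser already holds; that is what the HSTS header is for, and it is also why session cookies on such a site should carry the Secure flag.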

#128 Neon Jackal

Neon Jackal

    GMC Member

  • GMC Member
  • 173 posts
  • Version:GM:Studio

Posted 06 December 2015 - 04:44 AM

If anything, this alerted me to the fact that my account here was still using my 15 year old email address... Which I had forgotten existed, since the last time I logged into it was probably about 10 years ago. Though, when I tried to today out of curiosity, it said I had already tried to log in unsuccessfully too many times...


  • 0

#129 TheJJGamer

TheJJGamer

    GMC Member

  • GMC Member
  • 114 posts
  • Version:GM:Studio

Posted 06 December 2015 - 06:21 AM

I will change my password then. Thanks!


  • 0



#130 sub

sub

    EVIL GENIUS

  • GMC Member
  • 1905 posts
  • Version:GM6

Posted 06 December 2015 - 06:33 AM

Iloveprettyponies :)
  • 0

#131 Funk E. Gamez

Funk E. Gamez

    GMC Member

  • GMC Member
  • 774 posts

Posted 06 December 2015 - 02:11 PM


How so? If the hacker gets through the weakest password, great! They... Now have access to that one account! The system hasn't become less secure as a result? Also, you can't just take the weakest point and attack it, the hackers have no idea what username will have a weak password.

It has if it was an administrator's account. Even admins play by the rules of the login system in many cases, and some may not know the extent of what makes a secure password. I don't mean to say that allowing simple passwords automatically makes your entire site vulnerable, but if a hacker gets into any account that is bad. For important things like banking, it would be inexcusable to say "well they only got into one account so it's ok."

This is off topic, as he wasn't asking for sites to restrict their passwords, he was asking them to allow less complicated passwords. If the system accepts A-Z a-z 0-1 !"£$%^&*()-=_+{}@~:><?[];'#/.,\, it doesn't matter if my password is "likliklik". To guess a password that's say 6 letters long, you need to do 96^6 (646,990,183,449 combinations), and that's just the minimum.

You're assuming that the hacker is trying to break into a specific account or every account. Suppose they have a long list of usernames and are just trying to crack one account. Because a simple password is allowed, they can assume that some people have more secure passwords than others. As you pointed out, it would take significantly longer to try out all the valid characters, so they're only going to look for a weak point. If they just use the 26 character set, they can go through 2000 users in the time it would take to do 1 with 96 valid characters. All they need is 1 of those 2000 to have a simple enough password that it doesn't use any numbers, capitals, or symbols. (And we're lazy, so you know it wouldn't even take 2000 users to find one.)

What?!?! That's ridiculous. If EACH password was say 20 bytes, that would require 4TB of data to be transferred. Please, link me to your ISP that gives you that sort of speed per minute!

I wasn't talking about transferring over a network. To be fair, my numbers were based on data other sites have compiled about how quickly brute-force attacks can be carried out, as I don't have specifics on that. I assume that they were also not taking into account network speeds. The actual numbers are not super important to the point, as I'm just trying to demonstrate a principle.

Also, you're assuming that a login system wouldn't just stop you from trying that password after even 50 consecutive failed password attempts in the same microsecond.

Yes, because we're just talking about the effect password restrictions have on security; other factors are not considered.

 

We're not talking about your local computer password haha. If you want to bypass that, you have to enter like 2 lines into the console from safe mode. Also you can literally just take out the hard drive and access it from a computer that's unlocked through explorer.

I wasn't talking about the Windows user login. I meant any password-restricted file which is accessible without network transfer. But again, that's not really the point... Even if the numbers are impractical for any real situation, the relative values remain the same. 95,428,956,661,682,176 / 208,827,064,576 = 456,976x as long to crack a 12 char password as compared to an 8-digit. That's the important part.

So what you're saying here, is all these precautions and regulations are completely pointless in the first place.

Yes. I agree. But I think it's unfair for people to just discredit it without any real facts to back it up. I set it up to explain why they are requirements and how they do in fact increase security as they're supposed to... Only to point out in the end that all of it is useless in comparison to length requirements. You have to include a minimum password length or some passwords are bound to be vulnerable to brute-force attacks. Even if your password system accepts all 255 ASCII characters, it will take the hacker less time to check all 6-char combinations than it would to crack an 11-char password of only lowercase letters.


  • 0
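The keyspace arithmetic in #120 and #131 (26^8, 62^8, 62^6, 26^12, the 456,976x ratio, the "6 chars of 255 vs 11 lowercase" comparison) is worth checking in code rather than by hand, and the same code shows the generator side that #115 credits to KeePass. This is an added example, not code posted by anyone in the thread: it computes the keyspace and its size in bits, converts to time at a guess rate of 4e9 per second (an assumed figure chosen because it reproduces the post's "under a minute", "about 15 hours" and "~273 days"; it is an offline-cracking rate, not anything a login form would allow), goes one step beyond the posts by counting with inclusion-exclusion how much a "must contain an uppercase letter and a digit" rule actually shrinks the 62-symbol keyspace, and draws a fresh password from the OS CSPRNG the way a password manager does.

```python
import math
import secrets
import string


def keyspace(charset_size, length):
    """Distinct passwords of exactly `length` characters over `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Same keyspace expressed in bits (log2), the usual way to compare strength."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate. This is an
    offline figure (attacker holds the hashes); a rate-limited login form never
    gets anywhere near it."""
    return keyspace(charset_size, length) / guesses_per_second


def keyspace_with_rules(length, lower=26, upper=26, digits=10):
    """Passwords of `length` over lower+upper+digits that contain at least one
    uppercase letter AND at least one digit. Inclusion-exclusion: all strings,
    minus those with no uppercase, minus those with no digit, plus those with
    neither (which were subtracted twice)."""
    total = lower + upper + digits
    return (total ** length
            - (lower + digits) ** length
            - (lower + upper) ** length
            + lower ** length)


def generate_password(length=16, alphabet=string.ascii_letters + string.digits):
    """A fresh random password from the OS CSPRNG (what a manager's generator does)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(guesses_per_second=4e9):
    """Reproduce the thread's figures as (label, keyspace, bits, days) rows.
    4e9 guesses/s is an assumed rate picked to match the post's timings."""
    rows = [("lowercase, 8 chars", 26, 8),
            ("mixed case + digits, 8 chars", 62, 8),
            ("mixed case + digits, 6 chars", 62, 6),
            ("lowercase, 12 chars", 26, 12)]
    return [(label, keyspace(cs, n), round(entropy_bits(cs, n), 1),
             seconds_to_exhaust(cs, n, guesses_per_second) / 86400)
            for label, cs, n in rows]


if __name__ == "__main__":
    for label, size, b, days in report():
        print(f"{label:30} {size:>22,d}  {b:5.1f} bits  {days:12.4f} days")
    print("12-char lowercase / 8-char lowercase:", keyspace(26, 12) // keyspace(26, 8))
    print("8 chars, must contain upper+digit:", keyspace_with_rules(8))
    print("255 symbols x 6 < 26 symbols x 11:", keyspace(255, 6) < keyspace(26, 11))
    print("sample generated password:", generate_password())
```

Two things the numbers make visible: the composition rule removes about a quarter of the 62^8 space, so it does hand the attacker something, but what remains is still roughly 780x the all-lowercase space; and every extra lowercase character multiplies the work by 26, which is why the 12-vs-8 ratio is exactly 26^4.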

#132 Lindion45

Lindion45

    Scared of the Ducks

  • GMC Member
  • 1554 posts
  • Version:Unknown

Posted 07 December 2015 - 01:09 AM

It has if it was an administrator's account.

We're not talking about administrator accounts, we're talking about the general user base. If the admins choose to have a password like "123" then there's really no point having passwords at all. So there's a crux - make any account that has admin privileges have password rules.
 

For important things like banking, it would be inexcusable to say "well they only got into one account so it's ok."

They got into one account, that had the password "123", make a public statement that if you don't want to be hacked, don't use a crass password! It's just common sense. Besides we're not talking about banking, we're talking about things like the GMC :D
 
 

You're assuming the hacker is trying to break into a specific account. Suppose they have a long list of usernames and are just trying to crack one account. All they need is 1 of those 2000 to have a simple enough password, you know it wouldn't even take 2000 users to find one.

Ok, but then what? They still only have access to that one account. And unless it's a high value account, it's really pointless.
 
 

My numbers were based on data other sites have compiled about how quickly brute-force attacks can be carried out. I assume that they were also not taking into account network speeds. The actual numbers are not super important to the point, as I'm just trying to demonstrate a principle.

So in a completely theoretical situation, where basic security and bandwidth does not exist, a password can be brute force hacked in under 2 minutes? Why don't we just add that the hacker happens to be looking over the shoulder of the account holder too? :P

Network speed is a huge factor to take into account, not to mention any kind of account lock that sees a bunch of logins from unknown sources, that all tried the password to the max limit before a captcha was shown, and also happened to get every single attempt wrong. Where did this data come from?
 

 

Also, you're assuming that a login system wouldn't just stop you from trying that password after even 50 consecutive failed password attempts in the same microsecond.

we're just talking about the effect password restrictions have on security; other factors are not considered.

 

I think we should be taking other factors into consideration, especially since they have such a large impact. Having a mechanism that blocks your ip for an exponential amount of time after say 10 consecutive failed passwords would stop ANY brute force attack.

Even if said hacker hijacked 2000 computers to all pry from different IPs, the account could go into lockdown mode, and only let the IP address on file be allowed to sign in. Maybe even a nice little warning message that says "Your account is receiving pressure" next time the real owner logs in.

 

I meant any password-restricted file which is accessible without network transfer.

I thought we were talking about website logins lol.

 

the relative values remain the same. 95,428,956,661,682,176 / 208,827,064,576 = 456,976x as long to crack a 12 char password as compared to an 8-digit. That's the important part.

I disagree. It doesn't matter if it takes 200 tries or 3 billion tries to crack a password if the system stops you at 10 failed attempts.
 
 

I set it up to explain why they are requirements and how they do in fact increase security as they're supposed to...

Sure, it increases security! As would requiring direct permission from a third party via phone call to access your house without setting off your alarm. But another important factor you have to take into account here, is convenience.

 

You have to include a minimum password length or some passwords are bound to be vulnerable to brute-force attacks.

So what if they are? There will always be people who take those risks, despite what precautions are put in place to stop them. So really it's just inconveniencing those that use the system properly, to sort out people who don't care.


Perhaps a solution to this problem would be to educate people on how passwords can be cracked. From this information, people can make their own intelligent decisions on what passwords to use. So if they use what they know is a weak password, they made that decision themselves, and are aware of it.


Edited by Lindion45, 07 December 2015 - 01:11 AM.

  • 3
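The lockout Lindion45 proposes above ("block the IP for an exponential amount of time after say 10 consecutive failed passwords") is a standard online-guessing control, and it is instructive to see how few guesses it leaves an attacker compared with the 10^9-per-second offline figures earlier in the thread. The following is an added example written for this page, not code from the forum or from any product: a per-source throttle with a failure threshold, exponential back-off capped at a maximum, and reset on success, plus a simulation that counts how many wrong guesses from one source actually get evaluated inside a time window. The threshold, delays, and the sample address 198.51.100.7 are illustrative choices, not any site's configuration; the clock is injected so the policy can be tested without waiting.

```python
class LoginThrottle:
    """Per-source consecutive-failure tracker. After `threshold` failures a
    source is blocked for base_delay * 2**k seconds, k growing by one with
    each further failure, capped at max_delay. A successful login clears the
    counter. (Illustrative policy numbers, not any real site's.)"""

    def __init__(self, threshold=10, base_delay=1.0, max_delay=3600.0):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = {}       # source -> consecutive failures
        self._blocked_until = {}  # source -> time the block expires

    def blocked_until(self, source):
        return self._blocked_until.get(source, 0.0)

    def is_blocked(self, source, now):
        return self.blocked_until(source) > now

    def attempt(self, source, password_ok, now):
        """Returns 'blocked' (password never even checked), 'ok' or 'fail'.
        `now` is injected so the policy is testable without real clocks."""
        if self.is_blocked(source, now):
            return "blocked"
        if password_ok:
            self._failures.pop(source, None)
            self._blocked_until.pop(source, None)
            return "ok"
        count = self._failures.get(source, 0) + 1
        self._failures[source] = count
        if count >= self.threshold:
            delay = min(self.max_delay, self.base_delay * 2 ** (count - self.threshold))
            self._blocked_until[source] = now + delay
        return "fail"


def evaluated_attempts_within(window_seconds, threshold=10, base_delay=1.0):
    """How many wrong guesses from one source the throttle actually evaluates
    inside a window, assuming the source retries the instant each block expires."""
    throttle = LoginThrottle(threshold, base_delay)
    source, now, evaluated = "198.51.100.7", 0.0, 0  # documentation-range sample address
    while True:
        if throttle.is_blocked(source, now):
            now = throttle.blocked_until(source)
        if now > window_seconds:
            return evaluated
        throttle.attempt(source, False, now)
        evaluated += 1


if __name__ == "__main__":
    # Constructed sequence: one source fails repeatedly, another logs in normally.
    t = LoginThrottle(threshold=3, base_delay=1.0, max_delay=8.0)
    for now in (0.0, 0.0, 0.0, 0.5, 1.0, 3.0, 7.0, 15.0):
        print(f"t={now:5.1f}  a -> {t.attempt('a', False, now)}")
    print("b ->", t.attempt("b", True, 0.5))
    print("guesses evaluated from one source per hour:", evaluated_attempts_within(3600))
```

With a threshold of 10 and a 1-second base delay, a single source gets 21 guesses evaluated per hour; with a 60-second base it gets 15. That is the gap between the "15 hours for 62^8" offline estimate and what an online attack can do, and it is also why an attacker who has stolen a hash database is the case the length and entropy discussion actually applies to. Per-source throttling does not stop a distributed attacker spreading guesses over many addresses, which is where per-account counters and the owner notification Lindion45 mentions come in.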



#133 Strawbry_Jam

Strawbry_Jam

    Likes Toast

  • GMC Member
  • 345 posts
  • Version:Unknown

Posted 07 December 2015 - 03:55 AM

I don't feel like quoting the above but with password restrictions, doesn't that make brute force attacks easier if the attacker can now skip all the restricted passwords? It should be recommended to the user to use a strong password and inform the user of how strong their password is but ultimately leave it up to the user with strong warnings.

Edited by Strawbry_Jam, 07 December 2015 - 03:57 AM.

  • 0
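Added worked example (editor's note; this is not a post from the thread and not code by any participant). It makes the two numbers above concrete: the 26^12 / 26^8 = 456,976 ratio from the earlier post, and Strawbry_Jam's question of how much of the space a "must contain upper, lower and digit" rule actually removes. It also bounds how many guesses an online attacker gets per year when an account locks after a fixed number of failures. Counts are exact (inclusion-exclusion); the lockout figures (10 attempts, 15 minutes) are assumptions for the demo.

```python
import string
from itertools import product

# Added example, not from the thread. Character classes are plain ASCII.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_with_required_classes(class_sizes, length: int) -> int:
    """Count strings of `length` chars over the union of the classes that contain
    at least one character from EVERY class (inclusion-exclusion). This is what
    is left after a 'must contain upper, lower and digit' rule: the attacker
    skips the rest, exactly as the post suggests."""
    total = sum(class_sizes)
    n = len(class_sizes)
    count = 0
    for mask in range(1 << n):                       # every subset of classes to leave out
        left_out = sum(class_sizes[i] for i in range(n) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        count += sign * (total - left_out) ** length
    return count


def keyspace_with_required_classes_bruteforce(classes, length: int) -> int:
    """Slow reference implementation over literal classes, for small inputs only."""
    alphabet = "".join(classes)
    return sum(1 for pw in product(alphabet, repeat=length)
               if all(any(c in cls for c in pw) for cls in classes))


def online_guesses_per_year(max_attempts: int, lockout_seconds: int) -> int:
    """Upper bound on guesses an attacker gets against ONE account per year when the
    server locks the account for `lockout_seconds` after `max_attempts` failures
    (assumes the lockout is the only limit and is actually enforced)."""
    windows_per_year = 365 * 24 * 3600 // lockout_seconds
    return max_attempts * windows_per_year


if __name__ == "__main__":
    print(keyspace(26, 12) // keyspace(26, 8))       # 456976, the ratio from the post
    full = keyspace(62, 8)
    ruled = keyspace_with_required_classes([26, 26, 10], 8)
    print(f"8-char [A-Za-z0-9]: {full:,}; with 'all three classes' rule: {ruled:,} "
          f"({ruled / full:.1%} of the space remains)")
    print(online_guesses_per_year(10, 15 * 60))      # 350400
```

Two things worth noticing when you run it. The composition rule removes only about a quarter of the 62^8 space, so it costs the attacker little and the user a lot; length buys far more than class rules. And a 10-attempts-then-lock policy caps an online attacker at roughly 350,000 guesses per account per year, which no brute force survives, but which is more than enough to try a list of the most common passwords. Lockout stops brute force; it does not rescue "password1".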

#134 BDMarvel

BDMarvel

    GMC Member

  • GMC Member
  • 335 posts
  • Version:GM:Studio

Posted 07 December 2015 - 04:09 AM

I've used KeePass for years. If someone got access to my keepass database they'd still need the one password I actually have to remember in order to use it. Of course, since I only have to remember one password, it's very long and complicated. After about 2 weeks of typing it when needed, it became muscle memory. Seriously, use KeePass or another password manager solution. It's important. If you don't take your security seriously, why should anyone else have sympathy when something bad happens? Every single login you have (yes, every single one of them) needs a completely unique high entropy password.


  • 0


"There is nothing which has yet been contrived by man, by which so much happiness is produced as by a good tavern or inn." - Samuel Johnson
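Added worked example (editor's note; not from the thread, not BDMarvel's or KeePass's code). It shows the two halves of the advice in the post above: a fresh, uniformly random password for every login, generated from the OS CSPRNG, and a long but memorable passphrase for the single master password you do have to type. The 16-entry word list is a constructed stand-in for a real diceware-style list of 7776 words; the entropy figures use the real list size so the numbers are meaningful.

```python
import math
import secrets
import string

# Added example, not from the thread. WORDS is a constructed stand-in for a real
# diceware-style list (which has 7776 entries, not 16).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 chars
WORDS = ["amber", "basil", "cobalt", "delta", "ember", "falcon", "glacier", "harbor",
         "ivory", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pebble"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only valid for random output; a human-chosen string has far less."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniform random password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Random passphrase for the one password you must memorise (the master)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def build_vault(sites, length: int = 20) -> dict:
    """One fresh random password per login, so a breach of one site leaks
    nothing reusable at another."""
    vault = {site: generate_password(length) for site in sites}
    assert len(set(vault.values())) == len(vault), "collision should be astronomically unlikely"
    return vault


if __name__ == "__main__":
    print(f"20 printable chars: {entropy_bits(len(PRINTABLE), 20):.1f} bits")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
    print("master passphrase:", generate_passphrase())
    for site, pw in build_vault(["gmc", "steam", "mail"]).items():
        print(f"{site:6s} {pw}")
```

A six-word passphrase from a 7776-word list is about 77 bits, which is plenty for a master password that is only ever attacked offline against a slow KDF, and it is far easier to get into muscle memory than 20 random printable characters. The per-site passwords never need to be memorable, so give them the full alphabet and length.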


#135 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 07 December 2015 - 04:16 AM

I don't feel like quoting the above but with password restrictions, doesn't that make brute force attacks easier if the attacker can now skip all the restricted passwords? It should be recommended to the user to use a strong password and inform the user of how strong their password is but ultimately leave it up to the user with strong warnings.

I get what you're saying but even with the restrictions it still takes longer to crack (usually, obviously you could implement enough restrictions to make that not the case however) but the bottom line is, if that is what you did, 90% of users would not take the advice and you would have a customer relations nightmare especially if you are a non-tech oriented company (banks, social media etc). Users should be treated as if they are ignorant to the intricacies of password security (as they often are and so they should be, who has time to learn all this stuff if you're not IT oriented) and a few simple, minorly annoying password restrictions later you will be saved a lot more time and effort that would otherwise be needed to fix all the problems when everyone's password is a variant of "password1" 


  • 0

#136 BDMarvel

BDMarvel

    GMC Member

  • GMC Member
  • 335 posts
  • Version:GM:Studio

Posted 07 December 2015 - 04:24 AM

You ask "who has time to learn all this stuff if you're not IT oriented?"

 

Anyone who doesn't care to learn the importance of security shouldn't have their hand held. They'll never learn until forced to. No sympathy for the stupid.


  • 0



#137 Mercerenies

Mercerenies

    Koopa King

  • GMC Member
  • 1945 posts
  • Version:GM:Studio

Posted 07 December 2015 - 04:45 AM

You ask "who has time to learn all this stuff if you're not IT oriented?"
 
Anyone who doesn't care to learn the importance of security shouldn't have their hand held. They'll never learn until forced to. No sympathy for the stupid.

That's a great policy if your plan is to get shut down. If you're a company, your number one obligation is to your customer. Considering your customer to be inferior or stupid or not worth your time is a great way to no longer have a customer.
  • 3

#138 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 07 December 2015 - 04:49 AM

You ask "who has time to learn all this stuff if you're not IT oriented?"

 

Anyone who doesn't care to learn the importance of security shouldn't have their hand held. They'll never learn until forced to. No sympathy for the stupid.

I mean... yeah. That's a pretty easy argument to dismantle, I can't really say anything above what Mercerenies said


  • 0

#139 BDMarvel

BDMarvel

    GMC Member

  • GMC Member
  • 335 posts
  • Version:GM:Studio

Posted 07 December 2015 - 04:52 AM

I'm not talking about customers. I'm talking from a personal viewpoint. If you leave your house with the door wide open why should I care when you get robbed? If it's locked properly and reasonable precautions are taken, sure I'll have sympathy. The problem is not that people don't know they should use different high entropy passwords. The problem is that people can't be bothered to care. And if someone doesn't care about their own security, why should I?


Edited by BDMarvel, 07 December 2015 - 04:52 AM.

  • 0



#140 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 07 December 2015 - 04:57 AM

Well you're changing arguments there a little... and you shouldn't care at all. However if you have clients that get your bills paid..then they are paying to not have to care and to get you to worry about that for them.

 

"I won't build a house for you if you don't know how to build one for yourself. It's not my fault you don't know how to lay brick and mortar in a structurally stable way to create a house"

 

Well.. that's kind of why I'm paying you. Because I don't know. Nor do I want to spend the time learning how to


Edited by zbox, 07 December 2015 - 04:58 AM.

  • 0

#141 BDMarvel

BDMarvel

    GMC Member

  • GMC Member
  • 335 posts
  • Version:GM:Studio

Posted 07 December 2015 - 05:00 AM

My customers buy my games. It's not my job to provide or worry about their security. My job is to make a quality game (my games are products, not services).


Edited by BDMarvel, 07 December 2015 - 05:00 AM.

  • 0



#142 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 07 December 2015 - 05:10 AM

Right so we're in agreement then...


  • 0

#143 BDMarvel

BDMarvel

    GMC Member

  • GMC Member
  • 335 posts
  • Version:GM:Studio

Posted 07 December 2015 - 05:21 AM

Not sure. If I understand, you're equating personal security with building a house. You don't hire someone to lock your door for you. You make sure your door has a lock, you know how to lock and unlock it, and if it requires a key you make sure you have it and keep it safe. You take responsibility for your own security. People by and large understand this, but for some reason when it comes to cyber security people by and large don't care. They've been told for years now the importance of good passwords. There are plenty of examples occurring all the time in the news. But people just don't want to bother. I've been attempting to teach people the importance of security for over a decade now. Some people get it. The vast majority don't, and won't until something tragic happens to them. So, I continue to talk about the importance of it from time to time and to advocate KeePass, but at this point I honestly don't have any sympathy for someone who doesn't bother to care. Maybe someone is just young and honestly doesn't know the importance of security. That's a different case, and why I still bother to broach the subject from time to time. For such a person I do sympathize. If you get hacked because you honestly didn't know any better, that sucks. But it's been my experience that people DO know better. They just don't bother because it inconveniences them. Security is not easy. It's not supposed to be. It's still important, and if you neglect it, eventually you're likely to pay the price.


Edited by BDMarvel, 07 December 2015 - 05:22 AM.

  • 1



#144 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 07 December 2015 - 05:31 AM

You kind of stretched the metaphor there into something it wasn't; as a person yes of course I will have a "too bad for you" attitude if someone has their stuff nicked because of ignoring good advice and having bad/similar passwords. But I also have to accommodate that if I ever want to run an IT business, and that's what I'm talking about, because the first point from a personal perspective is a given.


  • 0

#145 Strawbry_Jam

Strawbry_Jam

    Likes Toast

  • GMC Member
  • 345 posts
  • Version:Unknown

Posted 07 December 2015 - 05:31 AM

I get what you're saying but even with the restrictions it still takes longer to crack (usually, obviously you could implement enough restrictions to make that not the case however) but the bottom line is, if that is what you did, 90% of users would not take the advice and you would have a customer relations nightmare especially if you are a non-tech oriented company (banks, social media etc). Users should be treated as if they are ignorant to the intricacies of password security (as they often are and so they should be, who has time to learn all this stuff if you're not IT oriented) and a few simple, minorly annoying password restrictions later you will be saved a lot more time and effort that would otherwise be needed to fix all the problems when everyone's password is a variant of "password1" 

From experience, you will have the customer relations nightmares either way (both being the users' fault.) Either the users did not follow advice and created passwords too easy to crack and were hacked, or users created passwords fitting a specific requirement and forgot it, and they forgot the password to the email to reset their password and didn't think they would ever need to remember the answers to the security questions for that email. Besides, if you only get a limited number of tries before the account is locked and the password needs to be reset via email, it doesn't matter. Guessing the password of 123 by the third try isn't going to be that easy.
  • 1
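Added worked example (editor's note; not from the thread and not any participant's code). Both the "it doesn't matter if it takes 3 billion tries if the system stops you at 10" point earlier and the post above assume a server-side lockout, so here is a minimal login service that implements one: salted scrypt hashes at rest, a constant-time comparison, a per-account failure counter with a timed lockout, and equal work spent on unknown usernames so timing does not reveal which accounts exist. The policy values (10 failures, 15 minutes) and the account store are assumptions for the demo; the clock is injectable so the lockout expiry can be tested without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example, not from the thread. Policy values are assumptions for the demo.
MAX_FAILURES = 10            # "stops you at 10 failed attempts"
LOCKOUT_SECONDS = 15 * 60
_DUMMY_SALT = bytes(16)      # used to spend equal time on unknown usernames


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is deliberately slow and memory-hard: an attacker who steals the
    # database pays tens of milliseconds per guess instead of nanoseconds.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.accounts = {}          # in-memory store, stands in for a database

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, _DUMMY_SALT)   # same cost: no username enumeration via timing
            return "denied"
        if now < acct.locked_until:
            return "locked"                          # even the correct password is refused
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILURES):
        svc.login("alice", "123456")
    print(svc.login("alice", "correct horse battery staple"))   # locked
```

Two caveats a practitioner would add. A hard lockout hands any attacker a denial of service: ten wrong guesses lock the real user out, so production systems usually pair a short, escalating delay with per-IP limits rather than a flat 15-minute lock. And none of this helps once the password database itself is stolen; then only the slow hash and the password's entropy matter, which is why the lockout and the KDF are both needed.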

#146 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 07 December 2015 - 05:35 AM

1. burn any site that uses security questions with fire

2. more a chance of people remembering to put in a few capital letters and some punctuation than forming a bad habit. One day they might actually remember their more complex password rather than just reinforcing the usage of the crap one they type into every website


  • 1

#147 BDMarvel

BDMarvel

    GMC Member

  • GMC Member
  • 335 posts
  • Version:GM:Studio

Posted 07 December 2015 - 05:37 AM

You kind of stretched the metaphor there into something it wasn't; as a person yes of course I will have a "too bad for you" attitude if someone has their stuff nicked because of ignoring good advice and having bad/similar passwords. But I also have to accommodate that if I ever want to run an IT business, and that's what I'm talking about, because the first point from a personal perspective is a given.

I see. If you're specifically talking about a business where your job is to worry about someone else's security concerns, then that does change things, at least as far as responsibilities go, though it wouldn't change my sympathies in any way. I could never do that job because I've seen just how vehemently people are opposed to taking responsibility for themselves, and how often it's the IT people who take the blame. It's an often thankless job. Good luck to you.


  • 1



#148 zbox

zbox

    GMC Member

  • GMC Member
  • 2618 posts
  • Version:Unknown

Posted 07 December 2015 - 05:39 AM

and how often it's the IT people who take the blame

 

:( spend so much time making watertight secure login systems etc etc only to know what's going to break it is people with crappy passwords; which no matter how clever I try to be will never be fixable


  • 0

#149 BDMarvel

BDMarvel

    GMC Member

  • GMC Member
  • 335 posts
  • Version:GM:Studio

Posted 07 December 2015 - 05:40 AM

 

and how often it's the IT people who take the blame

 

:( spend so much time making watertight secure login systems etc etc only to know what's going to break it is people with crappy passwords; which no matter how clever I try to be will never be fixable

 

Now THAT gets my sympathy. :( And it's why I could never do that job.


  • 0



#150 HopelessComposer

HopelessComposer

    GMC Member

  • GMC Member
  • 1337 posts
  • Version:GM:Studio

Posted 07 December 2015 - 06:00 AM

All this password talk has me curious....does anyone know of any programs I could use to brute force my own passwords, to see how long they'd actually take to crack? I entered a few passwords (not mine, but fakes ones like mine) into different sites to see how long they'd take a computer to crack, but different sites give wildly different estimates, so now I'm curious. I googled for password crackers, but they all seem to be for cracking passwords over networks and crap, which I don't understand and don't need. Anything easy I can plug my password into quickly, just for fun?


  • 0
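Added worked example (editor's note; not from the thread and not any participant's code). The question above asks for something local to brute-force your own passwords, and the reason the web estimators disagree so wildly is that the answer depends entirely on how the password is hashed and on what hardware. This script runs fully offline against a hash you construct yourself: it brute-forces a short constructed SHA-256 target, measures how many guesses per second this machine manages for a fast hash versus a slow KDF, and turns that rate into years-to-exhaust for an 8-character printable password. The salt and the target value are constructed for the demo. For real work the established offline tools are hashcat and John the Ripper; this is only the idea behind them in a few dozen lines.

```python
import hashlib
import string
import time
from itertools import product

# Added example, not from the thread. Everything here is local: the target is a
# hash you make yourself, and SALT is a constructed demo value.
SALT = b"demo-salt"


def sha256_hash(pw: bytes) -> bytes:
    # What a badly built site stores: one fast hash, billions per second on a GPU.
    return hashlib.sha256(pw).digest()


def scrypt_hash(pw: bytes) -> bytes:
    # What a well-built site stores instead: a slow, memory-hard KDF.
    return hashlib.scrypt(pw, salt=SALT, n=2 ** 14, r=8, p=1, dklen=32)


def brute_force(target: bytes, alphabet: str, max_len: int, hash_fn=sha256_hash):
    """Try every string of 1..max_len chars over alphabet; return the preimage or None."""
    for length in range(1, max_len + 1):
        for chars in product(alphabet, repeat=length):
            cand = "".join(chars).encode()
            if hash_fn(cand) == target:
                return cand.decode()
    return None


def measure_rate(hash_fn, budget_seconds: float = 0.25) -> float:
    """Guesses per second this machine manages for hash_fn (single core, pure Python)."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < budget_seconds:
        hash_fn(f"candidate{n}".encode())
        n += 1
    return n / (time.perf_counter() - t0)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this shape at `rate` guesses/s."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    target = sha256_hash(b"pass")                       # constructed target
    print("cracked:", brute_force(target, string.ascii_lowercase, 4))
    fast, slow = measure_rate(sha256_hash), measure_rate(scrypt_hash)
    for name, rate in (("sha256", fast), ("scrypt", slow)):
        years = seconds_to_exhaust(95, 8, rate) / (365 * 86400)
        print(f"{name:7s} {rate:12,.0f} guesses/s -> 8 printable chars: {years:,.0f} years")
```

Run it and compare the two rates: the same password is many thousands of times slower to exhaust under scrypt than under bare SHA-256 on the same machine, and a GPU widens the gap for SHA-256 by orders of magnitude more. That single variable, which hash the site uses, is what the online estimators silently guess at, which is why their answers differ by so much. A password you would describe as "mine" should never be typed into any of them; generate a throwaway of the same shape instead.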