[X] My Assistant

Due to a large increase to the number of brute-force login attempts against member accounts, there have been some hardening changes made to the login mechanism to thwart this. For most of you this will never come into play, but if you fail multiple login attempts or connect from what the site considers a suspect IP, you will now also have to solve a captcha for every login attempt. Hosts that fail a large number of attempts may be shut out entirely.

Note that if you are using a weak password, one that closely resembles your login username, or one that you've reused on other sites, you may want to change it just to be safe.

If you keep getting 7-day bans, your account is likely compromised, and you need to reset your password to restore functionality.

Hmm, interesting.

Will there be a move towards using SSL/TLS on the various EH-operated sites (which, presumably, might mean enabling SSL on H@H as well) at some stage?

Will there be a move towards using SSL/TLS on the various EH-operated sites (which, presumably, might mean enabling SSL on H@H as well) at some stage?

Probably not for H@H, at least not before HTTP/2 is implemented, but possibly for the site itself.

Pony authenticator?

As long as it doesn't make sad pandas even more deadly, it should be ok

Pony authenticator?

Not really usable for a login page since the chance for success by picking randomly is too large.

just got to remember your password i guess

Does nobody use the "Remember Me" option?

I use the remember me option, so i forgot my password it would suck to need a relog now
But security upgrades are always a good news, for me at least.

Big T, keeping us all safe.

Probably what happened to bunbun a couple nights ago... *shrug*

Well at least it's a good news to me.... lol

If one wants to login from an unsafe network he can always go to / and login through there, right? (this does not prevent session hijacking, but prevent password spoofing)

If one wants to login from an unsafe network he can always go to / and login through there, right? (this does not prevent session hijacking, but prevent password spoofing)

That is the only way to log in, the other login forms all direct you there to complete the process.

Is there some easy way to tell your account has been compromised? Just in case.

<-- paranoid

Ops... my mistake, i haven't monitored my EH login with wireshark (or something similar) since it changed last time.

Given that the authentication takes some time the brute force attacks must have been very directed, i.e. they must have known the password (or a likehood of the password) from another source. I cannot find a hash of my password in my cookies so there must be some salt on EH side. I do not believe that whoever got the passwords got some hash to compare against.

BTW Tenb, when you change your password do all your sessions are invalidated? The session time on EH is quite long (i never managed to expire it myself, i always cleaned cookies) therefore someone that managed to get hold of an account may open a session and use it for a long time.

This post has been edited by blue penguin: Feb 22 2015, 00:59

What happened to bunbun a few days ago?

Are the attacks directed (specific account names, rich/high level accounts etc ) or generally random and hitting lotsa accounts including non-existent ones?

What do they do once they get in?

Any educated guesses on the motive behind the mass brute-forcing?
I can think of HV and one other reason, but in both cases it would still be rather excessive

Any educated guesses on the motive behind the mass brute-forcing?

China; they're coming for our hentai money!

Well, as always, keeping same passwords in multiple services or otherwise easy to guess password is very bad idea. Because people tend to do that it is also good idea to sometimes remind them about that.