Login security changes, You shall not pass
Feb 21 2015, 13:52
Tenboro
Due to a large increase in the number of brute-force login attempts against member accounts, there have been some hardening changes made to the login mechanism to thwart this. For most of you this will never come into play, but if you fail multiple login attempts or connect from what the site considers a suspect IP, you will now also have to solve a captcha for every login attempt. Hosts that fail a large number of attempts may be shut out entirely. Note that if you are using a weak password, one that closely resembles your login username, or one that you've reused on other sites, you may want to change it just to be safe. If you keep getting 7-day bans, your account is likely compromised, and you need to reset your password to restore functionality.
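The escalation Tenboro describes (captcha after repeated failures or from a suspect address, full refusal of a host after many failures), as an added Python example that is not the site's own code. The thresholds, the one-hour window, the suspect network list and the injectable clock are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class LoginGuard:
    """Per-host login throttle (assumed design, not the site's implementation).

    Failures from a host are remembered for `window` seconds. Once a host has
    `captcha_after` recent failures, or sits in a suspect network, every
    attempt must also carry a solved captcha; at `block_after` failures the
    host is refused outright until its failures age out.
    """

    def __init__(self, captcha_after=3, block_after=20, window=3600,
                 suspect_networks=(), clock=time.monotonic):
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.window = window
        self.suspect = [ip_network(n) for n in suspect_networks]
        self.clock = clock                    # injected so tests can fake time
        self._failures = defaultdict(deque)   # ip -> timestamps of failed attempts

    def _recent_failures(self, ip):
        q = self._failures[ip]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:            # drop failures outside the window
            q.popleft()
        return len(q)

    def requirement(self, ip):
        """What the next attempt from `ip` must present: 'password',
        'captcha' (password plus captcha) or 'block' (refused)."""
        n = self._recent_failures(ip)
        if n >= self.block_after:
            return "block"
        addr = ip_address(ip)
        if n >= self.captcha_after or any(addr in net for net in self.suspect):
            return "captcha"
        return "password"

    def attempt(self, ip, password_ok, captcha_ok=None):
        """Apply the policy to one attempt. `password_ok` / `captcha_ok` are the
        verifier results for the submitted credentials. Returns True on login."""
        req = self.requirement(ip)
        if req == "block":
            return False
        if req == "captcha" and not captcha_ok:
            # Checked before the password so a request without a captcha cannot
            # be used as a free password oracle; it also counts as a failure.
            self._failures[ip].append(self.clock())
            return False
        if password_ok:
            return True
        self._failures[ip].append(self.clock())
        return False


if __name__ == "__main__":
    # Constructed demo: a suspect network and a host that keeps guessing wrong.
    guard = LoginGuard(captcha_after=3, block_after=5, window=60,
                       suspect_networks=["203.0.113.0/24"])
    print("suspect host must solve captcha:", guard.requirement("203.0.113.9"))
    for _ in range(3):
        guard.attempt("198.51.100.7", password_ok=False)
    print("after 3 failures:", guard.requirement("198.51.100.7"))
```

Failures are not cleared by a successful login; they only age out, which matches the post's "captcha for every login attempt" once a host has been flagged. The lockout is keyed on the source address, so a single guessed account does not lock its real owner out from elsewhere.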
Feb 21 2015, 14:28
xmagus
Group: Members
Posts: 1,042
Joined: 16-July 12
Hmm, interesting.
Will there be a move towards using SSL/TLS on the various EH-operated sites (which, presumably, might mean enabling SSL on H@H as well) at some stage?
Feb 21 2015, 14:32
Tenboro
QUOTE(xmagus @ Feb 21 2015, 13:28)
Will there be a move towards using SSL/TLS on the various EH-operated sites (which, presumably, might mean enabling SSL on H@H as well) at some stage?
Probably not for H@H, at least not before HTTP/2 is implemented, but possibly for the site itself.
Feb 21 2015, 14:41
EsotericSatire
Group: Catgirl Camarilla
Posts: 9,643
Joined: 31-July 10
Pony authenticator?
Feb 21 2015, 15:25
uareader
Group: Catgirl Camarilla
Posts: 5,245
Joined: 1-September 14
As long as it doesn't make sad pandas even more deadly, it should be ok
Feb 21 2015, 15:55
Tenboro
QUOTE(EsotericSatire @ Feb 21 2015, 13:41)
Pony authenticator?
Not really usable for a login page since the chance for success by picking randomly is too large.
Feb 21 2015, 16:16
derpderp2
Group: Gold Star Club
Posts: 207
Joined: 30-August 12
Just got to remember your password, I guess.
Feb 21 2015, 16:31
tetron
Group: Gold Star Club
Posts: 5,583
Joined: 30-July 14
Does nobody use the "Remember Me" option?
The statement below is true. The statement above is false.
Feb 21 2015, 17:51
kainord
Group: Gold Star Club
Posts: 2,193
Joined: 10-July 10
I use the remember me option, so I forgot my password; it would suck to need a relog now. But security upgrades are always good news, for me at least.
Feb 21 2015, 18:00
Binglo
Group: Global Mods
Posts: 9,671
Joined: 16-December 09
Big T, keeping us all safe.
Treat others like you want to be treated.
Want to suggest a new tag? Read this.
Feb 21 2015, 18:03
Spectre
Group: Global Mods
Posts: 8,354
Joined: 8-February 06
Probably what happened to bunbun a couple nights ago... *shrug*
Feb 21 2015, 18:40
digons
Lurker
Group: Lurkers
Posts: 1
Joined: 25-October 13
Well, at least it's good news to me... lol
Feb 21 2015, 18:55
blue penguin
Group: Global Mods
Posts: 10,027
Joined: 24-March 12
If one wants to log in from an unsafe network he can always go to / and log in through there, right? (This does not prevent session hijacking, but it prevents password spoofing.)
QUOTE(blue penguin @ Jun 21 2021, 17:24) For 10 years of my life I have refused to add if-else blocks in order to support internet explorer idiocy, am not going to start doing it now in order to support google chrome's idiocy. Sorry folks. As harsh as the advice sounds my advice will be: use a browser that follows IETF standards.
Feb 22 2015, 00:25
Tenboro
QUOTE(blue penguin @ Feb 21 2015, 17:55)
If one wants to log in from an unsafe network he can always go to / and log in through there, right? (This does not prevent session hijacking, but it prevents password spoofing.)
That is the only way to log in; the other login forms all direct you there to complete the process.
Feb 22 2015, 00:52
chivoef
Group: Gold Star Club
Posts: 4,061
Joined: 12-January 10
Is there some easy way to tell your account has been compromised? Just in case.
<-- paranoid
Feb 22 2015, 00:55
blue penguin
Group: Global Mods
Posts: 10,027
Joined: 24-March 12
Oops... my mistake, I haven't monitored my EH login with Wireshark (or something similar) since it changed last time.
Given that the authentication takes some time, the brute-force attacks must have been very directed, i.e. they must have known the password (or a likelihood of the password) from another source. I cannot find a hash of my password in my cookies, so there must be some salt on the EH side. I do not believe that whoever got the passwords got some hash to compare against.
BTW Tenb, when you change your password, are all your sessions invalidated? The session time on EH is quite long (I never managed to expire it myself, I always cleaned cookies), therefore someone who managed to get hold of an account may open a session and use it for a long time.
This post has been edited by blue penguin: Feb 22 2015, 00:59
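The two points blue penguin raises, per-user salting of the stored password and whether a password change kills existing sessions, as an added Python example that is not EH's code and says nothing about how EH actually stores passwords or sessions. The design is an assumption: PBKDF2-HMAC-SHA256 with a random 16-byte salt per account, and server-side sessions tagged with a per-account password generation counter, so that bumping the counter on a password change invalidates every session minted under the old password, including a long-lived "Remember Me" one an attacker may be holding.

```python
import hashlib
import hmac
import os
import secrets


class AccountStore:
    """Assumed account/session design for illustration, not the site's.

    Each user gets a random salt and a PBKDF2 hash. Each session records
    the account's password generation at login; change_password() bumps
    that generation, so stale sessions fail on their next use.
    """

    ITERATIONS = 100_000  # assumption; tune to the server's CPU budget

    def __init__(self):
        self._users = {}     # username -> {"salt": bytes, "hash": bytes, "pw_gen": int}
        self._sessions = {}  # token -> (username, pw_gen at login)

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def _verify(self, username, password):
        user = self._users.get(username)
        if user is None:
            # Hash anyway so an unknown name costs as much as a wrong password.
            self._hash(password, b"\x00" * 16)
            return None
        if not hmac.compare_digest(user["hash"], self._hash(password, user["salt"])):
            return None
        return user

    def register(self, username, password):
        salt = os.urandom(16)  # per-user random salt, never derived from the name
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt), "pw_gen": 0}

    def login(self, username, password):
        """Return a fresh session token, or None on bad credentials."""
        user = self._verify(username, password)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)  # opaque; carries no password material
        self._sessions[token] = (username, user["pw_gen"])
        return token

    def session_user(self, token):
        """Username for a live session, or None (dropping the session) when the
        token is unknown or was issued under an earlier password."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, gen = entry
        if gen != self._users[username]["pw_gen"]:
            del self._sessions[token]
            return None
        return username

    def change_password(self, username, old_password, new_password):
        """Re-salt, re-hash and bump pw_gen so every existing session dies.
        Returns True on success; the caller logs in again for a new session."""
        user = self._verify(username, old_password)
        if user is None:
            return False
        salt = os.urandom(16)
        user["salt"] = salt
        user["hash"] = self._hash(new_password, salt)
        user["pw_gen"] += 1
        return True


if __name__ == "__main__":
    # Constructed walk-through: two devices logged in, then a password change.
    store = AccountStore()
    store.register("panda", "correct horse")
    laptop, phone = store.login("panda", "correct horse"), store.login("panda", "correct horse")
    store.change_password("panda", "correct horse", "new pass")
    print("laptop session after change:", store.session_user(laptop))
    print("phone session after change:", store.session_user(phone))
```

Tagging sessions with a generation counter rather than deleting them at change time means the invalidation also covers session records the server never enumerates (caches, replicas, a "Remember Me" cookie presented months later): the stale generation is rejected whenever the token next shows up.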
Feb 22 2015, 02:28
mozilla browser
Group: Gold Star Club
Posts: 2,131
Joined: 22-December 11
What happened to bunbun a few days ago?
Are the attacks directed (specific account names, rich/high level accounts etc ) or generally random and hitting lotsa accounts including non-existent ones?
What do they do once they get in?
Feb 22 2015, 02:31
hzqr
Group: Gold Star Club
Posts: 4,671
Joined: 13-May 09
Any educated guesses on the motive behind the mass brute-forcing? I can think of HV and one other reason, but in both cases it would still be rather excessive
Feb 22 2015, 02:36
Maximum_Joe
Group: Gold Star Club
Posts: 24,074
Joined: 17-April 11
QUOTE(tiap @ Feb 21 2015, 17:31) Any educated guesses on the motive behind the mass brute-forcing?
China; they're coming for our hentai money!
Try to fill your life with good things.
Feb 22 2015, 02:39
Tresik
Newcomer
Group: Recruits
Posts: 14
Joined: 13-March 13
Well, as always, keeping the same password across multiple services, or an otherwise easy-to-guess password, is a very bad idea. Because people tend to do that, it is also a good idea to sometimes remind them about it.