# New administration security measures



## 2ndVenus (Aug 13, 2007)

A set of 3 passwords or more, each one containing 25 or more letters and numbers mixed.

Then even still, proper administration should not be made accessible until they verify and match a specific MAC address of your network card hardware (multiple MAC addresses set for different admins and site coders), thus allowing you to change your MAC address to the appropriate one to then grant access as a very unique and stronger way of tightening your hacking guard, since not everyone is advanced enough to know what a MAC address is and how to change it.

Just a suggestion; a tighter lock and locks in more quantities is annoying to get through yourself, but you'll know what I mean when the hackers again say "I told you so".

Think about it, see you back in FA! xxx

In short (especially for your wireless connections in the place?) I strongly suggest: *MAC address matching.*
~Snake xXx


----------



## Silver R. Wolfe (Aug 13, 2007)

2ndVenus said:

> A set of 3 passwords or more, each one containing 25 or more letters and numbers mixed.
> 
> Then even still, proper administration should not be made accessible until they verify and match a specific MAC address of your network card hardware (multiple MAC addresses set for different admins and site coders), thus allowing you to change your MAC address to the appropriate one to then grant access as a very unique and stronger way of tightening your hacking guard, since not everyone is advanced enough to know what a MAC address is and how to change it.
> 
> ...



I don't know if I could remember 75 mixed characters.


----------



## TheGru (Aug 13, 2007)

Silver R. Wolfe said:

> I don't know if I could remember 75 mixed characters.



Yeah, that is a little much; my current password is 10 mixed characters.

My advice: key each one to an easily remembered (and personal) phrase.


----------



## CaptainSaicin (Aug 13, 2007)

Oui... weakest link, people, weakest link. Unless you're technologically inept when it comes to security, the password is not it.

Unless a password can be brute forced easily (and just ten characters is enough to stop that), people just find another way around.

There are a lot of ways around... from scripts to social engineering, and anything else between.


----------



## Janglur (Aug 13, 2007)

Or, better yet, don't use a fucking stupid password.

iamtheverymodelofamodernmajorgeneral can be force cracked in under 40 minutes.
supergoober can be in under 14 seconds.


Make GOOD passwords.  UPPERANDlowercaseandNumb3r2.  And $ymbols if possible.


Common Sense Computing.


----------



## Janglur (Aug 13, 2007)

CaptainSaicin said:

> Oui... weakest link, people, weakest link. Unless you're technologically inept when it comes to security, the password is not it.
> 
> Unless a password can be brute forced easily (and just ten characters is enough to stop that), people just find another way around.
> 
> There are a lot of ways around... from scripts to social engineering, and anything else between.




BTW, password WAS it.  Preyfar's PW got hacked.  He was on an unsecured wifi network.  He said this himself.
We've yet to hear whether his PC was password-free infiltrated, force cracked, passguessed, or phyjacked, however.


----------



## SDWolf (Aug 13, 2007)

Janglur said:

> BTW, password WAS it. Preyfar's PW got hacked. He was on an unsecured wifi network. He said this himself.
> We've yet to hear whether his PC was password-free infiltrated, force cracked, passguessed, or phyjacked, however.



Actually, we _do_ know how his password was obtained.  He was using a public, unencrypted, non-secure wireless connection, which means his password was transmitted for all to see with no protection whatsoever.  His password could have been 4096 random unicode characters, and it still would have been cracked.  It may as well have been written on a wall somewhere.

As I said in the other thread, let's file this incident under "Why Not to Use Unencrypted Wireless Connections for Admin Purposes." That's basically broadcasting your password for all to see, and that is what happened here.  Oops!

At a minimum, strong passwords should be at least 8 characters long, with a mix of upper and lower case letters, numbers, and punctuation (15 characters if you're dealing with Windows so the password isn't stored using LM).  But, _the strongest password in the world is worthless if it's not protected in transit!_

Also, I still think FA should consider using some flavor of HTTPS (SSL3 or TLS) for secure logins.

Take care.


----------



## yak (Aug 13, 2007)

*nods*
We will be getting an SSL certificate soon, so any form of authentication could, and will be encrypted.


----------



## uncia (Aug 13, 2007)

SDWolf said:

> Also, I still think FA should consider using some flavor of HTTPS (SSL3 or TLS) for secure logins.


*nods over to SD*. Thanks, again. 

Has been in the pipeline for some time but is still neither a catch-all (lack of common FA gateway doesn't help, I suspect) nor the only one (per Nathaniel's challenge/response code post on LJ, for example).
Will leave all that to the tech gurus, though. ^^

Cheers,
David.


----------



## uncia (Aug 13, 2007)

Silver R. Wolfe said:

> I don't know if I could remember 75 mixed characters.



Make that a new test for prospective admins, in that case? 

*g* sry, Silver... But, joking aside, TheGru's ten characters mixed is a pretty decent standard to aim for, IMHO.


----------



## Arshes Nei (Aug 13, 2007)

Yeah, this isn't really an FA problem, but rather a problem with Wi-Fi networks. I think if Preyfar weren't in a hotel at a furry con about this site, most people wouldn't have cared about FA's data. They'd go after better stuff, like if he logged into PayPal or his bank account.


----------



## creaturecorp (Aug 13, 2007)

Admins should use ssl.


----------



## cesarin (Aug 13, 2007)

TheGru said:

> Silver R. Wolfe said:
> 
> ...




sorry dude, but that's a very dumb suggestion..
they will be easily broken with dictionary-based attacks..
or if the hacker knows the user's behavior (like personal tastes.. ideas.. etc..)

in other terms.. who the hell went to FA:U just to hack FA?
I still say it smells like arcturus and his "I hacked FA"'s t-shirt XD


----------



## Damaratus (Aug 13, 2007)

creaturecorp said:

> Admins should use ssl.



Is being integrated as we speak.


----------



## Ron Overdrive (Aug 13, 2007)

Honestly I agree passwords should be a mixed set of numbers, letters, and special characters for the best security. If you can't remember something like that use what I use: KeePass (well I use KeePassX which is the *nix version that works for Mac OSX & linux/bsd). My passwords are 20 characters long for the FA site & forums and look something like this: 

pdA6z!6kNr$nL@mjK2^

And no, that is not a password I'm currently using. But the nice thing about KeePass is no one can copy your password by looking over your shoulder, because the password is *'d out on the screen and uses Copy & Paste as the way to enter your password. Both Cray and I use this program and we love it. The database the passwords are stored in is also encrypted using both the Twofish and AES algorithms for added security, so you'll only need one master password to access the database (recommended to also use a key file as well for added security).


----------



## timoran (Aug 14, 2007)

Arshes Nei said:

> Yeah, this isn't really an FA problem, but rather a problem with Wi-Fi networks. I think if Preyfar weren't in a hotel at a furry con about this site, most people wouldn't have cared about FA's data. They'd go after better stuff, like if he logged into PayPal or his bank account.



This would not have happened on PayPal or a bank, because those connections use SSL.

I think everyone on an unsecured wireless network ought to have the option of using an SSL login form for FA. Also, anytime someone does anything "risky" (delete pictures, delete account, change password/email, admin functions) there should be a force logon so stale sessions aren't used. We've been saying this for years...


----------



## Dragoneer (Aug 14, 2007)

Arshes Nei said:

> Yeah, this isn't really an FA problem, but rather a problem with Wi-Fi networks. I think if Preyfar weren't in a hotel at a furry con about this site, most people wouldn't have cared about FA's data. They'd go after better stuff, like if he logged into PayPal or his bank account.


Well, this problem affects a LOT more furry sites than just FA -- other art communities have the same exact loophole that we do, too. But because we're the biggest (and best! HA) we are naturally a big target.


----------



## net-cat (Aug 14, 2007)

Out of curiosity, are the passwords in FA's database salted? That basically kills off any dictionary attack.

(Although it wouldn't have solved this latest issue.)


----------



## yak (Aug 14, 2007)

Yes. And no, it doesn't; it just prevents the passwords from being decrypted from their md5 form.


----------



## net-cat (Aug 14, 2007)

Yeah, that's what I meant.

It keeps people from being able to use a reverse lookup database for brain-dead passwords. It's still vulnerable to brute force, though.
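The distinction net-cat draws above, shown as an added example (not code from FA or anyone in this thread): two users with the same weak password get identical unsalted md5 digests, which a precomputed reverse-lookup table resolves instantly, while per-user salts make the digests differ and the table misses. The salt-prepended md5 construction and the tiny lookup table are constructed for the demonstration; the thread only says the stored hashes are salted md5.

```python
import hashlib
import secrets

def unsalted_md5(password):
    """Plain md5 of the password: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_md5(password, salt):
    """Salt prepended to the password before hashing (assumed construction; the
    thread says only 'salted md5'). A slow KDF would be the modern choice."""
    return hashlib.md5(salt.encode() + password.encode()).hexdigest()

def new_salt():
    """Fresh random per-user salt."""
    return secrets.token_hex(8)

# Constructed stand-in for a precomputed reverse-lookup table of common passwords.
LOOKUP_TABLE = {unsalted_md5(p): p for p in ["password", "123456", "letmein", "supergoober"]}

def reverse_lookup(digest):
    """Return the password behind a digest if the table has it, else None."""
    return LOOKUP_TABLE.get(digest)

def demo(password="supergoober"):
    """Compare unsalted vs salted storage for two users sharing one weak password."""
    alice_salt, bob_salt = new_salt(), new_salt()
    unsalted = (unsalted_md5(password), unsalted_md5(password))
    salted = (salted_md5(password, alice_salt), salted_md5(password, bob_salt))
    return {
        "unsalted_collide": unsalted[0] == unsalted[1],   # identical digests leak shared passwords
        "unsalted_lookup": reverse_lookup(unsalted[0]),   # table resolves it directly
        "salted_collide": salted[0] == salted[1],         # different salts, different digests
        "salted_lookup": reverse_lookup(salted[0]),       # table has nothing for a salted digest
    }
```

Salting only removes the precomputation shortcut; a leaked salted digest of a weak password still falls to guessing, which is why net-cat's "still vulnerable to brute force" holds.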


----------



## Stratelier (Aug 16, 2007)

In theory, the simplest way to deal with a brute-force attack is to take the "brute" out of it, i.e. have some kind of flood control on logins.  Say three strikes, and temporarily suspend any further logins from the given IP (or bearing the given username).  Time is any hacker's enemy; with a login limit of 3 strikes and a 60-second timeout, even a random number between 01 and 99 would require (statistically) about 15 minutes to crack.

Bearing in mind, of course, that brute force is a relatively less-effective hacking strategy to begin with, nor was it behind the latest FA outage.
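Stratelier's flood control, as an added example (not code from FA or from anyone in the thread): a per-key throttle that suspends an IP or username for 60 seconds after three failed logins, plus the expected-time arithmetic for guessing a random two-digit value under that policy. The injectable clock and the keying choices are assumptions made for the demonstration.

```python
import math
from collections import defaultdict

STRIKES = 3           # failed attempts allowed before suspension
TIMEOUT_SECONDS = 60  # how long a suspended key is refused

class LoginThrottle:
    """Per-key (source IP or username) login flood control."""

    def __init__(self, clock):
        self.clock = clock                 # callable returning current time in seconds
        self.failures = defaultdict(int)   # key -> consecutive failures since last reset
        self.suspended_until = {}          # key -> time at which the suspension ends

    def is_suspended(self, key):
        until = self.suspended_until.get(key)
        return until is not None and self.clock() < until

    def attempt(self, key, password_ok):
        """Return True if the login is accepted; False if refused because the
        password is wrong or the key is currently suspended."""
        if self.is_suspended(key):
            return False                   # refused before the password is even checked
        if password_ok:
            self.failures.pop(key, None)
            self.suspended_until.pop(key, None)
            return True
        self.failures[key] += 1
        if self.failures[key] >= STRIKES:
            self.suspended_until[key] = self.clock() + TIMEOUT_SECONDS
            self.failures[key] = 0
        return False

def expected_crack_seconds(space, strikes=STRIKES, timeout=TIMEOUT_SECONDS):
    """Expected wall-clock time to guess a uniformly random secret drawn from
    `space` values, counting only the timeouts: on average (space + 1) / 2 guesses
    are needed, and every `strikes` guesses cost one timeout."""
    expected_guesses = (space + 1) / 2
    lockouts = math.floor((expected_guesses - 1) / strikes)
    return lockouts * timeout
```

For the post's 01..99 case the function gives 16 minutes of timeouts, matching the "about 15 minutes" estimate once the attempts themselves are ignored.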


----------



## Ron Overdrive (Aug 17, 2007)

Stratadrake said:

> In theory, the simplest way to deal with a brute-force attack is to take the "brute" out of it, i.e. have some kind of flood control on logins.  Say three strikes, and temporarily suspend any further logins from the given IP (or bearing the given username).  Time is any hacker's enemy; with a login limit of 3 strikes and a 60-second timeout, even a random number between 01 and 99 would require (statistically) about 15 minutes to crack.
> 
> Bearing in mind, of course, that brute force is a relatively less-effective hacking strategy to begin with, nor was it behind the latest FA outage.



Actually I believe Net-Cat was referring to brute forcing the password file. If one downloads the password file they can run a dictionary attack against the file on their own machine.

Honestly though, some form of encryption should be used for the logins. The staff has already started to get their SSL certificate for their SSL daemon, so that's a start. Personally I would have set up a temporary SSH tunnel for the admins, at least for logging in over insecure connections, till the SSL is in place. If not, they should at least try using a secure proxy service in their web browsers.


----------



## Janglur (Aug 17, 2007)

I believe admin should have to use a 1024-bit synchronous block code cypher filter encrypted password with 25ms index frame, a voice recognition password login, and a traditional 16-digit MiXeD CaSe w1th Num83r2.

And only be allowed to access the server during three one-hour intervals throughout the day.



These are all entirely reasonable security requests.


----------



## AerusalePhoxJr (Aug 17, 2007)

only a genius admin would do that...


----------



## Stratelier (Aug 17, 2007)

Janglur said:

> I believe admin should have to use a 1024-bit synchronous block code cypher filter encrypted password with 25ms index frame, a voice recognition password login, and a traditional 16-digit MiXeD CaSe w1th Num83r2.
> 
> And only be allowed to access the server during three one-hour intervals throughout the day.
> 
> These are all entirely reasonable security requests.



Er, yeah, whatever you say.  And then we'll all wonder why there's never an admin around when you need one....


----------



## Bokracroc (Aug 18, 2007)

Janglur said:

> I believe admin should have to use a 1024-bit synchronous block code cypher filter encrypted password with 25ms index frame, a voice recognition password login, and a traditional 16-digit MiXeD CaSe w1th Num83r2.
> 
> And only be allowed to access the server during three one-hour intervals throughout the day.
> 
> ...


This ain't Uplink, buddy. Who the hell would go to so much effort when FA could be hacked/crashed in other, easier ways?


----------



## Stratelier (Aug 18, 2007)

Like exploiting an unencrypted Wi-fi connection?


----------



## Bokracroc (Aug 18, 2007)

Yeah, pretty much.


----------



## Janglur (Aug 18, 2007)

FA Users fail at sarcasm!


Everyone, point and nelson-laugh.

*points*  Ha-ha!


----------



## Bokracroc (Aug 18, 2007)

FA User fails to notice gaming reference.
http://www.introversion.co.uk/uplink/


----------



## Janglur (Aug 18, 2007)

I know what Uplink is.

I'm amazed you missed the original reference AND took my post seriously.

Now try to pick an e-fight.


FAIL_FAIL_*FAAIIILLL!*


----------

