# Account hacking



## Bakensobek (Apr 1, 2007)

The last couple of days I have seen two people on my Watch list get their accounts hacked -- first it was SpiritRaptor, now Agro. Is this the same bug that was caused by the submission deletion problem?

I much rather have to pester an admin to delete something than have some a$$holes get the satisfaction of causing much damage. And wasn't "some infamous person" supposed to be looking into these security holes due to his constant hacking of the site?


----------



## Dragoneer (Apr 1, 2007)

This is a different issue now than it was before. Trust me when I say we take issues like this seriously. Unfortunately, "hacking" can occur multiple ways and via multiple methods. Exploits, social engineering and more. That, and the leaked password list from 2005 that is still floating around. We've taken steps to ensure we can keep accounts as safe as possible, and will continue to ensure that they're as safe as can be.

It honestly saddens me to see these happen, and I do everything I can to ensure that they stop... but it's not always possible. =/


----------



## m2pt5 (Apr 2, 2007)

Would it be possible to get a list of the names from the leaked password list, so people on it know to go change all their passwords?


----------



## Hanazawa (Apr 2, 2007)

m2pt5 said:

> Would it be possible to get a list of the names from the leaked password list, so people on it know to go change all their passwords?



It's public info. It's been leaked several times. Everyone should change their password from time to time whether their name is on the list or not. People were told for months to change their passwords.

If they still haven't paid attention, bad on them.


----------



## Bakensobek (Apr 2, 2007)

Hanazawa said:

> It's public info. It's been leaked several times. Everyone should change their password from time to time whether their name is on the list or not. People were told for months to change their passwords.



I changed mine not long ago, but then it was a rather short mix of numbers and letters. I changed it yesterday to such a long string I hope it is impervious to any attempts to have a computer guess it.


----------



## Dragoneer (Apr 2, 2007)

My day job is working as an admin for the United States government maintaining Top Secret-level SIPR computers at the Manas Air Force base in Kyrgyzstan. I can tell you everything you need to do in order to secure your account, ensuring your security and privacy, and I can guarantee you that few people would listen. Why do I say that? It's hard to even look around the internet without seeing "cyber security" warnings of some nature. They're so common, and yet most people STILL do not listen.

Which leads us to having some of the problems we have today.

On that note, let me reiterate what I have said before: people should use a password with mixed characters, at least eight in total.

*Bad:* yourword
*Better:* Y0urW0rd!
*Best:* aP@ssw0rdPhr@s3

Any password that is just a simple word, e.g. "dragon", is highly vulnerable and is asking to be hacked, and there is nothing we can do short of forcing and requiring all users to use strong passwords, à la Google.

- Use a strong, moderately complex password. Avoid using words whose spelling can be found in the dictionary. Include at least one number, one symbol, one capital.
- Never give your password out, not even to a mate, a lover, a friend, no matter HOW MUCH YOU TRUST THEM.
- Never ever ever write it down - not on paper, not in a text file on your desktop. ESPECIALLY not on your desktop.

I won't go so far as to say that there isn't a possible security hole in Fur Affinity - I'd have to be stupid to even imagine that. Hell, I'd go so far as to say there's quite a few potential holes. But that doesn't diminish my faith in the site as both a user and an admin. Why? Look around the net. Even the most secure and well-known of sites occasionally have security problems. It's in the media, the news, the papers at least once a week. Nor am I going to water shit down as far as my opinion goes because, frankly, what good would it do?

However, while stating that, let me also state this: the amount of hackings is very small overall and does not lead me to believe there is a mass breaking going on. It may be related to the old password list, coincidence or even a small group of people trying to use the most common passwords to break into accounts. I can't say for sure, but I can say that we are aware of the problem and doing what we can to monitor and ensure user security.

This site means a lot to me, and I want to protect it. I helped up the site from damn near nothing and I've sunk a lot of money and time with the crew here into providing the single best art gallery for the entire fandom. We want to keep it that way.

RANDOM FACT: On FA's leaked password list from 2005, did you know the single most commonly used password for furries was "dragon"? No shit. Using a password so simple as that is almost like *ASKING* for your account to be broken into.


----------



## yak (Apr 2, 2007)

More random facts:

1. For the past month 15 people have changed their passwords to "dragon", 7 to "password".
2. More than 85% of current FA passwords are dictionary-based. Yes, just letters, no digits or even CamelCase.

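The password rules Dragoneer lists above (at least eight characters, a digit, a symbol, a capital letter, no dictionary word) and the kind of "how many are plain dictionary words" count yak reports can both be expressed as a small audit script. The following is an added Python example, not code from this thread or from Fur Affinity; the word list is a constructed stand-in for a real dictionary file, and the `password_findings` / `audit` names are this example's own.

```python
import string

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words); assumption for this example.
DICTIONARY = {"dragon", "password", "yourword", "wolf", "fox", "letmein", "secret"}

MIN_LENGTH = 8                 # "at least eight in total"
SYMBOLS = set(string.punctuation)


def is_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """True when the password is letters only and matches a word-list entry
    case-insensitively (the "just letters" passwords yak counted)."""
    return password.isalpha() and password.lower() in dictionary


def password_findings(password: str, dictionary=DICTIONARY) -> list:
    """Return the list of rules the password fails; an empty list means it passes.

    The rules are the ones from the post: minimum length, at least one digit,
    one symbol and one capital letter, and not a plain dictionary word.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short (< {MIN_LENGTH} characters)")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in SYMBOLS for c in password):
        findings.append("no symbol")
    if not any(c.isupper() for c in password):
        findings.append("no capital letter")
    if is_dictionary_word(password, dictionary):
        findings.append("dictionary word")
    return findings


def audit(passwords, dictionary=DICTIONARY) -> dict:
    """Summarise a batch of candidate passwords the way an admin would report it:
    how many are plain dictionary words and how many fail at least one rule."""
    dictionary_based = sum(1 for p in passwords if is_dictionary_word(p, dictionary))
    failing = sum(1 for p in passwords if password_findings(p, dictionary))
    return {"total": len(passwords),
            "dictionary_based": dictionary_based,
            "failing_policy": failing}


if __name__ == "__main__":
    # The three grades from the post, plus the "dragon" example.
    for pw in ("yourword", "Y0urW0rd!", "aP@ssw0rdPhr@s3", "dragon"):
        print(f"{pw:18} -> {password_findings(pw) or 'OK'}")
    # Constructed sample batch standing in for a set of user-chosen passwords.
    sample = ["dragon", "password", "Y0urW0rd!", "fox", "aP@ssw0rdPhr@s3", "wolf1"]
    print(audit(sample))
```

Run against the post's own examples, "yourword" fails four rules, "dragon" fails all five, and the two "Better"/"Best" strings pass. In a real deployment the check would run at password-change time against a full word list, so the site never has to compare stored hashes against a dictionary after the fact.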

----------



## Blackwing Dragon (Apr 2, 2007)

CamelCase lol.
I've had my password for 11 years straight now, and nobody ever cracked it. The only one that got cracked was my LJ pass, which is the only exception to this universal pass.
11 years, damn. And it's so f*cking simple, too! (Admins, feel free to take a look XD)


----------



## yak (Apr 2, 2007)

It is a well-known fact that l33t passwords are the next best thing out there on the intarwebs.


----------



## Blackwing Dragon (Apr 2, 2007)

Mine's not leet, which is what makes me bawl over laughing. I've seen professional passwords cracked and it made me gasp...
*scritches a coder dude*


----------



## Xyinull (Apr 2, 2007)

Blackwing Dragon said:

> CamelCase lol.
> I've had my password for 11 years straight now, and nobody ever cracked it. The only one that got cracked was my LJ pass, which is the only exception to this universal pass.
> 11 years, damn. And it's so f*cking simple, too! *(Admins, feel free to take a look XD)*


Actually, I hope they can't. The passwords are stored as an MD5 hash I presume? Were they not back in 2005?


----------



## Blackwing Dragon (Apr 2, 2007)

Well I think they can. Say, if someone gets hacked, the idiot doing it might want to change my pass. If a pass change is recorded around the time of an account going stupid, they could set it back automatically, or something...

Anyway, my suggestion is to include your cell phone's PIN # in your pass. Why? Because only technically you know that. The second part can include your name - in numbers. Like, if your name begins with A, you type in 1, etc. - use the phone if you are confused :-D.
That should get you safe.


----------



## cesarin (Apr 2, 2007)

yak said:

> More random facts:
> 
> 1. For the past month 15 people have changed their passwords to "dragon", 7 to "password".
> 2. More than 85% of current FA passwords are dictionary-based. Yes, just letters, no digits or even CamelCase.



That's actually ... SCARY!!! >_<


----------



## Wolf-Bone (Apr 2, 2007)

There was a security hole in the site. It's gone now.


----------



## Pica Delphon (Apr 2, 2007)

Oh, you want to go and find some old tracking software in Archive.org from years back..


----------

