# It's Time for Real Account Security



## Chrontius (May 20, 2016)

I'd like to see FA adopt two-factor authentication.

If you're familiar with Battle.Net authenticator tokens, you know what I mean.  If you use smartcard-and-PIN to log into computers at work, you do too.

If you don't, I use Yubikeys to secure my accounts elsewhere.  Unlike smartcards, Yubikeys work with anything that has a USB port - iOS and Android phones, with an adapter, plus Android devices with NFC.  Also, since it only cares about keyboard drivers, you don't need a special client app, and it works with Linux, Chrome OS, Mac, and not just Windows.  I've set up a PGP smartcard, and it's not anything I'd wish on anyone who's not a six-figure IT guru.  PIV is even worse.

FIDO authentication lets you use far cheaper tokens - some as little as $5 or $6 - but only works with Chrome, at the moment.  Still, as an open standard, other browsers are likely to get support for it in the near future.

I'd like to see FA adopt some military-grade account protection so I don't have to worry about this stuff any more.


----------



## Wither (May 20, 2016)

It was time for real account security a loooong time ago, mate. It shouldn't have been put off until shit hit the fan. That said...


Chrontius said:


> I'd like to see FA adopt some military-grade account protection so I don't have to worry about this stuff any more.


You're taking your fur porn a little too seriously, mate.

Just properly encrypt user data.


----------



## Gem-Wolf (May 20, 2016)

There is no way I'm paying for anything on FA unless I'm buying art! 
This whole suggestion is stupid


----------



## PatrickQuin (May 20, 2016)

Wither said:


> You're taking your fur porn a little too seriously, mate.





Gem-Wolf said:


> There is no way I'm paying for anything on FA unless I'm buying art!


These things tie together. Financial information may not be handled by FA, but arrangements are made often via FA, be it personal contact info or actual accounts.

Finances aside, even as someone who has no porn on his profile (yet) I'm personally rather miffed that the email I registered my FA handle under may be public now. In doing so it ties my personal sensitive matter handle (dealing with the brunt of gender and sex politics, and relating to less privileged people dealing with the brunt of such on a more personal level) with my more publicly facing handle. My mistake for not making a burner email account, possibly, but still.


----------



## Wither (May 20, 2016)

PatrickQuin said:


> These things tie together. Financial information may not be handled by FA, but arrangements are made often via FA, be it personal contact info or actual accounts. Even as someone who has no porn on his profile (yet) I'm personally rather miffed that the email I registered my FA handle under may be public now. In doing so it ties my personal sensitive matter handle (dealing with the brunt of gender and sex politics, and relating to people dealing with such on a more personal level) with my more publicly facing handle. My mistake for not making a burner email account, possibly, but still.


One would not expect a popular website to be coded as badly as it is.


----------



## Gem-Wolf (May 20, 2016)

PatrickQuin said:


> These things tie together. Financial information may not be handled by FA, but arrangements are made often via FA, be it personal contact info or actual accounts. Even as someone who has no porn on his profile (yet) I'm personally rather miffed that the email I registered my FA handle under may be public now. In doing so it ties my personal sensitive matter handle (dealing with the brunt of gender and sex politics, and relating to people dealing with such on a more personal level) with my more publicly facing handle. My mistake for not making a burner email account, possibly, but still.


Doesn't matter! It's not my responsibility to pay for things that the site can't afford themselves. If they can't afford it then they shouldn't offer such services. I have children to feed so I can't afford to pay to use the site, and I still have a right to use it like anyone else does.


----------



## Samandriel Morningstar (May 20, 2016)

Military-grade security to protect animal dongs and fetishists from A-Z.
Nah, no thanks.


----------



## Wither (May 20, 2016)

Gem-Wolf said:


> Doesn't matter! It's not my responsibility to pay for things that the site can't afford themselves. If they can't afford it then they shouldn't offer such services. I have children to feed so I can't afford to pay to use the site, and I still have a right to use it like anyone else does.


Actually, that's not how luxuries work. If they ask for money you can't give, you don't get it. You're not entitled to anything.

That said, it'd be a bad move on their part as they'd lose a lot of traffic and money.


----------



## Dragoneer (May 20, 2016)

I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").


----------



## Gem-Wolf (May 20, 2016)

Dragoneer said:


> I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").


That sounds great Neer, but if we have to start paying for FA I'll have to leave and I don't want that


----------



## Samandriel Morningstar (May 21, 2016)

Gem-Wolf said:


> That sounds great Neer, but if we have to start paying for FA I'll have to leave and I don't want that


Same.


----------



## Dragoneer (May 21, 2016)

Gem-Wolf said:


> That sounds great Neer, but if we have to start paying for FA I'll have to leave and I don't want that


There are no plans to charge people. I'd rather rebuild trust and sell FA merch and items that people can wear to make money than slap a subscription on a site like ours.


----------



## Wither (May 21, 2016)

This is a good step.


----------



## Gem-Wolf (May 21, 2016)

Dragoneer said:


> There are no plans to charge people. I'd rather rebuild trust and sell FA merch and items that people can wear to make money than slap a subscription on a site like ours.


This is what I love about you. For all the shit people spill about you, you still have our best interests at heart!


----------



## Moderator-Gazelle (May 21, 2016)

2FA is always a great idea, and the Google Authenticator app has become very approachable as a solution over the last year or so.

Regardless these are great suggestions!

Smartcards may be a bit too far though. DoD uses them, but like @Samandriel Morningstar said, I don't need that for my animal dongs~


----------



## Dragoneer (May 21, 2016)

Gem-Wolf said:


> This is what I love about you. For all the shit people spill about you, you still have our best interests at heart!


The situation, frankly, is awful. But we live in a world where attacks like this are common place. Sometimes it's large companies like Target and LinkedIn getting hacked, sometimes it's small guys like us. You can do a lot of things to protect your borders and improve code and security, but unfortunately, if a vulnerability comes along and you can't find it before the bad guys do... it can hurt. And badly.

Unfortunately, people chose to be destructive and hurt the community. They hurt the artists, writers, crafters, suiters, fans, posters... and for what? If people don't like me, don't like the site, that's one thing. Go after us. Don't hurt the people trying to make some extra cash to pay rent, buy food or share their creations.


----------



## Resua (May 21, 2016)

I think people misunderstand 2fa.  Something you are, something you have, something you know.  Those are your 3 factors.  For FA, 2 factor could be as simple as something you know (password) and something you have (send an email when you login, with a code in it to complete the login.)  Yes, they COULD use google authenticator, they could EVEN use google or facebook authentication.  There ARE good reasons to do this (for example, not having to keep people's login information, just a token.) but in the end, it is a tradeoff between ease of use, and security.

@Dragoneer, I much appreciate all the hard work your team puts in.  I'm a big fan of FA, and have hundreds of commissions, supporting the community and artists at large when I can.  I do have a question (and I know there are many; you're a busy man today and this week, unfortunately).  Were the passwords stored as a hash?  If so, did they have a seed (md5, SHA1, SHA256)?  I suspect it wasn't done with bcrypt.  Were they stored using reversible encryption?  Like all good security-minded individuals, I used a long, unique password, but I would like to know so we can put an end to the FUD and fearmongering.


----------



## Dragoneer (May 21, 2016)

Resua said:


> I think people misunderstand 2fa.  Something you are, something you have, something you know.  Those are your 3 factors.  For FA, 2 factor could be as simple as something you know (password) and something you have (send an email when you login, with a code in it to complete the login.)  Yes, they COULD use google authenticator, they could EVEN use google or facebook authentication.  There ARE good reasons to do this (for example, not having to keep people's login information, just a token.) but in the end, it is a tradeoff between ease of use, and security.
> 
> @Dragoneer, I much appreciate all the hard work your team puts in.  I'm a big fan of FA, and have hundreds of commissions, supporting the community and artists at large when I can.  I do have a question (and I know there are many; you're a busy man today and this week, unfortunately).  Were the passwords stored as a hash?  If so, did they have a seed (md5, SHA1, SHA256)?  I suspect it wasn't done with bcrypt.  Were they stored using reversible encryption?  Like all good security-minded individuals, I used a long, unique password, but I would like to know so we can put an end to the FUD and fearmongering.


We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.


----------



## Wither (May 21, 2016)

Dragoneer said:


> We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.


I can appreciate this. 
I realize that the vulnerability had less to do with FA and more to do with ImageMagick. However, when you own up to the parts the FA team could have done to mitigate the damage (and hopefully learn from the mistakes), I can actually respect you more. As long as you don't stay in your own bubble of praise and can see the problems that you need to fix, you could easily earn my respect back, as well as others.


----------



## Resua (May 21, 2016)

Dragoneer said:


> We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.



Being hashed and salted is all I was concerned about!  (I meant salted, not seed, sorry, ESL.)  Thank you for the answer.  That should make any rainbow tables or pre-computed attacks impossible.  So no cheaters doing hash lookups!  Doesn't mean people with wicked cracking rigs (er... hi..) couldn't run oclHashcat if they were bored, but even a psycho rig would need an absurd amount of time to exhaust the keyspace for 9-digit+ passwords with the basic rules of uppercase, lowercase, and punctuation, with good entropy.

As long as people had a sound password, this leak isn't particularly bad.  For weak passwords, well... mandatory resets site-wide with a double check to prevent people from reusing bad or weak passwords (force some rules: 8+, upper and lower case with a number or punctuation at least) would be a good idea.

I feel for you @Dragoneer, keep on soldiering on!  Been there before, and it's certainly brutal.  Good luck to the FA staff!

While ImageMagick/ImageTragick was the source of the leak, there appears to have been a weakness somewhere in the code that was exploited later. While security by obscurity is no good, what happened was basically every last detail of the site was laid bare to people who would abuse it.  This is essentially showing everyone EXACTLY how your lock works, every single detail, and your only safety is how well the lock is designed and trusting your key.  The site wasn't developed in the open, codebase widely deployed, and regularly audited by the community from start to finish, so that's a hell of a battle to fight.  I do not envy FA's or the Team's position.  Having been there, I REALLY feel for 'em!  Good luck guys (and gals).


----------



## Gem-Wolf (May 21, 2016)

Dragoneer said:


> The situation, frankly, is awful. But we live in a world where attacks like this are common place. Sometimes it's large companies like Target and LinkedIn getting hacked, sometimes it's small guys like us. You can do a lot of things to protect your borders and improve code and security, but unfortunately, if a vulnerability comes along and you can't find it before the bad guys do... it can hurt. And badly.
> 
> Unfortunately, people chose to be destructive and hurt the community. They hurt the artists, writers, crafters, suiters, fans, posters... and for what? If people don't like me, don't like the site, that's one thing. Go after us. Don't hurt the people trying to make some extra cash to pay rent, buy food or share their creations.


A-Men to that


----------



## LyrrenClock (May 21, 2016)

Dragoneer said:


> I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").


Actually, I'm all for this. I would love to see FA have the same notification system you can find on SoFurry; it makes keeping track of comments and bids so much easier and safer too! As for buying hardware, I would not want that, but will if I must because it's where I get most of my business. However, why not adopt the idea Battle.net has and make a phone app for the authentication? You don't have to have a physical token for this method to work properly!


----------



## Resua (May 21, 2016)

ShadowFur said:


> Honestly, being in IT and with how FA is now owned by IMVU, the police and FBI should have been notified. If this site keeps getting hacked, it's just a matter of time until a user files a lawsuit against FA and IMVU.



That's not how the internet and the laws around it work.

We can set those aside, and let's take a look at the FBI.  I have worked with the FBI many times, and they have what's called the 'investigation loss amount threshold.'  Basically, a certain amount of money, value, or assets must be lost.  While you can say 'My data is worth X', the FBI has its own standards.  The threshold at many field offices is 100,000 dollars in REALIZED losses.  Some offices are set at 500,000.  I doubt you can prove, to the FBI's standards, that 100k in damage has occurred, let alone 500k.

As for the police, which department do you notify?  If you have literally 0 leads to offer the police, then there isn't much you or they can do.  If there ARE leads, then we, the public at large, should NOT be made privy to them.  Not even their very existence, as that would compromise any investigation.  There may already be law enforcement involved, and if done correctly, we would not be permitted to know.

The basic requirement of a lawsuit is having a 'standing' with which to file.  Unless you are specifically harmed, for an actual amount or other verifiable damage, you could not even articulate a lawsuit, let alone file it.  You have to ACTUALLY be harmed.

Now, stop stirring stuff up and scaremongering for attention.


----------



## Wakboth (May 21, 2016)

Tangential reminder to anyone reading this: Never re-use passwords between sites / services / systems. Get a password manager program that allows you to generate and use unique, random, high-entropy password for every single site and account you use, and never look back.


----------



## Gem-Wolf (May 21, 2016)

Resua said:


> That's not how the internet and the laws around it work.
> 
> We can set those aside, and let's take a look at the FBI.  I have worked with the FBI many times, and they have what's called the 'investigation loss amount threshold.'  Basically, a certain amount of money, value, or assets must be lost.  While you can say 'My data is worth X', the FBI has its own standards.  The threshold at many field offices is 100,000 dollars in REALIZED losses.  Some offices are set at 500,000.  I doubt you can prove, to the FBI's standards, that 100k in damage has occurred, let alone 500k.
> 
> ...


----------



## Chrontius (May 21, 2016)

Wakboth said:


> Tangential reminder to anyone reading this: Never re-use passwords between sites / services / systems. Get a password manager program that allows you to generate and use unique, random, high-entropy password for every single site and account you use, and never look back.



+1 to this!  LastPass has a free tier, and there's FOSS programs that run locally on a PC.

You have no excuse now.  Just stick your encrypted blob in Dropbox (or Spideroak, if you're paranoid) so you have a backup, and boom.


----------



## Nerts (May 21, 2016)

Are those authenticator devices still a thing? I figured most would just use a smartphone app for it now.


----------



## Deleted member 82554 (May 21, 2016)

Mmm, yus, gotta keep that pOrnz under high secruity, mang. 

While I'm not against the idea of having better security protocols in place, you need to know what extremes to go to for a site like FA.

Your idea seems overkill.


----------



## LyrrenClock (May 21, 2016)

Mr. Fox said:


> Mmm, yus, gotta keep that pOrnz under high secruity, mang.
> 
> While I'm not against the idea of having better security protocols in place, you need to know what extremes to go to for a site like FA.
> 
> Your idea seems overkill.


You are right if you think of the site purely as a gallery to view; however, a lot of people on the site are there for business and profit gains, and if we get locked out or compromised it can affect us a great deal more than the average gallery viewer. So I would like to see an authentication process for login as an "optional" choice for those who want or need the extra security on their individual accounts, which I feel most if not all the artists will opt into. I know I would.


----------



## Chrontius (May 21, 2016)

LyrrenClock said:


> You are right if you think of the site purely as a gallery to view; however, a lot of people on the site are there for business and profit gains, and if we get locked out or compromised it can affect us a great deal more than the average gallery viewer. So I would like to see an authentication process for login *as an "optional" choice* for those who want or need the extra security on their individual accounts, which I feel most if not all the artists will opt into. I know I would.



I never said anything about making this _mandatory._  Just like Google allows you to use U2F but doesn't require it…

It's a good model for people who want the extra security because FA pays their rent - or already own the token because they use it for Gmail or Lastpass or whatever…


----------



## Chrontius (May 21, 2016)

Nerts said:


> Are those authenticator devices still a thing? I figured most would just use a smartphone app for it now.


Some people don't have smartphones, for one.  For two, Steam Guard fails more often than it works.  For three, Blizzard Authenticator and Mog Station won't let you back up your secret, so if your phone shits itself or ends up in the toilet, you're locked out for … about two weeks, while you slog through the claims process.  And if that fails, you're locked out forever.

Smartphone apps aren't the end-all be-all.


----------



## kisuka (May 21, 2016)

Dragoneer said:


> we'll be looking into how to implement two-factor authentication.



Here you go:
1) Make sure server time is always synced.
2) When the user enables 2FA, generate a secret with generate_secret().
3) Generate a QR code with generate_qr().
4) Ask the user to scan the code and fill in the code they get.
5) Confirm the code with generate_passcode().
6) If it's correct, store the user's generated secret in the database.
7) When the user logs in, check if 2FA is enabled and "remember me for 30 days" is not set; if so, ask for the code after a successful login attempt. Check the code with generate_passcode() using the stored secret.

I'll leave the work for the 'remember this PC for 30 days' to you guys.

No need to thank me.
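Resua's description of 2FA ("something you know" plus "something you have") and kisuka's seven steps above both describe the same thing: TOTP as implemented by Google Authenticator and similar apps. The following is an added worked example, written for this page and not code from FA or from whatever library kisuka's generate_secret()/generate_qr()/generate_passcode() come from. It implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library, maps each function to one of kisuka's steps, and addresses HTML's rand() concern by drawing the secret from the OS CSPRNG. The QR image itself is not rendered; the block produces the otpauth:// string the QR would encode, which any QR library can draw. The account and issuer names in the demo are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP time step (period) advertised in the provisioning URI
DIGITS = 6          # code length shown to the user


def generate_secret(num_bytes: int = 20) -> str:
    """Step 2: a fresh shared secret from the OS CSPRNG (never rand()).
    Returned as unpadded base32, the encoding authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """Step 3: the otpauth:// URI that gets encoded into the QR code.
    The QR image is just this string rendered; any QR library can draw it."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def _decode_secret(secret: str) -> bytes:
    # Re-add the base32 padding that was stripped for display before decoding.
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return base64.b32decode(padded)


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last DIGITS decimals."""
    mac = hmac.new(_decode_secret(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. This is why
    step 1 (server clock sync) matters: a skewed clock means a skewed counter."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS)


def verify_code(secret: str, submitted: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Steps 5 and 7: accept the code for the current step and `window` steps on
    either side (tolerates small clock drift and slow typing). Each comparison
    is constant-time so the check does not leak how many digits matched."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def confirm_enrollment(pending_secret: str, submitted: str, at: Optional[int] = None) -> Optional[str]:
    """Step 6: hand back the secret to be stored only once the user has proven
    their app holds it; an unconfirmed secret must never be persisted as active."""
    return pending_secret if verify_code(pending_secret, submitted, at=at) else None


if __name__ == "__main__":
    s = generate_secret()
    # "alice" and "Example Site" are constructed values for the demo.
    print("QR payload:", provisioning_uri(s, "alice", "Example Site"))
    code = totp(s)
    print("current code:", code, "verifies:", verify_code(s, code))
```

A server should also record the last counter value it accepted for each user and refuse a repeat, so a code captured in transit cannot be replayed within its window; that bookkeeping depends on the site's session store and is left out here.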


----------



## Gem-Wolf (May 21, 2016)

Scanning a code????


----------



## HTML (May 21, 2016)

kisuka said:


> Here you go:
> 1) Make sure server time is always synced.
> 2) When the user enables 2FA, generate a secret with generate_secret().
> 3) Generate a QR code with generate_qr().
> ...


Maybe I'm wrong, but isn't this just effectively having two passwords, one which is randomly generated? Also isn't using rand() not cryptographically secure?


----------



## Fordoxia (May 21, 2016)

Can't we just, like...  Use a Public/Private Key Pair?


----------



## xTwilightStarx (May 21, 2016)

Some of these ideas just seem a bit far-fetched to me.
While yes, I agree that better security measures should be implemented, I also think that users should take some responsibility to ensure safety of their stuff.
And this isn't exactly a huge website that needs such drastic security, I mean what are hackers gonna do with a bunch of porn?
If you're the type of person who uses different passwords for everything and doesn't put important info all over your FA profile, then you should be fine.
And I think people are looking way too deeply into the hackers' intentions; as far as I see it, they just wanted to mess with the site because they don't like it.


----------



## DravenDonovan (May 21, 2016)

I love when I hear people on DeviantArt saying how FA should be more like DA.  Why?  Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know, nor do they do anything to try and prevent future hacks?  At least FA staff acts like they care :/  Sad part: the same people that are saying this are the same people who complain about DA staff's lack of caring about anything.  Hell, if you google "DeviantArt hack" you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead.  Was... kind of frightening so many sites are allowed to exist.


----------



## CreideikiStormbringer (May 21, 2016)

Chrontius said:


> I'd like to see FA adopt two-factor authentication.


That would be good, though for those of us who already have long (and I mean _long_) passwords, 2FA is being a bit redundant. Also, many people don't really have the ability to use hardware token two-factor authentication.



Chrontius said:


> I'd like to see FA adopt some military-grade account protection so I don't have to worry about this stuff any more.


I don't think that means what you think it means. I do not see FA or the users of the site purchasing KIV-7 circuit crypto units (you said "military grade"; nothing more mil spec than what they're actually _using_); nor do I see the FA staff willing to deal with rekeying the bastards or re-synchronizing a dropped connection.




Dragoneer said:


> I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").


Thank you very much for the hard work you and the rest of the staff do on the site. Though _please_ don't use the words "encryption" and "password" in the same sentence; it makes anyone who has dealt with the un-fun task of password storage and authentication go into full "Oh dear lord no." mode. Highly iterated salted/keyed hashes (English: PBKDF2 with a large number of iterations) or a specific algorithm like scrypt are the preferred methods; salted hashes have become outmoded now, especially with the proliferation of hardware designed for very fast hashing (thanks, cryptocurrencies, we really wanted the ability for people to break hashes in minutes...). Anyway, Computerphile has a good video (from 2013, so it's a bit outdated) on how NOT to store passwords, which many people might find quite informative (hence why I'm linking it).




Fordoxia said:


> Can't we just, like...  Use a Public/Private Key Pair?


Would be nice, but I don't see it being very friendly for users. Plus, who'll generate the keypairs? FA, the user, some third party? If FA generates the keypair, how do you trust the site isn't holding onto a copy of the private key, or how do you make sure the RNG is secure? If the user generates the keypair, how do you make sure the key is really coming from the user? Most furs aren't going to have a signing certificate that can be verified, and those that do have a cert probably have no wish to associate their real information with their FurAffinity login; if you accept self-signed, well, what's stopping RandomHaxx0r1234 from going "Hey yeah, I'm 'Neer; lost my key, here's the new one."? You'd have to authenticate the user with a password _anyway_ to stop stuff like that happening. And if we're letting a third party generate and sign the keypairs... both problems now exist: how does the user trust the third party not to hold onto the private key, and how does the site verify that the generated key really did come from who it claims to be from?

What would be "neat" would be if someone could start a sort of "VeriSign for Furries", i.e. be a trusted third party to create signing certs that users could use to sign their public key. The only problem I really see with that is, since the service would be giving out identity-proving certificates, said service would need to check and verify that the person really is who they say they are.  The certificate itself would not have any of this personally identifiable information; instead it would be the username/alias the person would choose. (Said "VeriSign for Furries" would also need to pay for a cert from VeriSign and/or other trust brokers, so that the chain of trust can be easily verified with a standard browser. Since the user's key is signed with the VSfF cert, check if VSfF acknowledges it; they do. Who signed the VSfF cert? Oh, VeriSign did; is it right? It is, good! KEY ACCEPTED.)

As an aside, the other nice thing about public/private keypairs, and verifiable certificates is that it'll mitigate problems with art theft. Artist signs their original work, and when they see it appear somewhere else: "Yeah that's mine, here's undeniable proof."
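The distinction CreideikiStormbringer draws above (and Resua's point about cracking rigs earlier) is between a single salted hash, which only defeats precomputed tables, and a deliberately slow, iterated construction such as PBKDF2 that makes every guess expensive. The block below is an added example written for this page, not FA's code and not a description of what FA used; it uses Python's standard hashlib.pbkdf2_hmac. The `algo$iterations$salt$hash` record format and the 600,000-iteration default are this example's own choices (tune the work factor to the server's hardware), and the passwords in the demo are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Work factor is an assumption for this example: tune it so one verify costs
# tens to hundreds of milliseconds on the machine that will actually run it.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt + many iterations of HMAC-SHA256 (PBKDF2, RFC 8018).
    The record format 'algo$iterations$salt$hash' is this example's own; storing
    the iteration count lets you raise it later without forcing a reset."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False          # malformed record: never accept
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """Call right after a successful login: if the record was made with a lower
    work factor than today's, re-hash the (now known) password with the current one."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def legacy_salted_sha256(password: str, salt: bytes) -> str:
    """The outmoded scheme, for contrast: one SHA-256 over salt||password.
    The salt defeats rainbow tables, but one round costs an attacker no more
    than it costs the site, so a GPU rig tries billions of guesses per second."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def cost_ratio(password: str = "constructed-sample-pw", iterations: int = ITERATIONS) -> float:
    """How many times more expensive one PBKDF2 verify is than one legacy hash,
    i.e. the slowdown imposed on every single guess an attacker makes."""
    salt = secrets.token_bytes(16)
    loops = 2000
    t0 = time.perf_counter()
    for _ in range(loops):
        legacy_salted_sha256(password, salt)
    legacy = (time.perf_counter() - t0) / loops
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return (time.perf_counter() - t0) / legacy


if __name__ == "__main__":
    record = hash_password("hunter2")            # constructed sample password
    print(record)
    print("correct:", verify_password("hunter2", record))
    print("wrong:  ", verify_password("hunter3", record))
    print("each guess costs %.0fx a plain salted hash" % cost_ratio())
```

The same structure applies to scrypt (also in hashlib) or Argon2 from a third-party package; what matters is that the cost parameter is stored with the record so it can be raised over time, and that comparison is constant-time.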


----------



## Traveller800 (May 21, 2016)

Dragoneer said:


> We'll be posting a FAQ about what we were using when all is said and done. I know they were hashed and salted, but I don't have the specifics off hand.


How bad could this get?  I know from reading news articles on hacks that hackers can decrypt passwords if they try... so how bad could this get?  Should I change my email password too, or watch out for suspicious emails?


----------



## Vrghr (May 21, 2016)

Traveller800 said:


> How bad could this get?  I know from reading news articles on hacks that hackers can decrypt passwords if they try... so how bad could this get?  Should I change my email password too, or watch out for suspicious emails?



1) If you use the same password on other sites that you used on FA before the hack, you should immediately change those other sites' passwords!
2) You should always watch for suspicious emails, even if FA wasn't hacked.  But you should be even more careful now if you get an email from an FA user (Hackers can spoof email senders from the FA list). And you should be cautious of Phishing or other similar emails sent to the email account that was listed in your FA information, as hackers can try to target those users.


----------



## Traveller800 (May 21, 2016)

Vrghr said:


> 1) If you use the same password on other sites that you used on FA before the hack, you should immediately change those other sites' passwords!
> 2) You should always watch for suspicious emails, even if FA wasn't hacked.  But you should be even more careful now if you get an email from an FA user (Hackers can spoof email senders from the FA list). And you should be cautious of Phishing or other similar emails sent to the email account that was listed in your FA information, as hackers can try to target those users.


ok, thanks


----------



## Volvom (May 21, 2016)

DravenDonovan said:


> I love when I hear people on DeviantArt saying how FA should be more like DA.  Why?  Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know, nor do they do anything to try and prevent future hacks?  At least FA staff acts like they care :/  Sad part: the same people that are saying this are the same people who complain about DA staff's lack of caring about anything.  Hell, if you google "DeviantArt hack" you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead.  Was... kind of frightening so many sites are allowed to exist.


Nailed it! I have, err... 5 different hacked accounts on dA, which I couldn't restore because I was such a kid and didn't know how to write even shitty English, so I just always made a new one.
More or less, my account nowadays was also attacked a few times, but I sent mails etc. to the admins and got my account back.
Not to mention, I think that more or less DeviantART's so-called improvements are really going too far.

But back to the thread. I think that better security is always welcome; I just don't really wanna pay too much (the ideal thing is free) for keeping all safe, but if it's not too highly priced or there are other ways to make security better, that should be enough for us.


----------



## mcdoga (May 21, 2016)

I like the idea
What I don't like is paying for services that were free in the past.


----------



## zilchfox (May 21, 2016)

Dragoneer said:


> I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").


I believe Google Authenticator is free. It doesn't use SMS per se, but anyone can just download the Google Authenticator app on the smart phone and enter a code to login. It'd be a nice opt-in feature I'm sure.


----------



## HTML (May 21, 2016)

DravenDonovan said:


> I love when I hear people on DeviantArt saying how FA should be more like DA.  Why?  Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know, nor do they do anything to try and prevent future hacks?  At least FA staff acts like they care :/  Sad part: the same people that are saying this are the same people who complain about DA staff's lack of caring about anything.  Hell, if you google "DeviantArt hack" you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead.  Was... kind of frightening so many sites are allowed to exist.


Eh, not so sure about that. There is some history with the administration not acting on information they knew for a while in regards to security exploits. One of the ex-developers, Eevee, demonstrated this back in 2010. He also made a giant write up with a list of known vulnerabilities, some which weren't fixed until years later. However, that is in the past. I have reason to believe they may have changed their priorities. So hopefully security won't be as big of an issue in the future. As for the DA hacking sites, I am a bit skeptical of how reliable those are.


----------



## DravenDonovan (May 21, 2016)

HTML said:


> Eh, not so sure about that. There is some history with the administration not acting on information they knew for a while in regards to security exploits. One of the ex-developers, Eevee, demonstrated this back in 2010. He also made a giant write up with a list of known vulnerabilities, some which weren't fixed until years later. However, that is in the past. I have reason to believe they may have changed their priorities. So hopefully security won't be as big of an issue in the future. As for the DA hacking sites, I am a bit skeptical of how reliable those are.


They probably aren't reliable in the least, but I do know DA gets hacked all the time.  They have the same level of security that FA currently has, so I just don't get where these people who try and say DA's security is better are coming from, is all.  Of course these are the same people who like to complain about pretty much everything xD.
Only difference I've noticed, at least with this case, with DA and FA is at least FA made it public and are trying to fix the issue, even if it means losing members.  
They could have easily kept us in the dark, tried fixing it on the side, let people's accounts be screwed up or lost, and try to play it off as, "we're doing the best we can"


----------



## Saokymo (May 21, 2016)

DravenDonovan said:


> They probably aren't reliable in the least, but I do know DA gets hacked all the time.  They have the same level of security that FA currently has, so I just don't get where these people who try and say DA's security is better are coming from, is all.  Of course these are the same people who like to complain about pretty much everything xD.
> Only difference I've noticed, at least with this case, with DA and FA is at least FA made it public and are trying to fix the issue, even if it means losing members.
> They could have easily kept us in the dark, tried fixing it on the side, let people's accounts be screwed up or lost, and try to play it off as, "we're doing the best we can"


I think the difference here is DA is a lot bigger than FA, and stands to lose a whole lot more in terms of their user base should something like this happen to them. That alone makes it more likely for the DA staff to keep the hacking situations under wraps just to avoid the bad press that comes along with it.
FA, for having a much smaller and more intimate user base, probably did the right thing by making a public announcement letting us all know what was going on.


----------



## KimButt (May 21, 2016)

DravenDonovan said:


> I love when I hear people on DeviantArt saying how FA should be more like DA.  Why?  Because DA staff doesn't let the public know there are hacks happening to people's accounts every day, and the staff are normally the last to know nor do they do anything to try and prevent future hacks?  At least FA staff acts like they care :/  Sad part, same people that are saying this are the same people who complain about DA's Staffs lack of caring about anything.  Hell, if you google DeviantArt hack you have all these websites telling you how to hack a DA account xD All I wanted to know was how many times DA was hacked, and discovered all that instead.  Was..kind of frightening so many sites are allowed to exist..



The DA staff, honestly, could care less about their members unless they get the greens from them.

Honestly, I think FA is a lot better to be around. At least the admins try and protect members.


----------



## Volvom (May 21, 2016)

KimButt said:


> The DA staff, honestly, could care less about their members unless they get the greens from them.
> 
> Honestly, I think FA is a lot better to be around. At least the admins try and protect members.



I agree and there is another difference too; people on FA are mostly nicer than on dA >A>


----------



## KimButt (May 21, 2016)

Volvom said:


> I agree and there is another difference too; people on FA are mostly nicer than on dA >A>


Indeed, from all the whiny babies I've dealt with who rip off other people's species and such, I can sure tell you FA is WAY friendlier.

Amen to that, my friend!


----------



## DravenDonovan (May 21, 2016)

Saokymo said:


> I think the difference here is DA is a lot bigger than FA, and stands to lose a whole lot more in terms of their user base should something like this happen to them. That alone makes it more likely for the DA staff to keep the hacking situations under wraps just to avoid the bad press that comes along with it.
> FA, for having a much smaller and more intimate user base, probably did the right thing by making a public announcement letting us all know what was going on.


Aye, it is bigger.  I don't have anything personal against DA.  I like them both (FA and DA).  Just wanted to see if there was anyone else who agreed with me that DA's security wasn't any better haha.
I think they did do the right thing.  It's inconvenient if you are trying to get commissions or have a commission or two in the works and the artist needs to get ahold of you, but can't.  However, I'm sure we can all afford to have patience :3


----------



## inactive (May 21, 2016)

Gem-Wolf said:


> There is no way I'm paying for anything on FA unless I'm buying art!
> This whole suggestion is stupid





mcdoga said:


> I like the idea
> What i don't like is paying for services that were free in the past



Are y'all reading the same thread I am? I'm not seeing any suggestions to implement a subscription model, or to require the purchase of a physical token, or anything else that would require a user to pay money in order to use the site.


----------



## Wither (May 21, 2016)

tranceguy said:


> Are y'all reading the same thread I am? I'm not seeing any suggestions to implement a subscription model, or to require the purchase of a physical token, or anything else that would require a user to pay money in order to use the site.


They saw a $ sign in the OP.
They also didn't bother using common sense.
One of them didn't even read past the OP to see 'Neer's post.


----------



## DravenDonovan (May 21, 2016)

KimButt said:


> The DA staff, honestly, could care less about their members unless they get the greens from them.
> 
> Honestly, I think FA is a lot better to be around. At least the admins try and protect members.


Aye!  I do have to agree :3


----------



## AsheSkyler (May 21, 2016)

One thing I wish all websites would do would be to go to a forced password change after a certain length of time. Irritates the heck out of me that my bank does it, but it really is a decent security measure.

But my phone is completely off-limits. I do NOT want any text messages with codes or whatever. I get enough creeps and losers calling me without having to worry about the site getting hacked again and all new creeps and losers calling me about credit cards and other useless scams.


----------



## Chrontius (May 22, 2016)

tranceguy said:


> Are y'all reading the same thread I am? I'm not seeing any suggestions to implement a subscription model, or to require the purchase of a physical token, or anything else that would require a user to pay money in order to use the site.


_I never said anything even _*tangentially*_ related to subscriptions._  As for the $ part, I suggested the use of cheap hardware to secure accounts - a one time purchase of six dollars - and a hardware security module for the login servers to process the logins.  The YubiHSM is $500, and the Nitrokey HSM costs 50€ ($56.11, at current exchange rates).  Either one can store the master encryption keys in a way that prevents their being stolen in a breach - the computer provides the cryptographic module the input, and receives the output - by design, keys can be loaded into the HSM, but not retrieved.



Fordoxia said:


> Can't we just, like... Use a Public/Private Key Pair?


That would be the PIV model, and in my experience working with it is a bag of hurt.*  Compared to the ease of enrolling FIDO tokens, I had to use UNIX command line to start setting up the PIV token in my Yubikey Neo.  I still haven't gotten around to flashing my PGP keys into it, since that also requires a lot of command-line use (Okay, mostly because I have only one chance to decide what pithy quote is going to be forevermore associated with my signing keys, and I can't make up my mind!)  If I may quote a vendor of smartcards…





			
PIVkey™ said:


> PIVKey enables you to securely store your digital certificates and associated cryptographic keys. Digital Certificates support PKI applications like logon to Windows, Signing, Encryption as well as remote logon using VPN, RDP or HTTPS.


Fortunately, Chromebooks just gained support for smartcards this week, but Mac users will require third-party software to interface smartcards with their web browser.

*(Windows includes native support for PIV and smartcards, but I was using a Mac.  This may explain the difficulty I had with this attempt.)



CreideikiStormbringer said:


> That would be good, though for those of us who already have long (and I mean _long_) passwords, 2FA is being a bit redundant. Also, many people don't really have the ability to use hardware token two-factor authentication.


If they have a USB port, they can use a hardware token.



CreideikiStormbringer said:


> I don't think that means what you think it means. I do not see FA or the users of the site purchasing KIV-7 circuit crypto units (you said "military grade"; nothing more mil spec than what they're actually _using_); nor do I see the FA staff willing to deal with rekeying the bastards or re-synchronizing a dropped connection.


I was thinking of the common access card - CAC - which is adequate for securing sensitive-but-unclassified data.  Much less of a pain in the dick than using NATO keyfill equipment, though I do like the form factor of those CIK keys.




CreideikiStormbringer said:


> Would be nice, but I don't see it being very friendly for users.


Try the FIDO support built into Google now, and I bet you'll change your mind.  It's really quite easy, now.



CreideikiStormbringer said:


> Plus; who'll generate the keypairs? FA, the user, some third party? If FA generates the keypair how do you trust the site isn't holding onto a copy of the private key, or how do you make sure the RNG is secure? If the user generates the keypair, how do you make sure the key is really coming from the user?


CAcert is an option.  Let'sEncrypt is another.  StartCom issues free certificates trusted by default by Microsoft.  Alternately, keypairs can be generated inside the token if it includes a secure cryptoprocessor (as does the Yubikey Neo and Yubikey 4, as well as many smartcards).  By forcing the user to generate a keypair at registration, you can be sure that the key was made by the person doing the registering, though the requirements for that are probably a bridge too far.  FIDO is much less of a pain in the dick.



CreideikiStormbringer said:


> What would be "neat" would be if someone could start a sort of "VeriSign for Furries"; i.e. being a trusted third party to create signing certs that users could use to sign their public key. Only problem I really see with that is since the service would be giving out identify proving certificates, said service would need to check and verify that the person really is who they say they are.  The certificate itself would not have any of this personally identifiable information, instead it would be the username/alias the person would choose. (Said "VeriSign for Furries" would also need to pay for a cert from VeriSign and/or other trust brokers, that way the chin of trust can be easily verified with a standard browser. Since the user's key is signed with the VSfF cert, check if VSfF acknowledges it, they do; who signed the VSfF cert? Oh VeriSign did, is it right? It is, good! KEY ACCEPTED.)





CreideikiStormbringer said:


> As an aside, the other nice thing about public/private keypairs, and verifiable certificates is that it'll mitigate problems with art theft. Artist signs their original work, and when they see it appear somewhere else: "Yeah that's mine, here's undeniable proof."


… I never thought of that.  That's a great point!  I think I'm going to have to finish making GPG work, if only to test whether I can make that work.


----------



## ZX6R (May 22, 2016)

Chrontius said:


> _I never said anything even _*tangentially*_ related to subscriptions._  As for the $ part, I suggested the use of cheap hardware to secure accounts - a one time purchase of six dollars - and a hardware security module for the login servers to process the logins.  The YubiHSM is $500, and the Nitrokey HSM costs 50€ ($56.11, at current exchange rates).  Either one can store the master encryption keys in a way that prevents their being stolen in a breach - the computer provides the cryptographic module the input, and receives the output - by design, keys can be loaded into the HSM, but not retrieved.
> 
> That would be the PIV model, and in my experience working with it is a bag of hurt.*  Compared to the ease of enrolling FIDO tokens, I had to use UNIX command line to start setting up the PIV token in my Yubikey Neo.  I still haven't gotten around to flashing my PGP keys into it, since that also requires a lot of command-line use (Okay, mostly because I have only one chance to decide what pithy quote is going to be forevermore associated with my signing keys, and I can't make up my mind!)  If I may quote a vendor of smartcards…  Fortunately, Chromebooks just gained support for smartcards this week, but Mac users will require third party software to interface smartcards with your web browser.
> 
> ...


The "VeriSign for furries" approach could be done without actually buying a CA certificate from VeriSign; someone would just have to have it secure enough and prove to all the browsers/OS's that they are serious and can securely generate certificates. It's really easy to run your own CA, anyone can do it, it's just whether or not it's trusted.


----------



## Chrontius (May 22, 2016)

Well, damn - I can't believe I forgot to mention SQRL.  This has the benefit of working with smartphones and PCs, and Steve Gibson built this to beat the pants off anything that came before.


----------



## stormydragon (May 22, 2016)

If they're going to go with two factor authentication, they should use an open standard like TOTP (RFC 6238) so we're not locked in to a particular vendor's hardware.

Another good idea would be to implement something like the Secure Remote Password Protocol (RFC 2945).  This is the second time they've had their password file compromised.  That can't happen again if the server doesn't actually ever have the passwords.


----------



## NoahGryphon (May 22, 2016)

We don't need a fricken annoying 2 factor log in. Many people also don't have a smart phone, so it would make it so some people couldn't use the site.


----------



## brawlingcastform (May 22, 2016)

No. Please, no. I can only afford so much every month, being able to talk to a friend that only uses FurAffinity instead of DeviantArt shouldn't be restricted.


----------



## Catya (May 22, 2016)

Dragoneer said:


> I agree. To start, we are working on stronger encryption for passwords, we are working towards full site-wide SSL and, yes, we'll be looking into how to implement two-factor authentication. Not only that, but I'd like to see the ability to have alerts (e.g. "Your account has been logged into from a Firefox browser with IP XXX.XXX.XXX.XXX").



Tumblr has that system where you can choose to receive emails when someone logs into your account (even if it's just yourself, I get emails whenever I log in), and it's free. You don't need extra hardware for it to work.


----------



## brawlingcastform (May 22, 2016)

Catya said:


> Tumblr has that system where you can choose to receive emails when someone logs into your account (even if it's just yourself, I get emails whenever I log in), and it's free. You don't need extra hardware for it to work.


I'm not sure I want to flood my inbox every time I log in, but I suppose that's the price I should pay to keep buying art.


----------



## Catya (May 22, 2016)

brawlingcastform said:


> I'm not sure I want to flood my inbox every time I log in, but I suppose that's the price I should pay to keep buying art.


You can tag it as Spam and it won't go in your Inbox if that makes you feel better about it.


----------



## inactive (May 22, 2016)

NoahGryphon said:


> We don't need a fricken annoying 2 factor log in. Many people also don't have a smart phone, so it would make it so some people couldn't use the site.





brawlingcastform said:


> No. Please, no. I can only afford so much every month, being able to talk to a friend that only uses FurAffinity instead of DeviantArt shouldn't be restricted.



The OP has clarified their suggestion more than once in this very thread. Y'all need to read past the first post, for real. 



Chrontius said:


> I never said anything about making this _mandatory._  Just like Google allows you to use U2F but doesn't require it…


----------



## Daniel Arken (May 22, 2016)

Ehhh, I'm not a big fan of hardware (like WoW's USB token). I am, however, a fan of sites auditing my IP address, and requiring me to verify via e-mail or text that it's OK for me to log into the site from XYZ new IP address.

That is, if my IP address isn't able to be compromised, which based on the access granted in this last attack, seems like it would have happened.

I also like seeing bot checks. Not that I think any of this really helps in the grand scheme of a hacker attacker who knows what they're doing. It just makes me feel like security was a thought.

I honestly think that the new site just needs to get finished, and for the coding in it to be developed to significantly better standards and levels of security. I think this site (the one we currently use) is going to forever have issues now that the source is out there.


----------



## stormydragon (May 22, 2016)

NoahGryphon said:


> We don't need a fricken annoying 2 factor log in. Many people also don't have a smart phone, so it would make it so some people couldn't use the site.



If they went with an open standard like RFC 6238, there are authentication clients that are both free and which can be run on a desktop instead of a smartphone:

Time-based One-time Password Algorithm - Wikipedia, the free encyclopedia
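
The RFC 6238 suggestion made here (and earlier in the thread) as an added worked example: this is my own code, not FA's and not from any post. It covers HOTP (RFC 4226) with dynamic truncation, TOTP on top of it, a base32 secret of the kind authenticator apps enroll, and a server-side verifier that tolerates one step of clock skew, compares in constant time, and refuses to accept a step it has already consumed, so a code that was intercepted cannot be reused inside its thirty-second window. The `TotpVerifier` name and the +/-1 step window are my choices; the 20-byte test key is the one from the RFC 6238 appendix, used only so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the step length."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits, algo)


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded the way authenticator apps expect to receive it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Reverse of new_secret(); tolerates lowercase, spaces and missing '=' padding."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check for one user's enrolled secret.

    Accepts the current step and `window` steps either side (clock skew), compares in
    constant time, and never accepts a step at or below the last one used, so a code
    observed in transit cannot be replayed while it is still valid.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1   # highest counter already consumed; persist this per user

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                        # replay, or a step older than one already used
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False
```

The secret stays a shared secret, which is exactly the weakness quoted later in the thread: whoever copies the server's copy of it can generate the same codes. That is why the verifier side belongs in the same hardened storage as the password verifiers, and why TOTP is a second factor rather than a replacement for the first.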


----------



## Zoichi (May 22, 2016)

stormydragon said:


> If they went with an open standard like RFC 6238, there are authentication clients that are both free and which can be run on a desktop instead of a smartphone:
> 
> Time-based One-time Password Algorithm - Wikipedia, the free encyclopedia



From that link:

"The use of shared-secrets means that customer tokens can be emulated by anyone who steals those secrets (e.g.: break-ins at the server side stealing customer database info)."


----------



## Necire (May 22, 2016)

Guys, don't worry, I got the best security ever!


----------



## stormydragon (May 22, 2016)

Zoichi said:


> From that link:
> 
> "The use of shared-secrets means that customer tokens can be emulated by anyone who steals those secrets (e.g.: break-ins at the server side stealing customer database info)."



Which is why I also said it should be coupled with use of the Secure Remote Password Protocol, but they ought to be doing that even if they don't go with two factor authentication.

The whole point of two factor authentication is that since there are weaknesses to any authentication method, you choose two with different weaknesses so that a compromise of one does not compromise the other.
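
The Secure Remote Password idea raised earlier in the thread and restated here, as an added worked example; it is my own code, not FA's and not from any post. It implements the SRP-6a variant (the form standardised for TLS in RFC 5054, which adds the multiplier k to the original RFC 2945 protocol) with SHA-256, using the 1024-bit group from RFC 5054. That prime is transcribed here from memory and must be checked against the RFC before reuse; the protocol's algebra holds either way, so the example runs regardless. The `SrpServer` and `SrpClient` names are mine. The point to watch is what the server stores: a salt and a verifier v = g^x, never the password, so a stolen user table gives an attacker nothing to log in with directly and nothing to reverse except by guessing against each verifier one at a time.

```python
import hashlib
import secrets

# Group parameters: 1024-bit prime and generator from RFC 5054 (transcribed from memory;
# verify the constant against the RFC text before reusing it anywhere).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8          # 128 bytes


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding so hashes of group elements are unambiguous."""
    return n.to_bytes(N_LEN, "big")


def H(*parts) -> int:
    """SHA-256 over the concatenation of byte strings and padded integers, as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else pad(p))
    return int.from_bytes(h.digest(), "big")


k = H(N, g)                                # SRP-6a multiplier


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)); only the client ever computes this."""
    inner = hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


class SrpServer:
    def __init__(self):
        self.users = {}      # username -> (salt, verifier); no password or password hash here
        self.sessions = {}

    def register(self, username: str, password: str):
        # In a real deployment the client would compute (salt, v) and send them;
        # the password would never reach the server even at registration.
        salt = secrets.token_bytes(16)
        v = pow(g, private_x(salt, username, password), N)
        self.users[username] = (salt, v)

    def start(self, username: str, A: int):
        if A % N == 0:
            raise ValueError("illegal client value A")   # RFC 5054 safety check
        salt, v = self.users[username]
        b = secrets.randbits(256)
        B = (k * v + pow(g, b, N)) % N
        self.sessions[username] = (A, B, b, v)
        return salt, B

    def finish(self, username: str, M1: bytes):
        """Check the client's proof; return the server's proof M2, or None on failure."""
        A, B, b, v = self.sessions.pop(username)
        u = H(A, B)
        S = pow(A * pow(v, u, N) % N, b, N)           # (A * v^u)^b = g^(b(a + ux))
        K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(A) + pad(B) + K).digest()
        if not secrets.compare_digest(expected, M1):
            return None
        return hashlib.sha256(pad(A) + M1 + K).digest()


class SrpClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)

    def finish(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("illegal server value B")
        x = private_x(salt, self.username, self.password)
        u = H(self.A, B)
        if u == 0:
            raise ValueError("u must not be zero")
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)   # (g^b)^(a + ux)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify_server(self, M2) -> bool:
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return M2 is not None and secrets.compare_digest(expected, M2)


def login(server: SrpServer, username: str, password: str) -> bool:
    """Drive one full exchange: A -> (salt, B) -> M1 -> M2. True only if both sides agree."""
    client = SrpClient(username, password)
    salt, B = server.start(username, client.A)
    M1 = client.finish(salt, B)
    M2 = server.finish(username, M1)
    return client.verify_server(M2)
```

Both sides end up with the same session key K without the password, or anything derived from it alone, crossing the wire; the mutual proofs M1 and M2 are what make a wrong password fail on the server and a fake server fail on the client.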


----------



## wolfbeast (May 23, 2016)

If you are going to add 2FA, then please make it:

- Optional, and please don't push people with repercussions if they don't use it. People like myself use unique, strong passwords for every site that are impossible to brute-force, are stored securely on client machines, and don't need 2FA.
- Real 2FA. Mobile authenticators are invariably 1-factor because smartphones can always do all the things these authenticators rely on for their "second factor" (are you paying attention, Steam?). Any combination of website, SMS, e-mail, mobile app and certificate does not make for 2-factor.
- Browser-agnostic. Don't even consider something that requires "new technology" that may or may not be available in certain browsers (like FIDO).


----------



## HTML (May 23, 2016)

So are they still using a static salt for the password hashes?


----------



## Resua (May 23, 2016)

HTML said:


> So are they still using a static salt for the password hashes?



bcrypt, if used with the standard password hashing functions under PHP, generates a unique salt for each user.
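
The static-salt question and this answer, as an added worked example of my own (not FA's code and not from the thread). Python's standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt so it runs without third-party packages; the salt handling is the same idea that PHP's `password_hash()` applies: a fresh random salt per record, stored inside the self-describing hash string next to the work factor, so that two users with the same password get different hashes and a table precomputed for one salt is useless against every other account. The `pbkdf2_sha256$` record layout and the `needs_rehash` helper are my choices.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; bcrypt expresses the same idea as a cost parameter.
ITERATIONS = 600_000


def hash_with_static_salt(password: str, site_salt: bytes = b"one-salt-for-everyone") -> str:
    """The weak pattern asked about above: one fixed salt shared by every account.
    Identical passwords produce identical hashes, so cracking one hash (or building one
    precomputed table for this salt) unlocks every account that shares it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), site_salt, ITERATIONS)
    return dk.hex()


def hash_password(password: str) -> str:
    """Per-user random salt, stored inside the record (algorithm, cost, salt, digest),
    which is also how password_hash() lays out its output."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the salt and iteration count recorded in `stored`; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """Like password_needs_rehash(): true when the record was made with a weaker setting,
    so the site can upgrade it transparently at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < target_iterations
```

Because the salt and cost travel inside each record, raising the work factor later needs no schema change: verify the old record, and if `needs_rehash` is true, store a new one from the password the user just typed.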


----------



## SaturneKx (Feb 14, 2021)

2fa is just g o o d


----------

