# "Your account has been hijacked/disabled."



## net-cat (Feb 26, 2009)

Let me tell you a little story.

Some years ago, there was a site called "Fur Affinity." It was an obscure site that catered to an obscure subculture.

At some point early in its history, this site went down. As is characteristic of the subculture it serves, this was surrounded by more than its fair share of drama. At some point in the shuffle, the database for the site was leaked and someone ran a dictionary attack against the passwords, compromising 4,823 accounts.

Fast forward to a couple of years later. Yesterday, in fact. This list of passwords is still floating around on the internet. On a whim, I wrote a script to compare our current user database against this list.

Do you know what I found? I found that of the 4,823 accounts on this several year old list, *738 of them were still using the exact same password.*

So, during the downtime, we reset them. All 738 of them.

Now, less than eight hours after coming back online, it appears that 29 of those 738 users have reset their passwords to the *exact same thing.*

This is not acceptable. If your password was reset during the recent outage, it means you were on the list and your password matched. Please do not set your password to what it was.

Because I will gleefully continue to reset it and make insulting, sardonic shouts on your page. It takes me three minutes to run the script with the "--clobber" option. 

Thank you,
Have a nice day.

PS. The message I used was:


> Your account has been hijacked. However, you're lucky that I am such a nice guy and am letting you take your account back. Just use the "Reset Password" feature. And don't use the same password. I will be happy to make an example of you if you do.



*EDIT*

If your account is on this list, you were one of the 738 users whose password matched the list. Changing it back to what it was is a bad idea, especially since we're issuing bans to people who do it multiple times.

*ANOTHER EDIT*

Since I've linked to this from the main site, I'll explain the unofficial procedure for handling this. The first time we find someone resetting their password to what was on the list, we simply corrupt it and force a logout. The second time it happens results in a ban, which will be lifted after you've talked with an admin.

*YET ANOTHER EDIT*

It should be noted that I am no longer actually reading this thread. If you need help recovering your account, please contact me or one of the admins.


----------



## Nylak (Feb 26, 2009)

*Re: "Your account has been hijacked."*

Clever people make me lawl.

Wow.  xD


----------



## Arshes Nei (Feb 26, 2009)

*Re: "Your account has been hijacked."*

Also, please don't use your same old passwords on other gallery sites. There are incidents of users using not only the same password from the list net-cat mentioned, but they're using that very password on other gallery sites.

Guys, just please don't do it.


----------



## DigitalMan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> Please do not set your password to what it was.



Not cool. If this actually affected me, I'd be quite insulted and thoroughly pissed.


----------



## Ainoko (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> Also, please don't use your same old passwords on other gallery sites. There are incidents of users using not only the same password from the list net-cat mentioned, but they're using that very password on other gallery sites.
> 
> Guys, just please don't do it.



I am in the process right now of changing all passwords on accounts that require a password to access them. I have 15 completely different passwords that will be used on all 150+ sites and email accounts.


----------



## net-cat (Feb 26, 2009)

*Re: "Your account has been hijacked."*

If I get permission from the higher-ups, I'm going to edit my original post and add a link to the password list.


----------



## Anuv (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> Also, please don't use your same old passwords on other gallery sites. There are incidents of users using not only the same password from the list net-cat mentioned, but they're using that very password on other gallery sites.
> 
> Guys, just please don't do it.



Why is it surprising that people use the same password for different sites? I don't see why it's a shock or why people are blaming the users for using the same password and stuff when none of this is their fault.


----------



## Arshes Nei (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Anuv said:


> Why is it surprising that people use the same password for different sites? I don't see why it's a shock or why people are blaming the users for using the same password and stuff when none of this is their fault.



Yes, yes it is their fault. Surprising or not, people using the same passwords from a list published *years* ago of dictionary passwords *is their fault*.


----------



## DigitalMan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> Yes, yes it is their fault. Surprising or not, people using the same passwords from a list published *years* ago of dictionary passwords *is their fault*.



It's also something that - barring an administrative accident - will only affect them.

Every single web site needs an "I know what I'm doing (and take full responsibility for the consequences)" option. And Windows does, too. Hell, the whole _world_ needs a dummy-switch. Needlessly complex password requirements (why must my password for a forum be more complex than the one for my bank?), monthly password changes, being logged out of a site after 15 minutes, warning messages that I'm leaving a site, pop-ups asking if I'm really, _absolutely_ sure I want to execute the program I just deliberately double-clicked - I don't need it. I don't want it. I don't appreciate the effort. And if something goes horribly awry, I know exactly who is to blame. And also, for that matter, I probably have triple-redundant failsafes to prevent any damage from occurring (why bother with antivirus if I can do a full reformat and restore in a few hours?)


----------



## AlexInsane (Feb 26, 2009)

*Re: "Your account has been hijacked."*

But thinking up new passwords is too hard.

Seriously.


----------



## Arshes Nei (Feb 26, 2009)

*Re: "Your account has been hijacked."*



DigitalMan said:


> It's also something that - barring an administrative accident - will only affect them.
> 
> Every single web site needs an "I know what I'm doing (and take full responsibility for the consequences)" option. And Windows does, too. Hell, the whole _world_ needs a dummy-switch. Needlessly complex password requirements (why must my password for a forum be more complex than the one for my bank?), monthly password changes, being logged out of a site after 15 minutes, warning messages that I'm leaving a site, pop-ups asking if I'm really, _absolutely_ sure I want to execute the program I just deliberately double-clicked - I don't need it. I don't want it. I don't appreciate the effort. And if something goes horribly awry, I know exactly who is to blame. And also, for that matter, I probably have triple-redundant failsafes to prevent any damage from occurring (why bother with antivirus if I can do a full reformat and restore in a few hours?)



Well yes, I mean if someone wants to use the same password and username on 50 different sites, that's on them. We can't take responsibility if something bad happens. I agree with you on the annoyance of how far sites now need to go to make sure users have secure passwords.

I do like the password strength checker though. That's not necessarily a bad thing.


----------



## Whitenoise (Feb 26, 2009)

*Re: "Your account has been hijacked."*

Or you could just point and laugh at them when their accounts get hacked :V .


----------



## Arshes Nei (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Whitenoise said:


> Or you could just point and laugh at them when their accounts get hacked :V .



We're put in a damned-if-we-do, damned-if-we-don't position. I feel it's the user's responsibility when password hacks happen if they're not following safety precautions. On the other hand, we still have to deal with people crying over their accounts being hacked and help them get it back.

Nor am I totally not understanding, shit happens...there are times one wrong click can get you infested with spyware or other nasty trojans. 

However, net-cat is saying these people are using really old passwords that have been stated for years as unsafe since the last big hack, when the site's passwords were leaked through a JavaScript exploit used during the time FA had customizable pages with CSS. The ones that were cracked were cracked because they were either just all numbers or a dictionary password.

Just because it's not "yiff" ..."donkeyhumper" is still not a safe password.


----------



## LizardKing (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> Just because it's not "yiff" ..."donkeyhumper" is still not a safe password.



Fuck


----------



## Arshes Nei (Feb 26, 2009)

*Re: "Your account has been hijacked."*



LizardKing said:


> Fuck



The above is not a safe password either


----------



## AxlePerri (Feb 26, 2009)

*Re: "Your account has been hijacked."*



net-cat said:

> This is not acceptable. If your password was reset during the recent outage, it means you were on the list and your password matched. Please do not set your password to what it was.



You need a password system that will enforce this automatically. It is the only solution. People will not listen to recommendations, or they will forget, and this will happen many times again.


----------



## jayhusky (Feb 26, 2009)

*Re: "Your account has been hijacked."*

Like the MSN Hotmail sign-up, you should have a little Weak, Okay and Strong bar on the screen and have the user registration rejected if the password doesn't meet a certain level on the bar.


----------



## DigitalMan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



AxlePerri said:


> You need a password system that will enforce this automatically. It is the only solution. People will not listen to recommendations, or they will forget, and this will happen many times again.



Oh, yeah, that's just what the world needs. _More_ automatic enforcement of rules that smart people should be exempt from entirely. We certainly don't have enough of that.


----------



## Leasara (Feb 26, 2009)

*Re: "Your account has been hijacked."*



DigitalMan said:


> ... And also, for that matter, I probably have triple-redundant failsafes to prevent any damage from occurring (why bother with antivirus if I can do a full reformat and restore in a few hours?)



Fdisk, Format, Reinstall
Doo dah, Doo dah
Some folks think it's a fix-all
Oh de doo dah day.


----------



## AxlePerri (Feb 26, 2009)

*Re: "Your account has been hijacked."*



DigitalMan said:


> Oh, yeah, that's just what the world needs. _More_ automatic enforcement of rules that smart people should be exempt from entirely. We certainly don't have enough of that.



Ha ha, I have heard that before 

However, you are saying "smart" people should be exempt from intelligently calculated and enforced security practice, which, if they were "smart", they would already be following, in which case the system would affect them the least?

When it come to computer security, most people are not "smart". It is often irresponsible to consider the average user "smart" to begin with. Even "smart" people do not follow "smart" computer security practices, and that is the reality.


----------



## cesarin (Feb 26, 2009)

*Re: "Your account has been hijacked."*

net-cat, how about if you add a small JavaScript that shows the "strength" of the password, similar to when you create an account in Yahoo Mail or Hotmail?

Also, force the passwords to never be the same one as you had.

*edit*
Never mind, I didn't notice someone else had suggested it before.
But yeah...


Furries, please... stop being completely stupid!
If something happened once, don't let it happen again!


----------



## Kesteh (Feb 26, 2009)

*Re: "Your account has been hijacked."*

GUYS GUYS GUYS.
Shit.
Use this.
https://addons.mozilla.org/en-US/firefox/addon/469

You enter in a master, hit Alt `, then tada. Instantly generated password specific to the master you put in and the website.
Now it's not so hard to dig a password up.


----------



## net-cat (Feb 26, 2009)

*Re: "Your account has been hijacked."*



AxlePerri said:


> You need a password system that will enforce this automatically. It is the only solution. People will not listen to recommendations, or they will forget, and this will happen many times again.


We don't have one of those, nor would it be easy to add one to the current codebase.

But we will be handing out bans for people who don't heed this warning. We seriously don't need that as a vector of attack.



cesarin said:


> net-cat, how about if you add a small JavaScript that shows the "strength" of the password, similar to when you create an account in Yahoo Mail or Hotmail


That shouldn't be too difficult. I'll see what I can dig up.


----------



## Toaster (Feb 26, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> Let me tell you a little story.
> 
> Some years ago, there was a site called "Fur Affinity." It was an obscure site that catered to an obscure subculture.
> 
> ...



People who never change passwords are retarded

CHANGE YOUR ****ING PASSWORD!


----------



## krisCrash (Feb 26, 2009)

*Re: "Your account has been hijacked."*

1: smash fist in keyboard
2: 098u4jl5ls32a
3: ???
4: PROFIT!

but it's nice to have memorable ones of course. But I'm sure writing it on a piece of paper on your desk is relatively safe, unless the people who look at your desk know your FA username. Or try to use something you can remember and butcher up the word, I guess that works.

A password security gauge is also neat.


----------



## DigitalMan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



AxlePerri said:


> However, you are saying "smart" people should be exempt from intelligently calculated and enforced security practice, which, if they were "smart", they would already be following, in which case the system would affect them the least?



There are two kinds of "smart" there. There's the kind that applies time and effort to create really secure passwords, keep them safe, change them regularly, etc. This is what most people should probably do. I fully support this kind of thing, because when people do such things all on their own, people like me are less apt to be restricted as a punishment for their actions.

Then there's people like me. People who will play the odds, knowing first and foremost they're not a primary target (no art to take down, and even more generally, not a cent in the bank to steal) - _but_, with multiple hard-copy backups of all data (one kept in a fireproof safe) and various non-standard methods to make sure that, in the extremely unlikely event of an attack, absolutely _nothing_ is lost, and any damage can be repaired with what amounts to the snap of a finger. And far more importantly, smart enough not to bitch and whine if I do something that screws me over.

There is one forum I recently signed up for that demanded a capital letter and a number. This is retarded. Resetting the passwords on this site was also pretty stupid, though nowhere near the same degree. But didn't anyone stop to think that maybe, just _maybe_, not everyone will die of a freaking heart attack if their (quite possibly no longer in use) account is compromised?

Go on, hack my account. Webster's pocket dictionary is far more than enough to figure out the incredibly simple password. All you'll accomplish is a whole lot of wasted time.


----------



## cutterfl (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> Just because it's not "yiff" ..."donkeyhumper" is still not a safe password.


 

Oh please tell us who had donkeyhumper for a password


----------



## Nequ (Feb 26, 2009)

*Re: "Your account has been hijacked."*



AlexInsane said:


> But thinking up new passwords is too hard.
> 
> Seriously.


I know, right? Most of my non-critical passwords are variations on the same word, and even then it's hard to remember which version I've used where. I save the uniques for stuff like my Amazon and PayPal accounts.


----------



## DigitalMan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Nequ said:


> I know, right? Most of my non-critical passwords are variations on the same word, and even then it's hard to remember which version I've used where. I save the uniques for stuff like my Amazon and PayPal accounts.



Yes, exactly. People should be free to do this as they please - as long as they agree not to complain about it if it gets hacked.

Really, the difference between "smart" and "dumbass" isn't in whether they get hacked, but on who they blame if they do.


----------



## TehSean (Feb 26, 2009)

*Re: "Your account has been hijacked."*

I don't see what is so difficult about writing down a password or three and tucking a small list away in your wallet or purse.


----------



## Whitenoise (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> We're put in a damned if we do and damned if we don't. I feel it's the user's responsibility when password hacks happen if they're not following safety precautions. On the other hand we still have to deal with people crying over their accounts being hacked and help them get it back.
> 
> Nor am I totally not understanding, shit happens...there are times one wrong click can get you infested with spyware or other nasty trojans.



While there are certainly situations where this is totally understandable the idiots mentioned above must be a pain in the ass to be civil with. This is why I could never administrate anything, I'd want to punish them for this kind of stupidity instead of trying to talk them out of it :V .


----------



## Winter Tw Wolf (Feb 26, 2009)

*Re: "Your account has been hijacked."*

I can only assume this is what has been done to my account. How does one go about getting their accounts _back_?


----------



## Carenath (Feb 26, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> Do you know what I found? I found that of the 4,823 accounts on this several year old list, *738 of them were still using the exact same password.*
> 
> So, during the downtime, we reset them. All 738 of them.
> 
> Now, less than eight hours after coming back online, it appears that 29 of those 738 users have reset their passwords to the *exact same thing.*


Oh, that's just made my day. I'm honestly not surprised given most people these days, but still, you just made my day with this post.


----------



## SDWolf (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Winter Tw Wolf said:


> I can only assume this is what has been done to my account. How does one go about getting their accounts _back_?



The answer to your question is in the first post of this thread.  Thank you for reading it.



net-cat said:


> Your account has been hijacked. However, *you're lucky that I am such a nice guy and am letting you take your account back. Just use the "Reset Password" feature. And don't use the same password.* I will be happy to make an example of you if you do.


(Emphasis added)


----------



## Dragoneer (Feb 26, 2009)

*Re: "Your account has been hijacked."*

*Here's the reason people got hacked:*
This stretches back not just to this week, but to the past month, past year, even longer. Users who got on the leaked password list *over three years ago* didn't change their passwords, and because of that, the "hackers" were able to access their e-mail. From within said e-mail, the individuals performed password resets on sites like FA, dA and others.

When the original hacking took place, we alerted all users involved and changed their passwords the moment we found out about it. However, some users chose to _reset their passwords back to what they were before the hacking._ This is bad. Very bad. In addition to account security, we posted notices on the site and made several attempts to alert people. But we can only do so much. One of the problems highlighted in this recent issue is that people have not changed their passwords regularly. Or at all. For years. And because of that, unfortunate things happened and people's accounts were compromised.

Fur Affinity's security has improved dramatically over time; however, basic account security still starts at the user level. While we take every precaution to ensure account safety on FA, basic security still needs to happen with the individual. *Change your passwords regularly.* Do not use the same password that you use for your banks/e-mail that you'd use for sites like FA, MySpace, deviantArt. Your password is like your passport. Safeguard it, update it and keep it safe.

Some of the recent events on FA have resulted from people not taking password security seriously. As has been proven here, it only takes a minute for malicious intent to do irreparable damage.


----------



## Ralesk (Feb 26, 2009)

*Re: "Your account has been hijacked."*

in b4 "we're using plain HTTP and thus the passwords go unprotected on the wire anyway".

don't use stupid passwords, but also please, for the sake of all that is holy, don't use precious ones either.


----------



## Arshes Nei (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Dragoneer said:


> *Here's the reason people got hacked:*
> This stretches back not just to this week, but to the past month, past year, even longer. Users who got on the leaked password list *over three years ago* didn't change their passwords, and because of that, the "hackers" were able to access their e-mail.



If you want to know the date, it was June of 2005 when that password file was leaked.


----------



## DigitalMan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Dragoneer said:


> As has been proven here, it only takes a minute for malicious intent to do irreparable damage.



And whose fault is that? Not yours. And thus, I beg of you, please don't make it your job to fix it.


----------



## Dragoneer (Feb 26, 2009)

*Re: "Your account has been hijacked."*



DigitalMan said:


> And whose fault is that? Not yours. And thus, I beg of you, please don't make it your job to fix it.


I'm not going to sit around and do nothing at all, either.


----------



## WarMocK (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Dragoneer said:


> I'm not going to sit around and do nothing at all, either.


The only thing you can do in this case is to force users to use better passwords, i.e. checking if the PW is already in use by someone else, and testing if it meets the minimum standards (like 8 chars minimum length, mixed letters and numbers). That would probably prevent a site account from being hacked with a brute-force attack, but if someone's mail account is hijacked and the cracker reset the PW, there's little you can do. :-(
Of course you could introduce recovery questions like PayPal, but I guess that would be too much for many users on FA (PEBKAC at its best ... ).


----------



## DigitalMan (Feb 26, 2009)

*Re: "Your account has been hijacked."*

I think you are too kind.

Here's a good analogy: those god damned seat belt laws. Accidents are rare, but they do happen, can't really be prevented too well, and people get hurt. Seat belt laws are made to _force_ people to wear a safety belt. But on the internet, it's a bit different. Some people might just have a dummy in the seat, with nothing of value to lose in an accident. While a few others like myself have some sort of quantum-inertial-damping system that prevents any damage from being done in an accident to begin with. I never said it was a perfect analogy.

This leaves us with two questions. A) Why should people with special circumstances be required to obey the same rules as everyone else, if they don't need it? But more importantly, B) Why are we even _trying_ to protect the stupid people? It's called natural selection! If people want to unbuckle their seat belt and then ram into a telephone pole, I only want them to make sure there's a camera rolling first. Stupidity ought to be punished, it's the only way mankind as a whole will get smarter.

And one more point! ... How'd you make that Achievement banner in your sig? >.>


----------



## AxlePerri (Feb 26, 2009)

*Re: "Your account has been hijacked."*



net-cat said:

> We don't have one of those, nor would it be easy to add one to the current codebase.
> 
> But we will be handing out bans for people who don't heed this warning. We seriously don't need that as a vector of attack.



Ok.

Well, a ban is a decent motivator; it is unfortunate you must do this work manually, but good luck.




DigitalMan said:


> Then there's people like me. People who will play the odds, knowing first and foremost they're not a primary target (no art to take down, and even more generally, not a cent in the bank to steal) - _but_, with multiple hard-copy backups of all data (one kept in a fireproof safe) and various non-standard methods to make sure that, in the extremely unlikely event of an attack, absolutely _nothing_ is lost, and any damage can be repaired with what amounts to the snap of a finger. And far more importantly, smart enough not to bitch and whine if I do something that screws me over.



Yes, everyone would like to choose their own level of security for every account. First, in reality, most users do not know how to evaluate the level they need, or remember the proper routines (not to mention they change). Since all accounts are usually the same priority, not having a lower bound on security puts many less experienced users at risk, to the slight convenience of some <- security is pessimistic; you have to see it the other way around. Your freedom can be hurtful to others. Second, what you suggest is simply not an option if a system administrator wants to keep a general minimum level of security for his user accounts. It becomes a weak link, the absolute strength of the system, and users gravitate toward it, because it is easier. Only the admin knows the full extent of permissions user accounts have in his system; only he can decide the _minimum_ security he needs/wants for his users, for his system internally, and for the system's reputation. If it exists, then it must be enforced.


----------



## Aurali (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> Also, please don't use your same old passwords on other gallery sites. There are incidents of users using not only the same password from the list net-cat mentioned, but they're using that very password on other gallery sites.
> 
> Guys, just please don't do it.



Seriously.. admins of other sites( like myself >.> <.<) can easily look at password lists.


----------



## Winter Tw Wolf (Feb 26, 2009)

*Re: "Your account has been hijacked."*



SDWolf said:


> The answer to your question is in the first post of this thread.  Thank you for reading it.



Thanks for contributing nothing useful to the thread. The reason I can't do that has been expressed in an unrelated thread, and I require another venue of approach.


----------



## Dragoneer (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Eli said:


> Seriously.. admins of other sites( like myself >.> <.<) can easily look at password lists.


FA admins can not see user passwords. Nor should they need to. Ever.

Good security prevents insecurity.


----------



## PriestRevan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> If you want to know the date, it was June of 2005 when that password file was leaked.


 
Haha, thank God I've only been at FA for like... a year.


----------



## Aurali (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Dragoneer said:


> FA admins can not see user passwords. Nor should they need to. Ever.
> 
> Good security prevents insecurity.



Very smart move. Does FA encrypt passwords server side?

However, other sites are not as cautious, I used to help a site where there was an open file called "passwords.txt" that held the password list of users (I was hoping for non malevolent intent)

Of course I head desked after that.


----------



## kamunt (Feb 26, 2009)

*Re: "Your account has been hijacked."*

I'm guilty of using the same password on multiple websites. However, different websites have different restrictions on minimum/maximum characters that passwords can have, what characters, a minimum required amount of numbers or underscores, etc. I have about three base passwords, but through all the different restrictions, I have about 13 different passwords total. And that's only counting websites I can rattle off the top of my head.

Just little modifications can go a long way. Say your password is "starbux". On Facebook, change this to "starbuxfb0" or something like that. For FA, do "starbuxfa". dA could be "starbuxda". Notice how it starts to not even really look like a word or anything comprehensible once you add those characters. I honestly had to double-take after I typed "starbuxfb0" because it looked like something I'd find in a spam e-mail. :? Add abbreviations related to the website or other account you're using to keep everything different. A small way to add exponential layers of security to your passwords.

Just a tip for something I've found works.


----------



## WarMocK (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Dragoneer said:


> FA admins can not see user passwords. Nor should they need to. Ever.
> 
> Good security prevents insecurity.


If they are stored as MD5 / SHA1 hashes you could compare them with the hashes of PWs that are considered insecure. That would do the trick as well since chances that two different PWs have the same hash are almost nil.


----------



## PriestRevan (Feb 26, 2009)

*Re: "Your account has been hijacked."*



kamunt said:


> I'm guilty of using the same password on multiple websites. However, different websites have different restrictions on minimum/maximum characters that passwords can have, what characters, a minimum required amount of numbers or underscores, etc. I have about three base passwords, but through all the different restrictions, I have about 13 different passwords total. And that's only counting websites I can rattle off the top of my head.
> 
> Just little modifications can go a long way. Say your password is "starbux". On Facebook, change this to "starbuxfb0" or something like that. For FA, do "starbuxfa". dA could be "starbuxda". Notice how it starts to not even really look like a word or anything comprehensible once you add those characters. I honestly had to double-take after I typed "starbuxfb0" because it looked like something I'd find in a spam e-mail. :? Add abbreviations related to the website or other account you're using to keep everything different. A small way to add exponential layers of security to your passwords.
> 
> Just a tip for something I've found works.


 

I do something like that. Works pretty well. I admit, some sites (although the hacker would have to figure out which ones) share the same weird password.


----------



## SnowFox (Feb 26, 2009)

*Re: "Your account has been hijacked."*

I'm curious... Aren't passwords stored in encrypted form anyway? How was this password list ever produced in the first place?

EDIT: ok, never mind, it's sort of been asked in the 13 posts I was ninja'd by.


----------



## Aurali (Feb 26, 2009)

*Re: "Your account has been hijacked."*



SnowFox said:


> I'm curious... Aren't passwords stored in encrypted form anyway? How was this password list ever produced in the first place?



Websites evolve. FA used to be *gags* a much less secure site.


----------



## lolcox (Feb 26, 2009)

*Re: "Your account has been hijacked."*

If only more people used passphrases instead of passwords, or at least injected some special characters into them. (caveat: I know it's hard to change from the whole mindset of using a single _word_ for a password/passphrase after so long -- I'm working on that myself.)

I have to change 'passwords' at work every 21-30 days, and it won't let you do something inane like cycle through the same five you always used. Oh, no. Even if you used it 10 months ago, you ain't using it again for another year and two months (average).

I'm thinking that a system that compares against the last X passwords/passphrases, and forbids the user to change to the last X would be a nice change of pace. Just don't release the number of changes needed to get the oldest one bumped off the list, so people actually have to change it to something.

Even if the password has to go from 'doghumper' to 'dog69humper' before they can go back to 'doghumper', it should help a little, at least.


----------



## net-cat (Feb 26, 2009)

*Re: "Your account has been hijacked."*

UPDATE (Added to original post.)

If your account is on this list, you were one of the 738 users whose password matched the list. Changing it back to what it was is a bad idea, especially since we're issuing bans to people who do it multiple times. Passwords have been elided. People whose passwords didn't match were excluded.


----------



## Whitenoise (Feb 26, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> UPDATE (Added to original post.)
> 
> If your account is on this list, you were one of the 738 users whose password matched the list. Changing it back to what it was is a bad idea, especially since *we're issuing bans to people who do it multiple times*. Passwords have been elided. People whose passwords didn't match were excluded.



Jesus fuck people are actually doing that D: ?


----------



## AshleyAshes (Feb 26, 2009)

*Re: "Your account has been hijacked."*

It seems to me that a compromised account is only a threat to FA if someone makes that account an administrator.

Otherwise, the greatest damage is someone's stuff getting deleted and their profile being changed to 'DISREGUARD THAT I SUCK COCKS'.


----------



## Winter Tw Wolf (Feb 26, 2009)

*Re: "Your account has been hijacked."*

Now I'm confused more than anything. My account is inaccessible but not on the list.

Curious.


----------



## Adelio Altomar (Feb 26, 2009)

*Re: "Your account has been hijacked."*



Arshes Nei said:


> If you want to know the date, it was June of 2005 when that password file was leaked.



Wait...
I'm really confused... 
When was FA first started...?
Wasn't it started in December of that same year or am I gettin' my facts wrong...? 

Or was there something I missed...?


----------



## Konda (Feb 27, 2009)

*Re: "Your account has been hijacked."*

I have a question. Some of you mentioned periodically changing your password. But why is that necessary?

Also, just one other thing... does anyone suppose it is a bad idea to store your passwords on the computer?


----------



## net-cat (Feb 27, 2009)

*Re: "Your account has been hijacked."*

UPDATE (Added to the original post)

Since I've linked to this from the main site, I'll explain the unofficial procedure for handling this. The first time we find someone resetting their password to what was on the list, we simply corrupt it and force a logout. The second time it happens results in a ban, which will be lifted after you've talked with an admin.


----------



## yoshi000 (Feb 27, 2009)

*Re: "Your account has been hijacked."*

Ha ha ha ha! Thank god I've only been here for almost a year.


----------



## Caution_Cat (Feb 27, 2009)

*Re: "Your account has been hijacked."*

I had changed my password, but I guess it was found out anyway!
Oh well xD
I'll change it to something more complicated when I get it back


----------



## Brooklyn (Feb 27, 2009)

*Re: "Your account has been hijacked."*

This is exactly why I use a 72^10 cryptographically strong password that uses upper-case, lower-case, numeric and special characters (where available) in it.

Now if server admins were nice enough to encrypt the password file. ¬.¬

For the curious...

72^10: 3,743,906,242,624,487,424 possibilities.

72!: 6.1234458376886086861524070385275e+103

...I should really use one of THOSE... but I doubt systems like 72-character length passwords.


----------



## RedHeron (Feb 27, 2009)

*Re: "Your account has been hijacked."*

Something to think about, a bit of a cliched saying but whatever. 

Think about the exact average intelligence of a person. Then think, half the people in the world have a lower intelligence than that. Then you'll see exactly what the problem is. >.>


----------



## Arcturus (Feb 27, 2009)

So uh.. because someone's setting their password to something you don't like, you're BANNING THEM.

Wow, that is simply great. More "Wonderful Administration" from FA!


----------



## tsawolf (Feb 27, 2009)

Arcturus said:


> So uh.. because someone's setting their password to something you don't like, you're BANNING THEM.
> 
> Wow, that is simply great. More "Wonderful Administration" from FA!


Someone's setting their password to one which IS PUBLICLY KNOWN.

This is a problem, because these same users will come whining to us when their account gets broken into.

Because they gave away their password.

Yes. We are banning them if they refuse to change it to something else.  Is it so much to ask, in this day of the password manager, for a user to add a single letter or number to a password which was made public *years* ago? Or, heaven forbid, actually use a different one?

God, the pain! The suffering!


----------



## Dragoneer (Feb 27, 2009)

Arcturus said:


> So uh.. because someone's setting their password to something you don't like, you're BANNING THEM.
> 
> Wow, that is simply great. More "Wonderful Administration" from FA!


You're actually complaining because we're taking steps to protect users' data, accounts and security. Am I reading this right?


----------



## Arcturus (Feb 27, 2009)

I'm complaining because you're banning a user for refusing to change a password.


----------



## rwpikul (Feb 27, 2009)

lolcox said:


> I have to change 'passwords' at work every 21-30 days, and it won't let you do something inane like cycle through the same five you always used. Oh, no. Even if you used it 10 months ago, you ain't using it again for another year and two months (average).



The irony is that systems running at that level actually end up reducing security, because people use simpler passwords and are far more likely to write them down and leave them somewhere convenient.



Konda said:


> I have a question. Some of you mentioned periodically changing your password. But why is that necessary?



The idea is to assume that it is possible that your password has been compromised and you just don't know it yet, (attacker is being quiet, hasn't gotten around to doing something to you, /etc/shadow has been stolen, etc.).  The probability of this goes up over time, and drops to 0 when you change your password.


----------



## Arcturus (Feb 27, 2009)

tsawolf said:


> Someone's setting their password to one which IS PUBLICALLY KNOWN.
> 
> This is a problem, because these same users will come whining to us when their account gets broken into.
> 
> ...



So you send the user a note saying, "Your password is one which is known, bla bla bla" and if they get hacked and erased, go "I'm sorry, you should've changed it, we can't help get your stuff back."


----------



## Aden (Feb 27, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> UPDATE (Added to original post.)
> 
> If your account is on this list, you were one of the 738 users whose password matched the list.



Of course they're going to go after someone named "YiffyFox". :V



Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.



Don't be a whiny bitch.


----------



## Adelio Altomar (Feb 27, 2009)

*Re: "Your account has been hijacked."*



Aden said:


> Of course they're going to go after someone named "YiffyFox". :V



I think I saw Rilvor's FA as well. X3
Lol


----------



## tsawolf (Feb 27, 2009)

Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.



Actually, we're banning them for changing it back to what it was before. Twice. They get a warning the first time.

There's no reason for us to happily let them create more work for us. We're not exactly asking much.


----------



## wildrider (Feb 27, 2009)

Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.



Refusing to change a password that has been compromised.  Why are you complaining anyways?  It's an open door for people to cause trouble.  It's plainly obvious.


----------



## Verin Asper (Feb 27, 2009)

eh...I use the same password for everything, just spelt differently for each place


----------



## Verin Asper (Feb 27, 2009)

Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.


Then keep the same password, I say... just they don't have any right to whine when their account is hacked into, I say.
It's gonna be these same folks who don't change their pass that will bitch, whine, groan, etc. about how their account was hacked into.

Them banning the person is like them smacking them upside the head saying they are morons for putting back the same password that is on a list for Gaia's Sake.


----------



## TheFabFurry (Feb 27, 2009)

I think a case sensitive pass option would help...


----------



## CaptainSaicin (Feb 27, 2009)

Personally I rarely change my password on sites like FA... and use the same password for the majority of low-level stuff (except for IRC, for the obvious reason that mistakes happen), which I change only occasionally, maybe once every 2 years, or if I get a notice that a site may have leaked personal info. Main reason is I don't care, and if someone goes through the trouble of breaking my password and hijacking my account, it only serves to give me an excuse to abandon it and spend less time online on sites like this.

Anything of significant personal value or 'security value' of course is a different matter, and I use 20-character passwords that I change at least bimonthly... including any personal or financial sites, email things are registered to, or that financial or personal information might pass through.

However I highly approve of mocking people who fail to change their password after they KNOW it's been compromised.


----------



## lzeringue (Feb 27, 2009)

I KNOW ONE OF THESE PEOPLE.
HE WORKS IN THE TECHNOLOGY FIELD.
I WILL BITCH AT HIM MIGHTILY.  >:E


----------



## Pawfan (Feb 27, 2009)

I agree with Net-Cat to a point. Where my thought comes in is... this is the first time that I have been made aware of such a dictionary of passwords. I am sure I'm not the only one naive to this, since I don't spend much time on the internet. I did check the list, and I'm glad my password(s) was not listed. But I will pay closer attention to this and hopefully get a friendly warning to make an adjustment on site usage before getting in real trouble.


----------



## kamperkiller (Feb 27, 2009)

Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.



I love people like you....
now the number 1 password is still 123 and god...

oh more http://blog.taragana.com/index.php/archive/most-common-myspace-passwords-from-20-000-passwords/
http://www.threadwatch.org/node/14095
http://boingboing.net/2009/01/02/top-500-worst-passwo.html
http://blog.jimmyr.com/Most_Common_Passwords_20_2008.php


----------



## Dragoneer (Feb 27, 2009)

TheFabFurry said:


> I think a case sensitive pass option would help...


Passwords already are case sensitive on FA.


----------



## kamperkiller (Feb 27, 2009)

I use passwords like (this isn't one of them but still) 
Dancingwith0utb@5 let's see a cracker take this one...


----------



## krisCrash (Feb 27, 2009)

*Re: "Your account has been hijacked."*



DigitalMan said:


> Yes, exactly. People should be free to do this as they please - as long as they agree not to complain about it if it gets hacked.


I actually had this argument with Livejournal staff once, and to them, my account being compromisable makes my friends' info compromisable, makes LJ compromisable. This is irritating but probably true; in that case you are not only responsible for yourself. And the same can be said for people who have actually built a network on FA.



Eli said:


> Seriously.. admins of other sites( like myself >.> <.<) can easily look at password lists.


Yes, same. Or fairly easily look it up per user.



RedHeron said:


> Think about the exact average intelligence of a person. Then think, half the people in the world have a lower intelligence than that. Then you'll see exactly what the problem is. >.>


Not how a statistical normal distribution works. Luckily, the majority of people should have roughly normal intellect.



Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.


If a site decides that a user must follow rule A and the user does not follow rule A, it should be fine to ban them. Rules are rules; you can't moderate a site where rules aren't always rules.

#100 ;o


----------



## Konda (Feb 27, 2009)

rwpikul said:


> The idea is to assume that it is possible that your password has been compromised and you just don't know it yet, (attacker is being quiet, hasn't gotten around to doing something to you, /etc/shadow has been stolen, etc.).  The probability of this goes up over time, and drops to 0 when you change your password.



I see.. thanks.


----------



## ohtar (Feb 27, 2009)

See, now there is where my password is amazing. It's not a word.
I had an account on a site back in jr high that, when I signed up, gave me a default password consisting of a seemingly random assortment of letters. Instead of setting it to something that wasn't retarded to the nth degree, I spent the next 4 years memorizing the sequence. Now, even if I ramble it off aloud to someone, I usually lose them after the 3rd or 4th character.
XD


----------



## foozzzball (Feb 27, 2009)

Okay. That's scary. I was on the list, but I hadn't been notified anywhere - nor did I get booted off FA.


----------



## Whitenoise (Feb 27, 2009)

Arcturus said:


> So uh.. because someone's setting their password to something you don't like, you're BANNING THEM.
> 
> Wow, that is simply great. More "Wonderful Administration" from FA!





Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.



If you're a troll 6/10, if you're actually that stupid, please never breed :V .


----------



## Mikau (Feb 27, 2009)

Sometimes it helps remembering your old passwords during your high school years when you were in computer class.


----------



## Danza (Feb 27, 2009)

LOL dragonmaws was the same, now there is no surprise xD

OMFGQUICKCHANGEPASSNAO


----------



## Niran (Feb 27, 2009)

ohtar said:


> See, now there is where my password is amazing. It's not a word.
> I had an account on a site back in jr high that, when I signed up, gave me a default password consisting of a seemingly random assortment of letters. Instead of setting it to something that wasn't retarded to the nth degree, I spent the next 4 years memorizing the sequence. Now, even if I ramble it off aloud to someone, I usually lose them after the 3rd or 4th character.
> XD



Oh yeah, I remember those passwords... I really hated typing them in when they gave them to me so I could change my old password when I forgot them...

But you do have a point that your password is stronger than a lot of people's, but (not to make you feel bad or anything, just using that type of passphrase as an example to post a fact for other users to read while they swim through this topic) it is not entirely safe. A password consisting of all random numbers or letters is definitely safe from people outside of the internet, however, which is nice. This is because an exploiter can easily use programs that... well, I'm not good at explaining, but here's a slightly visual representation:

Say the password limit is 6 characters, that gives the exploiter/hacker person a base to start with. Now, an unfortunate user is using a password that consists of all numbers during this time and is the unintentional target of this event.
So the process begins: (it can also begin at 0)
"111111" ... failed attempt
"111112" ... failed attempt
"111113" ... failed attempt
and so forth until the passphrase is found. Don't get me wrong, this is faster than it seems since they're just making the computer count: what they were made to do in the first place. This also works for letters as well, but takes much longer because they have to cycle through 26 different symbols (obviously much longer than the numeric 9 [or 10 with 0]) or more if something is capitalized, effectively increasing the count to 52 different symbols per space.

Programs such as these are most often used in sites that allow an unlimited number of passphrase checks upon logon without a sort of time limit. Websites that enforce a passphrase check limit before incurring logon downtime make the use of said programs slow, and are highly unfavourable compared to other, less secure, sites.

Of course this is still MUCH safer than dictionary passwords people often use. These consist of common words or combinations of words or a word backwards... and requires only a simple tool that contains a dictionary's worth of words in it to check for passwords forwards, backwards, and in combinations. Slight, common alterations to the words (such as capitalizing the beginning letter) can also be easily checked if Mr. Exploiter sees that as a possibility.

Of course, this means no password is permanently safe, which is probably the whole point of this discussion, and dictionary passwords are probably the least safe (even in other languages). I personally recommend adding numbers or letters or corrupting the base word of the passphrase, but try not to make it too obvious (e.g. your birthyear after your password, a single number/letter afterwards, etc.). This will make your password saf-ER for a longer period of time (so you don't have to change it every 5 days. ... Ew.).

Really, like the administrators and good people said, the best way to prevent this from happening is to change your password now and then, which, admittedly, I don't even do (on purpose, anyway. Although my password changes sometimes, especially when I forget my last password...).

#####

Sorry for the long post, but I really wanted to throw this info out. Not to insult anyone, but to inform the uninformed (they're not stupid, they just don't know!) of what they can do to improve their passwords. See? Isn't information nice when no one beats on other people by calling them dumb? This isn't the subject to be doing that: passphrases are a serious matter and the un/misinformed public needs to be dealt with immediately in order to keep our glorious community safe from harm. _GLORIOUS._

Also, please, do not complain about the administrators "banning" people for using the same password. They're not actually being banned, but are being given a sturdier warning than a message telling them that their passphrase is unsafe, after which they can still regain access to their account. Especially don't denounce the admins if you don't have any other particular problems with it than "liberties" and/or that you are already safe or allegedly safe, just for the sake of attacking other people. There is no need to bemoan the administration for doing what they believe is best in this large community, and personally they're doing much better than some of the admins I've seen dealing with the exact same problem.

Last paragraph in short: Please do not argue for the sake of arguing, this is not the time to do so. Instead, be more constructive to the uninformed and show them what to do, instead of grieving upon something they are unwittingly doing. Thank you!

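The attempt-limit idea Niran describes above (a site that stops accepting logins for an account after too many failures in a short window, so guessing one password at a time grinds to a halt), as an added Python example that is not from the original thread or from FA's code. The log format, the thresholds (5 failures in 10 minutes, 15-minute lockout) and the sample lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system).
# Format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2009-02-27T01:00:00 FAIL user=alice ip=198.51.100.7
2009-02-27T01:00:01 FAIL user=alice ip=198.51.100.7
2009-02-27T01:00:02 FAIL user=alice ip=198.51.100.7
2009-02-27T01:00:03 FAIL user=alice ip=198.51.100.7
2009-02-27T01:00:04 FAIL user=alice ip=198.51.100.7
2009-02-27T01:00:05 OK   user=alice ip=198.51.100.7
2009-02-27T01:10:00 FAIL user=bob ip=203.0.113.9
2009-02-27T01:25:00 FAIL user=bob ip=203.0.113.9
2009-02-27T01:40:00 FAIL user=bob ip=203.0.113.9
"""

MAX_FAILURES = 5                  # assumed policy: failures tolerated per window
WINDOW = timedelta(minutes=10)    # assumed sliding window for counting failures
LOCKOUT = timedelta(minutes=15)   # assumed "logon downtime" once the limit is hit


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user_kv, ip_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1])


class LoginThrottle:
    """Sliding-window lockout keyed on the account name.

    Once MAX_FAILURES failures fall inside WINDOW, every attempt for that
    account (even one with the right password) is refused until LOCKOUT
    has elapsed. That refusal is what makes sequential guessing impractical.
    """

    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> datetime the lock expires

    def _prune(self, user, now):
        # Drop failures that have aged out of the window.
        recent = self.failures[user]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()

    def attempt(self, now, user, success):
        """Return 'locked', 'ok', 'fail' or 'lockout' (this attempt tripped the limit)."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"
        self._prune(user, now)
        if success:
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.failures[user].clear()
            return "lockout"
        return "fail"


def replay(log_text):
    """Feed every log line through one throttle; return [(user, outcome), ...]."""
    throttle = LoginThrottle()
    outcomes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, _ip = parse_line(line)
        outcomes.append((user, throttle.attempt(ts, user, result == "OK")))
    return outcomes


if __name__ == "__main__":
    for user, outcome in replay(SAMPLE_LOG):
        print(f"{user:6s} {outcome}")
```

In the sample, alice's fifth rapid failure trips the lockout and her correct password one second later is still refused, while bob's three failures spread over 30 minutes never accumulate inside the 10-minute window.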

----------



## Toaster (Feb 27, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> UPDATE (Added to original post.)
> 
> If your account is on this list, you were one of the 738 users whose password matched the list. Changing it back to what it was is a bad idea, especially since we're issuing bans to people who do it multiple times. Passwords have been elided. People whose passwords didn't match were excluded.



that's a lot of dumb people >.<


----------



## reddragon420 (Feb 27, 2009)

In my opinion, those who don't change hacked/stolen/guessed/etc. passwords are asking to be hacked again and again, or they just plain don't give a shit ... I think this is pretty dumb on their part because they invite more people (hackers/hijackers, whatever the hell ya wanna call 'em) to keep attacking the site that the passwords are used on, or even give them the idea that other stuff may possibly be borkable ... basically what I am trying to say is change the stolen password so not only you (those that this applies to know or will know who they are) but the site itself is more safe from hacking ... I myself am not on this list as far as I can tell, but I do feel bad for those that are; however, there is only one thing they can do and that is change their login info ... those that keep using the old password, I don't feel sorry for you if and when you get banned


----------



## WarMocK (Feb 27, 2009)

reddragon420 said:


> In my opinion, those who don't change hacked/stolen/guessed/etc. passwords are asking to be hacked again and again, or they just plain don't give a shit ...


... but start whining and insult the BAD admins from FA because they didn't protect them. 
Unfortunately, this is a common habit these days. :-(


----------



## ohtar (Feb 27, 2009)

Niran said:


> So the process begins: (it can also begin at 0)
> "111111" ... failed attempt
> "111112" ... failed attempt
> "111113" ... failed attempt



I'd feel bad for someone who takes the long way with mine. 10 characters, all letters, no numbers, allowance for repeating letters... that's what... 26 to the power of 10? (grade 10 math. never passed it. couldn't pass it. hate it.) then multiplying the whole thing by 2 to allow for case sensitivity...
christ that's a LOT of possible combinations.
Hell, I'd give the hacker a freaking trophy.

or at least a cookie. 

I know I'm not perfectly safe. there's no such thing in this day and age. No matter what precautions you take, no matter how careful you are, there are holes in every security procedure once you know where to look.
But be damned if I'm not making things harder for the little fuckers along the way >

Now I'm curious. I'm gonna go exhume my TI83+ from the exile of the second drawer from the bottom and find out how many combinations there are in my password. o.0


----------



## Repiotou (Feb 27, 2009)

Well, I'm not on the list. *Phew* Feeling sorry for the people who are though.


----------



## SerFox (Feb 27, 2009)

You know, I think it's a bit unfair to keep resetting it.

I mean, they obviously don't want the account... Why make the admins go to all this trouble?


----------



## Delphinidae (Feb 27, 2009)

*Re: "Your account has been hijacked."*



DigitalMan said:


> Oh, yeah, that's just what the world needs. _More_ automatic enforcement of rules that smart people should be exempt from entirely. We certainly don't have enough of that.


Smart people don't share your stance.


----------



## BlueCathedral (Feb 27, 2009)

shit o.o I'm on that list.....I'll fix my password when fur affinity is back online. Thanks for the warning.


----------



## Vore Writer (Feb 27, 2009)

Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.



If people are too damn lazy to change their password, then they shouldn't be allowed to use the site.


----------



## YoungHickory (Feb 27, 2009)

> Because I will gleefully continue to reset it and make insulting, sardonic shouts on your page.



You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.

The site admins here should realize that when they're being worthless jerks _on purpose_, complaining when everyone doesn't praise them for it is pretty dang dumb.


----------



## Strawkitty (Feb 27, 2009)

YoungHickory said:


> You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.
> 
> The site admins here should realize that when they're being worthless jerks _on purpose_, complaining when everyone doesn't praise them for it is pretty dang dumb.



Not complying after four times, I think they deserve whatever's coming their way...


----------



## AuroraBorealis (Feb 27, 2009)

YoungHickory said:


> You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.
> 
> The site admins here should realize that when they're being worthless jerks _on purpose_, complaining when everyone doesn't praise them for it is pretty dang dumb.



um, he's helping them all out, if they have a bad password, and the admin tries to help them out and they STILL set their password back to the bad one, they deserve to be yelled at cause they are obviously not getting the message.

I'm sure he's being sarcastic... but come on. people should have the intelligence to listen to people who know what they are talking about the _first_ time. Not after the admin has threatened to ban you


----------



## Aurali (Feb 27, 2009)

Arcturus said:


> So uh.. because someone's setting their password to something you don't like, you're BANNING THEM.
> 
> Wow, that is simply great. More "Wonderful Administration" from FA!



The admins here are just being protective.. they'd rather have the bawwing now than down the road when someone else hacks someone's account..

saves trouble IMO



YoungHickory said:


> You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.
> 
> The site admins here should realize that when they're being worthless jerks _on purpose_, complaining when everyone doesn't praise them for it is pretty dang dumb.


 It's called a joke >.> most of the admins here are pretty good at handling things without being condoning..


----------



## CaptainSaicin (Feb 27, 2009)

*Re: "Your account has been hijacked."*



Eli said:


> Seriously.. admins of other sites( like myself >.> <.<) can easily look at password lists.



I'm sorry, I have to call you out on this one... it SHOULD be FALSE. Any REAL authentication system does NOT store passwords in plaintext on the site... this is what got FA in trouble to begin with. If you're admin, it's your job, so DON'T DO IT. REAL authentication systems salt and hash the passwords with one-way algorithms. The password is stored then as a long string of characters that can't be used to find the original password. When the user inputs their original password, it looks up the salt, re-hashes, and compares one hash to the other. 

The reason this is so important is that access to stored information is NOT limited to administrators. It's available to anyone who can successfully breach the site's security and obtain the file used to store them. It happens all the time; just as it happened to FA, it happens also to banks, etc... anything is vulnerable to hacking, be it by weak admin passwords or social engineering.



ohtar said:


> I'd feel bad for someone who takes the long way with mine. 10 characters, all letters, no numbers, allowance for repeating letters... that's what... 26 to the power of 10? (grade 10 math. never passed it. couldn't pass it. hate it.) then multiplying the whole thing by 2 to allow for case sensitivity...
> christ that's a LOT of possible combinations.
> Hell, I'd give the hacker a freaking trophy.
> 
> ...



10 characters isn't hard to break. Allowing for both cases of letters, and numbers, and top-row symbols, you have a total of 72^10 possible combinations. To a human, that's an insurmountable number, but not to a computer. Restricting it to case sensitive letters you have 52^10, which is even easier to crack. My home PC could bruteforce a 6-character password in under an hour... in a few seconds if it's not case sensitive.

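The salt-and-hash scheme CaptainSaicin describes, together with the leaked-list comparison Dragoneer suggested earlier in the thread, as an added Python example that is not from the original thread or from FA's code. It shows the two checks side by side: an unsalted legacy hash can be matched directly against the hashes of known-leaked passwords (equal inputs give equal hashes), whereas salted records cannot, so a salted system has to reject a leaked password at the moment it is set, while the plaintext is still in hand. The leaked list, the PBKDF2 iteration count and the record format are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a leaked password list; the passwords are the
# illustrative ones quoted in the thread, not a real breach dump.
LEAKED_PASSWORDS = {"starbux", "doghumper", "password1", "123456"}

# Pre-hashed copy for comparing against a legacy store of unsalted SHA1 hashes.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in LEAKED_PASSWORDS}

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the hardware


def unsalted_sha1(password: str) -> str:
    """What a legacy (pre-salt) store would have held for this password."""
    return hashlib.sha1(password.encode()).hexdigest()


def legacy_record_is_compromised(unsalted_sha1_hex: str) -> bool:
    """Dragoneer's check: match a stored unsalted hash against the hashes of
    known-leaked passwords. Works only because the store has no per-user salt."""
    return unsalted_sha1_hex.lower() in LEAKED_SHA1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt is drawn per password, so two users who chose
    the same password end up with different records and a leaked table cannot
    be compared against a precomputed list.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Look up the salt and iteration count in the record, re-derive the hash
    from the supplied password, and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def set_password(user_store: Dict[str, str], username: str, new_password: str) -> bool:
    """Reject a password that appears on the leaked list; otherwise store a
    salted hash. With salted records this is the only point at which the
    comparison can be made, because the plaintext is available here and
    nowhere else."""
    if new_password in LEAKED_PASSWORDS:
        return False
    user_store[username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    store: Dict[str, str] = {}
    print("set 'starbux':", set_password(store, "alice", "starbux"))
    print("set passphrase:", set_password(store, "alice", "correct horse battery staple"))
    print("verify:", verify_password("correct horse battery staple", store["alice"]))
    print("legacy sha1 of 'doghumper' leaked:",
          legacy_record_is_compromised(unsalted_sha1("doghumper")))
```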

----------



## tsawolf (Feb 27, 2009)

*Re: "Your account has been hijacked."*



CaptainSaicin said:


> I'm sorry, I have to call you out on this one... it SHOULD be FALSE. Any REAL authentication system does NOT store passwords in plaintext on the site... this is what got FA in trouble to begin with. If you're admin, it's your job, so DON'T DO IT. REAL authentication systems salt and hash the passwords with one-way algorithms. The password is stored then as a long string of characters that can't be used to find the original password. When the user inputs their original password, it looks up the salt, re-hashes, and compares one hash to the other.
> 
> ...
> 
> 10 characters isn't hard to break. Allowing for both cases of letters, and numbers, and top-row symbols, you have a total of 72^10 possible combinations. To a human, that's an insurmountable number, but not to a computer. Restricting it to case sensitive letters you have 52^10, which is even easier to crack. My home PC could bruteforce a 6-character password in under an hour... in a few seconds if it's not case sensitive.



OK, a few points here.

We do store passwords as hashes. We have since I started working for FA - which, admittedly, wasn't far enough back that I was a staffer when this password disclosure breach happened.

As for your combinations, you are quoting very, very overstated brute force numbers for a local attack. Bruteforcing a user account login on FA is quite a different matter.  Even taking the conservative number that you said, taking a pageload time approximately half of what is actually required (I assume no images would be loaded, no pagination would happen, which would minorly cut down on time), to brute force a 6 character password would take 7.2 x 10^16 seconds. Also known as 2 million millennia. Far longer than the age of the Universe. More than five million times as long, actually.

I'm pretty sure we'd catch it by then.


----------



## net-cat (Feb 27, 2009)

*Re: "Your account has been hijacked."*



Arcturus said:


> I'm complaining because you're banning a user for refusing to change a password.


You do realize that some jobs would fire you if you did that, right? FA is hardly the NSA, but we don't ignore security concerns.



Pawfan said:


> I agree with Net-Cat to a point. Where my thought comes in is....This is the
> first time that I have been made aware of such a dictionary of passwords.


That's why we're warning people first.



YoungHickory said:


> You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.
> 
> The site admins here should realize that when they're being worthless jerks _on purpose_, complaining when everyone doesn't praise them for it is pretty dang dumb.


I should point out the obvious and say that I am not an admin. I am a coder. And none of the coders are known for being the nicest people on earth, especially when blatant stupidity is involved.


----------



## YoungHickory (Feb 27, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> I should point out the obvious and say that I am not an admin. I am a coder. And none of the coders are known for being the nicest people on earth, especially when blatant stupidity is involved.



Probably not very wise to let people with no social skills a) set policy and b) talk directly to the users instead of going through the actual appointed staff for that purpose.

A basic level of politeness could have avoided so much difficulty.


----------



## Aurali (Feb 27, 2009)

*Re: "Your account has been hijacked."*



CaptainSaicin said:


> I'm sorry, I have to call you out on this one... it SHOULD be FALSE. Any REAL authentication system does NOT store passwords in plaintext on the site... this is what got FA in trouble to begin with. If you're admin, it's your job, so DON'T DO IT.



Having good practice and actually following it are two different things.. but like I previously said.. I've seen systems that just don't do anything.. just because something is what you expect doesn't mean people aren't just gonna be too lazy to do it.

(Just to note.. that site is no longer in existence :3)


----------



## Armaetus (Feb 27, 2009)

738 users with the same password?? XD

That's rather sad to hear. I changed my password from one long password of several words to a slightly shorter but more random one of letters/numbers/etc earlier last year.

I see Syrinoth is on the list XD


----------



## Arshes Nei (Feb 27, 2009)

*Re: "Your account has been hijacked."*



CaptainSaicin said:


> I'm sorry, I have to call you out on this one... it SHOULD be FALSE. Any REAL authentication system does NOT store passwords in plaintext on the site... this is what got FA in trouble to begin with. If you're admin, it's your job, so DON'T DO IT. REAL authentication systems salt and hash the passwords with one-way algorithms. The password is stored then as a long string of characters that can't be used to find the original password. When the user inputs their original password, it looks up the salt, re-hashes, and compares one hash to the other.



The incident over 3 years ago used an exploit in the CSS scripting ability of people's user pages. From what I remember they weren't plaintext but hashed. The ones cracked were done through simple dictionary attack. That's why most of the passwords cracked were dictionary passwords. So basically someone put in a clever javascript in their User page that was snagging sessions as people logged in. 

I'm sure Arcturus can give you the confirmation of that, he was in charge of the servers during that time. He also remembers me bitching at him to turn the damn javascript css option off, until that hole was fixed.


----------



## YoungHickory (Feb 27, 2009)

If a person gets access to a large number of hashed passwords, there's no real need to brute force anything.  A simple birthday attack, hashing common passwords and then comparing with the hashes acquired, will yield results with minimal CPU cost.

So unless you start requiring real, random passwords from the get-go, hashing is not a cure to the threat in question.


----------



## Armaetus (Feb 27, 2009)

To add to my previous post, thank you for publicly posting and ridiculing the people in that list, as it is a wakeup call for those who do not take PASSWORD SECURITY seriously.

http://www.pctools.com/guides/password/ - Here is something that creates strong passwords. What I do after I have all the needed stuff jotted down is take snapshots of my passwords in Firefox and save them to my external drive.

Strong password = serious business


----------



## Arshes Nei (Feb 27, 2009)

YoungHickory said:


> If a person gets access to a large number of hashed passwords, there's no real need to brute force anything.  A simple birthday attack, hashing common passwords and then comparing with the hashes acquired, will yield results with minimal CPU cost.
> 
> So unless you start requiring real, random passwords from the get-go, hashing is not a cure to the threat in question.



No, you're correct, it was actually a dictionary crack in reference to my post above, not brute. Will fix.


----------



## net-cat (Feb 27, 2009)

YoungHickory said:


> Probably not very wise to let people with no social skills a) set policy and b) talk directly to the users instead of going through the actual appointed staff for that purpose.
> 
> A basic level of politeness could have avoided so much difficulty.


I have plenty of social skills. I just don't suffer fools gladly.



Glaice said:


> 738 users with the same password?? XD


They didn't all have the same password. But they all had the same password that they had when it was revealed by a dictionary attack. Three years ago.


----------



## Armaetus (Feb 27, 2009)

The same users with passwords back then I presume using the SAME password or slightly altered ones?


----------



## ponyguy (Feb 27, 2009)

*Re: "Your account has been hijacked."*



YoungHickory said:


> Probably not very wise to let people with no social skills a) set policy and b) talk directly to the users instead of going through the actual appointed staff for that purpose.
> 
> A basic level of politeness could have avoided so much difficulty.



Good lord, he's already a lot politer than most HR departments would be, and they're paid for their supposed skill with dealing with people.

You have a point, though.  Ridiculing people and publicly exposing their stupidity isn't really the most efficient way of dealing with the problem, because it's more work than it needs to be.  A coder's solution to the violation would be just to flush compromised accounts, as an energy+time minimizing strategy.  Don't you think warning people is slightly politer?  Warning them twice is saintly.  Warning them a third time is absurd.  This isn't kindergarten.

It was very gracious to do the work of resetting the passwords the first time.  Most places I've seen, the accounts would have been locked the very first time, and the USERS would have been forced to come up with secure passwords before getting back in.

For those who think it affects only those whose account is hacked, DeviantArt is going through a problem right now, where hijacked accounts are being used to spam other accounts, and send out faked messages trying to phish more DA passwords.  If you don't mind having a few thousand new shouts in your page every day, filled with spam and phishing attempts, then sure, you can say it only affects the stupid user.  But it makes work for the admins, trying to clean up the mess, which is why they lose their sense of humor about it.


----------



## Arshes Nei (Feb 27, 2009)

*Re: "Your account has been hijacked."*



ponyguy said:


> For those who think it affects only those whose account is hacked, DeviantArt is going through a problem right now, where hijacked accounts are being used to spam other accounts, and send out faked messages trying to phish more DA passwords.  If you don't mind having a few thousand new shouts in your page every day, filled with spam and phishing attempts, then sure, you can say it only affects the stupid user.  But it makes work for the admins, trying to clean up the mess, which is why they lose their sense of humor about it.



Tell me about it, I've seen that stupid spam on my front page asking me to click a link and people were crying they clicked on it. If I don't know who it is, better safe than sorry.


----------



## net-cat (Feb 27, 2009)

*Re: "Your account has been hijacked."*



Glaice said:


> The same users with passwords back then I presume using the SAME password or slightly altered ones?


We aren't actually checking the "slightly altered" case. Though I'd imagine that a lot of them are doing that.



ponyguy said:


> But it makes work for the admins, trying to clean up the mess, which is why they lose their sense of humor about it.


This.

And it's rapidly going from "amusing" to "face-paw inducing" at how stuck in their ways people can be. It's like that guy who lived on Mt. St. Helens in 1980 who refused to leave because "the mountain wouldn't hurt him." He fucking died when his house was buried in a volcanic mud slide.


----------



## Kio (Feb 27, 2009)

First of all, why aren't passwords hashed into MD5? If they are, even someone who gets the leaked database won't be able to figure out the passwords. And also ensures the privacy of the members as some of them may be using passwords they use in other sites/messenger etc as well.

On your todo list should be:

encrypt password using MD5 in database,
enforce at least a digit and a special character in the password field when registering.


----------



## WarMocK (Feb 27, 2009)

*Re: "Your account has been hijacked."*



net-cat said:


> It's like that guy who lived on Mt. St. Helens in 1980 who refused to leave because "the mountain wouldn't hurt him." He fucking died when his house was buried in a volcanic mud slide.


Talk about human stupidity ... :shock:
*sigh* Some people's habits concerning (in)security give me a slight headache. -.-


----------



## Arshes Nei (Feb 27, 2009)

Kio said:


> First of all, why aren't passwords hashed into MD5? If they are, even someone who gets the leaked database won't be able to figure out the passwords. And also ensures the privacy of the members as some of them may be using passwords they use in other sites/messenger etc as well.
> 
> On your todo list should be:
> 
> ...



Umm. We're talking about a password leak *3 years ago*, not now.


----------



## Maikeru (Feb 27, 2009)

YoungHickory said:


> You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.
> 
> The site admins here should realize that when they're being being worthless jerks _on purpose_, complaining when everyone doesn't praise them for it is pretty dang dumb.



Personally, I think they should go even farther with the defacing of the pages of users who absolutely refuse to switch their password to something new.   I mean, if they're seriously using the same three year old password that any troll can find with some effort, they should be given a pretty harsh lesson.


----------



## WarMocK (Feb 27, 2009)

Maikeru said:


> Personally, I think they should go even farther with the defacing of the pages of users who absolutely refuse to switch their password to something new.   I mean, if they're seriously using the same three year old password that any troll can find with some effort, they should be given a pretty harsh lesson.


Well, the admins could reset the password and send a mail to the user telling him that - including that if he wants to change his PW again he may NOT use the old one as it had been blacklisted.
The user would have 2 options: either use the PW generated for him or change it to a new one that meets some common password standards. And those standards do not include PWs like 12345 ... ;-)


----------



## Armaetus (Feb 27, 2009)

Why not make a blacklist of commonly used passwords?

http://www.threadwatch.org/node/14095
http://blog.jimmyr.com/Most_Common_Passwords_20_2008.php


----------



## WarMocK (Feb 27, 2009)

Glaice said:


> Why not make a blacklist of commonly used passwords?
> 
> http://www.threadwatch.org/node/14095
> http://blog.jimmyr.com/Most_Common_Passwords_20_2008.php


This, and whenever a user attempts to change his PW it is checked to see if it is in that list. If it isn't, then it's ok, if it is - BUZZ, please try again.


----------



## Valerion (Feb 27, 2009)

Kio said:


> First of all, why aren't passwords hashed into MD5? If they are, even someone who gets the leaked database won't be able to figure out the passwords. And also ensures the privacy of the members as some of them may be using passwords they use in other sites/messenger etc as well.



Two words.  Rainbow tables.  And in any event, if I have a list of MD5-hashed passwords I can put a device to work on it spitting out hashes.  I just need a single hit from the entire list, unless I am targeting a specific user.  That's above and beyond MD5-insecurities and dictionary attacks.


----------



## DigitalMan (Feb 27, 2009)

Dragoneer said:


> You're actually complaining because we're taking steps to protect users' data, accounts and security. Am I reading this right?



Well... yeah, that's about it.



YoungHickory said:


> You know, if you don't want people to complain about you, you shouldn't deliberately be a condescending, insulting twerp.
> 
> The site admins here should realize that when they're being being worthless jerks _on purpose_, complaining when everyone doesn't praise them for it is pretty dang dumb.



I thoroughly concur with this.

If people want to use whatever password, then let them. Just... let them. I think everyone should have that basic right, in places it doesn't affect a whole company. And if it's a stupid password, and it gets hacked, then maybe they'll learn. And if they complain to you... _then_ you ban them, because they're idiots.

I did not ask for security. I did not ask DA to have that retarded warning page. I did not ask AT&T to log me out after 15 minutes. *I don't want it.* So whatever it is you may be thinking of - _anything_, no matter how good an idea it may seem to you (since your current bright idea is already well into unacceptable territory) - just _stop_. Leave me the hell out of it.

And people wonder why humanity is in such a sad state...


----------



## net-cat (Feb 27, 2009)

Kio said:


> First of all, why aren't passwords hashed into MD5? If they are, even someone who gets the leaked database won't be able to figure out the passwords. And also ensures the privacy of the members as some of them may be using passwords they use in other sites/messenger etc as well.


They are salted, and hashed using several different algorithms. This leak was years ago. And even then, it was straight up MD5 hashed. That's why all the leaked passwords were words you might find in /usr/share/dict/words or a sequence of numbers.



Maikeru said:


> Personally, I think they should go even farther with the defacing of the pages of users who absolutely refuse to switch their password to something new.   I mean, if they're seriously using the same three year old password that any troll can find with some effort, they should be given a pretty harsh lesson.


Well, they get a warning the first time. The second time, they get a ban. This is so they are forced to come talk to us so we can make it clear that ignoring the problem won't make it go away. People who continue to use the same password even after all that, in all likelihood, would be outright banned. But it hasn't actually gotten that far yet.



valerion said:


> Two words.  Rainbow tables.  And in any event, if I have a list of MD5-hashed passwords I can put a device to work on it spitting out hashes.  I just need a single hit from the entire list, unless I am targeting a specific user.  That's above and beyond MD5-insecurities and dictionary attacks.


I'm reasonably certain the original leak was a straight-up dictionary attack. But yes. Ferrox is using either salted Whirlpool or salted SHA256 for the password database. (I forget which, though.)
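The check-and-reset discussed in this exchange (look up the user's salt, re-hash, compare, as CaptainSaicin lays it out, then audit every account against the leaked list and force-reset the matches), written out as an added Python example; it is not FA's or Ferrox's code. Salted SHA-256, the function names and the sample users and passwords are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Any, Dict, List, Tuple

# Per-user record: a random salt, the salted hash, and a flag set when staff
# have force-reset the account (the thread's "--clobber" case).
UserRecord = Dict[str, Any]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 hex digest (one of the two schemes net-cat names)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_user_record(password: str) -> UserRecord:
    """Create a record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "reset_required": False}


def verify_password(record: UserRecord, candidate: str) -> bool:
    """Look up the user's salt, re-hash the candidate and compare the digests.
    compare_digest avoids revealing through timing where the digests differ."""
    expected = record["hash"]
    actual = hash_password(candidate, record["salt"])
    return hmac.compare_digest(expected, actual)


def audit_against_leak(user_db: Dict[str, UserRecord],
                       leaked: List[Tuple[str, str]]) -> List[str]:
    """Return the usernames whose *current* password is still exactly the one
    listed for them in the leak. Because stored hashes are salted, the leaked
    plaintext has to be re-hashed per user; the leak cannot simply be joined
    against the hash column. Only exact matches are found, which is the
    'slightly altered' limitation net-cat acknowledges."""
    still_matching = []
    for username, leaked_password in leaked:
        record = user_db.get(username)
        if record is None:
            continue  # account no longer exists on this site
        if verify_password(record, leaked_password):
            still_matching.append(username)
    return still_matching


def reset_matching_accounts(user_db: Dict[str, UserRecord],
                            leaked: List[Tuple[str, str]]) -> int:
    """Force-reset every flagged account: replace the hash with that of an
    unguessable random value and mark the record so the user must go through
    the site's reset flow. Returns the number of accounts reset."""
    flagged = audit_against_leak(user_db, leaked)
    for username in flagged:
        record = user_db[username]
        record["salt"] = os.urandom(16)
        record["hash"] = hash_password(secrets.token_urlsafe(32), record["salt"])
        record["reset_required"] = True
    return len(flagged)


# Constructed sample data: these names and passwords are made up for this
# example and are not from the thread or from any real leak.
LEAKED_LIST: List[Tuple[str, str]] = [
    ("alice", "dragon"),
    ("bob", "sunshine"),
    ("carol", "qwerty"),
    ("dave", "hunter2"),
]


def build_sample_db() -> Dict[str, UserRecord]:
    """Fresh copy of the constructed user database."""
    return {
        "alice": make_user_record("dragon"),       # never changed it
        "bob": make_user_record("sunshine"),       # never changed it
        "carol": make_user_record("Tr0ub4dor&3"),  # changed it after the leak
        "erin": make_user_record("dragon"),        # same password as alice, not in the leak
        # "dave" has no account any more, so his leaked entry is skipped
    }


if __name__ == "__main__":
    db = build_sample_db()
    print("still matching:", audit_against_leak(db, LEAKED_LIST))
    # Same plaintext, different salts: the leak gives no shared hash to map back from.
    print("alice and erin share a hash:", db["alice"]["hash"] == db["erin"]["hash"])
    print("accounts reset:", reset_matching_accounts(db, LEAKED_LIST))
    print("still matching after reset:", audit_against_leak(db, LEAKED_LIST))
```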


----------



## foozzzball (Feb 27, 2009)

> Well, they get a warning the first time. The second time, they get a ban. This is so they are forced to come talk to us so we can make it clear that ignoring the problem won't make it go away. People who continue to use the same password even after all that, in all likelihood, would be outright banned. But it hasn't actually gotten that far yet.



I didn't _get_ a warning. I never even knew about the first password fiasco years ago. I first found out about this in this exact thread by clicking the list of names and seeing myself on it.


----------



## selth (Feb 27, 2009)

Dear sir admin,

I enjoy that you spend your time over password details and I ensure you you could be using a simple script with a regular expression to check passwords against "does it have X letters, does it have at least 1 number, ..."

Those kinds of script are used everywhere and I'll be more than happy to help you come up with valid regular expressions for your site.

~a FA fan, Selth Blackwings


----------



## net-cat (Feb 27, 2009)

foozzzball said:


> I didn't _get_ a warning. I never even knew about the first password fiasco years ago. I first found out about this in this exact thread by clicking the list of names and seeing myself on it.


What you're missing is that someone was _actively using this list to exploit accounts_. If I hadn't reset all the passwords, yours might have been next.


----------



## net-cat (Feb 27, 2009)

selth said:


> Dear sir admin,
> 
> I enjoy that you spend your time over password details and I ensure you you could be using a simple script with a regular expression to check passwords against "does it have X letters, does it have at least 1 number, ..."
> 
> ...


We will be implementing this check. That will take slightly more time, though.


----------



## foozzzball (Feb 27, 2009)

net-cat said:


> What you're missing is that someone was _actively using this list to exploit accounts_. If I hadn't reset all the passwords, yours might have been next.



That's just it. My password hadn't been reset, I didn't get logged out of FA, nothing had changed. I had to look at the list to find out, and I've changed things now, but you probably have a lot of people who still have no idea about this if I slipped through the cracks.


----------



## WarMocK (Feb 27, 2009)

net-cat said:


> We will be implementing this check. That will take slightly more time, though.


Would you add a routine to check the new PW against a blacklist as well, please? ;-)


----------



## DigitalMan (Feb 27, 2009)

Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.

And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.


----------



## Arshes Nei (Feb 27, 2009)

I'm trying to figure out how people didn't get the warnings when: 

1. I remember when FA was down, there were points to the Livejournal community page at the time. It had all the nasty details. When the site went back up people were flooding journals with that password list. 

2. Dragoneer had stated on FA news on the front page, please change your passwords. He also stated it on his personal journals on FA, and stated on this forum. They may have been sticky at one time because they aren't now.

3. I also remember nags on the control panel on the main site about passwords.


----------



## net-cat (Feb 27, 2009)

foozzzball said:


> That's just it. My password hadn't been reset, I didn't get logged out of FA, nothing had changed. I had to look at the list to find out, and I've changed things now, but you probably have a lot of people who still have no idea about this if I slipped through the cracks.


Actually, I just checked. It has been. If you try to log out and log in, you won't be able to. The initial round of changes was a bit rushed, so we didn't blank the session cookie. (Which is something I'm considering going back and doing.) If you need your email changed, PM me on the main site before you try to reset your password.



WarMocK said:


> Would you add a routine to check the new PW against a blacklist as well, please? ;-)


Yes, yes. We're working on strengthening our password requirements.



DigitalMan said:


> Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.


Your bank doesn't take action against people whose account details have been publicly leaked?

... might I suggest you find a new bank?



DigitalMan said:


> And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.


No, this problem is separate from that incident.


----------



## Arshes Nei (Feb 27, 2009)

DigitalMan said:


> Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.
> 
> And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.



That accidental admin thing has less to do with it than you think. 

Ebony Leopard's account was compromised through the same list. So it looks like the guy went through as many as he could and kept getting hits. Takes a lot of patience I suppose but hey, if he found more than one he could get to....

A password strength checker I think is better, I don't think it necessarily means you get booted out for deliberately choosing a weak password, but at least you weren't warned for using it.

And I've *still* seen more security than the banks when it comes to passwords/site log-in security.


----------



## foozzzball (Feb 27, 2009)

net-cat said:


> Actually, I just checked. It has been. If you try to log out and log in, you won't be able to. The initial round of changes was a bit rushed, so we didn't blank the session cookie. (Which is something I'm considering going back and doing.) If you need your email changed, PM me on the main site before you try to reset your password.



!

Okay. That'd be the session cookie then. I think it let me think I was changing my password, too, or it got reset again, since what I switched it to didn't stick.


----------



## DigitalMan (Feb 27, 2009)

net-cat said:


> No, this problem is separate from that incident.



That is bull and you know it. One hacked account, or even 10, would not have even caught the attention of most people, and would have been dealt with quietly.

But a catastrophic flub that ended up bringing down the entire site caused hysteria. I figured things would just go back to normal when things are fixed, that the only changes would be on the administrative side - but apparently not.

You absolutely can not honestly tell me that, in all the time that leaked list has been out there, you are just now spontaneously deciding to make stricter password requirements for reasons completely unrelated to the security scare that just occurred.


----------



## Arshes Nei (Feb 27, 2009)

DigitalMan said:


> You absolutely can not honestly tell me that, in all the time that leaked list has been out there, you are just now spontaneously deciding to make stricter password requirements for reasons completely unrelated to the security scare that just occurred.



I haven't seen an actual requirement in place other than a password strength checker suggestion. It was requested you do not use the same one off the list. I also haven't seen where it was said specifically that you'll get locked out if a password checker were in place and you used a weak password. The only lockouts that are happening are to the users using the same passwords from the leaked list 3 years ago. So you know that thing how you said "well that affects them, and not you"? Same situation, it doesn't affect you at all, Digitalman. So please stop trying to make it sound otherwise.

It was recently realized and confirmed people are still using the same old passwords that are getting their accounts compromised. Since it was more than one user compromised this way, they went through a check and discovered this number was the one net-cat posted.


----------



## net-cat (Feb 27, 2009)

DigitalMan said:


> Blah blah blah blah.


You've made up your mind, and there's nothing I can say that'll change it. So I'm not going to bother.


----------



## Armaetus (Feb 27, 2009)

DigitalMan said:


> Wow. So this is what the world is coming to. A god-damned furry art site with delusions of grandeur, that has tighter security than my bank.
> 
> And all because someone on staff accidentally made some jerk an admin. That minor human error I was so quick to forgive suddenly has me seething with rage.



Don't come crying to the staff if your account becomes compromised.


----------



## DigitalMan (Feb 27, 2009)

Glaice said:


> Don't come crying to the staff if your account becomes compromised.



... Have you read any of my other posts, at all? I have repeatedly stated over and over again that I take _full_ responsibility for my account security or potential lack thereof, and everyone else should have to do the same. That's kind of the whole thing I've been rambling on about.


----------



## Devious Bane (Feb 27, 2009)

Shoot, I was actually expecting to be on that list.
As for everyone on it:


> lolhax


----------



## Ralesk (Feb 27, 2009)

In after countless bickering and no reaction to using HTTPS if you care anything about password security.



> And I've still seen more security than the banks when it comes to passwords/site log-in security.



Nei, are you really sure?


----------



## CaptainSaicin (Feb 27, 2009)

*Re: "Your account has been hijacked."*



tsawolf said:


> OK, a few points here.
> 
> We do store passwords as hashes. We have since I started working for FA - which, admittedly, wasn't far enough back that I was a staffer when this password disclosure breach happened.
> 
> ...



Bruteforces are carried out on the hashes (obtained by other means) typically, not the site. Most sites will block an account if more than 3 or so failure audits occur.

I'm referring to the processing time taken to hash a string, compare it to an existing hash, and increment to the next string.

I have a program that will do it for things like tripcodes. You can crack the first 6 characters in no time at all, though to crack all 10 could take up to several weeks, it is by no means impossible.


----------



## CaptainSaicin (Feb 27, 2009)

Ralesk said:


> In after countless bickering and no reaction to using HTTPS if you care anything about password security.
> 
> 
> 
> Nei, are you really sure?



It is a sad, sad fact, that every bank in the U.S., has lower online security standards than World of Warcraft.

Most of them limit passwords to 6-8 characters, and NONE of them offer two-factor authentication or OTP tokens.

This is why I don't use online banking. AT ALL.


----------



## m2pt5 (Feb 27, 2009)

Edit: Never mind.


----------



## Liko (Feb 27, 2009)

Luckily I'm not among them. My bet is the password was something like "qwerty" or "password."


----------



## Arshes Nei (Feb 27, 2009)

Ralesk said:


> Nei, are you really sure?



The password itself is not the best, but there's the image tokens, and if you're logged onto another location, it starts asking you certain questions before even letting you log on, and making sure that it's your bank token being displayed (an image you chose). It can be rather annoying. And more stuff than a simple password strength checker.


----------



## reian (Feb 27, 2009)

I call this the best social experiment ever...


----------



## MissEbony (Feb 28, 2009)

Not a problem here.
I hope it gets fixed soon!
Ah, Internet...


----------



## SnowFox17 (Feb 28, 2009)

DigitalMan said:


> Well... yeah, that's about it.
> 
> 
> 
> ...



Christ, the site admin tells you how to secure your account by not using a password that's been hijacked and you crucify them. At least you have the choice of changing the bloody thing; they could have locked it as rainbowlorikeetcrap and said deal with it, but no, they gave you a clear reason as to why they needed them changed, a chance to change them, and you tell them to fuck off and keep to their own business.

Hate to be the bearer of bad news, but it is their business, it's their site, it's their rules. If you don't like it, leave it or learn to live with it.

They are trying to secure YOUR accounts. Listen to them when they try to help; it might be a whole lot easier in the long run. Sure you can voice your ideas on how to safeguard against future mass hacking or improve password integrity, but don't criticise them when they give you the heads up on how to fix a problem.

Christ, you say humanity is in a bad state; it's just the minority of numb-skulled twats who see a problem in a solution.


----------



## YoungHickory (Feb 28, 2009)

SnowFox17 said:


> Christ the site Admin tells you how to secure your account by not using a password thats been hijacked and you crucify them.



You'd better correct your comment before he flips out at you. He's a coder, not an admin, and he apparently thinks that such a title excuses him from any social courtesies.

He just might hijack your account and leave insulting remarks on your page.


----------



## coolkidex (Feb 28, 2009)

Hey, I believe that my friend was one of those who were hacked...

Wait, a simple dictionary attack got all that? We need to work on security.


----------



## Aurali (Feb 28, 2009)

YoungHickory said:


> He's a coder,



Yep, Coder.. 

Socially awkward. Hygienically unsound. Hard to get along with and usually have the strangest obsessions.


----------



## Ralesk (Feb 28, 2009)

Arshes Nei said:


> The password itself is not the best, but there's the image tokens, and if you're logged onto another location, it starts asking you certain questions before even letting you log on, and making sure that it's your bank token being displayed (an image you chose). It can be rather annoying. And more stuff than a simple password strength checker.



This goes right against what you said earlier.  You said that banks have less secure log-in systems than FA, yet now you mention all kinds of interesting security measures they seem to be using.  Graphical passwords are nice though, I took part in testing them once at my university.

I think using a system like the one you just described will be very uncomfortable for the users, albeit indeed more secure than just a simple password.
I already hate that I have to log in all the time for my laptop and my desktop machine.

I think such a non-crucial site as FA (in terms of... well, heck, a bank or your university's e-bureaucracy system is much more crucial in terms of consequences on your life) doesn't need to use tokens and such stuff.  We need to implement the log-in over a secure channel (optionally also the entire traffic over said secure channel — drawback is that that requires quite a bit of computing power; I think that's a bit of an overkill anyway, especially since most of the site is intended to be viewed by unregistered users as well), we need to implement a password blacklist based on this leaked list, and we need to implement a password strength meter with minimum requirements clearly and consistently enforced.

None of these is extremely hard to do.



coolkidex said:


> Wait, a simple dictionary attack got all that? We need to work on security.



No matter how secure you are, a dictionary attack will always work if their dick, I mean dictionary is bigger than yours.



valerion said:


> And in any event, if I have a list of MD5-hashed passwords I can put a device to work on it spitting out hashes.  I just need a single hit from the entire list, unless I am targeting a specific user.  That's above and beyond MD5-insecurities and dictionary attacks.



I don't see how.  Seeing that (not counting the now known, but still not particularly easily applicable vulnerabilities of MD5) a cryptographic hash is about being preimage resistant, it's extremely hard to hit a known hash _h_ with a random message _m_ so that hash(_m_) = _h_.  MD5's collision resistance is what has been questioned, which is about finding an _m′_ to a known _m_ so that they have the same hash.

Of course, youâ€™re correct that if thereâ€™s already a list of passwords and their hashes, thereâ€™s nothing stopping anyone from using the list as a reverse dictionary and thus feeding the password to the site or whatever thatâ€™s asking for it.  Salting does alleviate this problem however.

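Added example (not code from the thread or from FA) of the two measures Ralesk proposes above, a blacklist built from a leaked list and salted storage, in Python. The user table, the leaked list and the PBKDF2 work factor are constructed for illustration. `audit_against_leak` does what an admin's comparison script does against an unsalted MD5 table: the leaked list acts as a reverse dictionary, so every account sharing a leaked password is found with one hash per leaked word. `hash_password` shows why salting removes that shortcut (the same password stored for two users no longer produces the same digest), and `set_password` rejects a leaked password before it is ever stored.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example, not the site's real table or the real
# leaked list: an old-style user table storing unsalted MD5 hashes, and a leaked
# plaintext password list of the kind the thread is about.
LEAKED_PASSWORDS = ["yiff", "password1", "furry123"]

USERS_UNSALTED = {
    "alice": hashlib.md5(b"yiff").hexdigest(),
    "bob": hashlib.md5(b"correct horse").hexdigest(),
    "carol": hashlib.md5(b"yiff").hexdigest(),
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to the server's budget


def audit_against_leak(users, leaked):
    """Return the usernames whose stored hash equals the hash of a leaked password.

    With unsalted hashes the leaked list is a reverse dictionary: one MD5 per
    leaked word, and every account sharing that word is found at once.
    """
    reverse = {hashlib.md5(p.encode()).hexdigest(): p for p in leaked}
    return sorted(user for user, digest in users.items() if digest in reverse)


def is_blacklisted(password, leaked=LEAKED_PASSWORDS):
    """Password blacklist check, run when a password is set or changed."""
    return password in leaked


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); both are stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def set_password(store, username, password):
    """Reject a leaked password up front; otherwise store a fresh salted hash."""
    if is_blacklisted(password):
        raise ValueError("password appears in a known leaked list")
    store[username] = hash_password(password)
    return True


def same_password_hashes_differ(password):
    """The effect of the salt: two users with the same password get different digests,
    so a precomputed (password, hash) list no longer maps onto the stored table."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2
```

On the constructed table the audit reports `alice` and `carol`, the two users sharing the leaked word, while `bob` is untouched; after migration to salted hashes the same leaked list would have to be run through PBKDF2 once per user and per salt, which is exactly the cost salting is meant to impose.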

----------



## ArielMT (Feb 28, 2009)

Ralesk said:


> In after countless bickering and no reaction to using HTTPS if you care anything about password security.



You're not familiar with a risk mitigation cost/benefit analysis, are you?

The benefit of banking and paying over a secure connection through an untrusted network has a much lower cost than its associated risks: having those banking and payment credentials compromised en route over an insecure connection through an untrusted network.

The benefit of browsing FA over a secure connection through an untrusted network does not have nearly as low a cost in relation to its associated risks.  Why are you browsing porn at an open wi-fi hotspot, anyway?  (Not an accusation, just a thought experiment to drive the point home.)

SSL by itself may not be difficult or costly to implement, but it has a number of associated requirements which can't help but cost money.  One of those costs is an annual renewal from a certificate authority recognized as trusted by every SSL-aware Web browser.



Ralesk said:


> This goes right against what you said earlier.  You said that banks have less secure log-in systems than FA, yet now you mention all kinds of interesting security measures they seem to be using.



They enhance annoyance without enhancing security.



Ralesk said:


> We need to implement the log-in over a secure channel (optionally also the entire traffic over said secure channel ... ), ... .



All or nothing.  The same man-in-the-middle attack that could steal a password in transit could just as easily steal a session cookie in transit, which is just as valuable.


----------



## Sinister Exaggerator (Feb 28, 2009)

I posted in the site support forum and got no responses, so I'll post the same message here, too, whether it's unrelated or not: 

I don't know if I'm overlooking something here, but I changed my password and now I can't log in. Tried the password recovery system, but it doesn't recognize the e-mail address that's associated with my account.

The new password I used is ENTIRELY DIFFERENT from the old one, yet I am still unable to log in. 

Answers?


----------



## GrayscaleRain (Feb 28, 2009)

(Edited for douchebaggery, sorry I've had a bad day)

Hey, you could have sent a PM or something, you don't have to treat us like we're morons.

Okay, maybe I forgot.  It's been some number of years and I've reset my password like three times since then, maybe I changed it back without knowing.

Also, I was never required to reset my password on 2/26, so something didn't work there.  I got logged out, but I never had to reset my password. 

Anyway, I just reset mine, and sorry for foaming at the mouth the first time, but you really do sound like a dick.  I know you're an admin or whatever, but anyway, not an excuse.  You still could have sent me an e-mail or something... whatever.  Anyway, everyone reset your passwords, just in case.


----------



## Zionia (Feb 28, 2009)

I have had this happen on another site that I admin because hackers have come in and messed with the site. We required all members to change because the hacker could potentially still have the list and come in through someone's account. If that account has any admin abilities, they could do some serious damage to the entire site, as they did the first time. Don't complain if you were on this list. You got your warning and were told what to do. Just do it. If not for your own security, then for the rest of the site.


----------



## tsawolf (Feb 28, 2009)

Bathos said:


> I posted in the site support forum and got no responses, so I'll post the same message here, too, whether it's unrelated or not:
> 
> I don't know if I'm overlooking something here, but I changed my password and now I can't log in. Tried the password recovery system, but it doesn't recognize the e-mail address that's associated with my account.
> 
> ...


That would be because you put down your email address as "Bathos". 

Not very helpful. 

Private Message me with your real birthdate, and I can help you.


----------



## Sinister Exaggerator (Feb 28, 2009)

tsawolf said:


> That would be because you put down your email address as "Bathos".
> 
> Not very helpful.
> 
> Private Message me with your real birthdate, and I can help you.



No idea how the hell that happened. I am retarded. Hurrr.

PMing and whatnot. Thanks.


----------



## Armaetus (Feb 28, 2009)

Using at least ONE number should be required for all those accounts who were listed in the OP textfile.


----------



## SilverTail (Feb 28, 2009)

Recommending I change my password via public callout?
Dick move, Fur Affinity and net-cat.
Dick move.


----------



## Armaetus (Feb 28, 2009)

http://www.verix-the-cat.net/fap.html

Yes you should.


----------



## SnowFox17 (Feb 28, 2009)

YoungHickory said:


> You'd better correct your comment before he flips out at you. He's a coder, not an admin, and he apparently thinks that such a title excuses him from any social courtesies.
> 
> He just might hijack your account and leave insulting remarks on your page.



Ok, a FA STAFF member.

Wanna get nitty gritty with details T_T


----------



## Eevee (Feb 28, 2009)

ArielMT said:


> The benefit of browsing FA over a secure connection through an untrusted network does not have nearly as low a cost in relation to its associated risks.  Why are you browsing porn at an open wi-fi hotspot, anyway?  (Not an accusation, just a thought experiment to drive the point home.)
> 
> SSL by itself may not be difficult or costly to implement, but it has a number of associated requirements which can't help but cost money.  One of those costs is an annual renewal from a certificate authority recognized as trusted by every SSL-aware Web browser.


- Only the login POST page needs to be SSL to avoid password sniffing.
- I assume people like to check their PMs etc at wifi hotspots, and FA sucks and has no other way of delivering them.
- There are a handful of very cheap or free CAs that are recognized.



ArielMT said:


> All or nothing.  The same man-in-the-middle attack that could steal a password in transit could just as easily steal a session cookie in transit, which is just as valuable.


Clearly you haven't been paying attention.

Session cookies are fleeting and only work on FA.  Passwords last until you get noticed, and have a strong chance of being reused across sites.


----------



## Aden (Mar 1, 2009)

SilverTail said:


> Recommending I change my password via public callout?
> Dick move, Fur Affinity and net-cat.
> Dick move.



What, did they mention you by name?

Cry more.


----------



## ArielMT (Mar 1, 2009)

Interesting, that stats page.



Eevee said:


> - Only the login POST page needs to be SSL to avoid password sniffing.
> - I assume people like to check their PMs etc at wifi hotspots, and FA sucks and has no other way of delivering them.
> - There are a handful of very cheap or free CAs that are recognized.



True, true (d'oh), and I forgot that some free CAs were recognized.



Eevee said:


> Clearly you haven't been paying attention.



Sorry for the resulting OT drift.



Eevee said:


> Session cookies are fleeting and only work on FA.  Passwords last until you get noticed, and have a strong chance of being reused across sites.



Session cookies are site-specific but not necessarily all that fleeting, though making them that way is as simple as logging out frequently.

The hearts of the problem are, as y'all are trying to make clear, weak passcodes and cross-site passcode reuse.

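An added illustration (not FA's code) of the cookie side of the exchange between Eevee and ArielMT above: a minimal server-side session store in Python with an idle timeout and an absolute timeout, plus the attributes a login handler should put on the session cookie. How fleeting a session is then becomes a server decision rather than a habit of logging out. The timeout values and names are assumptions chosen for the example; the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time

# Assumed timeouts for illustration; a real site tunes these to its own risk.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's life regardless of activity


class SessionStore:
    """Server-side sessions that expire on their own, so a session cookie stolen
    in transit is only worth something for a bounded window."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for deterministic tests
        self._sessions = {}

    def create(self, username):
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        now = self._clock()
        self._sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the username of a live session, or None if unknown or expired.
        Expired sessions are removed on sight."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_too_long = now - session["last_seen"] > IDLE_TIMEOUT
        too_old = now - session["created"] > ABSOLUTE_TIMEOUT
        if idle_too_long or too_old:
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        """Explicit logout: the cookie value is dead immediately, server side."""
        return self._sessions.pop(sid, None) is not None

    def logout_all(self, username):
        """Invalidate every session of a user, as a forced password reset should."""
        dead = [sid for sid, s in self._sessions.items() if s["user"] == username]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


def session_cookie(sid, max_age=IDLE_TIMEOUT):
    """Set-Cookie value for the session id. Secure: the browser only sends it over
    HTTPS. HttpOnly: page scripts cannot read it. SameSite=Lax: it is not attached
    to most cross-site requests."""
    return f"session={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"
```

The Secure attribute is where the two positions meet: a browser never sends a Secure cookie over plain HTTP, so a site that puts only the login POST behind HTTPS cannot also mark its session cookie Secure without logging users out of every HTTP page. The practical choice is therefore between HTTPS for every logged-in page and a session cookie that travels in the clear on each page view, which is ArielMT's "all or nothing" point; what the timeouts above add is that the cleartext cookie, if that path is chosen, is at least short-lived.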

----------



## Taris (Mar 1, 2009)

My account was locked out and I'm not on that list, nor have I done anything on FA for a while (much less anything ban-worthy).  I tried to use the password reset but that didn't work.  What am I supposed to do?


----------



## DigitalMan (Mar 1, 2009)

ArielMT said:


> The hearts of the problem are, as y'all are trying to make clear, weak passcodes and cross-site passcode reuse.



And because of this, the solution being forged is along the lines of, "How can we use our resources to think for the users so they don't have to."


----------



## Dragoneer (Mar 1, 2009)

Taris said:


> My account was locked out and I'm not on that list, nor have I done anything on FA for a while (much less anything ban-worthy).  I tried to use the password reset but that didn't work.  What am I supposed to do?


PM me with the error you got.


----------



## Armaetus (Mar 1, 2009)

Aden said:


> What, did they mention you by name?
> 
> Cry more.



Yes, his name is in the table net-cat posted. He deserves the ridicule because of his lax password.


----------



## Shiakarn (Mar 1, 2009)

Okay, firstly I admit I haven't read the entire thread, but based on the first 3 pages or so I'm not sure I want to.

Let me introduce FurAffinity to a concept called privacy law.

Privacy law means that when someone makes an account on a site, the contract is not only the terms of use the user agrees to when they make that account, but also the implied contract that the service provider is also responsible for preventing the data from falling into the wrong hands.

Privacy laws are in force in most US States, US federal law, International law, the UK, EU, etc.

The law *does not* recognise the user's responsibility to change their password, this is merely an informal recommendation.

The law recognises that allowing databases with personal information to fall into the public hands is a breach of privacy laws.

The law recognises that the FurAffinity staff merely posting a link to this database is a breach of privacy law.

The law recognises that FurAffinity is legally liable to anyone who's password was disclosed to the public, and are now liable to people in multiple jurisdictions.

Be glad you're not an actual for-profit business, I assure you, you'd already be in a class-action lawsuit by now.


----------



## Toaster (Mar 1, 2009)

I don't even know why this thread is still open; the issue is being/has been fixed, right? Good. Now get over it.


----------



## Aurali (Mar 1, 2009)

Shiakarn said:


> Okay, firstly I admit I haven't read the entire thread, but based on the first 3 pages or so I'm not sure I want to.
> 
> Let me introduce FurAffinity to a concept called privacy law.
> 
> ...



shut up and go back to yiffstar.. no one disclosed any password on their own.


----------



## yak (Mar 1, 2009)

Shiakarn said:


> Okay, firstly I admit I haven't read the entire thread, but based on the first 3 pages or so I'm not sure I want to.
> 
> Let me introduce FurAffinity to a concept called privacy law.
> 
> ...



Let me introduce you to the concept of reading.


----------



## oniontrain (Mar 1, 2009)

yak said:


> Let me introduce you to the concept of reading.



Surely that's an exercise in futility, I assume he's passed third grade by now. If he didn't learn it then he's not gonna learn it now.


----------



## Niros (Mar 1, 2009)

The administration should not be taunting users who keep their old passwords when it was the administration who had designed such a retardedly insecure database to begin with. Aren't the admins supposed to know what they are doing?

Oh wait... this is FA.


----------



## yak (Mar 1, 2009)

Niros said:


> The administration should not be taunting users who keep their old passwords when it was the administration who had designed such a retardedly insecure database to begin with. Aren't the admins supposed to know what they are doing?
> 
> Oh wait... this is FA.



The citizens should not be displeased with their government seeing it blowing out billions of tax dollars out of their asses on useless retarded shit when it was the citizens that chose that government in the first place. Isn't the government supposed to represent the needs and the opinion of its citizens?

Oh wait... this is the United States of America.

_Listen buddy, why didn't you blame Adam for the first sin?
Why stop on ancient history?  Let's go to prehistoric!_


----------



## Shiakarn (Mar 1, 2009)

oniontrain said:


> Surely that's an exercise in futility, I assume he's passed third grade by now. If he didn't learn it then he's not gonna learn it now.



Touché.

Posting the user list of insecure accounts *still* falls foul of most privacy laws in nearly all Western jurisdictions.

And Yak, pointing out the shortcomings of others isn't a good way to point the finger away from your own.


----------



## Niros (Mar 1, 2009)

We can elect our government. I don't see Dragoneer's position, or yours, Mr Yak, being up for debate.


----------



## WarMocK (Mar 1, 2009)

Shiakarn said:


> And Yak, pointing out the shortcomings of others isn't a good way to point the finger away from your own.


An interesting statement from someone who lives in a country that practically declared encryption illegal (either tell them the password or get busted for 5 years), covered the country with surveillance cameras in the name of "war against terrorism" (and now uses them to go after people who spit out their chewing gum onto the streets), and whose government frequently "loses" USB sticks and CDs crammed with the sensitive data of their citizens. ^^


----------



## Aurali (Mar 1, 2009)

Shiakarn said:


> And Yak, pointing out the shortcomings of others isn't a good way to point the finger away from your own.



If you read the thread Shiakarn, you wouldn't be having this issue... >.>

Once more. Go back to YS..


----------



## tsawolf (Mar 1, 2009)

Well, this thread is going nowhere fast.

Chill out or it'll get locked. Stop being bratty imbeciles, and act your age.


----------



## Toaster (Mar 1, 2009)

The list only shows names, and these have had their password reset, so now they must pick a new one. Also, doesn't the ToS say FA isn't liable for such things?


----------



## verix (Mar 1, 2009)

Niros said:


> The administration should not be taunting users who keep their old passwords when it was the administration who had designed such a retardedly insecure database to begin with. Aren't the admins supposed to know what they are doing?
> 
> Oh wait... this is FA.



if you really think they're taunting you perhaps you may be projecting _just a teeny bit_


----------



## Xaerun (Mar 1, 2009)

Ornias said:


> The list only shows names, and these have had their password reset, so now they must pick a new one. Also, doesn't the ToS say FA isn't liable for such things?


We have a winner.



Niros said:


> We can elect our government. I don't see Dragoneer's position. Or yours Mr Yak, being up for debate.


Who needs a position when he has a BIG ASS MOTHERFUCKING BANHAMMER, amirite? XP

Basically, quitcha whining, go somewhere else, Niros.



I do however find it damn near laughable that the FA staff in trying to protect quite a large number of users' privacy/accounts are copping a lot of flak for it. You people need to realise when you're at fault, and when you're being helped. It's ridiculous.


----------



## Ceceil Felias (Mar 1, 2009)

Xaerun said:


> You people need to realise when you're at fault, and when you're being helped. It's ridiculous.


Furries.

Does it _really_ need to be noted?

*Lurk mode reactivated*


----------



## Eevee (Mar 1, 2009)

verix said:


> if you really think they're taunting you perhaps you may be projecting _just a teeny bit_


eh I think it was a dick move too

especially given that FA has no password policy (it allowed 'yiff' in the first place), violated user trust when it allowed the list to be compromised in the first place, the notice was placed in public in a place where people are not particularly likely to look, and there was no warning so people would have time to perhaps update their emails or just change their passwords on their own

_especially_ considering it immediately followed *accidentally admining a miscreant* and getting a good chunk of a very popular artist's gallery deleted

"oh, fuck.  hey guys look over there at these morons!  -->"


I was wary of saying anything publicly but the responses here are getting a bit obnoxious


----------



## DigitalMan (Mar 1, 2009)

Xaerun said:


> You people need to realise when you're at fault, and when you're being helped. It's ridiculous.



I'm not included in that list at all, and haven't even been here that long. I'm complaining that they're putting time and resources into helping those people.

If people just plain don't give a damn whether their account is secure - let them. The only problem that can come from this is if a hacker is accidentally made an admin. Users should not be held responsible for such things, nor should they have to pay in any fashion for such mistakes.

As for people who do care, but don't take proper measures... So? There's a damn good chance that these are the same people who have gotten through every other part of their lives by having other people think for them. I'm sick of watching it happen. "Oh, you don't feel like learning to do it yourself? That's okay, we'll do it for you!" It is a horrible waste of time and effort. What have they accomplished to deserve such babying and hand-holding?


----------



## yoshi000 (Mar 1, 2009)

I want to ask something. Why did FA didn't told us about this for three years, made this list about the users, going on a "We are doing the best thing for the users" shit? It just seem odd they hide it for this long. I don't get it that FA is actting like kings about something that they did wrong. I think FA team it to put this on, not the users.


----------



## StainMcGorver (Mar 1, 2009)

yoshi000 said:


> I want to ask something. Why did FA didn't told us about this for three years, made this list about the users, going on a "We are doing the best thing for the users" shit? It just seem odd they hide it for this long. I don't get it that FA is actting like kings about something that they did wrong. I think FA team it to put this on, not the users.


No matter what point you're trying make, you could use an _itsy bitsy teeny weeny little_ touch up on your grammar.


----------



## KusacWolf (Mar 2, 2009)

Hey, I changed my password last night, and now can't even log in anymore. What's going on?


----------



## Niran (Mar 2, 2009)

DigitalMan said:


> I'm not included in that list at all, and haven't even been here that long. I'm complaining that they're putting time and resources into helping those people.
> 
> If people just plain don't give a damn whether their account is secure - let them. The only problem that can come from this is if a hacker is accidentally made an admin. Users should not be held responsible for such things, nor should they have to pay in any fashion for such mistakes.
> 
> As for people who do care, but don't take proper measures... So? There's a damn good chance that these are the same people who have gotten through every other part of their lives by having other people think for them. I'm sick of watching it happen. "Oh, you don't feel like learning to do it yourself? That's okay, we'll do it for you!" It is a horrible waste of time and effort. What have they accomplished to deserve such babying and hand-holding?



_Sorry my head is going in multiple directions with this so bear with me if my thoughts and personalities seem to contradict each other:_

[Optimism/Understanding] Well, the thing is, your argument only takes into account the people who don't care about their security. What about those people who just don't know? I mean, not everyone is computer savvy and has intelligence in this matter. Knowledgeable people in this field who are denouncing this cause need to take this into account. Not everyone who goes online knows how to use it or is particularly knowing of the insecurities present in password systems. To them, these systems are completely secure since the only thing going through their minds is "how is anyone going to figure out my password unless I tell them myself?". Obviously they are completely unaware of the nature and hostility of exploitation. Even if their account was hacked back then doesn't mean that they'll understand; they don't know what a dictionary attack is or brute force attacks or anything of the sort. The only thing they are concerned with is getting online to a website, looking at art, reading stories, listening to music, posting, and then leaving. You don't need an extensive knowledge of coding to be a member of this site, or even this forum; it needs to be understood that there are many other reasons out there than just two causes... then the argument would be subject to be an either/or fallacy. And yes, there are people who don't _care_ about their security, (assuming that they are already knowledgeable about computers) but if you think about it, it's only a minor part of the group. And some others don't seem to "care" because they don't know or they are misinformed about the subject. To make a valid argument, all these reasons must be taken into account or you will suffer heavy opposition from a separate party with neither side listening to the other until a third-party breaks both up (i.e. admin closes the forum thread).

[Note of Some Importance] Also, everyone, take note that this event happened three years ago. Three years is a long time you know, and over this period of one-thousand-ninety-five days (and counting), Fur Affinity has rapidly evolved from this insecure state. The site is not as nearly insecure now as it was back then... though people still don't make it a priority to read before they respond, causing a lot of grievance.

[Pessimism/Futility] Why are you all even complaining about this? Can't you see that it's futile to be arguing with the admins? Especially the coders? Your opinions can bother them, they can snap at you, and you can repeatedly snap at them back, but they _don't_ need to change anything they're doing; demonstrated by the principle: If one refuses to listen, another cannot force him to listen (unless cornered that is). But these people are _by no means_ in a position where they would be cornered by your comments. They have the power to do things, they will use them, no matter what you say or do. They are a higher power than you and are obviously less easily swayed than your peers, of whom you are probably used to talking to. But in the end, it really is your choice: You can keep wasting your energy denouncing them and throwing mental rocks at their Windows*, but know that if you don't have a valid argument and you are not calm and collected (e.g. prone to being a douche), they will not listen and only continue upon their business and wave off all your comments.

[Mockery] It's funny. I really enjoy browsing through this thread to read how people bicker and complain about things and laugh at their inability to make a valid, serious argument (i.e. all their fallacies). I wonder if people even go back to read their own posts to check it, see how they sound... an inquiry that applies to users and admins alike. In reality, I personally don't go into this post for the information they have; I am not a user on the list nor do I know anyone on it... But the drama that is attainable in this environment is priceless, only fueled more by the random, highly-opinionated people who find it fit to stumble upon this thread, not read its full contents, and post a debilitating comment against the administration or to a particular user/group of users... resulting in more near hilarious fighting.

#####

_* That was supposed to be a joke, assuming that they run on Windows._

#####



SilverTail said:


> Recommending I change my password via public callout?
> Dick move, Fur Affinity and net-cat.
> Dick move.



I don't believe anyone thinks any less of you (besides, I wouldn't even have known that you were one of them on the list until you commented in public about how you need to change your password... [you made yourself known by your own complaint]). This thread was made to be purely informal, not to denounce anyone for any sort, although it apparently is happening anyway. Besides, if we were to laugh at everyone or anyone who is on that list, we would be lower than...

...

I fail at insults, so use your imagination on the end of that last sentence there.


----------



## DigitalMan (Mar 2, 2009)

Here's a phrase that covers my thoughts: "Learn or Burn." If these people _do_ care about security, then they should be _forced_ to learn for themselves. Do you tie your own shoes? Do you know how to add 3 and 5 without a calculator? For that matter, do you know how to use a calculator? I bet you do, without aid (giant graphing calculators excluded). Same applies to driving, if you're of that age. You wanted and/or needed it done, so you had to learn to do it yourself. You were taught, and now you do it on your own. This is the year 2009 - there is *no* excuse for continued ignorance on this subject, _period_. We can not afford to be understanding. If we do not stop progressively lowering our standards and utilizing a small group of higher-ups (the admins, coders, and machines at their disposal in this case) to take over thought process for the general populace, mankind is going to keep getting even dumber.

You are right. Not everyone is as intelligent as myself. And I'm pretty sure that everyone, especially those who think I'm not very intelligent to begin with, can agree that that needs to change.


----------



## CyberLeo (Mar 2, 2009)

If the site decides to implement password strength enforcement, it would be a very good idea to actually list the ruleset used to check the password strength, so that users don't have to endlessly guess what obscure and esoteric combination might bypass the enchantment, whenever a password is entered; including the account login page.

Many times have I reset my password because I could not remember what limitations a given website required, and thus the password I had conjured to fulfill those requirements.



> ...One of those costs is an annual renewal from a certificate authority...


What is it with this pervasive assumption that security must be expensive?

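An added example, not the site's own code, of the point CyberLeo makes above about publishing the ruleset: one table of (description, check) pairs drives both the text shown next to every password field and the server-side check, so the rules a user sees and the rules enforced cannot drift apart, and a rejected password comes back with the exact rules it failed instead of a generic error. The rules themselves and the crude strength estimate are assumptions for illustration (they are not FA's policy); the estimate also gives a rough basis for the strength meter Ralesk asked for earlier in the thread.

```python
import math
import string

# Hypothetical ruleset for illustration, not the site's actual policy.
# Each entry is (description shown to the user, predicate enforced by the server).
PASSWORD_RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("at most 128 characters", lambda p: len(p) <= 128),
    ("at least one letter", lambda p: any(c.isalpha() for c in p)),
    ("at least one digit", lambda p: any(c.isdigit() for c in p)),
    ("not a single character repeated", lambda p: len(set(p)) > 1),
]


def describe_policy(rules=PASSWORD_RULES):
    """The list rendered beside the password field and on the login page: it is
    generated from the same table the checker uses, so it is always current."""
    return [description for description, _ in rules]


def failed_rules(password, rules=PASSWORD_RULES):
    """Return the descriptions of every rule the password fails (empty = accepted),
    so the user is told exactly what to fix rather than left guessing."""
    return [description for description, check in rules if not check(password)]


def is_acceptable(password, rules=PASSWORD_RULES):
    return not failed_rules(password, rules)


def strength_bits(password):
    """Crude strength meter: log2 of the search space implied by the character
    classes actually used. An upper bound only, since it ignores dictionary words
    and predictable patterns; it is for feedback, not for enforcement."""
    if not password:
        return 0.0
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    space = sum(size for chars, size in classes if any(c in chars for c in password))
    # Rough allowance for spaces and non-ASCII characters (assumed class size 32).
    if any(all(c not in chars for chars, _ in classes) for c in password):
        space += 32
    return len(password) * math.log2(space)
```

Keeping the description and the predicate in one tuple is the whole point: a policy page that is written by hand separately from the validation code is the kind that ends up listing rules the server no longer applies, which is exactly the guessing game the post complains about.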

----------



## Niran (Mar 2, 2009)

Hmmm, you are rather uppity about yourself. Not a very extroverted person at all I presume. All logic, no feeling. Like a machine. Going for only what is optimal, never taking into consideration the side views: a linear way of thinking. There is much reason to be understanding however, and I do presume you live in or close to a big city, yes? Your chosen alias even reminds me of the one-track logical processing of computers. There's an importance to collaborative thinking that you do not seem to comprehend. Helping is another way to teach someone, and is much more constructive to both sides, not only to one. When one is forced to learn by other, then the subject may only learn from the teacher, while the teacher learns nothing in return. Helping is different, and if nothing else, you learn social skills from helping other people, unlike forcing your views on a populace. When you help, people are able to ask questions, sometimes even on subjects that slip past the mind of the instructor; a fact that should be learned before coming unto a choice whether to force knowledge or slowly teach it.
I'm not saying that the admins are learning anything from this, for in some ways they seem to be doing what you believe in doing: forced learning. You may just be advocating a cause that may be the same as your opponents, although you claim yours to be different.

As in the phrase "learn or burn", it's unwise to go by such a black and white philosophy. Also, if there is no one to teach, then how does one learn? By themselves with great mistake? There's a reason why you had a teacher in your classrooms in school. Maybe instead of bemoaning that they are to be forced to learn things, maybe you can do the service already and help teach them. People need leaders, DigitalMan, and these leaders cannot just sit back and complain that their lessers aren't learning it without even trying to teach them.

You must see that understanding is not lowering standards per se, but it does make it easier to get through conflicts such as these and resume a process in helping each other out. You act as if it's possible to do everything by letting others just figure things out by themselves. It's like asking you to code a program in brainfuck without any knowledge of the subject at all and without any resources. It is important to see this concept where it's near impossible to learn non-basic skills without assistance, and for those who can, it will no doubt take too long and take up precious time where the same person, if taught, could have done something much more productive during the extra time learning by himself.

As in discussing your intelligence, I do believe you are well-versed in data and facts, but I believe you don't have enough experience and knowledge in seeing the larger picture and not enough wisdom to see your potential in the assistance of these matters, instead of only bickering about it. This tiny smudge in the tapestry of FA, no the common person's understanding of password protection or even computers in general, does not look so large when you take down the curtain that's covering the rest of the artwork. Personally, I don't believe in non-intelligent sentient life forms (yes that means humans). What they don't know in one subject, they know much more in another subject. We only believe they are dumb because their lack of knowledge in the current environment makes them easy to single out in contrast with everyone else. But I do believe it to be rather asinine when someone who has the potential to help only sits there and complains. Like a lifeguard watching someone drown but won't jump into the water because he doesn't want his shoes to get wet. It's not only ignorant, it's destructive to your image, your wisdom, and to everyone else around you. That, my friend, is not intelligent.
#####
Understand that I do not try to instigate insults on purpose, and if it's an insult, I would say sorry. But with your current attitude on this thread, you are one of the prime examples of those people who do not listen to others and only stick to their own beliefs without giving any thought to anything else. Though it probably won't do anything to alleviate your negativity, it is important to write this, if not to be read to its fullest extent by you, then to be read by someone else so that they may gain another insight to add to their repertoire of wisdom. Listen to others, it's important if you wish to gain a greater extent of knowledge than mere facts and personal opinions, those of which may not be even true.

Also...
... you are now breathing manually.


----------



## Toaster (Mar 2, 2009)

That's it, I'm going around FA posting shouts on the dangers of passwords.


----------



## The_real_Oni (Mar 2, 2009)

How do I change my password back to what I had it before, without having someone mess up my account again because they don't like my old password?


----------



## DigitalMan (Mar 2, 2009)

People do not need teachers per se - they need sources of information. Most of my teachers have been worthless, especially in high school, so I just gave up and then got one of the highest GED scores they'd ever seen. When I seek knowledge - which is most of the day - I ask for it. Either through Google, or through a forum. If you want me to learn Brainfuck, I know exactly where I'd go, which is roughly how I taught myself C++ and Java. Unsolicited help (usually when I ask, "How do I do this?" and the reply is, "You don't really want to do that, do this instead") just makes me want to hit things. One must never cut out input from outside sources, as this is where most information is - but one must learn how to seek and obtain that information on their own, not have it crammed down their throats. Not because people don't like it, but because they won't learn what they _really_ need to.

I do tend to be quite logical, at least when there is a problem at hand. That's why I'm an IT technician (and I share the topic creator's apparent sentiment that such a career/hobby should excuse one from social courtesies). And you know what? I don't know a whole lot about computers, compared to many other techs - just enough to pass certification exams. But I am nothing short of an expert when it comes to finding and implementing solutions. I have easily repaired problems that folks at Geek Squad deemed impossible, presumably because they only looked within themselves for a solution, where I looked to others. I also tend to think outside the box, to the point that it actually pisses people off a lot, for some reason - maybe that doesn't mix with logic.

I'm just so damn sick of people being complete idiots - and getting away with it. Not even just getting away with it, but actually assisted. Not the kind of help you described, but the kind of help that lets them do it all over again without having to _learn from their mistakes_. Imagine if a child were to try tying their shoes, and every time they failed they went to a parent and got the parent to do it. _Every time_, without anyone encouraging independent thought. Eventually the learned reaction would be, if you need your shoes tied, go get someone else to do it, and they will. In other words, "the higher-ups have it covered, I don't need to worry." This is roughly where humanity is headed. Not just this site, humanity as a whole. And I swear it's gotten a lot worse in the past decade. We may have a great deal of collective knowledge, but our actual _intelligence_ (which is not the same as "smartness") seems to have dropped off a cliff. A world of only followers, unfit to lead, which puts more strain on those who can and do lead.

In this case, there should not be any password enforcement. By all means, you may legitimately educate users. A bright red link asking, "Is your password secure?" somewhere on the login, user, or main page, leading to a page that thoroughly explains it all, would be sufficient for that, hardly take any time at all, and not involve any coding. A requirement of a number, and a caps letter, and blah blah blah will indeed make their account quite secure! But... what have they learned from it? The entirety of their education is that FA now needs a more complex password than their bank. But if they're given a non-intrusive resource to research the matter themselves (via a password security page), then those who care will not only willingly make their FA password secure, but also other sites, and stop using the same password for all sites. And ta-dah, the world is a better place!

I am not offended. I disagree, but am not offended. And I also appreciate the time you took to write such a thorough opinion - it beats "You're wrong, shut up."

Edit: ... Okay, so maybe an explanation page won't get through to _everyone_... but, well, some people are just a lost cause anyway. Seriously.

Viva la evolution! *starts setting up bear traps baited with $5 bills*


----------



## krisCrash (Mar 2, 2009)

The_real_Oni said:


> How do I change my password back to what I had it before, without having someone mess up my account again because they don't like my old password?



This whole thread is about how you _should not do that_.
The admins of the site will not accept that any account is compromisable and I think you should follow that.



> Viva la evolution! *starts setting up bear traps baited with $5 bills*


Evolution doesn't affect modern humans much; we're nice. We take care of each other, let the weak survive and the stupid breed. That has its ups and downs, but most cannot accept it to be any different.

So, for quite a lot of people knowledge is not enough. They have to be told what to do, so they do not get too much in the way of everyone else's work.


----------



## ArielMT (Mar 2, 2009)

CyberLeo said:


> What is it with this pervasive assumption that security must be expensive?



You realize you're replying to a remark that has already been shown to be inaccurate at best, right?  Besides that, "expensive" is not the only word meaning "not free."



The_real_Oni said:


> How do I change my password back to what I had it before, without having someone mess up my account again because they don't like my old password?



You don't.  You shouldn't, and FA has finally had enough to stand up and say you can't.  The point is that you're not the only one who knows or can know your old password.  You should make your password a code that doesn't mean anything to anyone but you and that hasn't been used before, one that isn't known or easily guessable.

Also, I'm surprised that the thread "How to make a safe password" hasn't been mentioned here yet.


----------



## Niran (Mar 2, 2009)

Ah, now I see your argument, DigitalMan (which was a lot easier to see when you're not seething with rage and insulting everyone and everything, no offense). But to the point, instead of debating which side is right or wrong (lesson learned from Socratic seminars: there is no absolute truth, only maybe), it would be much more productive and a whole lot more endearing for people to figure out a compromise. I do agree that there are people out there who would not learn from their mistakes, but it is also important to help those who are willing to learn who don't know yet. Taking your shoe-tying scenario, there are also some children who learn to tie their shoes by watching them be tied. Personally I was never taught how to tie my shoes by anyone, I figured it out on my own by watching my parents tie them. Sort of like "monkey see, monkey do" (except I don't like monkeys...). We must all agree that we cannot get a 100% truth on both our arguments: not every human is a moron who doesn't learn passively, but not every human has the ability to learn passively. I always presumed the password enforcement helped since, ten years ago (i.e. when I was 6), if I were to never have signed up online to a website requiring a capital letter and a number in their password, I could have been a victim of that dictionary attack three years ago (though I haven't been on here for that long... yay?). Personally, before then, I didn't even know passwords could be case sensitive, mostly because I always typed my password correctly in Windows 98 and never had the problem with case sensitivity (I taught myself how to type by watching my friend's dad as well, he was a computer technician so he had good form).

But I digress on old..-ish memories of learning. Still, there must be a way where people who can learn to make a secure password will (without putting too much effort into it), but leave the process in such a way the people who wouldn't normally have learned anything be lured into thinking about it. 

I like the "Is Your Password Secure?" idea, but what if that isn't fast enough in educating people or completely ignored? Other sites still may not even mention or enforce secure passwords: the problem with this is that you must first understand the concept of having an insecure password; since, like what I said earlier, to many people, having a password, any password, is security in itself, period. They do not have the concept that words or numbers are easily guessed or even found out or brute forced. I cannot recount how many times I have personally guessed my friends' passwords by taking what they talk about most and/or using numbers that mean something to them (for _a fictional_ example: I was able to guess that my friend who talks about Inuyasha too much used the password inuyasha1990, where 1990 is this friend's birthyear. My other [obviously fictional] friend doesn't even use numbers and just uses the word english: because it's his/her favourite subject). Of course, being me, I quickly corrected their misunderstanding of password security (of which they also learned the concept of an unsecure password), but of course, live help for this sort of thing is rare unless one actually asks someone to help with it.

I think there should be some form of password enforcement, but it should not be left some autonomous system where the person is left unawares whether their password is strong or not. A visual representation (i.e. password strength checker) when typing in a new password along with an "Is your password secure" link below, should suffice I believe. Using this, the user is able to visually recognize the complexity of his password (and most importantly, begin an understanding to this concept), and if said user would like to learn more about security, he may follow the link and read.

#####

And coming back to your personality points, it's not wrong for a logical person to think outside the box. It is only the way you attempt to come unto the topic that angers people. Personally, at first you were appalling to me: the way you presented your argument made it rather foggy (before), your second post seemed to come out as a completely unnecessary comment (along with what I deemed to be unnecessary boasting at the end), and it just sounded like you were there to just complain, and especially to an administration who was trying, in their own way, to rectify a problem. Like a needless hindrance to the solution; the brick wall that was built in front of the most easily viewed bridge across the canyon because someone just wanted to be a jerk and had a bad day. No offense... again. I think you just need to come on a little more gradually; your ideas, everyone's ideas, are a great contribution, but only if the reader is willing to listen. Angering them, especially people online (i.e. some of the most stubborn people ever conceived. _Ever_.), will not only cause them not to listen, but also to vehemently protest against your incursion.

Also, you are wasting your $5 on l'evolution. You can lower it to $1. It'll do the same thing.*

#####



The_real_Oni said:


> How do I change my password back to what I had it before, without having someone mess up my account again because they don't like my old password?



No. No no no no no no. The reason you shouldn't do that is because your old password is still floating around in the web that you used three years ago, attached to the same username... but looking for your information (whereas I cannot find, so I am lacking knowledge of when you joined), I cannot see whether this argument is relevant to your question or not.

I am telling you not to do it under the assumption that you were one of the users from three years past, but even now I implore that you try to use a different password each time. However, it is possible to use your old password (as long as it's not one of the passwords that caused people to fail miserably three years ago), but I would still recommend that you "jazz it up" a little. Add numbers, capitalize things, corrupt the word... but do not use only letters or numbers and definitely do not use a single or combined word that you found lying in the dictionary (which, obviously, would make you prone to a dictionary attack).

*I joke. (Added so people won't bother me for being "mean". It is supposed to be a compliment, since I'm playing off someone else's joke... ah, hah, hah... it's a charisma thing that isn't supposed to be explained... yay, its effects have been ruined!)


----------



## Strawkitty (Mar 2, 2009)

DigitalMan, you seem to be entirely missing the point of all this. Rather than try to educate users or whatnot about password security(noble objective I'm sure) this is merely so that the staff here won't have to deal with possible whining of those 781 users about their account being 'hacked' over a great period of time. They'll rather take on the whining from those 39 stubborn people this week.


----------



## MewMew (Mar 2, 2009)

*Re: "Your account has been hijacked."*



yoshi000 said:


> Ha ha ha ha! THank god I only ben here for almost a year soon.



Ditto.  I'm glad I wasn't around back then, because I would be ROYALLY pissed if some jackass who thinks they know better than me started fucking with my account information.  My account is my account.  If I get hacked due to a stupid choice that's my problem.  I don't need some jerk screwing with my account without my permission.


----------



## Amethystine (Mar 2, 2009)

Well, not that it matters any longer, since I've changed my password to something new and different..

But up until now, my password somehow remained the same, without input from me. I just open the site and it was pretty much always logged in already. Due to the browser remembering the password and cookies being on, etc, I'm sure. I was never told by the system to reset it to something new, and if I had been, I would have changed it.

I would never have re-set it to be the same thing. It always just worked, making it seem like the system never had any problems or stolen passwords, etc.

I'm sure leaving this post here will probably open me up for attack by the all-knowing types who read it, but I felt like noting that it's possible a lot of users didn't knowingly choose the same password, and just came back to the site after the outages as if nothing had happened, without needing to even log back in or change their passwords. 

(Of course, I'm also sure there's plenty of people who would have been guilty of what Net-cat said happened.)


----------



## fastturtle (Mar 2, 2009)

11:19 <%net-cat|work> The difference here is how we look at users. Eevee and tsawolf look at them as stupid. I (and possibly yak) look at them as stupid, lazy and having ADD.
 ... don't you wish you had access to staff IRC?

You mean Adult Deficit Disorder? That's 95 percent of the United States Population and our congress critters are the worst victims of it.


----------



## Niran (Mar 2, 2009)

Amethystine said:


> Well, not that it matters any longer, since I've changed my password to something new and different..
> 
> But up until now, my password somehow remained the same, without input from me. I just open the site and it was pretty much always logged in already. Due to the browser remembering the password and cookies being on, etc, I'm sure. I was never told by the system to reset it to something new, and if I had been, I would have changed it.
> 
> ...


-Attack attack attack!- =D
But you do have a point in that, people do forget and lots of crazy things happen and it's understandable if and when such things occur. And yeah, what Net-Cat said is also a possibility, but seeing how we won't know the actual story without interrogating them ourselves, it is safer to assume that they just forgot instead of angering people by saying that they were just stupid and purposely used the same password. I have also read some account of which, unsurprisingly, people were not warned that they were using the same exact password as they did three years ago. I'm not sure exactly how Net-Cat warned them, but obviously the system was not bullet-proof. If it was through e-mail... well, then people use false e-mail account (for what reason, I have no clue)... though what would have been a good way to force them to read it is if they were redirected to a new screen when they attempted to log in again and had to read Net-Cat's message, whereas to get to the password change screen they must press a continue button (although, not being a coder, I am unaware of how much effort this could have taken).

#####

Also, I have reread the thread, and I have come unto the realization that in my lengthy reply to DigitalMan it seems that I have only restated a solution people have stated before, although I do believe that they were lost during the drama mid-thread, so it may change the pace a little if people read... I hope they read... if they don't drama will keep on piling up due to the ignorance of one person who didn't feel like reading.


----------



## fastturtle (Mar 2, 2009)

Setting a secure PW is pretty easy if the site cooperates and makes it easy. This doesn't require anything fancy such as special chars and such. Just a good use of the 62 possible combinations of Upper/Lower Case and 0-9 numbers. You can even get reasonable strength using just the 36 possible combinations if you ignore upper/lower case but it does require a longer PW field.

Simply put, restricting folks to a meager 6-8 chars and demanding a strong PW is not going to happen because there's not enough to make such a short PW memorable. Instead lengthen allowable PWs to at least 24 and even go as large as 32 chars and give folks a PW strength meter with a clue to use a Pass Phrase instead. This means something like 1fukw1tl00ser, which is easy to remember and yet still pretty strong.

Of course it's a matter of education and getting people to think, which is the problem in the States as too many people don't want to think and would rather the government take responsibility. (RANT) Let me be the first to say that if you want the government to be responsible for you, then we can reinstate slavery and make it voluntary. Then you don't have to think and will have someone else to blame for your stupidity as you desire while ensuring that those of us who are willing to accept responsibility for our actions get to vote in the next election.(/RANT)


----------



## Gar-Yulong (Mar 2, 2009)

You guys should introduce special FA "artist type" or whatevers for the people who did this.

The type?

Irreparable Moron.

Can be changed back once the user changes their password.


----------



## CyberLeo (Mar 2, 2009)

ArielMT said:


> You realize you're replying to a remark that has already been shown to be inaccurate at best, right?  Besides that, "expensive" is not the only word meaning "not free."



The statement was not directed towards any specific entity; merely towards the general trend I witness wherein most believe that, in order for something to be secure, it must cost lots of money.

But I digress...


----------



## Delphinidae (Mar 2, 2009)

DigitalMan said:


> I did not ask for security. I did not ask DA to have that retarded warning page. I did not ask AT&T to log me out after 15 minutes. *I don't want it.* So whatever it is you may be thinking of - _anything_, no matter how good an idea it may seem to you (since your current bright idea is already well into unacceptable territory) - just _stop_. Leave me the hell out of it.


Now look. You're entirely free to put yourself at risk like the stupid jerk that you are, but it's not exactly buena when you're trying to impose your lack of common sense on everyone else. People need security. You do, too.

When your mum held your hand for crossing the road, she didn't do it to piss you off. However, these are websites, and that means there's either handholding, or no handholding. And it's better to have complete security, than to let everyone "cross the road" the way they thought.

If you were in charge and specified that AT&T keeps you logged in for 30 days straight, I bet millions of people would sue you at the same time (or you'd possibly even get murdered before long) after they've suffered because you exposed them just because you're the cool guy and you know better. Sure you don't. After you've grown up, you'll learn a thing or two about general security.

Besides, if you're genuinely so smart, then security shouldn't impact you. You're at absolutely no position to complain to any degree.


----------



## Delphinidae (Mar 2, 2009)

Glaice said:


> http://www.verix-the-cat.net/fap.html


Apparently they could successfully infiltrate someone like ZEN, surprise, surprise.

I wonder if his password is Icelyon.


----------



## Oshimi2 (Mar 2, 2009)

I am not sure who to message on this.. but I cannot recall the email I had with Orig username (yes I created this one cos I can't get on >.<)

I did pm someone about it but any other help would be good to let me know if I am doing the right thing.


----------



## Tatsuyoujo (Mar 2, 2009)

I was confused at first, but now I know what you're talking about. I think anything can be done about that, but it's not really hurting anything. It's just a little annoying.


----------



## Tatsuyoujo (Mar 2, 2009)

Would it be a good idea to change your password?


----------



## leeter (Mar 2, 2009)

1. the login page is not HTTPS, therefore it doesn't matter what password I use BECAUSE IT IS BEING SENT IN PLAIN TEXT!!!!! therefore I use a THROW-AWAY PASSWORD, because there is no point in having a secure password when the authentication itself is not secure....

2. Password complexity is not enforced, length is not enforced, maximum age is not enforced. etc.

Seriously the security of this website is laughable, I wouldn't be surprised if you have SQL injection errors too.

FYI: To all those reading this post assuming I'm a troll, think again: the two most common security flaws on the web are a lack of TLS (Transport Layer Security; you see this as the https:// protocol header versus the un-encrypted http:// header) and SQL injection. This XKCD explains it nicely: http://xkcd.com/327/. This is no laughing matter; bad passwords and poor security practices result in a website or accounts being hacked.


----------



## DigitalMan (Mar 2, 2009)

@Niran: I just woke up, and you haven't said anything I see as blatantly wrong, so I'll keep this short. By the way, you're remarkably mature for someone 16 years old. Again, a much better and more intelligent post than, say, "You're entirely free to put yourself at risk like the stupid jerk that you are."



Niran said:


> I think there should be some form of password enforcement, but it should not be left some autonomous system where the person is left unawares whether their password is strong or not. A visual representation (i.e. password strength checker) when typing in a new password along with an "Is your password secure" link below, should suffice I believe. Using this, the user is able to visually recognize the complexity of his password (and most importantly, begin an understanding to this concept), and if said user would like to learn more about security, he may follow the link and read.



Sounds like a viable compromise. I'm all for a password strength meter. Preferably one that is non-binding - that is, with perhaps a checkbox underneath that will allow the user to choose an insecure password, as long as they agree they have read some form of document. Like a ToS or submission agreement, except it says people using the option are taking complete responsibility for their password's security or lack thereof, and may not complain if something goes awry.

But even without the "I Know What I'm Doing" switch, it's viable, because the real key there is the link. A bright red link. People will see their password rates horribly low, and, _hopefully_, wonder why. And they will then have a resource with which to educate themselves on the matter, and take that knowledge with them throughout Teh Interwebs.

@Strawkitty: Well, they shouldn't tolerate whining to begin with. Give users a real chance to learn, without force - and if they don't, well, too bad. If they start whining, ban them. Have I mentioned I'm not a particularly nice guy? 

@Delphinidae: I think you missed a good 90% of the topic so far. Go back and read it all. Also:



Delphinidae said:


> When your mum held your hand for crossing the road, she didn't do it to piss you off. However, these are websites, and that means there's either handholding, or no handholding. And it's better to have complete security, than to let everyone "cross the road" the way they thought.



Logical fallacy of False Dichotomy (or False Dilemma).


----------



## Oshimi2 (Mar 2, 2009)

I did check, and the email on my account I cannot access any more (old ISP email). Any help would be good.


----------



## Delphinidae (Mar 2, 2009)

DigitalMan said:


> Logical fallacy of False Dichotomy (or False Dilemma).


It's not, when you consider the principles of foolproofing. A half-assed solution is no solution. I don't consider the security on bank sites invasive (or anywhere else), and it's best to make the net of security wide enough to capture even the dumbest user and have them abide by some rules and keep them safe.


----------



## Kiboe (Mar 2, 2009)

THANK GOD i have only been on fa for only two years!


----------



## Arshes Nei (Mar 2, 2009)

yoshi000 said:


> I want to ask something. Why did FA didn't told us about this for three years, made this list about the users, going on a "We are doing the best thing for the users" shit? It just seem odd they hide it for this long. I don't get it that FA is actting like kings about something that they did wrong. I think FA team it to put this on, not the users.



Uhh. FA did. There's a reason I remember the specific date it happened. FA's LJ had the epic posts of people's passwords being leaked. On top of that when FA came back online, word of mouth through massive amounts of EPIC FA Journals and the FA news system requested the passwords be changed *when this happened*. Golden Zoltan...weasel...names sound familiar? I'm quite sure someone still has the "I fucking FAIL IT" screencap when the previous owner's administrative account was hijacked.

Dragoneer made several posts about password security after FA was turned over to him even though it was a year or two later too (besides the previous fest pointed above).  To say there wasn't a warning is BS. I've been around the whole time it happened.


----------



## Emerald Skunk (Mar 2, 2009)

Um.. pardon me, but my FA profile in the gallery won't allow me to sign in anymore, I've checked, and my name isn't on the list that is being changed and I even changed my password anyway but it keeps giving me this message. 

_____________________________________________________________
You have typed in an erronous username or password, please try again...

I've tried everything I know how to do and it continues to give me this message and won't allow me to log in, and I don't know if I've been banned and I don't think I've broken any policies and I didn't get notified if I did, is there anything anyone can do to help?

I had an account here a while ago and something similar happened and deleted it and all of my pictures and if that happened again that totally sucks and I'd at least like to know. x.x 

Thank you if you can help me and still thank you for trying!


----------



## Cxulubcah (Mar 2, 2009)

O hai, I was one of those out of 738 who got hacked into.  Sorry.

But I didn't even get the FIRST warning of getting to reset my password and I've been locked out too, though I'm not banned yet so I guess somehow I didn't get the message somehow.

Can someone help me out here with getting back into my account again?  I WILL use a different password, you can believe me on that.


----------



## Kite (Mar 2, 2009)

My name is on the list in question,  Just wondering what I will have to do to get my account here back and change the password to something if you can help staff please pm me.


----------



## Armaetus (Mar 2, 2009)

To all that are asking about passwords, you should PM Dragoneer or another staff member that has upper level access to the site about it.


----------



## crazy_wirick (Mar 2, 2009)

i will freely admit that i didn't read **every** post so if this was suggested already i apologize.

one of the best ways i have found to create a memorable password is to use something that is easily recognizable... let's say that for whatever reason you happen to love ohhhh ... apples. well there are a few wonderful symbols on your keyboard.... so let's spell it like this @ppl3s and voilà. you have a secure password. it fails dictionary attacks and it is easy to remember. how about bluestar - Blu3$tar, or greek - Gr3ek. you get the idea.... use something that catches your eye and then look at the symbols you have access to and make it l00k (that was with zeros) similar and make your life easier.. several symbols can overlap and it can make a very secure password with a mere minimum of effort.


there is my .02 $ worth...

peace y'all


----------



## DigitalMan (Mar 3, 2009)

It's worth noting that Crazy Wirick's method also satisfies the number requirement where applicable. Someone earlier mentioned using the same _core_ password for all sites, adding something at the end depending on the site - like, cha0ticFA, cha0ticDA, and cha0ticLJ - which, if combined like that, also satisfies capitalization requirements.
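The three password-construction ideas in this stretch of the thread (fastturtle's point that the alphabet size, 62 or 36 symbols, decides how long a password must be; crazy_wirick's "@ppl3s" substitutions; DigitalMan's per-site suffix like cha0ticFA) are worth putting into a strength checker to see how they hold up. The following is an added example written for this page, not code from the thread or from FA's own site. It assumes a small constructed wordlist, a made-up policy threshold `MIN_BITS`, and the look-alike substitution table `LEET_MAP`; the point it shows is that a checker which only counts character classes will rate "@ppl3s" and "cha0ticFA" as fine, while a checker that normalises the same substitutions a rule-based cracker applies sees them as dictionary words.

```python
import math
import re

# Constructed sample list standing in for a leaked/dictionary wordlist.
# A real deployment would load a large list from disk.
WORDLIST = {
    "apples", "bluestar", "greek", "inuyasha", "english", "chaotic",
    "password", "polarbear", "crossbow", "surfer",
}

# Look-alike substitutions that rule-based crackers apply automatically,
# so "@ppl3s" costs an attacker about the same as "apples".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

MIN_BITS = 40  # assumed policy threshold for this example, not an FA setting


def candidates(password: str) -> set:
    """Normalised forms a dictionary check should try: lower-cased, with a
    trailing number (e.g. a birth year) removed, de-leeted, and with up to
    three trailing characters (a per-site suffix such as 'FA') removed."""
    base = password.lower()
    forms = {base, re.sub(r"\d+$", "", base)}
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    out = set()
    for f in forms:
        for k in range(4):
            if len(f) - k >= 3:
                out.add(f[: len(f) - k])
    return out


def dictionary_hit(password: str) -> bool:
    """True if any normalised form of the password is a wordlist entry."""
    return any(c in WORDLIST for c in candidates(password))


def charset_size(password: str) -> int:
    """Size of the smallest obvious alphabet the password is drawn from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound guess resistance assuming every character was chosen
    uniformly; a dictionary hit makes this number meaningless."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def required_length(target_bits: float, alphabet_size: int) -> int:
    """Characters needed to reach target_bits from a given alphabet size."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def assess(password: str) -> dict:
    """What a strength meter would report: the dictionary check overrides
    the raw entropy figure."""
    bits = entropy_bits(password)
    hit = dictionary_hit(password)
    return {"bits": round(bits, 1), "dictionary_hit": hit,
            "ok": bits >= MIN_BITS and not hit}


if __name__ == "__main__":
    for pw in ["@ppl3s", "Blu3$tar", "cha0ticFA", "inuyasha1990", "xq7!Lm2#vR9k"]:
        print(pw, assess(pw))
    print("length for 80 bits from 62 symbols:", required_length(80, 62))
    print("length for 80 bits from 36 symbols:", required_length(80, 36))
```

`required_length` is the arithmetic behind fastturtle's remark: dropping case (36 symbols instead of 62) costs about two extra characters for the same strength, which is cheap if the field allows 24 or more characters. The `candidates` normaliser is deliberately generous (trailing digits, leet, short suffixes) because that is exactly the cheap rule set a cracking tool applies to every word in its list.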


----------



## yak (Mar 3, 2009)

Use the password recovery feature. 



Emerald Skunk said:


> Um.. pardon me, but my FA profile in the gallery won't allow me to sign in anymore, I've checked, and my name isn't on the list that is being changed and I even changed my password anyway but it keeps giving me this message.
> 
> _____________________________________________________________
> You have typed in an erronous username or password, please try again...
> ...





Cxulubcah said:


> O hai, I was one of those out of 738 who got hacked into.  Sorry.
> 
> But I didn't even get the FIRST warning of getting to reset my password and I've been locked out too, though I'm not banned yet so I guess somehow I didn't get the message somehow.
> 
> Can someone help me out here with getting back into my account again?  I WILL use a different password, you can believe me on that.





Kite said:


> My name is on the list in question,  Just wondering what I will have to do to get my account here back and change the password to something if you can help staff please pm me.


----------



## stealthferret (Mar 3, 2009)

I never got a first warning either, there's no way I'd keep the same password after that. But I am locked out... can I get some help with that?

The link at the top of FA says to contact admin, funny enough you can't do that without being logged in :l


----------



## WarMocK (Mar 3, 2009)

stealthferret said:


> I never got a first warning either, there's no way I'd keep the same password after that. But I am locked out... can I get some help with that?
> 
> The link at the top of FA says to contact admin, funny enough you can't do that without being logged in :l


Use the password recovery option and reset your password (I hope you used a valid email address, otherwise you're really screwed right now. In this case you need to contact the staff of the forum with a PM).


----------



## Cyan (Mar 3, 2009)

To be honest.

Even this forum has a Bruteforce prevention.
To blame the user for a Password Wordlist is imho a bit too harsh.

Why is it so impossible to add a bruteforce prevention onto furaffinity?

Is the password on registering being checked against this wordlist?

Coming out of a business where I come across user accounts I have to say that it "never" is done on purpose to have a bad password.

The user just thinks the site is "safe" enough, so it doesn't matter that much.

I bet that only 10% actually know what a wordlist is and how a bruteforce works.

Imo it's the coder's fault for making it actually possible to hack an account.

Does session hijacking work? I've seen some info on lulz that it might be possible.
Seriously, such things should have been fixed.

This ban just goes way too far in my opinion.

And one thing: the passwords are saved plaintext? WTF!!!
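Two of the questions in the post above (is a new password checked against the leaked wordlist, and are passwords stored in plaintext) have concrete answers in code, so here is an added example written for this page; it is not FA's code and not anything posted in the thread. It assumes a constructed leak sample in the same `username:password` one-per-line shape the thread describes, a made-up user table, and a PBKDF2 work factor `ITERATIONS` chosen for the example. It shows the storage side (salted, slow hashes, so a stolen table does not hand out passwords) and the audit side: for each leaked pair, one hash computation against that one user's record, which is all it takes to find accounts still using the leaked password, plus a registration-time rejection of any password that appears anywhere in the leak.

```python
import hashlib
import hmac
import os

ITERATIONS = 60_000  # PBKDF2 work factor; assumed value for this example


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Store (salt, PBKDF2-HMAC-SHA256 digest), never the plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def parse_leak(text: str) -> list:
    """Parse 'username:password' lines. Split on the first colon only, since a
    password may itself contain colons; skip lines with no separator."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        pairs.append((user, pw))
    return pairs


def exposed_accounts(user_table: dict, leak_pairs: list) -> list:
    """Usernames whose current password equals the one leaked for them.
    One PBKDF2 evaluation per leaked pair: the list is the guess, so brute
    force rate limiting would never see this as an attack."""
    hits = []
    for user, leaked_pw in leak_pairs:
        record = user_table.get(user)
        if record and verify(leaked_pw, *record):
            hits.append(user)
    return sorted(set(hits))


def rejected_at_registration(candidate: str, leak_pairs: list) -> bool:
    """Refuse any password that appears in the leak for any user: once a
    password is on a public list it is in every cracker's wordlist."""
    leaked_passwords = {pw for _, pw in leak_pairs}
    return candidate in leaked_passwords


# Constructed leak sample (same shape as a username:password dump, but made up).
LEAK_TEXT = """alice:inuyasha1990
bob:polarbear
carol:cross:bow
garbled line without separator
frank:surfer
"""


def build_sample_table() -> dict:
    """Constructed user table: alice and carol never changed their password,
    bob did, erin was never in the leak, frank no longer has an account."""
    return {
        "alice": hash_password("inuyasha1990"),
        "bob": hash_password("a-different-passphrase"),
        "carol": hash_password("cross:bow"),
        "erin": hash_password("not-in-leak-at-all"),
    }


def audit() -> dict:
    pairs = parse_leak(LEAK_TEXT)
    table = build_sample_table()
    return {
        "parsed": len(pairs),
        "exposed": exposed_accounts(table, pairs),
        "reject_new_surfer": rejected_at_registration("surfer", pairs),
        "reject_new_fresh": rejected_at_registration("fresh-one", pairs),
    }


if __name__ == "__main__":
    print(audit())
```

The audit finds alice and carol, who would then be forced through a reset; bob is clear because his stored hash no longer matches the leaked word. The registration check is per password rather than per user on purpose: "surfer" was leaked under frank's name, but a brand-new user picking it would be choosing a word already in public lists.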


----------



## T-Fox (Mar 3, 2009)

I use two different passwords on different sites.

One, is for sites I don't give a flying **** about if they get hacked. (FA, GameFAQs, Youtube, ETC.) This is unsecure, but easily rememberable.

One I use for important sites. (My two bank accounts, School E-Mail) And it's a royal pain to figure out.

No, I DON'T change my unsecure password. Ever. And I never intend to. Key here is I DON'T CARE if it gets hacked. "Oh No! The art is still on my computer! I'll make a new page and re-upload and tell all my watched users what happened! NOOO!" Come on, what is someone gonna do with my FA account that I only use to upload photos, host a few banners, and put up Commission work? I mean, the point of having an unsecure, easy to remember password is that it's easy to remember. Cause I use it for everything. And I refuse to write down a list of passwords. "I wanna post meaningless drivel on x forum! Let me reach into my wallet and check my Password!" It's senseless for something that trivial.

After a hack, yes. I do make a variation on the password. Generally by one letter though. But that isn't really the point. At the same time, let the users who haven't changed their passwords get hacked. And if they complain to you, IP ban them for stupidity. It's your site, you can do that. I agree with the point made earlier, "smart" and "dumbass" are seperated by who the person blames when they get hacked.


----------



## yak (Mar 3, 2009)

*Cyan,*
Seriously, learn to read please.



Cyan said:


> Even this forum has a Bruteforce prevention.
> To blame the user for a Password Wordlist is imho a bit too harsh.
> 
> Why is it so impossible to add a bruteforce prevention onto furaffinity?


Bruteforce prevention is completely irrelevant to this topic.

What is being discussed here is the 3+ years old password list with basically username:password pairs, one per line. Do not try to bruteforce someone's password. Do not collect 200$ - proceed straight to the login page and use one of those pairs and attempt to log in.





Cyan said:


> Is the password on registering being checked against this wordlist?


No. We didn't think people were that irresponsible in order to do that.



Cyan said:


> Coming out of a business where I come across user accounts I have to say that it "never" is done on purpose to have a bad password.


The guy that replied right after you must be an exception.
People that put words like: apeshit, yummies, toonfox, automan, surfer, crossbow, herpetologist, timothy, polarbear, griffox  must not be doing that on purpose too, right?



Cyan said:


> I bet that only 10% actually know what a wordlist is and how a bruteforce works.





Cyan said:


> Imo it's the coders fault for making it actually possible to hack an account.


You are aware that everything in existence can be hacked, right? As long as one chump coded it, another chump will be able to hack it if he possesses enough determination.

According to you all programmers are at fault. You too.



Cyan said:


> Does session hijacking work? I've seen some info on lulz that it might be possible.
> Seriously, such things should have been fixed.


What makes you think they haven't?



Cyan said:


> This ban just goes way too far in my opinion.


So it's better for us to just leave an account full of art whose password _we know_ is publicly available untouched, just like that?

Did you ever have a cat, or a dog? Did you ever have to repeatedly push them away from your bag of groceries you brought home, and were you ever annoyed by their blunt persistence?
Project that situation onto what we were doing when banning people who repeatedly restored their old passwords even after we reset them and warned the users.



Cyan said:


> And one thing: the passwords are saved plaintext? WTF!!!


Seriously, you need to read before you post.


------------





T-Fox said:


> I use two different passwords on different sites.
> 
> One, is for sites I don't give a flying **** about if they get hacked. (FA, GameFAQs, Youtube, ETC.) This is unsecure, but easily rememberable.
> 
> ...


Except people would still blame us regardless of whether it was your fault, or ours.


----------



## Cyan (Mar 3, 2009)

> Bruteforce prevention is completely irrelevant to this topic.
> 
> What is being discussed here is the 3+ years old password list with basically username:password pairs, one per line. Do not try to bruteforce someone's password. Do not collect 200$ - proceed straight to the login page and use one of those pairs and attempt to log in.



Yeah the topic page just sounded like:
We have a list of user password pairs, it's old, you can use it to log in, we did, we ban.

Still weird.



> No. We didn't think people were that irresponsible in order to do that.


Might prevent further problems? Hint, hint!



> The guy that replied right after you must be an exception.


No they are the norm.
And they are not really bad passwords on purpose. People just have a bad sense of humor.



> You are aware that everything in existence can be hacked, right?


No it can't. Even there are exceptions. But most can, I agree.
The key is to make it as hard as possible, and the data behind it as useless as possible.



> According to you all programmers are at fault. You too.


Since I am no god, being therefore fallible, yes even I fail.
Yet there are routines you can follow to reduce it to an acceptable level.



> What makes you think they haven't?


This was right out of the blue. I don't think it's possible nor I don't think it's possible. Just said stuff like that should be fixed.
There was no kind of request intended.



> So it's better for us to just leave an account full of art who's password _we know_ is publicly available untouched, just like that?


This list isn't here since yesterday I guess. Writing a PM would have been enough imho. It's the way I do things. Do as you like.
Just found it a bit harsh though.



> Project that situation on to what we were doing when banning people who repeatedly restored their old passwords even after we reset them and warned the users.


How many kittens and dogs have you killed by now going at your groceries?



> Seriously, you need to read before you post.


I did


> Do you know what I found? I found that of the 4,823 accounts on this several year old list, *738 of them were still using the exact same password.*


*Just sounded like it was checked by database and yeah my fault it can be hash checked too. Sorry for that.*


----------
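Two points in the exchange above are about the defensive checks rather than the argument: Cyan asks whether a new password is checked against the leaked wordlist at registration (yak: it wasn't), and Cyan later notes that the comparison against the current user database can be done against hashes rather than plaintext. The Python below is an added example written for this page, not Fur Affinity's code or the script net-cat ran. It parses a constructed `username:password` leak, re-hashes each leaked password under the matching account's stored salt to find accounts still using a leaked password (the hash-side check, which works because the site never needs the plaintext of its own users), and rejects a leaked password at registration. The PBKDF2 scheme, the sample accounts and the leaked lines are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample leak in the "username:password, one per line" shape
# described in the thread. Not real data.
LEAKED_LIST = """\
alice:surfer
bob:crossbow
carol:polarbear
dave:timothy
"""


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; assumed scheme, not the site's real one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_table(plaintext_passwords: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Build {username: (salt, digest)} from plaintext. Only for constructing
    test fixtures; a real site never holds the plaintext after registration."""
    table = {}
    for user, password in plaintext_passwords.items():
        salt = secrets.token_bytes(16)
        table[user] = (salt, hash_password(password, salt))
    return table


def parse_leak(text: str) -> dict[str, str]:
    """Parse 'user:password' lines; splits on the first colon so passwords
    containing ':' survive, and skips blank or malformed lines."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        pairs[user] = password
    return pairs


def matches(stored: tuple[bytes, bytes], candidate: str) -> bool:
    """Re-hash the candidate under the account's own salt and compare in
    constant time, so no plaintext from the user table is ever needed."""
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(candidate, salt))


def accounts_to_reset(user_table: dict[str, tuple[bytes, bytes]], leak_text: str) -> list[str]:
    """Accounts whose current password still equals their leaked one.
    These are the ones an admin would force-reset and notify."""
    leaked = parse_leak(leak_text)
    hits = [
        user for user, password in leaked.items()
        if user in user_table and matches(user_table[user], password)
    ]
    return sorted(hits)


def rejected_at_registration(new_password: str, leak_text: str) -> bool:
    """Registration-time check: refuse any password that appears anywhere in
    the leaked list, since the whole list is now a public wordlist."""
    leaked_passwords = set(parse_leak(leak_text).values())
    return new_password in leaked_passwords


if __name__ == "__main__":
    # Constructed user table: alice and carol kept their leaked passwords,
    # bob changed his, erin was never in the leak.
    users = make_user_table({"alice": "surfer", "bob": "n3w-Pa55!x",
                             "carol": "polarbear", "erin": "something-else"})
    print("force reset:", accounts_to_reset(users, LEAKED_LIST))
    print("reject 'crossbow':", rejected_at_registration("crossbow", LEAKED_LIST))
```

The per-account re-hash is the cost of salted storage: one PBKDF2 evaluation per leaked pair that names an existing user, which is a few thousand evaluations for a list this size and is what makes the comparison feasible without ever storing plaintext. The registration check is deliberately broader than the per-user match, because once a list like this is public every password on it is a dictionary word for attackers.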



## Arshes Nei (Mar 3, 2009)

Cyan said:


> How many kittens and dogs have you killed by now going at your groceries?



A Ban is nowhere near the equivalent of death. A note was left why the account was banned on their page. (at least it should have been). They're not dead, they can still contact the administrators to get unbanned.


----------



## Cyan (Mar 3, 2009)

Okay how about: Lock them out of the house for ever?
Must be fun in winter!

Btw. I wasn't the one bringing up that comparison.

Just said it was a bit too harsh for my opinion.

That hard to accept other people's opinions? Man ...


----------



## Aden (Mar 3, 2009)

Cyan said:


> Okay how about: Lock them out of the house for ever?
> Must be fun in winter!
> 
> Btw. I wasn't the one bringing up that comparison.
> ...



Try going outside.


----------



## Arshes Nei (Mar 3, 2009)

yak said:


> Did you ever have a cat, or a dog? Did you ever have to repeatedly push them away from your bag of groceries you brought home, and were you ever annoyed by their blunt persistence?
> Project that situation on to what we were doing when banning people who repeatedly restored their old passwords even after we reset them and warned the users.
> 
> 
> *Seriously, you need to read before you post.*





Cyan said:


> How many kittens and dogs have you killed by now going at your groceries?



What the....yes you did bring up that crazy analogy. yak only is talking about being annoyed, and taking proper recourse... not killing 

I don't have to accept anyone's opinions, I accept reasonable counter-arguments. You weren't reasonable. A person can have the opinion that boobs grow on trees. That doesn't make it acceptable.

PS, also bad analogy about the house thing. They're not locked out forever either. I bolded that reading part yak posted, it's *very* important.


----------



## krisCrash (Mar 3, 2009)

yak said:


> Except people would still blame us regardless of whether it was your fault, or ours.



Truth.

But not something people learn until they try having the responsibility of a moderator or equivalent position


----------



## Delphinidae (Mar 3, 2009)

Arshes Nei said:


> boobs grow on trees


Shouldn't tell them about your dreams of the future.


----------



## Cxulubcah (Mar 3, 2009)

yak said:


> Use the password recovery feature.



Okay, where is i-......"Forgotten your password? [Click here!]".......oh my god I'm such a fucking IDIOT!


----------



## Arshes Nei (Mar 3, 2009)

Delphinidae said:


> Shouldn't tell them about your dreams of the future.



O/T I don't need them to grow on trees, I have my own pair, thank you very much.


----------



## WarMocK (Mar 3, 2009)

Arshes Nei said:


> O/T I don't need them to grow on trees, I have my own pair, thank you very much.


YMMD! xD
Thank you very much.

As for the complaints about temporary bans of hacked accounts: Do you guys think it's that funny if the cracker starts spamming other users' submissions and journals with troll posts and stuff? Even if they didn't do that THIS time, who can guarantee that something like this won't happen in the future if another "12345" user gets hacked? What do you tell those who got spammed with insulting troll posts that need to be wiped by the admins? "Meh, your fault, you shouldn't have allowed me to comment your pics"???
Thanks for that. </irony>


----------



## DigitalMan (Mar 3, 2009)

@T-Fox: Thanks for the backup. We should start a group or something. The League of People Who Don't Take This Crap Too Seriously. 

@Cyan: Death? Locked out of the house? Bad analogies. If you want to question their reasoning... why are they equating users to non-sapient household pets in the first place?


----------



## Delphinidae (Mar 3, 2009)

DigitalMan said:


> why are they equating users to non-sapient household pets in the first place?


There is an element of design practicality, generally referred to as the "lowest common denominator". Ever tried coding a site for 624 different types of users, what's more, making them choose their level (or determining it automatically by one way or another)? It's simpler and faster for everyone if they enforce the same bottom line throughout.

For someone who's so conceited about their own abilities (up to and including arrogance), you sure lack the turning of some wheels.


----------



## Akal Ashata Alis (Mar 4, 2009)

Nor did I, mind you, I didn't frequent often. However - my email address I had originally registered under became invalid at one point, and it looks like I never updated it - which means, bam... no password recovery feature will work.


----------



## Oshimi2 (Mar 4, 2009)

Same problem as Akal.. >.<


----------



## BarefootStallion (Mar 4, 2009)

The solution to this is simple.  If a furson gets their account hacked because they were using a newb password, then they lose their account and they have to make a new one.  Once those fursons learn that using ill-advised passwords will cause them to have to create new accounts and they are forced to make all of their uploads again (and possibly again and again and again!), then maybe they'll figure out that it's time to start listening to the admin, and start using more sound password strategies.

In the mean time, admin, just flush the corrupted/hijacked accounts and be done with it.  No muss, no fuss, no worry.  Admins got enough to do to run a site like this, without needing to worry about somebody not following sound advice.

Meh, my two cents at any rate.


----------



## SnowFox17 (Mar 4, 2009)

Shiakarn said:


> Okay, firstly I admit I haven't read the entire thread, but based on the first 3 pages or so I'm not sure I want to.
> 
> Let me introduce FurAffinity to a concept called privacy law.
> 
> ...



Good to see the twats ridiculing the Admins are single digit postees.

The passwords weren't released for the public, only account names. Get off your freaking high horse, read the first post again and stop having a hissy fit.



> Okay, firstly I admit I haven't read the entire thread, but based on the first 3 pages or so I'm not sure I want to.


Read the first post again.



> Let me introduce FurAffinity to a concept called privacy law.


The concept of common sense would be needed to be introduced to you.



> Privacy law means that when someone makes an account on a site, the contract is not only the terms of use the user agrees to when they make that account, but also the implied contract that the service provider is also responsible for preventing the data from falling into the wrong hands.


Ok two things here.
#1 FA is in no way responsible if you lose your account to an outside source on your side. They are responsible if it's on their side. They TOOK responsibility for the hack against their Database and upped its security, replaced everyone's account with the backups they had and told everyone to change their passwords so they couldn't be hacked.

#2 They are taking responsibility right now by trying to prevent users losing their accounts. It's just numbnuts like you who have no idea WTF is going on.



> Privacy laws are in force in most US States, US federal law, International law, the UK, EU, etc.



That is common sense. The same common sense used by the Admins by not POSTING ANY PRIVATE DETAILS about the user.



> The law *does not* recognise the user's responsibility to change their password, this is merely an informal recommendation.


The FA Administration are giving you the chance to change your passwords so it protects your accounts (FA, Bank, whatever else floats your boat) since they were all Dictionary hits. As I said in a previous post, they could have easily locked your password as rainbowlorrikeetcrap and told the user to live with it.
Did they?
No.
This isn't an informal recommendation, it's a formal one. They released a public notice on the main site and put up a thread detailing why it's happening. They could have easily said "You guys stuffed up in your password choices, change it or get hacked/banned." but they gave you 3 chances to change it.



> The law recognises that allowing databases with personal information to fall into the public hands is a breach of privacy laws.


LOL? You think they allowed a hacker to come in, mess around with the DB until it was FUBAR and steal passwords willingly? You're dumber than I thought.



> The law recognises that FurAffinity is legally liable to anyone who's password was disclosed to the public, and are now liable to people in multiple jurisdictions.



The law also recognises Accidental and Purposeful Disclosure. Since it was accidental, AND they didn't do it themselves, they ain't liable for anything. In reality, they didn't even have to help its users with their passwords.



> Be glad you're not an actual for-profit business, I assure you, you'd already be in a class-action lawsuit by now.


I could imagine the Judge right now, I would fly from Australia just to see this.
"You want to file a class act against a website funded by its users, that is a medium to allow like-minded people to interact with one another and share their talent, because the DB was hacked in its early days, has upgraded its security extensively and is trying to help its users secure their accounts?"

You would become the most stupid person in the world, it's like suing McDonald's because they wouldn't tell you the recipe for its Big Mac sauce.


----------



## net-cat (Mar 5, 2009)

You know, the funny thing about that diatribe about privacy laws...

(a) By the time I posted the list of affected accounts, I had already reset the passwords. Even if someone were to find the list and try to use it, it wouldn't do them any good. Unless you set your password back to what was on the list, of course.

(b) Our ToS excuses us from being responsible for any personal data you transmit to our servers. Whoops.

________________________________________

As for this whole issue, I'm done with it. Seriously. I've stirred up enough shit awareness on this issue. In the next few days, I'm going to do some housekeeping, clean everything up, and move on. Quite frankly, I've got more important things to worry about than whether or not Little Johnny Yiffs-a-Lot can access his porn or not.

Whether or not you're a fan of how I did this, it was quite effective. I've gotten many notes from users saying that they had no idea this had happened and are now using a different password.

For those of you bawwwwing about me not letting you have your precious insecure passwords, you can have them. I don't give a flying fuck. (Though if your account _does_ get hijacked, you won't see me in a rush to get it back under your control, since you'll just set the password back to what it was and get it hijacked again.)

On a closing note, I'd like to reiterate that our current password database _is_ secure and has not been compromised. (<3 verix) And in the next few months, it's going to get even more secure. (You probably won't even notice this happen, though.)

Have a nice whatever.


----------



## Arshes Nei (Mar 5, 2009)

No point in more arguing over it. Closing thread.


----------

