# Account Security - Friendly Reminder!



## Dragoneer (Dec 16, 2006)

Just a friendly reminder to all those out there in Affinity land! Fur Affinity has recently celebrated its one-year anniversary since coming back, and we'd just like to remind people about a few easy steps to keeping your account safe and secure! We're focused on making the community fun and prosperous, and we want to make sure it stays safe at that!

*NEVER* give your password out to anybody. Ever. This includes best friends, mates and lovers, family or anybody claiming to be Fur Affinity staff. _*FA and its staff members will NEVER ask you for your password.*_ Also, please note that while FA staff members CAN reset or change your password, they are not able to see what your password currently is. Passwords are stored in hashed, encrypted databases which admins DO NOT have access to.

*KEEP* your e-mail address on Fur Affinity updated and current. If you forget your password, recovering your access to your account is a few clicks away! Without an up-to-date email, recovering your account becomes a more time-consuming process where we have to manually verify your identity to perform a reset.

*ROTATE* your passwords, and do not use the same password on every site. Rotate where you use your passwords, and try not to use the same one for everything, especially your e-mail accounts and highly important information (bank, Paypal, etc). It's a good safety practice, and you can never be too secure! Remember: if one password gets compromised on ANY site, everything becomes fair game on any other site that uses the same passwords.

*CHANGE* your passwords on a regular basis! Every 90 days is a good average and is easy enough to remember. When the season changes, so should your password!

_*When's the last time you changed your password? If you can't remember, it's probably a good time to change it!*_

*SECURE* your password! Use mixed characters, numbers or symbols when creating your password. NEVER, NEVER EVER use simple dictionary passwords like "dragon", "qwerty" or "password" to secure your account. Ever. Instead, mix up your password with alternating caps, numbers and symbols. For example, "security" could easily become "$Ecur1ty!" which offers higher security.

For more information on strong passwords, check out our Wiki article!
http://wikiffinity.net/index.php?title=Creating_a_Strong_Password

If you guys have any questions, feel free to ask! And remember to stay safe this holiday season as well! We care about you guys just as much offline as we do in the digital world.


----------



## Dragoneer (Dec 16, 2006)

http://www.ghettowebmaster.com/myspace/phished-myspace-accounts/

The above link contains some interesting information from MySpace's recent hacking in which over 26,000 accounts had their passwords stolen. Which is further reason to change your password regularly. If your MySpace got hacked it would leave your FA account, e-mail or Paypal wide open if they shared the same common password!


----------



## starlite528 (Dec 16, 2006)

Ultra High Security Password Generator:
http://www.grc.com/password.htm


----------



## Dragoneer (Dec 16, 2006)

Wow, why the hell did I emphasize the first words of each point I wanted to make? I feel like one of those lame bosses who puts out memos that have "team building" catchphrases on them that everybody hates.

*ACCOUNT*
*A*lways
*C*onsider
*C*runchy
*O*rganic
*U*nsweetened
*N*inja
*T*ampons

But either way, that doesn't excuse not following the security tips!


----------



## Taralack (Dec 16, 2006)

Dragoneer as my boss for the ultimate win. XD


----------



## CaptainSaicin (Dec 16, 2006)

I haven't changed any of my passwords since I created them, some years ago. Since they are impervious to brute force attacks and have never been compromised by phishing, hacking or theft, there has been no need to.

20 random characters of 72 states = 1.40x10^37 combinations

http://www.randomnumbers.info/

Yea, I'm a security freak... It's what I do for fun, and plan to do for a living.


----------



## kjorteo (Dec 16, 2006)

May I also recommend PasswordMaker:
http://www.passwordmaker.org


----------



## Shira (Dec 18, 2006)

Dragoneer said:

> For more information on strong passwords, check out our Wiki article!
> http://wikiffinity.net/index.php?title=Creating_a_Strong_Password



Actually, don't, as it appears that the Wiki was hacked and rendered unusable. Does anyone else find it strangely ironic that an article about account security links to a hacked webpage? :roll:


----------



## uncia2000 (Dec 18, 2006)

Shira said:

> Actually, don't, as it appears that the Wiki was hacked and rendered unusable. Does anyone else find it strangely ironic that an article about account security links to a hacked webpage? :roll:



Oh well, there goes our FAQ, too.

Guess that was within the past 24 hours and not sure whether anyone's in a position to fix.
Will flag, anyhow.... Thanks.

d.


----------



## Dragoneer (Dec 18, 2006)

Shira said:

> Actually, don't, as it appears that the Wiki was hacked and rendered unusable. Does anyone else find it strangely ironic that an article about account security links to a hacked webpage? :roll:


Blah. I'll get that fixed asap. Mediawiki must have had some bug that let people re-write the index. I was running 1.8.2, which IS the latest version... 

And yeah, there's a bitter irony to it. Eh well. No real harm done. People can still use the forums. =P


----------



## sixclaws (Jan 3, 2007)

CaptainSaicin said:

> I haven't changed any of my passwords since I created them, some years ago. Since they are impervious to brute force attacks and have never been compromised by phishing, hacking or theft, there has been no need to.
> 
> 20 random characters of 72 states = 1.40x10^37 combinations
> 
> ...



Someone hacked my yahoo account some months ago, and the damn thing had a 13 character long password...


----------



## CaptainSaicin (Jan 3, 2007)

sixclaws said:

> CaptainSaicin said:
> 
> 
> 
> ...



They didn't "hack" it. This issue with Yahoo is a very common and very successful social engineering ploy: Rather than brute forcing your password (which would indicate that it was too weak or easy to guess), they use another victim to link you to a page that appears to be a legit Yahoo page requiring a login (this is a form of phishing). When you attempt to login, the page (Such as this one) steals your password and uses it to sign into your account, making you the next victim and sending the link to people on your contact list. If the attacker is particularly malevolent, they can change your password, deface your profile, or commandeer your account for their own use.

The First Rule of Social Engineering: The Weakest Link in Any Security System is the User.

There is a way to prevent this from happening, but it involves a modification in behavior rather than in security procedures. To keep from becoming a victim of social engineering, *NEVER INPUT A USERNAME, PASSWORD OR OTHER ACCOUNT INFORMATION ON ANY PAGE THAT DOES NOT HAVE A 100% PERSONALLY TRUSTED HTTPS URL, AND ALWAYS BE SKEPTICAL OF THE SECURITY OR LEGITIMACY OF LINKS SENT VIA IM OR EMAIL*


----------



## cesarin (Jan 3, 2007)

honestly, if people after being warned to change their password, still don't change it, they should be BLOCKED, smart users should not suffer for the stupidity of others.. :/


----------



## CaptainSaicin (Jan 3, 2007)

cesarin said:

> honestly, if people after being warned to change their password, still don't change it, they should be BLOCKED, smart users should not suffer for the stupidity of others.. :/



That's probably the most self-contradictory opinion I've ever read on the subject of account security.

So you're saying people with the good sense to use a solid password and keep it secure should be punished by being forced to redo it with completely unnecessary frequency under penalty of banning, just so that less intelligent people are slightly less likely to have their account hijacked?

There is no patch for human stupidity. You're wasting your time.

If stupid people keep getting their accounts hijacked because they can't take some good advice, that's their own problem, not the advice-givers', and certainly not the people who are smart enough to not need it.


----------



## Arshes Nei (Jan 3, 2007)

No, he's agreeing with you. He's referring to users that use weak passwords that get hacked.


----------



## uncia2000 (Jan 3, 2007)

Arshes Nei said:

> No, he's agreeing with you. He's referring to users that use weak passwords that get hacked.



Are _*more* likely_ to get hacked, yes... Rainbow and dictionary attacks are the first approach that's likely to be used.
A STRONG password with lower case, upper case, numeral (and even symbols) with a minimum length of ~10 characters is a good start point for relative safety, but it's easy to go beyond that length.


----------



## cesarin (Jan 3, 2007)

Arshes Nei said:

> No, he's agreeing with you. He's referring to users that use weak passwords that get hacked.



glad to see there's still people around that DIGEST and try to "understand" .... rather than just jumping to conclusions.
Thx Arshes!

anyway let me still re-write to put my point more clearly...

1. Idiot user uses too easy passwords (i.e., YIFFY.. FOX)
2. Idiot user gets hacked...
3. Admins rush to block and recover the account.
4. Admins tell Idiot user to use a strong password (and give clear instructions to the idiot user on HOW TO DO IT)
5. Idiot user (cause he's an idiot or a moron..) ignores this and goes directly, inserting another easy to break password (i.e., vixen or Yiff)
6. Admins can't handle the number of idiot users that get hacked, even after the warnings and suggestions...
7. Admins assxplode and block everyone's option to erase or modify content.

so it means: Normal users who are smart.. GET BLOCKED, AND THEIR BENEFITS REVOKED thanks to random Idiot users who don't give a damn, nor read instructions...

so I was referring to this: WHY DO NORMAL USERS HAVE TO PAY FOR THE ERRORS OF CERTAIN INDIVIDUALS?
just block these individuals, period!


----------



## uncia2000 (Jan 3, 2007)

cesarin said:

> 1. Idiot user uses too easy passwords (i.e., YIFFY.. FOX)
> 2. Idiot user gets hacked...
> 3. Admins rush to block and recover the account.
> 4. Admins tell Idiot user to use a strong password (and give clear instructions to the idiot user on HOW TO DO IT)
> ...



It's far from being as simple as that, Cesarin:
Not /only/ the easy passwords are hacked.
Some are delved from PCs that were shared with "friends".
Others are misused by former mates or visitors to people's houses...

Anyhow. Password gets caught; account hacked and wiped.
You're saying we should then just ban them rather than let them reupload their subs, regardless of how they were hacked?
And what if they have 500 subs which will take a long time to reupload and cause possible grief to other people whilst those "flood" back on?

On the other side of the coin...
How many people are *dying* to be able to delete a given submission that won't raise a trouble ticket or ask here to request that instead? "Urgent" requests can be managed.
And, anyhow, people are used to not being able to delete shouts or comments on submissions...

The best option was deemed to be hold until recoded and there has been virtually no drama over people complaining that they are unable to delete their submissions. Yes, that was a value judgement with a guesstimated timescale that's fighting other priorities.
And grateful for people's patience whilst that gets fixed, new server installed, etc.

Please give my tail a bite if any of that requires further clarification. Will answer as best I can.

Thanks,
David.


(right, that's a better reply, phps, having had enough time whilst multi-tasking... still ymmv).


----------



## Hanazawa (Jan 4, 2007)

Just one point, Uncia - 


> How many people are *dying* to be able to delete a given submission that won't raise a trouble ticket or ask here to request that instead? "Urgent" requests can be managed.



How about people who accidentally upload tens or twenties of "ghost" submissions because of 502 errors?


----------



## uncia2000 (Jan 4, 2007)

Hanazawa said:

> Just one point, Uncia -
> 
> 
> > How many people are *dying* to be able to delete a given submission that won't raise a trouble ticket or ask here to request that instead? "Urgent" requests can be managed.
> ...



Not a huge number and we're tidying up the vast majority interactively. Let me know if you spot any others, please, although we'll still have a bit of a check-through to do for the past 2-3 days.

Having discussed, the part-complete submissions were generally presumed to be "broken" by the uploader and then a new submission was attempted as it wasn't known about the "Edit" function. Hence my slight blitzing on those...
System has now (last hour or so) been stabilised somewhat albeit at the expense of speed. Rather fewer "Edit" comments or thumb rebuilds required now...

d.


[ed.] oh well, the slowing down is helping the uploads, but making the 502s elsewhere worse, it seems... New server, please...


----------



## WelcomeTheCollapse (Jan 4, 2007)

starlite528 said:

> Ultra High Security Password Generator:
> http://www.grc.com/password.htm



I _finally_ come in here to post something, and it's been taken.


----------



## cesarin (Jan 4, 2007)

uncia2000 said:

> cesarin said:
> 
> 
> 
> ...


not banning, block them from deleting stuff, i.e., just block the constantly affected accounts, not all of 'em.


----------



## uncia2000 (Jan 4, 2007)

cesarin said:

> not banning, block them from deleting stuff, i.e., just block the constantly affected accounts, not all of 'em.



Would be nice in theory but, recently at least, accounts were being impacted only ONCE... hacked and erased. And no way to tell in advance which one was going to be next.
There are no "constantly affected accounts", afaik.


----------



## cesarin (Jan 5, 2007)

uncia2000 said:

> cesarin said:
> 
> 
> 
> ...


and now for something completely different....

I feel insulted! *demands huggle from uncia* 

(I need to find new ways to sneak in a hug ! )


----------



## SageHendrix (Mar 7, 2007)

http://www.furaffinity.net/journal/93915/

As you can see, the passwords people had before our site hack last year are still up there.  

While I did trace back to the site's hosting provider (which means that the directory should be down within the hour along with another directory of hacked IM passwords), this is evidence that you definitely should not change your password back to one you previously used. Some people still need bragging rights apparently.

-Kat


----------



## CaptainSaicin (Mar 26, 2007)

Catwoman69y2k said:

> http://www.furaffinity.net/journal/93915/
> 
> As you can see, the passwords people had before our site hack last year are still up there.
> 
> ...



passwords are back again on another mirror.


----------



## yak (Mar 27, 2007)

Catwoman69y2k said:

> http://www.furaffinity.net/journal/93915/


Thank you, it is greatly appreciated ^_^


----------



## fastturtle (Nov 23, 2007)

Sorry to bump this thread with a bit of a Rant:

Generating a secure PW isn't that hard, but too many damn sites refuse to accept a decent PW mix of upper/lower case. Hell, I've run across sites that simply say PWs are restricted to 6-8 lowercase characters. Bloody Damn Idiots. Why not drop any pretense at security and give everyone and their damn sibs full access to your host? Since that's what you did.

In the case of secure PWs, it's an ongoing risk assessment, and here's how I break it down:

- Money
- Business - Reputation/Email
- Personal - forums/email/support/vendors
- Annoyances - Yahoo/Hotmail and such

Descending levels of security due to importance. Money of course being critical. Business is just as important, while personal depends on the use. Places where I spend lots of time get fairly tough PWs, or where I've developed a reputation (tech/support forums), though many others damn near fall into the annoyance list of Yahoo/Hotmail and others.

Now vendors are in a different position, as I only trust a CC online, and since I don't trust any vendor I've not dealt with, I always take advantage of the single-use card numbers (Visa/MasterCard/Diners/AmEx all offer such a tool). Damn nice and useful from the standpoint of security. Finally, never allow vendors to retain your card number. It's usually in the damn cookie and thus completely exposed to anyone who can access them on your system, and is why I don't mind entering them every time I want to use them.


----------



## CaptainSaicin (Nov 23, 2007)

fastturtle said:

> Generating a secure PW isn't that hard, but too many damn sites refuse to accept a decent PW mix of upper/lower case. Hell, I've run across sites that simply say PWs are restricted to 6-8 lowercase characters. Bloody Damn Idiots. Why not drop any pretense at security and give everyone and their damn sibs full access to your host? Since that's what you did.



Lol, AOL.

Did they ever upgrade their account security to allow more than 6 characters? I wouldn't know, because I stopped using them for anything important as quickly as I started... you can brute force a 6-character alpha-numeric password in only a few minutes on a modern computer... as fast as 66 seconds at 3 billion FLOPS.

What I find particularly damning is when sites allow you to enter a long password, but then discard all but the first several characters of it without telling you, so you could be entering something like 'wienerschnitzel9236' and it will only read 'wiener,' which is hardly secure. You could enter anything you want, and as long as you get the first 6-8 letters right, you're in.


----------



## Brooklyn (Nov 25, 2007)

Friends and Family (mostly extended and visiting family) think me a jerk or stubborn, but I /never/ let /anyone/ on my computer, even locking it when no one is home but me. Even with physical access, it's very difficult (nay, impossible) to break a password with 72^10 possibilities (that's 3,743,906,242,624,487,424 for you math whizzes) that only exists in my head.
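The keyspace figures traded in this thread (CaptainSaicin's 72^20 ≈ 1.40×10^37, Brooklyn's 72^10 = 3,743,906,242,624,487,424, the "6-character alphanumeric in minutes" estimate, and the point about sites that silently keep only the first few characters of a long password) all come from the same arithmetic. The script below is an added example, not code from any poster or from Fur Affinity, that reproduces those figures and shows how truncation collapses a long password to a short one. The 72-symbol alphabet is the posters' figure; the 3 billion guesses per second rate and the character-class definition of "alphabet size" are constructed assumptions for illustration.

```python
# Added example: password keyspace arithmetic behind the figures in this thread.
# Assumptions (not from the thread): a 3e9 guesses/second offline attack rate,
# and "alphabet size" defined as the union of character classes present.
import math
import string
from typing import Optional


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn uniformly at random
    from an alphabet of `alphabet_size` symbols (e.g. 72^20, 72^10)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of such a password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def effective_length(length: int, truncate_to: Optional[int] = None) -> int:
    """A site that silently keeps only the first `truncate_to` characters
    verifies a password of that length, whatever the user actually typed."""
    return length if truncate_to is None else min(length, truncate_to)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float,
                       truncate_to: Optional[int] = None) -> float:
    """Worst-case time to try every password the verifier actually checks."""
    checked = effective_length(length, truncate_to)
    return keyspace(alphabet_size, checked) / guesses_per_second


def alphabet_size_for(password: str) -> int:
    """Size of the union of character classes (lower, upper, digit, punctuation)
    that appear in `password`; a lowercase-plus-digits password gives 36."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(ch in cls for ch in password))


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    rate = 3e9  # constructed: guesses per second against a fast, unsalted hash
    print(f"72^10 = {keyspace(72, 10):,}")
    print(f"72^20 = {keyspace(72, 20):.2e} ({entropy_bits(72, 20):.1f} bits)")
    print("6 chars, 62-symbol alphabet:", humanize(seconds_to_exhaust(62, 6, rate)))
    print("19 chars, but site keeps 6:  ", humanize(seconds_to_exhaust(72, 19, rate, truncate_to=6)))
    print("19 chars, checked in full:   ", humanize(seconds_to_exhaust(72, 19, rate)))
    print("alphabet for 'wienerschnitzel9236':", alphabet_size_for("wienerschnitzel9236"))
```

The truncation case is the one worth internalising: a 19-character password checked only on its first 6 characters is exactly as strong as a 6-character password, so the guessing time drops from tens of trillions of years to under a minute at the assumed rate. The rate itself is the moving part; a slow, salted password hash on the server side lowers it by orders of magnitude, while the arithmetic stays the same.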


----------



## CaptainSaicin (Nov 26, 2007)

I just lock up all of my secure data with 256-bit encrypted hidden virtual partitions and a 72^20 length pass, so even if someone goes on my computer, they can't find or access anything I don't want them to.  I find it to be a more elegant solution that provides plausible deniability - even if I have to provide access to someone, or something happens to me and they gain access, there's nothing for them to find, ever.


----------



## capthavoc123 (Nov 26, 2007)

I'm nowhere near as paranoid as any of you guys. I just use a fingerprint reader to secure my computer. Anytime the screensaver activates (after ten minutes of idle time), or when I start up my computer, you have to swipe the fingerprint reader.

EDIT: And of course, a scant three hours after I confidently type this, my electronic fingerprints would get corrupted and I would have to spend an hour figuring out how to re-enroll them.


----------



## CaptainSaicin (Nov 26, 2007)

capthavoc123 said:

> I'm nowhere near as paranoid as any of you guys. I just use a fingerprint reader to secure my computer. Anytime the screensaver activates (after ten minutes of idle time), or when I start up my computer, you have to swipe the fingerprint reader.
> 
> EDIT: And of course, a scant three hours after I confidently type this, my electronic fingerprints would get corrupted and I would have to spend an hour figuring out how to re-enroll them.



Yah, I will never depend on a biometric reader for security until they have one that operates on and can lockout at a firmware level.


----------



## yak (Nov 27, 2007)

I wonder if those things are vulnerable to that old James Bond hack of spraying dust on it, so it would stick to the grease left by your fingers, and putting a blank thick sheet of paper on top, pressing it.
If it's touchpad-like technology used there,  however, i dunno, but i guess there still is a way to get around it fairly easy - there has to be.


----------



## CaptainSaicin (Nov 27, 2007)

yak said:

> I wonder if those things are vulnerable to that old James Bond hack of spraying dust on it, so it would stick to the grease left by your fingers, and putting a blank thick sheet of paper on top, pressing it.
> If it's touchpad-like technology used there,  however, i dunno, but i guess there still is a way to get around it fairly easy - there has to be.



They're currently all run on software... you just bypass or break the software.

They also have a failsafe method of a regular password, because they have a habit of breaking on their own.


----------



## yak (Nov 27, 2007)

I was referring to the sensor part, and the way it reads the data. I wonder if there is a (seemingly) easy way to bypass it without even having to break the software, by making the sensor read `correct` data.


----------



## CaptainSaicin (Nov 27, 2007)

yak said:

> I was referring to the sensor part, and the way it reads the data. I wonder if there is a (seemingly) easy way to bypass it without even having to break the software, by making the sensor read `correct` data.



Not easy, but simple on paper, yeah... similar to what you mentioned, but it would take more effort than that once you have the print.

Of course, a responsible user would clean the sensor after use, so you wouldn't get anything from it, but who are we kidding? The user is always the weakest link... biometrics don't fix that.

If the biometric sensor is a separate unit (USB, or just not built in to a laptop) you could also bypass the unit itself by using a datalogger to replicate the authentication signal it sends.  I doubt many of them have high-security firmware in the unit itself capable of biometric processing and instance salted signal encryptions... I think Microsoft designs the firmware on the most popular ones at this point.


----------



## Brooklyn (Nov 27, 2007)

Mythbusters broke biometric sensors (both windows versions and high-quality door sensors) with just a photocopier, a sharpie, and a piece of paper.


----------



## Ron Overdrive (Nov 27, 2007)

Honestly a good program to try using is KeePass (KeePassX for Mac and Linux/Unix). It can randomly generate passwords, apply expiration dates, and store them in an encrypted database (uses both AES and TwoFish) that requires only a master password and/or key file to access it. There's even mobile versions of it that can run off of a USB stick.


----------



## CaptainSaicin (Nov 27, 2007)

I use TrueCrypt to lock down sensitive data in an encrypted file... the nice part about it is you can just mount the encrypted file as a volume using your pass or keyfile, and then all of your data becomes available for access on that volume without further authentication needed for applications, etc... then you just dismount and lock it again when you leave the computer, or set it to do it automatically. I can store things like my firefox application data, stored passwords and configuration in there as well, so it's all right there at my fingertips as soon as I mount the file.

I have a design plan for a good universal biometric security management device that solves the hacking problems, but I can't really share the details until I get it patented.


----------



## Ash-Fox (Dec 20, 2007)

Preyfar said:

> *CHANGE* your passwords on a regular basis! Every 90 days is a good average and is easy enough to remember. When the season changes, so should your password! And remember, don't just change your FA password. Change them all. Also of note: always keep a separate password for your e-mail accounts and other highly important information (bank, Paypal, etc). It's a good safety practice, and you can never be too secure!


Seriously, recommended security practices make me cringe.

I am registered and active on 100+ websites, admittedly, I do not have a unique password on all of them. They are all complex. I barely remember the passwords on each of them. On top of that, you would recommend I would rotate the passwords every 90 days.

I understand the reasoning for complicated passwords and password rotations. But honestly, there is only so much the human mind can do. Any more than what I do currently would require I keep a log book of passwords, and there is no way in hell I am doing that again.

It would be nice if sites supported security dongles (usb dongles that use biometric information [finger prints for example] to verify the user before signing a string of text to verify it is you), but seeing how there isn't even a standard to those, there is not much point at the moment.

Don't you think such recommended security practices to be a bit.. insane?


----------



## Ash-Fox (Dec 20, 2007)

After talking about this issue with some friends, one of them gave me an awesome solution:

http://supergenpass.com/


----------



## CaptainSaicin (Dec 20, 2007)

Ash-Fox said:

> Preyfar said:
> 
> 
> 
> ...



For true security? no...

If security really is critical to you, then they're not... but for most people, it's easier to stratify their security needs on different sites....

For example, there are some sites which are more critical to me, such as paypal, my master email, and sites which have access to information such as my credit card, social security number, etc... all of these sites I use strong security measures to keep under my control, including 20-character rotating passwords, the whole nine yards.

In the case of some accounts, having one compromised would automatically compromise all of the same information as is on another, so I see no point in using separate passwords for each of them... instead I use the same rotated password and change them at the same time.

However when I get down to social sites like FA, which really aren't critical to me, I use easier to remember passwords and don't bother rotating them... simply because if one is compromised, it's no big loss - anyone hacking into it wouldn't have access to anything of real importance to me, and fallback methods of reclaiming the account are either more than sufficient or not necessary. For the most part, that's not even a big worry, since most people wouldn't have any reason to try and break into them in the first place - the most they could do is spam a site from my user account until they get it banned.


----------

