Comments


I have a nice 8 letter password with upper and lower and numbers in it.
If you want I can post a link to a website that generates truly random passwords for you like that - you can set the length of the passwords too, I believe.


Friendly advice to all. NEVER EVER use your email password twice.
What I mean is, the password for your main email address should not be used on any other site/on-line account/computer account EVER


*gulp* I use the same pass for two things; what's wrong with that? What happens??


The same user/pass on multiple sites allows someone to steal your facebook, myspace, furaffinity, bank account, penis...whatever.


Your penis too? O.O Shit, Imma change mine ASAP then O.O


Kinda what Naumova said. The main problem with using your MAIN email password for another account is that if that account is hacked, your most important on-line stuff - the MAILBOX - will be compromised.


It's not quite as bad as these comments make out. Just using the same password by itself will not cause a problem, because (in all serious sites) the password is hashed before being stored, so that it cannot be directly retrieved. However, if they do somehow find the password for one site - perhaps through a dictionary attack, or by snooping an unsecured connection - this gives them access to the other accounts that use it.

Oh, and you better hope one of the accounts isn't Facebook.


I'm sorry, but I really have to disagree with you on this one. It is as bad as we make out. Completely. If you use the same login/pass across all the websites you visit, if one is compromised, they're ALL compromised. It's very serious.

Think about that for a moment.

THEY ARE ALL COMPROMISED.

Ever see the movie "Swordfish" with John Travolta?

Mhmm...


Yes, if. It doesn't magically happen just through using the same username and password twice, which is what you said. :-)


Where did I say "using the same username and password twice"? At what point?

The same user/pass on multiple sites allows someone to steal your facebook, myspace, furaffinity, bank account, penis...whatever.


If you use the same login/pass across all the websites you visit, if one is compromised, they're ALL compromised.


At no point did I specify a number other than "multiple sites" or "all" ...

And no, it doesn't "magically happen" ... but you bet your sweet ass if a black-hat knows your user name and password that hacker is going to try facebook, myspace, a few of the national banks, second life, world of warcraft, etc... Notice a pattern? How many of those sites can you yank a credit card off of... and if the hacker gets into a bank... you can forget that 401k and anything else. It's going to a Nigerian Prince.

Quit talking out of your ass and make some sense.


Let me clarify what I meant: Just using a username and password combination on two sites doesn't magically give a hacker that username and password.

This is what I meant by "if". You said "The same user/pass on multiple sites allows someone to steal your facebook, myspace, furaffinity, bank account, penis...whatever.". And it doesn't. They can only do that if one of the accounts is compromised.


And in reply to "where did I say . . .". You did not say, but it is what was asked:
"i use the same pass for two things what's wrong with that wat happens?"


What he means is that there are, typically, two methods for gaining access to an account - a hash attack, in which the hacker gains access to the server that authenticates passwords, and social engineering, in which the hacker gets the actual password.

The passwords for every account are not stored anywhere on any decent server - instead, they are "hashed", or converted into a unique (or semi-unique) string of characters that can be reliably matched against what you put into your login screen. They -cannot- be converted back, reliably - at best you can get a list of possible strings a hash may represent (which will probably be easier to brute-force at that point, but anyway). These hashes can be (and should be) different for every website. So even though you may use 'blarghlefarb' on two different sites (the same passwords), you can end up with 'AAA37123D221' and 'EEF125A3BB62' as the hashes.

Note that there's probably nothing preventing a hacker that gained access to the authentication system at this level from removing it entirely and collecting a huge list of people's login attempts. So yeah. Don't use the same password everywhere.


It's a bit more complex actually. Aside from social engineering, there are several options for a hacker to gain access to your password.

1) Dumb brute forcing: Plain and simple, but takes a long time even for relatively simple passwords.

2) dictionary attacks: Very effective thanks to so many passwords out there being crap, like "dragon8".

3a) Getting your MD5 hash via SQL injection. That doesn't give him the password right away, but he can then use brute force methods on his machine or several machines in parallel.

3b) Rainbow tables. Once a hacker has your hash he can try to look it up on rainbow tables on the net and see if someone cracked that hash before. This is what is prevented with salted passwords like the ones on sofurry. And yes, unsalted password hashes are the same for every website.

3c) Hash collisions. This is where the fact that MD5 is considered "broken" comes into play. But as you can see, options 1, 2, 3a and 3b are much easier to pull off.




Naughty :P Using unsalted hashes. Oh well, no damage done this time.


Well our hashes are salted now ^_^
And if you have a good password, an unsalted hash doesn't mean the end of the world either.


Good password manager if you're interested: http://keepass.info/

If you use it remember to create a key file together with the master password and keep both safe :)


Hehe. Keep Ass Info.


Thanks for the heads up.


I've changed mine, hmmm, now to remember it >.


I have already changed mine and I will probably change it again a few times just to be sure.


thanks for the heads up T


Splendid the Super Squirrel is a hacker? Hmm...
HAX! *Throws a computer monitor*

But yes, it is very important that you change your password to something complicated but easy to remember.


Ouch, didn't know that.


Oh, that explains why I had to login lots of times...well, time to create a VERY difficult password! Thanks for the advice ^^


Now what pass could I have this time? I got it *types it in on SoFurry and in Word so I don't forget it* and all this talk has reminded me to change my computer password *changes it and adds it to Word and saves* now no-one can see my work.


muahahah...64 bits and very strong rating using PCtools random password generator

Might be overkill, but nearly impossible to guess (which is why it's stored on my hard drive and in KeePass).


NAH, 64 bits is pretty tame, mine's about 763.8 bits.


That's cause it's hard enough to guess already...and it's not like this is a bank account or something.


Oh no, Toumal turned into a squirrel!! I use many passwords so I'm pretty good and safe.


I'm having issues with the system taking my new password.


ditto, it won't let me change it


Same here,

it claims to have changed, but when I log out and try to log back in it keeps saying Wrong Password. I tried the new and old passwords and it says the same thing.

I managed to log back in, but I guarantee that if I log out it won't let me back in.

(Even if I changed it right now)


Can you please try again now? Email me on toumaltheorca at gmail.com if you still have troubles and can't get back on please.


I just had to create a new profile, just to post a message here. My Scotia Bernard profile WILL NOT let me log in. I have recovered 5 times, and it still denies any password.


I'm logged in just fine, after I changed my password. Weird.


I just asked him not to do anything to me, he seemed reasonable enough to comply...mmmm sense of security.


Correct me if I am wrong, but I think I probably went overkill with my new password: 60 characters, letters and digits, non-repeating. I may be on an ego trip here, but I may have the longest password on SoFurry; when something like this happens I get paranoid. As long as the hacker can't hack into the password database I think I am OK.


Sorry, but you will have to double that to get to my password size! (128 to be exact.) Also, another tip is to use misspellings in the password that are NOT in the dictionary! (Like MidnighFox or Axl instead of Midnight Fox or Axle.) A tip for remembering long passwords: make it a phrase of something that only you would know that is not out there on the web. I have a 40-character one that I know by heart and my 128, which is the highest Windows can take, I think, is stored in a TrueCrypt file container that needs a keyfile. That added to the fact that my laptop has system encryption says that I am one PARANOID Kitsune!

I am not going to use it here because until we have verification that this problem is resolved, I am not changing it! This is the second time that this has happened and I am not going to use one of my real good passwords until it is fixed!


Actually not having any real words is better. Make it easy to remember with phonetics, but hard to guess.


I'm using misspelt sayings from my favorite WWE superstars, and half of them are in what I guess is a foreign language, all combined into one word and with numbers in there too.


I have my passwords locked in a password-protected Word document that I do not even keep on my computer (I keep it on my flash drive). I can't even type it in by hand right, I have to copy and paste it in.


Let's just hope a hacker doesn't take a look at your clipboard data, gasp!

For the really paranoid, copy something after you copy paste to clear the clipboard. XD


eep never thought of that!


The guy hacked the site and told you about it. Now he's helping you fix it!? You're seriously feeding us that bullshit? That in and of itself destroys any and all trust I once had for the security of this site. How the fuck do I know that you are not the hacker telling us to change our password so that you can monitor those changes and get ALL our passwords? Hell the fuck no.


If he wanted your password he would have it already.


Exactly. And just so you know WHY I want you to change your passwords:
When you change your password, the password will be "salted" before it's hashed. This is a security measure that prevents so-called "rainbow table lookups".

You can read up on it on wikipedia here: http://en.wikipedia.org/wiki/Salt_%28cryptography%29
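The salting point made here (and in the earlier explanations of hashes and rainbow tables) as an added worked example; this is not SoFurry's code, and the passwords, site names and the small precomputed table are constructed:

```python
"""Unsalted vs. salted password hashing, as discussed in this thread.

Constructed example: the passwords and the stand-in "rainbow table"
below are made up; nothing here comes from the site's own code.
"""
import hashlib
import hmac
import os

# A tiny stand-in for a rainbow table: hashes of common passwords computed
# once, ahead of time, and reused against every leaked unsalted hash.
COMMON_PASSWORDS = ["dragon8", "password", "1234", "blarghlefarb"]  # constructed


def md5_unsalted(password):
    """The scheme the site used before the fix: plain MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password, salt):
    """Salted MD5: a per-user random salt is mixed in before hashing.
    The salt is stored next to the hash; it does not need to be secret."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute unsalted hashes once. This works against every site that
    stores unsalted MD5, because the same password gives the same digest."""
    return {md5_unsalted(p): p for p in candidates}


def lookup(stored_hash, table):
    """Reverse a hash by table lookup, the cheap attack that salting prevents."""
    return table.get(stored_hash)


def new_salt():
    return os.urandom(16)


def verify_salted(password, salt, stored_hash):
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(md5_salted(password, salt), stored_hash)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Same password on two unsalted sites -> identical hashes, and the
    # precomputed table reverses both with a single dictionary lookup.
    site_a = md5_unsalted("blarghlefarb")
    site_b = md5_unsalted("blarghlefarb")
    same_everywhere = site_a == site_b
    recovered = lookup(site_a, table)

    # Same password with two different random salts -> two unrelated hashes,
    # and the precomputed table no longer matches either of them.
    salt_a, salt_b = new_salt(), new_salt()
    salted_a = md5_salted("blarghlefarb", salt_a)
    salted_b = md5_salted("blarghlefarb", salt_b)
    salted_differ = salted_a != salted_b
    table_miss = lookup(salted_a, table) is None and lookup(salted_b, table) is None

    # Login still works, because the salt is stored alongside the hash.
    login_ok = verify_salted("blarghlefarb", salt_a, salted_a)
    wrong_rejected = not verify_salted("blarghlefarb2", salt_a, salted_a)
    return same_everywhere, recovered, salted_differ, table_miss, login_ok, wrong_rejected


if __name__ == "__main__":
    print(demo())
```

Salting defeats precomputed lookups, but MD5 is fast enough that each salted hash can still be brute-forced on its own, which is why a weak password stays weak (as noted later in the thread) and why a deliberately slow function such as PBKDF2 or bcrypt would replace MD5 here today.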


And as for hackers helping the site... Uildiar broke into our old forums back on yiffstar a year ago, and helped me fix the problem. Since then he's on our team.


You got your hiring tips from 80's movies, didn't you? :P


Err, perhaps because there are people out there that like to help point out security flaws; some people don't hack for shits and giggles.


Yeah, I halfway support greyhat hackers (he's not a whitehat hacker 'cause they ask first) because they help security, though I would have liked some warning beforehand. And Silvador, if he wanted your password he would have it in half a second because, if I am correct, all the account info is stored on a database that is accessible to Toumal.


I'm gonna have to ask Jon to stop fucking around again *facepalms*


Well this is disturbing but oh well then, changed.


This announcement makes it sound a lot like passwords were stored unhashed (or with a weak hash like MD5)? Can you confirm this?


It was MD5, we never stored passwords in plaintext. And the usual dictionary and brute force attacks on passwords don't care if it's MD5 or SHA1 or whatever. If your password is weak it can be cracked in a short time.

In general, MD5 and SHA1 are considered broken, but for 90% of the passwords out there it's not the weakness of the hash that's a problem, but the password itself.


Thanks for the heads up "T", I'll change mine today.


Umm...I have a pass that is seventy something characters long, is that OK?


So, wait...does this mean that our forum passwords will have to be changed as well? I'm just confused as to how far this actually goes.


You mean the old forums?


I mean the ones that are under "www.yiffstar.forum", so I suppose that yes, the old ones.


They are already salted.


Gotcha; just wanted to know for sure. Thanks for your time Toumal, and your effort. ^_^


Well, I use a password across the net. Although, I am sure to not use the same for my VITALs. You know....E-mail, other such things. I feel that I'm safe if I back my stuff up on my computer^^ If anything happens, I can get a new profile in about 2 mins.
your call? Should I bother, then?


I hate HAXXORZ! I only hax in Garry's Mod or for Smash Bros. Brawl with Gecko... Thanks for the advice though!


Great, just what I need to do when the password I already use is considered 'strong' on other sites!


As long as you md5 the password against a random salt when someone creates a new password, you should never have an issue of someone stealing them.


MD5 can be broken quite quickly with today's computers.



Brute-forcing the usual passwords is usually not a big problem with any hash.


Aye, having your password set to "God" or "1234" or "Password" is just plain stupid.


I see a considerable amount of people revealing the specific length of their password and the general method they've used for picking it. This amuses me.


Yes, I see that as a complete epic fail. I am surprised no one decided to post their actual new password here. *repeated facepalm*


Well now. Mine would normally be impossible to follow with standard logic, as I'm insane, but yes, I should change mine.


Dammit, I'm running out of memorable passwords thanks primarily to you guys. :(


Thanks for Info and Warning!!

Now:
My new password is now active.
It has 21 characters
(Numbers, letters and special characters).


After many password recoveries I was FINALLY able to log back in. YAY!!!


Thanks for the heads up, I'll change it now.


Yak, did you delete your comment or did I press the wrong button?

In response to your question:
Is the login page rate limited, as in, mandatory artificial delays in case of wrong login attempts?


We lock out people trying too many logins within a certain timespan. There's no login delay since that wouldn't prevent someone from just sending 500 requests in parallel, then the next 500, etc.

Another possibility would've been to increase the delay with each consecutive login attempt, but that still leaves the server "busy" with the request. Much more effective to just tell them to sod off and be done with it ;)


You must have pressed the wrong button.... again. I deleted neither this nor my original comment here.

Actually, there is a way to prevent people from sending 500 parallel requests, nginx does it and I'm sure lighty should be able to do that as well. That, coupled with the artificial delay is a sure way to prevent dictionary attacks by making them unfeasible. Five requests per IP, each with a 5 second delay is a show stopper, and you don't even need to keep track of how many times this particular fellow has failed to enter their password correctly.

You need to implement the requests/IP limit anyway since your number of FastCGI backends is limited, and I can use them all up and make the site inaccessible by simply running `ab` off a dialup connection against a page on this site that requires heavy processing. You can partially mitigate this problem with clever caching, but only to a degree.
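The lockout scheme Toumal describes above (count failed logins per source within a timespan and refuse further attempts, rather than delaying each request, so a burst of parallel guesses is stopped after the first few) as an added example; this is not the site's code, and the thresholds, addresses and timestamps are constructed:

```python
"""Per-source login lockout: failures are counted in a sliding window and a
source that exceeds the limit is refused for a fixed lockout period.

Constructed example, not the site's implementation. The limits and the
addresses/timestamps used in demo() are made up.
"""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=5, window=60.0, lockout=300.0):
        self.max_failures = max_failures  # failures tolerated per window
        self.window = window              # seconds in which failures are counted
        self.lockout = lockout            # seconds a locked source is refused
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout ends

    def _prune(self, ip, now):
        """Drop failures older than the window."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def attempt(self, ip, now, password_ok):
        """Return 'locked' (refused before the password is even checked),
        'ok' (login succeeded) or 'failed' (wrong password, counted)."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self._failures[ip].clear()
            return "ok"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
        return "failed"


def demo():
    """500 guesses fired at t=0 from one address: only the first five reach
    the password check; every later one is refused without touching the
    backend, which a per-request delay alone would not achieve."""
    lim = LoginLimiter(max_failures=5, window=60, lockout=300)
    results = [lim.attempt("198.51.100.7", 0.0, password_ok=False) for _ in range(500)]
    checked = results.count("failed")
    refused = results.count("locked")
    # Even the right password is refused while the lockout lasts...
    during = lim.attempt("198.51.100.7", 100.0, password_ok=True)
    # ...and accepted again once it has expired.
    after = lim.attempt("198.51.100.7", 301.0, password_ok=True)
    # Other addresses are unaffected by that source's lockout.
    other = lim.attempt("203.0.113.9", 0.0, password_ok=True)
    return checked, refused, during, after, other


if __name__ == "__main__":
    print(demo())
```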


I prolly hit the wrong button on my android phone, it's an old G1 that's quite slow at times x.x

Yes lighty does indeed allow per-IP connection limits, but it's also dangerous to set such limits too low. We're not using delays on logins. They're nice if you don't want to keep track of individual requests, but our system allows us to limit repeated requests of expensive operations.

So no, for the time being I see no need to put up a delay on logins. We've weathered the last few DDOS attacks pretty nicely, with our cache making most site operations a matter of 0 to 5 queries.


SQL Injection? Server Side/PHP Include exploit? Will we know more later?


It was an XSS vulnerability in the PM system, because for some reason I forgot to XSS-filter a string. That bug was there since Yiffstar actually.


Oh god what. I hate using different passwords, yeah, I use one for them all, with a couple variants, I'm doomed. D':


If someone is gonna waste their time hacking this website just to get a hold of an account then they are retarded... what do they have to gain from hacking this site unless people are stupid enough to keep financial info on this website? If someone hacked my account I'd just create a new account and re-upload my stories and stuff; I have it all backed up on my HD anyways, so they would accomplish NOTHING by hacking me. I am confident in my account not being hacked, of course, but just as a precaution I'll change it. 'Course, as I repeat, it would be retarded to hack this website.


I keep my accounts in three different categories: expendable, important, and vital.
My expendables have similar passwords. My importants have unique passwords that I store on my computer, and vitals have unique passwords that I never store on my computer; I change them often and they are very long. Expendables are like game sites, YouTube accounts, my SoFurry account, etc. My importants are my minor email addresses, and such things. My vitals are my bank accounts, my main email, my PayPal, and other things that people can do some serious damage with if they get ahold of them. I find this system convenient for my minor accounts, and secure for my vitals. Do you guys find this system convenient and secure?


I use sentences for my passwords and they're all different; for some reason I never forget them. For one of my old RuneScape accounts my pass was Whygreenhatesu, lol, that's so long ago.


20+ Digits, Numbers And Letters, Different Password For Every Site~ :3
Lolz, I'm A Security Freak, Haha.


My favorite way of creating passwords? Semi-common word/sentence I'll remember, and add leet-speak. P455\/\/0R|) is a lot more secure than password if you ask me.


So I assume if all my usernames are different but use the same password, say twice, it should be a little more secure than the same username and password all round?


For some reason whenever I change my password it works for maybe a day, then when I try and log in at a later date it tells me wrong password. I'm using the new password, I know I'm doing it exactly as I laid it out, but it still won't let me log in. It's rather frustrating since that means I have to file a recovery notice then try to change my password again.

And that seems rather messed up too; half the time the new password just doesn't take. Am I doing something wrong?


OMG I'm so pissed, my other account with all my super awesome faves won't log in; it's just this name without the 2. I remember exactly what I put in and it won't let me log in, and I had never decided to put my email on it.....


Should we change our passwords for the sofurry forum site too?


Just going to throw in a practical tip. There has to be some compromise between password integrity and your ability to remember it without writing it down. Personally, I suggest using your Social Security number or local equivalent; it'll be a bitch to brute-force and you'll have trouble forgetting it.
And before you ask, your SS number alone is of very little use for identity theft; they'd need your full name and address as well, and if some nefarious individual knows those then they can just go round there and break your fingers with a hammer until you tell them your password.


Using your ss number as a password? How about we just give them everything else too. Finding a person's full name and address is a piece of cake, practically all the info needed can be found from about an hour of searching. I know some 35Ms in the army (interrogators) and they could pick up all the vital information on just about anyone (besides their ssn) in less than 30 minutes.

Most hackers are pretty smart and really schooled in what they do. It would take them little time, if any at all to find your name and address.


Your SS number isn't exactly secret either, so far as I'm aware. (NB: There is no use of an SS number in my country that doesn't require me to produce photo ID at some point.) It's probably an acceptable risk for a site that's unlikely to attract the attention of a career black-hat, at any rate.


You know, even if a hacker does something to show a security flaw for the greater good and even if the hacker tells you what he or she did, even without having done any damage, it doesn't change the fact that the hacker illegally hacked this website. People have gone to prison for years for doing the exact same thing. The only exception would be if you had asked him to attempt it, but then that would simply mean you asked him to purposely put everyone's private information in possible jeopardy if the hacker turned out to be an ass. Even if you had immense trust in him, there wouldn't be a good justification for it. What the guy did was wrong, no matter what the reasons or effects were. =/


Considering this is a free site, has always been and hopefully will always be...expecting it to be the fort knox of websites is a bit unrealistic. Toumal does a great job with the little he has to work with, but ultimately it's up to you to decide what information to put here. Wrong or right, at least this time the person in question fell on the good side of the fence and is helping out, it's not often that happens these days, so kudos to him/her. Personally i take a stance of not using any personal information on things that could be related to me in the creation of my passwords, so even if someone knows me personally they wouldn't guess my passwords. I know they're not the most perfect passwords either, so if the person knew what they were doing they could get them. I just hope i'm uninteresting enough for them not to want to know a whole lot about me :P


Wow, at least this Splendid fellow is actively trying to help people with site security, if doing so in a rather uncomfortable way. Could have been worse, at least it wasn't an actively malicious hacker doing the deed.


You absolute dipshit.


Excuse me?


wtf is your problem. He made a mistake, oh no. But guess what, he's taking care of it, or at least doing the best he can. I'm sure you've made your fair share of mistakes, so let me be the first here to pull you off your high horse. If that comment was towards Toumal or anyone of the other mods here who work hard to keep this site running, I'm gonna punch you in the face.


I've changed my password, but my problem is the site won't let me in; it just goes back to the login screen.


Please tell me, what information was disclosed? Plaintext pwd? MD5 hash? With or without salt? Please give us more technical information.


According to the hacker it was possible to eventually get to the md5-hashes, without salt. If you have a bad password then it is possible to bruteforce them or use a rainbow table lookup. If you have a good password then it's a lot harder to get to the plaintext password. We do not store the plaintext password as such.

In any case, I'm informing you of this because it's better to be safe than sorry. If you change your passwords the new one will be salted, and the vulnerability has been closed.


Wouldn't it be a good idea to send PM to all members? I missed the news message for about 3 weeks. Furthermore the password strength test seems a bit weird to me. If I type a password, which is 16 chars long e.g. V0:ONOd,sGgi<'uB the test says its only "Reasonable". I had to type a 32 char, which is twice the size of the password bar, to get "Strong".


Just go use a site and type in a 32-64 digit password, be sure to include the alt key combos ;P
