Security Breach - Page 2 - RPGWatch Forums
RPGWatch Forums » General Forums » RPGWatch » Security Breach

January 13th, 2019, 01:38
I didn't get any nasty messages about other sites that I visit getting penetrated, but then, including this forum, I only frequent three. This is the only one I use for games, so it was a quiet week for me!
#21 | Carnifex (SasqWatch) | Join Date: Oct 2011 | Location: Ormond Beach, FL. | Posts: 9,495

January 13th, 2019, 02:03
I hope you all spent the time wisely.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
#22 | Myrthos (Cave Canem, Administrator, RPGWatch Team) | Join Date: Aug 2006 | Location: Netherlands | Posts: 9,061

January 13th, 2019, 03:03
Wisdom eluded me through much of my youth, but I believe I've improved in my dotage. Maybe!
#23 | Carnifex (SasqWatch) | Join Date: Oct 2011 | Location: Ormond Beach, FL. | Posts: 9,495

January 13th, 2019, 04:03
Originally Posted by JDR13:
> You forced me to hang out at that cesspool for a few days, and now I feel dirty.

There is that whole Steam area, you know.
--
The very powerful and the very stupid have one thing in common: instead of altering their views to fit the facts, they alter the facts to fit their views….
-- Doctor Who in "Face of Evil"
#24 | Zloth (I smell a… wumpus!?) | Join Date: Aug 2008 | Location: Kansas City | Posts: 6,280

January 13th, 2019, 05:39
Originally Posted by JDR13:
> You forced me to hang out at that cesspool for a few days, and now I feel dirty.

I thought you enjoyed their Atom RPG review.

All in all, I missed hanging around Watch as well, and glad it's back!
--
Favourite RPGs: Baldur's Gate II, NWN: The Aielund Saga, Pathfinder: Kingmaker, Icewind Dale I, Stardew Valley
#25 | purpleblob (Princess) | Join Date: Nov 2007 | Location: Sydney | Posts: 3,445

January 13th, 2019, 06:57
I had to make a new account because the email I had used when I registered (aeons ago) is no longer active.
#26 | redman (Traveler) | Join Date: Jan 2019 | Posts: 3

January 13th, 2019, 06:58
Originally Posted by purpleblob:
> I thought you enjoyed their Atom RPG review.

My comment was well received there.
#27 | JDR13 (SasqWatch, Original Sin Donor) | Join Date: Oct 2006 | Location: Florida, US | Posts: 26,467

January 13th, 2019, 11:47
Originally Posted by redman:
> I had to make a new account because the email I had used when I registered (aeons ago) is no longer active.

I don't think you need access to the email address to reset the password. You only need the old password.
#28 | Cacheperl (Keeper of the Watch, RPGWatch Donor) | Join Date: May 2012 | Posts: 1,475

January 13th, 2019, 12:03
I absolutely love this site, and I generally try to make a habit of not posting anything negative or critical. However, I'm going to make an exception here since it might be constructive to make the following point.

Since there is the suggestion that user login details may have been accessed, it strongly implies that this site wasn't hashing its users' passwords. I believe this is completely unacceptable and amateurish. Password hashing is a basic security feature, and should be implemented as an absolute minimum. I find it extremely disappointing that any site would not bother to do this properly.

Obviously, no one should be using their most secure passwords on a small site like RPGWatch, and you could argue that if they do, it's their own fault if their login details are then compromised. However, I am unconvinced by this argument. People are flawed, and passwords are easy to forget; it's only human nature to make mistakes and maybe re-use passwords that they shouldn't. For this reason, I believe that such a reckless policy towards its users' data is unforgivable. All websites should have an obligation to secure sensitive data, if only out of basic courtesy and respect for their users.

If anyone is unfamiliar with password hashing, then I would suggest they read a little about it. There are plenty of resources out there. When implemented properly (with salting) it essentially renders password information (as stored in the database) completely useless to a hacker. It's not difficult to implement and has few drawbacks, and there is absolutely no reason why this site couldn't have protected its users' login details in this way.
Last edited by Kyrer; January 13th, 2019 at 12:04. Reason: typo
#29 | Kyrer (Watchdog, RPGWatch Donor, Original Sin 1 & 2 Donor) | Join Date: Oct 2011 | Posts: 188

January 13th, 2019, 15:26
Originally Posted by Kyrer:
> Obviously, no one should be using their most secure passwords on a small site like RPGWatch

To me, this sounds like the usual argument: what private people own is not worth protecting; instead, only the property of corporations and firms is worth protecting.

This has created a social imbalance in what can be easily dismissed; it can be seen, for example, in Windows 10 Home users being the de facto beta testers for corporate versions of Windows 10 updates.

I've often seen this: firms develop sophisticated protection only where money can be received from; private home users don't have money, so they don't need any sophisticated protection. They don't even have anything worth protecting, compared to the immense property of mega-corporations.

The social message of this is clear: we, the home users, are expendable; corporations are not.

And, by the way, how do I hash my own home passwords? How do I salt them?
See? There's no implementation for that for home users. *facepalm*

By the way, I invent new passwords every time I need them, using the creativity I developed as someone who makes new RPG character names every now and then.
--
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction." (E.F. Schumacher, Economist)
#30 | Alrik Fassbauer (TL;DR, Original Sin 1 & 2 Donor) | Join Date: Nov 2006 | Location: Old Europe | Posts: 18,637

January 13th, 2019, 15:39
I think you are being a bit harsh with your comments. To be honest, for myself I consider most forums non-essential with regards to information, and all information I provide tends to be, er, non-essential. What information I provide to sites like banks is obviously different, for legal reasons. I would never provide a forum site in this day and age true PI (personal information) data other than a working email. This is just common sense with the number of sites being hacked. Having said that, I have a friend that uses a hash algorithm to produce passwords for all sites. The basic algorithm allows him to produce very strong unique passwords and to rotate things systematically. I'm not quite that diligent myself, but I do use different passwords on most sites, with sites of stronger 'concern' such as banks having much stronger unique passwords (as well as two-factor authentication). Sadly, one bank I am required to use has very weak access (no two-factor and a limit of 8-character, case-insensitive passwords). They claim they check IPs; still, it is extremely weak (I'm required to use them because the company I work for uses them for certain required transactions).

Btw, and no, I do not provide MS PI information beyond what I am required to, and I keep nothing personal on my Windows 10 machine (I use Unix for all significant internet activity).

Originally Posted by Alrik Fassbauer:
> To me, this sounds like the usual argument: what private people own is not worth protecting; instead, only the property of corporations and firms is worth protecting.
>
> This has created a social imbalance in what can be easily dismissed; it can be seen, for example, in Windows 10 Home users being the de facto beta testers for corporate versions of Windows 10 updates.
>
> I've often seen this: firms develop sophisticated protection only where money can be received from; private home users don't have money, so they don't need any sophisticated protection. They don't even have anything worth protecting, compared to the immense property of mega-corporations.
>
> The social message of this is clear: we, the home users, are expendable; corporations are not.
>
> And, by the way, how do I hash my own home passwords? How do I salt them?
> See? There's no implementation for that for home users. *facepalm*
>
> By the way, I invent new passwords every time I need them, using the creativity I developed as someone who makes new RPG character names every now and then.
#31 | you (Lazy_dog, RPGWatch Donor, Original Sin 2 Donor) | Join Date: Oct 2006 | Location: usa - boston | Posts: 6,766

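One way to do what the post above describes a friend doing (a hash algorithm that yields a strong, unique password per site and allows systematic rotation), as an added example rather than the friend's actual scheme: a master secret goes through scrypt with the site, account and a rotation counter as the salt, and the output is mapped onto a printable alphabet. The master secret, site names, alphabet, length and rotation counter are all assumptions for this example; it also goes beyond the post by enforcing a one-of-each-character-class rule, since some sites require it.

```python
"""Deterministic per-site passwords from one master secret and a slow KDF.
Added example in the spirit of the scheme described in the post above, not
the friend's actual algorithm; master secret, site names, alphabet and
rotation counter are all assumptions."""
import hashlib
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#%&*+-=?@_"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 73 symbols


def derive_site_password(master: str, site: str, account: str,
                         rotation: int = 0, length: int = 20) -> str:
    """Return the same password every time for the same (master, site,
    account, rotation), and an unrelated one if any of those change.

    The (site, account, rotation) tuple is the salt, so one master yields
    independent passwords per site, and bumping `rotation` after a breach
    at one site replaces that site's password only. The scrypt step makes
    it expensive to guess the master from one leaked derived password, but
    a weak master is still the scheme's single point of failure: whoever
    learns it learns every password, past rotations included.
    """
    if not 12 <= length <= 64:
        raise ValueError("length must be between 12 and 64")
    # Some sites demand one character from each class; `attempt` is bumped
    # deterministically until the output satisfies that.
    for attempt in range(64):
        salt = f"{site.lower()}|{account}|{rotation}|{attempt}".encode("utf-8")
        key = hashlib.scrypt(master.encode("utf-8"), salt=salt,
                             n=2 ** 14, r=8, p=1, dklen=64)
        # Treat the 512-bit key as an integer and peel off base-73 digits;
        # 64 digits need ~396 bits, and the bias from 2**512 mod 73**length
        # is negligible, so no modulo skew worth worrying about.
        num = int.from_bytes(key, "big")
        chars = []
        for _ in range(length):
            num, idx = divmod(num, len(ALPHABET))
            chars.append(ALPHABET[idx])
        candidate = "".join(chars)
        if all(any(c in cls for c in candidate)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate
    raise RuntimeError("no class-compliant output in 64 attempts")


if __name__ == "__main__":
    master = "constructed master secret, not a real one"
    for site in ("rpgwatch.com", "store.steampowered.com"):
        print(site, derive_site_password(master, site, "carnifex"))
    print("after rotation:",
          derive_site_password(master, "rpgwatch.com", "carnifex", rotation=1))
```

The practical catch is state: the user has to remember which rotation counter and which length each site is on, which is the bookkeeping a password manager does for you.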
January 13th, 2019, 15:54
Originally Posted by Kyrer:
> Since there is the suggestion that user login details may have been accessed, it strongly implies that this site wasn't hashing its users' passwords. I believe this is completely unacceptable and amateurish. Password hashing is a basic security feature, and should be implemented as an absolute minimum. I find it extremely disappointing that any site would not bother to do this properly.

You might want to consider verifying your opinion before jumping to conclusions, otherwise you look a bit stupid.

Of course the passwords are hashed, so if they actually retrieved the passwords they only get hashed passwords. Even I can't see who has what password. The system cannot send you your password because it can only compare two hashed passwords. Also, passwords are not sent by mail as it is not safe; only temporary passwords are sent by mail, which need to be changed on first access and need to be approved by email as an extra security measure.

As you are an apparent expert on hashing passwords, you probably also know that even when only hashed passwords are retrieved, they can still be unhashed, if they spend enough time on it and want to spend that time on it. Not making your members change their passwords just because someone had access to hashed passwords, like you apparently would do, would definitely be a disappointing course of action.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
#32 | Myrthos (Cave Canem, Administrator, RPGWatch Team) | Join Date: Aug 2006 | Location: Netherlands | Posts: 9,061

January 13th, 2019, 19:55
If you aren't already, you might consider investigating SHA-3 for secure hashing, although SHA-2 is still pretty good.
#33 | rjshae (Periapt vs Paronomasia, RPGWatch Donor) | Join Date: Mar 2012 | Location: Seattle | Posts: 4,634

January 13th, 2019, 21:01
Originally Posted by Myrthos:
> You might want to consider verifying your opinion before jumping to conclusions, otherwise you look a bit stupid.
>
> Of course the passwords are hashed, so if they actually retrieved the passwords they only get hashed passwords.

I apologise. I was obviously making an assumption as to the lack of password hashing on this site. Thanks for clarifying the situation, and for the reasons behind asking us to reset our passwords. It sounds like you've acted very reasonably in this situation, and I'm sorry if my original post sounded a bit harsh.
#34 | Kyrer (Watchdog, RPGWatch Donor, Original Sin 1 & 2 Donor) | Join Date: Oct 2011 | Posts: 188

January 13th, 2019, 21:58
*IF* your assumption had been correct, Kyrer, that would have been one of the more restrained responses.

I did discover that our passwords can be quite long, though, if we want. That makes pass phrases possible which really helps security.
--
The very powerful and the very stupid have one thing in common: instead of altering their views to fit the facts, they alter the facts to fit their views….
-- Doctor Who in "Face of Evil"
#35 | Zloth (I smell a… wumpus!?) | Join Date: Aug 2008 | Location: Kansas City | Posts: 6,280

January 13th, 2019, 22:09
Which type of hashing is used? Some types can't easily be brute-forced in a sensible amount of time, but some are pretty trivial to break, and hackers do often make the effort. AFAIK, the SHA family isn't recommended against brute-forcing, and these days it should be bcrypt or scrypt.

One of their favourite tricks is to find the passwords and email addresses from a hacked DB dump, and simply try them to log in to the big websites, like Amazon. I'd say it's more important to worry about changing your passwords on other sites, if there's any chance you've used the same details.
--
"Where can the horizon lie, when a nation hides its organic minds in a cellar, dark and grim? They must be very dim." David Bowie, All the Madmen (1970)
#36 | Ripper (Ngikufisela iwela) | Join Date: Nov 2014 | Posts: 8,342

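Ripper's point, together with Myrthos's earlier one that hashed passwords can still be recovered given enough effort, as an added example that is not part of the thread: a constructed dump of unsalted SHA-256 hashes falls to a constructed wordlist at the cost of one hash per word for the whole user base, and equal hashes give away shared passwords before any cracking starts; a per-user-salted scrypt dump makes every (user, guess) pair cost a full KDF run. The emails, passwords, fixed salts and wordlist are all constructed for the example; nothing here is from the RPGWatch database.

```python
"""Why a leaked table of fast, unsalted hashes is nearly as bad as plaintext,
and what per-user salt plus a slow KDF changes. Added example, not code from
RPGWatch or vBulletin; dump, salts and wordlist below are constructed."""
import hashlib
import time
from typing import Dict, List, Tuple


def sha256_hex(password: str) -> str:
    """Fast, unsalted hash as a naive site might store it: one SHA-256 call."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def scrypt_hex(password: str, salt: bytes) -> str:
    """Slow, memory-hard hash (about 16 MiB per call at these parameters)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32).hex()


# Constructed "breach dump" of a site that stored unsalted SHA-256.
LEAKED_UNSALTED: List[Tuple[str, str]] = [
    ("alice@example.com", sha256_hex("dragon123")),
    ("bob@example.com", sha256_hex("dragon123")),      # same password as alice
    ("carol@example.com", sha256_hex("letmein")),
    ("dave@example.com", sha256_hex("Xk9#qL!2vB@7")),  # not in the wordlist
]

# Constructed dump of a site that stored scrypt with a per-user salt. The
# salts are fixed here only so the example is reproducible; a real site
# draws them from os.urandom.
LEAKED_SALTED: List[Tuple[str, bytes, str]] = [
    ("alice@example.com", b"\x01" * 16, scrypt_hex("dragon123", b"\x01" * 16)),
    ("bob@example.com", b"\x02" * 16, scrypt_hex("dragon123", b"\x02" * 16)),
    ("carol@example.com", b"\x03" * 16, scrypt_hex("letmein", b"\x03" * 16)),
]

# Tiny constructed wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "dragon123", "qwerty", "baldursgate"]


def shared_password_groups(dump: List[Tuple[str, str]]) -> List[List[str]]:
    """With no salt, equal hashes mean equal passwords: the attacker learns
    who shares a password before computing a single hash."""
    groups: Dict[str, List[str]] = {}
    for email, h in dump:
        groups.setdefault(h, []).append(email)
    return [emails for emails in groups.values() if len(emails) > 1]


def crack_unsalted(dump: List[Tuple[str, str]],
                   wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each word once and look every user up in the result. The cost is
    len(wordlist) hashes no matter how many users leaked, which is the
    economics behind precomputed (rainbow) tables."""
    table = {sha256_hex(w): w for w in wordlist}
    found = {email: table[h] for email, h in dump if h in table}
    return found, len(wordlist)


def crack_salted(dump: List[Tuple[str, bytes, str]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: every (user, word) pair costs a full KDF
    run, each thousands of times slower than SHA-256. Weak passwords still
    fall; the attacker just pays for them once per user."""
    found: Dict[str, str] = {}
    work = 0
    for email, salt, h in dump:
        for w in wordlist:
            work += 1
            if scrypt_hex(w, salt) == h:
                found[email] = w
                break
    return found, work


def cost_ratio(samples: int = 20) -> float:
    """Rough wall-clock ratio of one scrypt guess to one SHA-256 guess."""
    t0 = time.perf_counter()
    for _ in range(samples):
        sha256_hex("dragon123")
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        scrypt_hex("dragon123", b"\x01" * 16)
    slow = (time.perf_counter() - t0) / samples
    return slow / fast


if __name__ == "__main__":
    print("shared passwords visible before cracking:",
          shared_password_groups(LEAKED_UNSALTED))
    found, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: recovered {found} with {work} hashes")
    found, work = crack_salted(LEAKED_SALTED, WORDLIST)
    print(f"salted scrypt: recovered {found} with {work} KDF runs")
    print(f"one scrypt guess costs roughly {cost_ratio():.0f}x one SHA-256 guess")
    # The recovered (email, password) pairs are exactly what gets replayed
    # against Amazon and the like; reuse elsewhere is the real exposure.
```

Dave's password survives both attacks only because it is not in the wordlist; the slow KDF buys time against the weak passwords, it does not rescue them, which is why a forced reset after a dump leaks is the right call either way.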
January 13th, 2019, 22:40
Originally Posted by JDR13:
> You forced me to hang out at that cesspool for a few days, and now I feel dirty.

"He who fights with monsters should be careful lest he thereby become a monster. And if thou gaze long into an abyss, the abyss will also gaze into thee." (Friedrich W. Nietzsche)
--
Sou tricolor de coração!

Sie sind das Essen und Wir sind die Jäger!
#37 | henriquejr (SasqWatch, RPGWatch Donor, Original Sin 2 Donor) | Join Date: Nov 2013 | Location: Brasil | Posts: 2,062

January 13th, 2019, 23:15
Originally Posted by purpleblob:
> I thought you enjoyed their Atom RPG review.

I know you didn't ask me, but I couldn't finish that review. I thought it was a load of pretentious tripe. And the Codex turns my stomach. It's just chock full of toadies so desperate to appear undeniably clever but not really having the chops. It's like 6th-grade chess club over there.
#38 | Capt. Huggy Face (Aging Gamer, Original Sin 1 & 2 Donor) | Join Date: Sep 2010 | Posts: 2,971

January 13th, 2019, 23:18
I mostly lurk the Codex forum for news. Guess that means I let the darkness take me, and that officially makes me a half-troll. Anyway, it's fun trolling the Codex.

Anyway, I support the change of passwords, as you never know with hackers nowadays. Seems since the site changed servers it's been getting attacked and hacked.
--
"Remember EA thinks Single-player games are dead & gamers are all basically idiots."

Check out my news Thread it's updated weekly.
#39 | Couchpotato (Anti-EA Supporter) | Join Date: Oct 2010 | Location: New England | Posts: 21,274

January 14th, 2019, 00:35
We've returned at last! Glad to see the Watch back online.

I did not resort to visiting the, well, other place. Though oddly, I made it a habit of checking back every 3 hours or so.
--
~Watching since 2007~
#40 | Ragnaris (Sentinel) | Join Date: Jul 2011 | Location: California, USA | Posts: 456
All times are GMT +2.
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2019, vBulletin Solutions Inc.
vBulletin Security provided by DragonByte Security (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging (Lite) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.
Copyright by RPGWatch