Security Breach
January 13th, 2019, 01:38
I didn't get any nasty messages about other sites that I visit getting penetrated, but then, including this forum, I only frequent three. This is the only one I use for games, so it was a quiet week for me!
SasqWatch
January 13th, 2019, 02:03
I hope you all spent the time wisely
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
January 13th, 2019, 03:03
Wisdom eluded me through much of my youth, but I believe I've improved in my dotage. Maybe!
SasqWatch
January 13th, 2019, 04:03
Originally Posted by JDR13: There is that whole Steam area, you know.
You forced me to hang out at that cesspool for a few days, and now I feel dirty.
--
The very powerful and the very stupid have one thing in common: instead of altering their views to fit the facts, they alter the facts to fit their views….-- Doctor Who in "Face of Evil"
January 13th, 2019, 06:57
I had to make a new account because that email i had used when I registered (aeons ago) is no longer active.
Traveler
January 13th, 2019, 12:03
I absolutely love this site, and I generally try to make a habit of not posting anything negative or critical. However, I'm going to make an exception here since it might be constructive to make the following point.
Since there is the suggestion that user login details may have been accessed, it strongly implies that this site wasn't hashing its users' passwords. I believe this is completely unacceptable and amateurish. Password hashing is a basic security feature, and should be implemented as an absolute minimum. I find it extremely disappointing that any site would not bother to do this properly.
Obviously, no one should be using their most secure passwords on a small site like RPGWatch, and you could argue that if they do, it's their own fault if their login details are then compromised. However, I am unconvinced by this argument. People are flawed, and passwords are easy to forget; it's only human nature to make mistakes and maybe re-use passwords that they shouldn't. For this reason, I believe that such a reckless policy towards its users' data is unforgivable. All websites should have an obligation to secure sensitive data, if only out of basic courtesy and respect for their users.
If anyone is unfamiliar with password hashing, then I would suggest they read a little about it. There are plenty of resources out there. When implemented properly (with salting) it essentially renders password information (as stored in the database) completely useless to a hacker. It's not difficult to implement and has few drawbacks, and there is absolutely no reason why this site couldn't have protected its users' login details in this way.
Last edited by Kyrer; January 13th, 2019 at 12:04.
Reason: typo
Guest
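The post above says "hashing with salting" makes a stolen password table useless; the script below, an added example and not RPGWatch's forum code, shows concretely what the salt contributes. A constructed member table (three invented accounts, two sharing a weak password) is stored once as bare SHA-256 and once with a random per-user salt, and the same small attacker wordlist is run against both. The account names, passwords and wordlist are all made up for the example, and a real deployment would also use a deliberately slow hash (bcrypt, scrypt, Argon2); the salt on its own is the point here.

```python
"""Added example; this is not RPGWatch's forum code.

What the salt in "hashing with salting" actually buys. A constructed member
table is stored twice, once as bare SHA-256 and once with a random per-user
salt, and the same attacker wordlist is run against both. (A real deployment
also needs a deliberately slow hash such as bcrypt, scrypt or Argon2; salt
alone is the point illustrated here.)
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed accounts: two members chose the same weak password.
USERS = {"member_a": "dragon1", "member_b": "Tr0ub4dor&3", "member_c": "dragon1"}
# Constructed attacker wordlist, ordered most-common first.
WORDLIST = ["123456", "password", "dragon1", "qwerty", "letmein"]


def store_unsalted(password: str) -> str:
    """The weak scheme: hex SHA-256 of the password and nothing else."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scheme: 16 random bytes per user, kept in the record as salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(db: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """One precomputed hash->word table (a rainbow-table stand-in) cracks every
    account at once. Returns (cracked users, hash computations needed)."""
    table = {store_unsalted(w): w for w in WORDLIST}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(WORDLIST)


def crack_salted(db: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts no table is shared: every guess is re-hashed for
    every account, so the work scales with users x wordlist."""
    cracked, hashes = {}, 0
    for user, stored in db.items():
        for word in WORDLIST:
            hashes += 1
            if verify_salted(word, stored):
                cracked[user] = word
                break
    return cracked, hashes


def demo() -> Dict[str, object]:
    unsalted_db = {u: store_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    cracked_u, hashes_u = crack_unsalted(unsalted_db)
    cracked_s, hashes_s = crack_salted(salted_db)
    return {
        # Identical passwords collide into identical digests only when unsalted.
        "distinct_unsalted": len(set(unsalted_db.values())),
        "distinct_salted": len(set(salted_db.values())),
        "cracked_unsalted": cracked_u, "hashes_unsalted": hashes_u,
        "cracked_salted": cracked_s, "hashes_salted": hashes_s,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things fall out of running it. Unsalted, the two accounts with the same password produce the same digest, so the attacker can see they match before guessing anything, and a single table of five hashes cracks both. Salted, every record looks different and the same wordlist costs eleven hash computations for three accounts; against a real dump of thousands of users and a wordlist of millions that multiplication is what a salt is for. It does not make a weak password strong, which is why the slow-hash choice still matters.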
January 13th, 2019, 15:26
Originally Posted by Kyrer: Obviously, no one should be using their most secure passwords on a small site like RPGWatch
To me, this sounds like the usual argument: what private people own is not worthy of protection; instead, only the property of corporations and firms is worthy of protection.
This creates a social imbalance in what can be easily dismissed; it can be seen, for example, in Windows 10 Home users being the de facto beta testers for the corporate versions of Windows 10 updates.
I've often seen this: firms develop sophisticated protection only where money can be received from; private home users don't have money, so they don't need any sophisticated protection. They don't even have anything worth protecting, compared to the immense property of mega-corporations.
The social message of this is clear: we, the home users, are expendable; corporations are not.
And, by the way, how do I hash my own home passwords? How do I salt them?
See? There's no implementation for that for home users. *facepalm*
By the way, I invent new passwords every time I need them, using the creativity I developed as someone who makes new RPG character names every now and then.
--
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction." (E.F.Schumacher, Economist, Source)
January 13th, 2019, 15:39
I think you are being a bit harsh with your comments. To be honest, for myself I consider most forums non-essential with regards to information, and all information I provide tends to be, er, non-essential. What information I provide to sites like banks is obviously different, for legal reasons. I would never provide a forum site in this day and age true PI (personal information) data other than a working email. This is just common sense with the number of sites being hacked. Having said that, I have a friend that uses a hash algorithm to produce passwords for all sites. The basic algorithm allows him to produce very strong unique passwords and to rotate things systematically. I'm not quite that diligent myself, but I do use different passwords on most sites, with sites of stronger 'concern' such as banks having much stronger unique passwords (as well as two-factor authentication). Sadly, one bank I am required to use has very weak access (no two-factor and a limit of 8-character case-insensitive passwords). They claim they check IPs; still, it is extremely weak (I'm required to use them because the company I work for uses them for certain required transactions).
-
Btw, and no, I do not provide MS PI information beyond what I am required to, and keep nothing personal on my Windows 10 machine (I use Unix for all significant internet activity).
Originally Posted by Alrik Fassbauer
To me, this sounds like the usual argument: what private people own is not worthy of protection; instead, only the property of corporations and firms is worthy of protection.
This creates a social imbalance in what can be easily dismissed; it can be seen, for example, in Windows 10 Home users being the de facto beta testers for the corporate versions of Windows 10 updates.
I've often seen this: firms develop sophisticated protection only where money can be received from; private home users don't have money, so they don't need any sophisticated protection. They don't even have anything worth protecting, compared to the immense property of mega-corporations.
The social message of this is clear: we, the home users, are expendable; corporations are not.
And, by the way, how do I hash my own home passwords? How do I salt them?
See? There's no implementation for that for home users. *facepalm*
By the way, I invent new passwords every time I need them, using the creativity I developed as someone who makes new RPG character names every now and then.
Lazy_dog
RPGWatch Donor
Original Sin 2 Donor
January 13th, 2019, 15:54
Originally Posted by Kyrer: Since there is the suggestion that user login details may have been accessed, it strongly implies that this site wasn't hashing its users' passwords. I believe this is completely unacceptable and amateurish. Password hashing is a basic security feature, and should be implemented as an absolute minimum. I find it extremely disappointing that any site would not bother to do this properly.
You might want to consider verifying your opinion before jumping to conclusions, otherwise you look a bit stupid.
Of course the passwords are hashed, so if they actually retrieved the passwords they only got hashed passwords. Even I can't see who has what password. The system cannot send you your password because it can only compare two hashed passwords. Also, passwords are not sent by mail as it is not safe; only temporary passwords are sent by mail, which need to be changed on first access and need to be approved by email as an extra security measure.
As you are an apparent expert on hashing passwords, you probably also know that even when only hashed passwords are retrieved, they can still be unhashed if they spend enough time on it and want to spend that time on it. Not making your members change their passwords just because someone had access to hashed passwords, like you apparently would do, would definitely be a disappointing course of action.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
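Myrthos's point, that a dump of hashed passwords can still be cracked given enough time, is the reason for the forced reset, and the SHA-vs-bcrypt/scrypt question raised further down the thread is really the same question: what does one guess cost the attacker? The script below is an added example (not RPGWatch's code) that stores a single constructed record two ways, as salted SHA-256 and as scrypt, runs the same offline dictionary attack against both, and extrapolates the cost of a billion-guess campaign. The scrypt parameters, the wordlist and the victim password are assumptions made up for the example; `hashlib.scrypt` needs Python 3.6+ built against OpenSSL 1.1 or later.

```python
"""Added example, not code from RPGWatch or its forum software.

A leaked table of *hashed* passwords is still crackable offline; what the hash
choice changes is the price of each guess. One constructed record is stored
two ways and attacked with the same small wordlist:
  * salted SHA-256  - a fast general-purpose hash
  * scrypt          - a memory-hard password hash (bcrypt/Argon2id are peers)
The scrypt parameters are illustrative assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

# Memory-hard parameters: N=2**14, r=8 -> ~16 MiB and tens of ms per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

Kdf = Callable[[str, bytes], bytes]


def sha256_salted(password: str, salt: bytes) -> bytes:
    """Fast hash: one SHA-256 compression, microseconds per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def scrypt_kdf(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard hash: every guess pays the full N*r cost."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store(password: str, kdf: Kdf) -> Tuple[bytes, bytes]:
    """Server side: fresh 16-byte salt per account, stored beside the digest."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)


def crack(record: Tuple[bytes, bytes], kdf: Kdf,
          wordlist: List[str]) -> Tuple[Optional[str], int, float]:
    """Attacker side: offline dictionary attack against one leaked record.
    Returns (recovered password or None, guesses made, seconds spent)."""
    salt, digest = record
    t0 = time.perf_counter()
    for n, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(kdf(guess, salt), digest):
            return guess, n, time.perf_counter() - t0
    return None, len(wordlist), time.perf_counter() - t0


# Constructed wordlist; the constructed victim password sits at position 10.
WORDLIST = ["123456", "password", "qwerty", "dragon", "letmein",
            "monkey", "football", "iloveyou", "baseball", "sunshine7",
            "welcome", "princess"]
VICTIM_PASSWORD = "sunshine7"


def demo() -> Dict[str, Dict[str, object]]:
    """Crack the same password under both schemes and extrapolate the cost of a
    realistic campaign (a billion guesses against one salted record)."""
    out: Dict[str, Dict[str, object]] = {}
    for name, kdf in (("sha256", sha256_salted), ("scrypt", scrypt_kdf)):
        record = store(VICTIM_PASSWORD, kdf)
        found, guesses, secs = crack(record, kdf, WORDLIST)
        per_guess = max(secs, 1e-9) / guesses
        out[name] = {
            "password": found,
            "guesses": guesses,
            "seconds_per_guess": per_guess,
            "days_for_1e9_guesses": per_guess * 1e9 / 86400,
        }
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:7s} cracked={r['password']!r} after {r['guesses']} guesses; "
              f"{r['seconds_per_guess'] * 1e3:.3f} ms/guess, "
              f"~{r['days_for_1e9_guesses']:.1f} days per 1e9 guesses")
```

Both schemes give up the weak password after the same ten guesses; the difference is that the SHA-256 run finishes in microseconds per guess while scrypt takes tens of milliseconds, a ratio of several orders of magnitude that carries straight into the extrapolated campaign length. Note that this Python loop understates the attacker badly: a GPU rig computes SHA-256 billions of times per second, so a fast hash buys a site's members almost no time to rotate, whereas a memory-hard hash resists GPU acceleration by design. The forced reset is still the right call either way, because the work factor only slows the attacker down, it does not stop them.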
January 13th, 2019, 19:55
If you aren't already, you might consider investigating SHA-3 for secure hashing, although SHA-2 is still pretty good.
January 13th, 2019, 21:01
Originally Posted by Myrthos: You might want to consider verifying your opinion before jumping to conclusions, otherwise you look a bit stupid. Of course the passwords are hashed, so if they actually retrieved the passwords they only get hashed passwords.
I apologise. I was obviously making an assumption as to the lack of password hashing on this site. Thanks for clarifying the situation, and for the reasons behind asking us to reset our passwords. It sounds like you've acted very reasonably in this situation, and I'm sorry if my original post sounded a bit harsh.
Guest
January 13th, 2019, 21:58
*IF* your assumption had been correct, Kyrer, that would have been one of the more restrained responses. 
I did discover that our passwords can be quite long, though, if we want. That makes pass phrases possible which really helps security.
--
The very powerful and the very stupid have one thing in common: instead of altering their views to fit the facts, they alter the facts to fit their views….-- Doctor Who in "Face of Evil"
January 13th, 2019, 22:09
Which type of hashing is used? Some types can't easily be brute-forced in a sensible amount of time, but some are pretty trivial to break, and hackers do often make the effort. AFAIK, the SHA family aren't recommended against brute-forcing, and these days it should be bcrypt or scrypt.
One of their favourite tricks is to find the passwords and email addresses from a hacked DB dump, and simply try them to log in to the big websites, like Amazon. I'd say it's more important to worry about changing your passwords on other sites, if there's any chance you've used the same details.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
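The "favourite trick" in the post above is credential stuffing: email/password pairs from one site's dump replayed against another. The post gives the member's-eye view (change reused passwords); the script below, an added example and not RPGWatch's own tooling, gives the target site's view. From a login log, a stuffing source looks like one IP trying many different accounts in a short time, mostly failing, with the odd success where a member reused a password, and those successes are the accounts to force-reset. The log format, every log line, the usernames and the thresholds are constructed for this example; the IPs are RFC 5737 documentation addresses.

```python
"""Added example, not RPGWatch's own tooling.

Credential stuffing seen from the target site's login log: one source trying
many *different* accounts, mostly failing, with the odd success where a member
reused a password. This detector flags such sources and lists the accounts
that still logged in from them, the ones to force-reset.

Log format and every log line below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one clumsy legitimate user (198.51.100.9) and one
# stuffing source (203.0.113.7) replaying a leaked list.
LOG = """\
2019-01-13T21:58:01Z ip=198.51.100.9 user=traveler result=fail
2019-01-13T21:58:09Z ip=198.51.100.9 user=traveler result=fail
2019-01-13T21:58:20Z ip=198.51.100.9 user=traveler result=success
2019-01-13T22:00:00Z ip=203.0.113.7 user=anne result=fail
2019-01-13T22:00:01Z ip=203.0.113.7 user=bill result=fail
2019-01-13T22:00:01Z ip=203.0.113.7 user=cara result=success
2019-01-13T22:00:02Z ip=203.0.113.7 user=dave result=fail
2019-01-13T22:00:02Z ip=203.0.113.7 user=erin result=fail
2019-01-13T22:00:03Z ip=203.0.113.7 user=fred result=fail
2019-01-13T22:00:03Z ip=203.0.113.7 user=gina result=fail
2019-01-13T22:00:04Z ip=203.0.113.7 user=hugo result=success
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse(log: str) -> List[Event]:
    """Parse 'timestamp key=value ...' lines into Events; blank lines skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            kv["ip"], kv["user"], kv["result"] == "success"))
    return events


def detect_stuffing(events: List[Event], window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5,
                    max_success_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Flag a source IP when, inside any `window`, it tried at least
    `min_accounts` distinct usernames and most attempts failed. Returns
    {ip: sorted accounts that logged in successfully from that IP}."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged: Dict[str, set] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            distinct = {e.user for e in chunk}
            success_ratio = sum(e.ok for e in chunk) / len(chunk)
            if len(distinct) >= min_accounts and success_ratio <= max_success_ratio:
                flagged.setdefault(ip, set()).update(e.user for e in chunk if e.ok)
    return {ip: sorted(users) for ip, users in flagged.items()}


if __name__ == "__main__":
    for ip, users in detect_stuffing(parse(LOG)).items():
        print(f"{ip}: credential stuffing suspected; force reset for {', '.join(users)}")
```

The legitimate user fails twice against a single account and is not flagged; the stuffing source touches eight accounts in four seconds and gets two logins, and those two accounts are exactly the members who reused a password from the other site's dump. In practice the thresholds need tuning for shared NAT addresses, and a distributed botnet spreads the attempts across many IPs, so per-IP counting is a first detection, not the whole answer; the member-side advice in the post (do not reuse the password anywhere else) is what removes the problem at the source.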
January 13th, 2019, 22:40
Originally Posted by JDR13: You forced me to hang out at that cesspool for a few days, and now I feel dirty.
"He who fights with monsters should be careful lest he thereby become a monster. And if thou gaze long into an abyss, the abyss will also gaze into thee." (Friedrich W. Nietzsche)
--
Sou tricolor de coração!
Sie sind das Essen und Wir sind die Jäger!
January 13th, 2019, 23:15
Originally Posted by purpleblob: I thought you enjoyed their Atom RPG review
I know you didn't ask me, but I couldn't finish that review. I thought it was a load of pretentious tripe. And the Codex turns my stomach. It's just chock full of toadies so desperate to appear undeniably clever but not really having the chops. It's like 6th-grade chess club over there.
January 13th, 2019, 23:18
I mostly lurk the Codex forum for news. Guess that means I let the darkness take me, and that officially makes me a half-troll. Anyway, it's fun trolling the Codex.
Anyway, I support the change of passwords, as you never know with hackers nowadays. Seems since the site changed servers it's been getting attacked and hacked.
--
“Opinions are like assholes, everybody's got one and everyone thinks everyone else's stinks.”
January 14th, 2019, 00:35
We've returned at last! Glad to see the Watch back online.
I did not resort to visiting the, well, other place. Though oddly, I made it a habit of checking back every 3 hours or so.
--
~Watching since 2007~