Login security changes, You shall not pass
Feb 21 2015, 13:52
Tenboro
Due to a large increase in the number of brute-force login attempts against member accounts, some hardening changes have been made to the login mechanism to thwart this. For most of you this will never come into play, but if you fail multiple login attempts or connect from what the site considers a suspect IP, you will now also have to solve a captcha for every login attempt. Hosts that fail a large number of attempts may be shut out entirely. Note that if you are using a weak password, one that closely resembles your login username, or one that you've reused on other sites, you may want to change it just to be safe. If you keep getting 7-day bans, your account is likely compromised, and you need to reset your password to restore functionality.
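The post above describes the policy (captcha after repeated failures or from a suspect IP, lockout for hosts that fail many attempts) but not how it is implemented. As an added illustration, not the site's own code, this is how such a login guard can be laid out in Python. The thresholds, the sliding window, the "suspect IP" list and the scenario in demo() are assumptions made up for the example.

```python
"""Login throttling with captcha gating and host lockout.

Added illustration, not the site's own code. Assumed policy: after
CAPTCHA_AFTER failures against an account or from an IP, every further attempt
must carry a solved captcha; an IP with BAN_AFTER failures inside the window is
shut out; IPs on the suspect list always need a captcha. Thresholds and the
window are made up for the example.
"""
import time
from collections import defaultdict, deque
from enum import Enum
from typing import Callable, Deque, Dict, Iterable, List

CAPTCHA_AFTER = 3          # assumed
BAN_AFTER = 20             # assumed
WINDOW = 15 * 60           # assumed sliding window, seconds


class Outcome(Enum):
    OK = "ok"
    BAD_CREDENTIALS = "bad_credentials"
    CAPTCHA_REQUIRED = "captcha_required"
    HOST_BANNED = "host_banned"


class LoginGuard:
    def __init__(self, now: Callable[[], float] = time.monotonic,
                 suspect_ips: Iterable[str] = ()):
        self.now = now
        self.suspect_ips = set(suspect_ips)
        self._by_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_user: Dict[str, Deque[float]] = defaultdict(deque)

    def _failures(self, q: Deque[float]) -> int:
        """Drop failures older than WINDOW and return how many remain."""
        cutoff = self.now() - WINDOW
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def is_banned(self, ip: str) -> bool:
        return self._failures(self._by_ip[ip]) >= BAN_AFTER

    def needs_captcha(self, ip: str, username: str) -> bool:
        return (ip in self.suspect_ips
                or self._failures(self._by_ip[ip]) >= CAPTCHA_AFTER
                or self._failures(self._by_user[username.lower()]) >= CAPTCHA_AFTER)

    def attempt(self, ip: str, username: str, password_ok: bool,
                captcha_ok: bool = False) -> Outcome:
        """password_ok stands in for the real credential check."""
        if self.is_banned(ip):
            return Outcome.HOST_BANNED
        if self.needs_captcha(ip, username) and not captcha_ok:
            # Refuse before looking at the password, so a throttled guesser
            # learns nothing about whether this particular guess was right.
            return Outcome.CAPTCHA_REQUIRED
        if password_ok:
            self._by_user[username.lower()].clear()   # the account's own counter resets
            return Outcome.OK
        t = self.now()
        self._by_ip[ip].append(t)
        self._by_user[username.lower()].append(t)
        return Outcome.BAD_CREDENTIALS


def demo() -> List[Outcome]:
    """Constructed scenario: one host hammers one account, then sprays many."""
    clock = [1000.0]
    g = LoginGuard(now=lambda: clock[0])
    trace = []
    for _ in range(CAPTCHA_AFTER):
        trace.append(g.attempt("203.0.113.7", "alice", password_ok=False))
    # right password, but the host now owes a captcha first
    trace.append(g.attempt("203.0.113.7", "alice", password_ok=True))
    trace.append(g.attempt("203.0.113.7", "alice", password_ok=True, captcha_ok=True))
    # same host sprays other usernames until it is shut out
    for i in range(BAN_AFTER):
        g.attempt("203.0.113.7", f"user{i}", password_ok=False, captcha_ok=True)
    trace.append(g.attempt("203.0.113.7", "bob", password_ok=True, captcha_ok=True))
    clock[0] += WINDOW + 1      # window rolls over; the host may try again
    trace.append(g.attempt("203.0.113.7", "bob", password_ok=True, captcha_ok=True))
    return trace
```

Two design choices worth noting: the captcha decision is made before the password is checked, so a throttled attacker cannot use the response to confirm a guess; and the per-IP counter is never cleared by a success, only by the window rolling over, so a host that sprays many accounts still gets locked out even if a few of its guesses land.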
Feb 21 2015, 14:28
xmagus
Group: Members
Posts: 1,042
Joined: 16-July 12
Hmm, interesting.
Will there be a move towards using SSL/TLS on the various EH-operated sites (which, presumably, might mean enabling SSL on H@H as well) at some stage?
Feb 21 2015, 14:32
Tenboro
QUOTE(xmagus @ Feb 21 2015, 13:28) Will there be a move towards using SSL/TLS on the various EH-operated sites (which, presumably, might mean enabling SSL on H@H as well) at some stage?
Probably not for H@H, at least not before HTTP/2 is implemented, but possibly for the site itself.
Feb 21 2015, 14:41
EsotericSatire
Group: Catgirl Camarilla
Posts: 11,256
Joined: 31-July 10
Pony authenticator?
Feb 21 2015, 15:25
uareader
Group: Catgirl Camarilla
Posts: 5,550
Joined: 1-September 14
As long as it doesn't make sad pandas even more deadly, it should be ok.
Feb 21 2015, 15:55
Tenboro
QUOTE(EsotericSatire @ Feb 21 2015, 13:41) Pony authenticator?
Not really usable for a login page since the chance for success by picking randomly is too large.
Feb 21 2015, 18:00
Binglo
Group: Catgirl Camarilla
Posts: 9,691
Joined: 16-December 09
Big T, keeping us all safe.
Feb 21 2015, 18:03
Spectre
Group: Global Mods
Posts: 8,530
Joined: 8-February 06
Probably what happened to bunbun a couple nights ago... *shrug*
Feb 21 2015, 18:40
digons
Lurker
Group: Lurkers
Posts: 1
Joined: 25-October 13
Well at least it's a good news to me.... lol
Feb 21 2015, 18:55
blue penguin
Group: Gold Star Club
Posts: 10,044
Joined: 24-March 12
If one wants to log in from an unsafe network he can always go to https://forums.e-hentai.org and log in through there, right? (This does not prevent session hijacking, but it prevents password spoofing.)
Feb 22 2015, 00:25
Tenboro
QUOTE(blue penguin @ Feb 21 2015, 17:55) If one wants to log in from an unsafe network he can always go to https://forums.e-hentai.org and log in through there, right? (This does not prevent session hijacking, but it prevents password spoofing.)
That is the only way to log in, the other login forms all direct you there to complete the process.
Feb 22 2015, 00:52
chivoef
Group: Gold Star Club
Posts: 4,063
Joined: 12-January 10
Is there some easy way to tell your account has been compromised? Just in case.
<-- paranoid
Feb 22 2015, 00:55
blue penguin
Group: Gold Star Club
Posts: 10,044
Joined: 24-March 12
Oops... my mistake, I haven't monitored my EH login with Wireshark (or something similar) since it changed last time.
Given that the authentication takes some time, the brute force attacks must have been very directed, i.e. they must have known the password (or a likelihood of the password) from another source. I cannot find a hash of my password in my cookies, so there must be some salt on EH side. I do not believe that whoever got the passwords got some hash to compare against.
BTW Tenb, when you change your password are all your sessions invalidated? The session time on EH is quite long (I never managed to expire it myself, I always cleaned cookies), therefore someone that managed to get hold of an account may open a session and use it for a long time.
This post has been edited by blue penguin: Feb 22 2015, 00:59
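The question in the post above, whether a password change kills sessions that were opened before it, is a real design point: a long-lived session that survives a reset lets whoever got in stay in. As an added example (not the forum software's implementation), the Python below ties every session token to a per-account authentication epoch that is bumped on password change, so every older session fails validation while a freshly issued one still works. The token format, the HMAC key, the 30-day lifetime and the demo scenario are assumptions.

```python
"""Session tokens bound to a per-account authentication epoch.

Added illustration, not the forum software's own code. Assumptions: tokens are
HMAC-SHA256 signed, sessions live SESSION_TTL seconds, and a password change
is modelled only as bumping the account's epoch (the password hash update
itself is omitted).
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

SESSION_TTL = 30 * 24 * 3600          # assumed 30-day lifetime
MAC_LEN = hashlib.sha256().digest_size


class SessionStore:
    def __init__(self, key: bytes, now: Callable[[], float] = time.time):
        self.key = key
        self.now = now
        self.epoch: Dict[str, int] = {}   # username -> epoch, bumped on password change

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Mint a session token for a user who has just authenticated."""
        payload = json.dumps(
            {"u": user, "e": self.epoch.get(user, 0), "t": int(self.now())},
            separators=(",", ":"),
        ).encode()
        return base64.urlsafe_b64encode(payload + self._mac(payload)).decode()

    def validate(self, token: str) -> Optional[str]:
        """Return the username if the token is authentic, current and unexpired."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except (binascii.Error, ValueError):
            return None
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        if len(mac) != MAC_LEN or not hmac.compare_digest(mac, self._mac(payload)):
            return None   # forged or tampered token
        data = json.loads(payload)
        if data["e"] != self.epoch.get(data["u"], 0):
            return None   # password changed after issue: every older session is dead
        if self.now() - data["t"] > SESSION_TTL:
            return None   # expired even though the signature is good
        return data["u"]

    def change_password(self, user: str) -> None:
        """Bumping the epoch is what revokes every existing session at once."""
        self.epoch[user] = self.epoch.get(user, 0) + 1


def demo() -> dict:
    """Constructed scenario: owner and intruder both hold sessions; owner resets."""
    clock = [1_700_000_000.0]
    store = SessionStore(key=b"constructed-demo-key", now=lambda: clock[0])
    owner = store.issue("alice")
    intruder = store.issue("alice")      # opened elsewhere with the leaked password
    result = {"before": (store.validate(owner), store.validate(intruder))}
    store.change_password("alice")
    result["after_reset"] = (store.validate(owner), store.validate(intruder))
    fresh = store.issue("alice")         # owner logs back in with the new password
    result["fresh"] = store.validate(fresh)
    raw = base64.urlsafe_b64decode(fresh.encode())
    tampered = base64.urlsafe_b64encode(raw[:-1] + bytes([raw[-1] ^ 0xFF])).decode()
    result["tampered"] = store.validate(tampered)
    clock[0] += SESSION_TTL + 1
    result["fresh_after_ttl"] = store.validate(fresh)
    return result
```

The epoch lives server-side, so revocation costs one integer per account rather than a table of every outstanding session; the same bump can be triggered from a "log out everywhere" button. Tokens are still bounded by SESSION_TTL so that a stolen cookie does not live forever even when the password is never changed.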
Feb 22 2015, 02:28
mozilla browser
Group: Gold Star Club
Posts: 2,131
Joined: 22-December 11
What happened to bunbun a few days ago?
Are the attacks directed (specific account names, rich/high level accounts etc ) or generally random and hitting lotsa accounts including non-existent ones?
What do they do once they get in?
Feb 22 2015, 02:31
hzqr
Group: Gold Star Club
Posts: 4,672
Joined: 13-May 09
Any educated guesses on the motive behind the mass brute-forcing? I can think of HV and one other reason, but in both cases it would still be rather excessive
Feb 22 2015, 02:36
Maximum_Joe
Group: Gold Star Club
Posts: 24,074
Joined: 17-April 11
QUOTE(tiap @ Feb 21 2015, 17:31) Any educated guesses on the motive behind the mass brute-forcing?
China; they're coming for our hentai money!
Feb 22 2015, 02:39
Tresik
Newcomer
Group: Members
Posts: 16
Joined: 13-March 13
Well, as always, keeping the same password across multiple services, or an otherwise easy-to-guess password, is a very bad idea. Because people tend to do that, it is also a good idea to sometimes remind them about that.