Topic: Change your passwords

Offline Karlos

Change your passwords
« on: January 14, 2012, 01:23:25 AM »
Dear all,

Several accounts here have been compromised in recent days. We have no evidence at this time to suspect that the server itself has been compromised. So far the issue appears to be one brought about through the use of weak passwords used across multiple forums as all of the known compromised accounts have been misused on other forums already.

With that in mind, please change your passwords for this and every other Amiga forum you visit, making sure each one is unique and as strong as possible (use mixed case, numbers and symbols where you can, the longer the better).

We apologise for any inconvenience.
int p; // A
 

Offline Tripitaka

Re: Change your passwords
« Reply #1 on: January 14, 2012, 01:46:33 AM »
Done. I just hope I don't lose the paper I wrote it on, I've no chance of actually remembering it. XD
Falling into a dark and red rage.
 

Offline Matt_H

Re: Change your passwords
« Reply #2 on: January 14, 2012, 01:49:58 AM »
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes? Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.
 

Offline orange

Re: Change your passwords
« Reply #3 on: January 14, 2012, 01:55:08 AM »
Quote from: Tripitaka;675702
Done. I just hope I don't lose the paper I wrote it on, I've no chance of actually remembering it. XD


I hope it's not 'hunter2' :)
Better sorry than worry.
 

Offline LoadWB

Re: Change your passwords
« Reply #4 on: January 14, 2012, 02:24:21 AM »
Web security is fun.  After reaching a total of 40-some passwords of my own I had to memorize, on top of customer passwords, I let Firefox save my passwords.  In and of itself this is not secure, but I also encrypt my profile so obtaining the files without my private key is useless.  Then each website uses a different password generated by apg, which creates NIST standard pronounceable passwords of whatever parameters you want, like 32 characters with special symbols and numbers, etc.

Default config (with -t to show pronunciations) creates something like this:

   CrobOkus (Crob-Ok-us)
   lidMuenn (lid-Muenn)
   ciQuegsId9 (ci-Quegs-Id-NINE)
   ubcorak$ (ub-cor-ak-DOLLAR_SIGN)
   athGhakfum (ath-Ghak-fum)
   dodMiuv[ (dod-Mi-uv-LEFT_BRACKET)


Or more complex, 32 character passwords which must contain capitals, lower-case, numbers, and special characters:

   TafApJekAdd$ocealavwycsodbekcor9 (Taf-Ap-Jek-Add-DOLLAR_SIGN-oc-eal-av-wycs-od-bek-cor-NINE)
   ucQuipsurrakbuzopp4ovVajDinchaj# (uc-Quips-urr-ak-buz-opp-FOUR-ov-Vaj-Dinch-aj-CROSSHATCH)
   ScijyotNoimyatyeydPoodEwon1cylf& (Scij-yot-Noim-yat-yeyd-Pood-Ew-on-ONE-cylf-AMPERSAND)
   ~Ozvaujkent8OzdiCoiljevpanwogLoi (TILDE-Oz-vauj-kent-EIGHT-Oz-di-Coilj-ev-pan-wog-Loi)
   TydTeogvalegHywridik/odJatovjan5 (Tyd-Te-og-val-eg-Hy-wrid-ik-SLASH-od-Jat-ov-jan-FIVE)
   uskingAg3KigByldEegEdReejOckcur< (usk-ing-Ag-THREE-Kig-Byld-Eeg-Ed-Reej-Ock-cur-LESS_THAN)


I love this utility.  If I forget a password (yeah, I'm not remembering 32 character passwords, for the most part,) or Firefox's save password is defeated (it happens,) then I just go through the process to create a new one.  (And I didn't use any of the above here hehehe)
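
Added example, not part of LoadWB's post and not apg itself: a sketch of the same workflow (one independently generated 32-character password per site, with capitals, lower-case, numbers and special characters all required). It draws uniformly random characters instead of using apg's pronounceable-password algorithm, and the site names are hypothetical.

```python
import math
import secrets
import string

# Character classes matching the post's requirements: capitals, lower-case,
# numbers and special characters.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate_password(length=32):
    """Return a random password containing at least one character per class.

    Whole candidates are drawn from a CSPRNG and rejected if a class is
    missing, so no position is biased towards a particular class.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to hold one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length=32):
    """Upper bound on entropy: log2 of the number of unrestricted strings."""
    return length * math.log2(len(ALPHABET))


def passwords_for(sites, length=32):
    """Map each site name to its own independently generated password."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Hypothetical site names, for illustration only.
    for site, pw in passwords_for(["forum-a.example", "forum-b.example"]).items():
        print(f"{site}: {pw}")
    print(f"about {entropy_bits():.0f} bits per password")
```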
 

Offline bbond007

Re: Change your passwords
« Reply #5 on: January 14, 2012, 02:31:40 AM »
Who is trying to hack Amiga sites anyway? Atari ST users?
 

Offline save2600

Re: Change your passwords
« Reply #6 on: January 14, 2012, 02:47:08 AM »
Quote from: bbond007;675707
Who is trying to hack Amiga sites anyway? Atari ST users?

The Atari SF354 is the greatest, most useful and most reliable drive on the planet!

I also love the fact it requires its own external power supply. So kewl!
« Last Edit: January 14, 2012, 02:53:43 AM by save2600 »
 

Offline Duce

Re: Change your passwords
« Reply #7 on: January 14, 2012, 02:57:51 AM »
Thanks for the heads up, Karlos.  Changed mine.

Anyone looking for a quick and easy complex PW generator, try:

https://www.grc.com/passwords.htm
 

Offline Tripitaka

Re: Change your passwords
« Reply #8 on: January 14, 2012, 04:00:17 AM »
Quote from: orange;675705
I hope it's not 'hunter2' :)


Oh, you mean *******, hey that's odd, when I type it I just get stars. :/
Falling into a dark and red rage.
 

Offline amiman99

Re: Change your passwords
« Reply #9 on: January 14, 2012, 04:00:52 AM »
Quote from: Duce;675709
Thanks for the heads up, Karlos.  Changed mine.

Anyone looking for a quick and easy complex PW generator, try:

https://www.grc.com/passwords.htm
Yes, I use a similar website to generate my passwords.
Just changed mine on this and other forums, just to be safe and of course they are different across forums.
A500 KS 2.1, 1MB Chip, 68000
A600 KS 3.1, 2MB Chip, ACA630 32MB RAM
A1000 KS 1.3, 8MB RAM
A1200 KS 3.1, Blizzard IV 50MHz 64MB RAM
A2000 KS 2.1, 68030 25MHz, 6MB RAM
A3000 KS 3.1, 68030 25MHz, 16MB RAM
A4000 KS 3.0, 68040 25MHz, 16MB RAM
CDTV KS 3.1, 4MB RAM
CD32
(AROS BOX) Dead :(
 

Offline tomazkid

Re: Change your passwords
« Reply #10 on: January 14, 2012, 04:11:13 AM »
Quote from: Matt_H;675704
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes? Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.



The obsolete part is the CMS; the XOOPS is old and obsoleted, and will be replaced, it takes time though.
The OS the site runs on, was changed when aw.net moved to a new ISP, and is up to date.

Quoting Karlos regarding where the passwords come from:

"We have no evidence at this time to suspect that the server itself has been compromised. "

Same goes at aw.net, Sibbi has not found anything strange in the logs this far.
 

Offline Pyromania

Re: Change your passwords
« Reply #11 on: January 14, 2012, 04:52:55 AM »
Thanx Karlos
 

Offline Karlos

Re: Change your passwords
« Reply #12 on: January 14, 2012, 10:59:17 AM »
Quote from: Tripitaka;675713
Oh, you mean *******, hey that's odd, when I type it I just get stars. :/


:lol:

For those not following, see: http://bash.org/?244321
int p; // A
 

Offline Karlos

Re: Change your passwords
« Reply #13 on: January 14, 2012, 12:26:14 PM »
Quote from: Matt_H;675704
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes?

There were a number of issues. The version of XOOPS that this site used previously (which I believe was even more obsolete than the install at AW) had weak hashing for passwords. However, the main impetus for moving to vB was that the hosting provider was set to remove all support for older PHP versions and associated libraries as part of a managed update to 5 (again, for security reasons). The version of XOOPS that was installed, which was extremely outdated by then, proved to be incompatible (bits worked, other bits didn't, basically a classic legacy PHP4 style application struggling with changes to the Zend engine since PHP5) with the updates.

The decision to move to vB was down to a choice between an updated version of XOOPS that would work after the update but be problematic for all the old Amiga browsers, or some other platform. The only reason the site stuck with its ancient version of XOOPS for so long in the first place was for classic Amiga browser compatibility (that and the fact that there was no upgrade path for most of the installed modules, either). With that consideration being out of the window regardless, alternatives were evaluated and vB was chosen as it scored better on a number of critical areas, including security.

Quote
Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Yes, we're in touch and cooperating on the problem.

Quote
Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.

That's for the best. No matter how strongly we salt and hash your password, if it is the same as you use on half a dozen other sites and one of those is the weak link, there's not a lot we can do other than reset it for you.

So once again folks, change your passwords if you haven't already and under no circumstances use the same password on more than one forum!
« Last Edit: January 14, 2012, 12:34:14 PM by Karlos »
int p; // A
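
Added example, not part of Karlos's post and not the forum's actual code: a small model of the point made above about salting, hashing and password reuse. PBKDF2-HMAC-SHA256, the iteration count, the `Forum` class and all names and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest) using a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Forum:
    """Hypothetical forum that stores only salted hashes."""

    def __init__(self, name):
        self.name = name
        self.users = {}

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def login(self, user, password):
        record = self.users.get(user)
        return record is not None and verify(password, *record)


def reuse_demo():
    """Constructed scenario: one member, two forums, one shared password."""
    ours, other = Forum("forum-a.example"), Forum("forum-b.example")
    shared = "constructed-shared-password"  # sample value, not real
    ours.register("member", shared)
    other.register("member", shared)
    # Salting works as designed: the two stored records have nothing in common.
    records_differ = ours.users["member"] != other.users["member"]
    # If `shared` becomes known through the other forum, it is still the
    # correct password here, so our salted hash accepts it.
    reused_accepted = ours.login("member", shared)
    # Once the member switches to a unique password, the old one fails here.
    ours.register("member", "constructed-unique-password")
    old_rejected = not ours.login("member", shared)
    return records_differ, reused_accepted, old_rejected
```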
 

Offline orange

Re: Change your passwords
« Reply #14 on: January 14, 2012, 01:11:05 PM »
Thank God it's not Doomy, or this would have turned into amiga2000.org ! :D
Better sorry than worry.