Doomworld has been compromised.


Just want to say...

 

That admin panel is one middle-man attack away from being compromised. It would've been wise to withhold that info about it, but that's just my security expert speaking.

1 minute ago, doomjoshuaboy said:

wow we got into a cyberattack but now this.. Jeez. What's wrong with this world???

indonesia data leak: dances

15 minutes ago, TwilySparky said:

nice fearmongering bozo, from what I've seen in research. I think we're mostly fine though it's a good idea to change passwords regardless


Wait, the "hacker" has an MLP image, and you have...

OMG!

1 minute ago, user76828904 said:


I don't like how it sounds.

 

Two-factor authentication can easily be compromised via an MM attack. I don't want to get into the steps on how it functions to avoid giving instructions on how to beat it, but it's always been the flaw with 2FA that has been tossed under the rug and not really.. patched against? I think that's how you phrase it.

 

That's a rabbit hole that I recommend delving into, and why I am very wary of relying solely on 2FA to protect something. I've been hacked a couple of times when I've had just 2FA enabled on a few accounts.


PSA: if any hackers message you with your location, reply to them with, "yeah I know where I live bozzo"

 

They'll still come to your house with a bat, but it'll be a funny post in the moment

Edited by Mr Masker


I think L~xfG$r7O\;u:O&v\6qcssLm+7y|="zV0\7:v!b: is a little bit harder to guess than "correct horse battery staple" though.

Edited by DrinkyBird

34 minutes ago, user76828904 said:

@ClumsyCryptid Thanks for the advice.

They haven't actually given you any information. Here's the gist: a man-in-the-middle attack requires emulating or otherwise pretending to be the password or 2FA input for the user in order to steal the code. Like how skimming a bank card on a terminal works using a stealthily added device.

There are two problems with this, however: the attack doesn't scale well towards smaller platforms (you would have to target a Doomworld admin explicitly), and larger platforms require a much more involved scam anyway. It also doesn't give you the actual 2FA security key, just the current code that's only valid for 30 seconds, and you can't reverse engineer it from that.

 

20 minutes ago, DrinkyBird said:

I think "L~xfG$r7O\;u:O&v\6qcssLm+7y|="zV0\7:v!b:" is a little bit harder to guess than "correct horse battery staple" though.

Congratulations on failing to read the comic. You aren't trying to create a password that's hard for people to guess, but for a computer to guess. Complex characters do not make a password harder for a computer to guess because the amount of data remains the same for each character. This is why a normal English sentence is inherently better as a password, as you can come up with longer ones with more bits of entropy to individual words, while easier for you to remember.

 

The password "MyMother'sPetSnowGooseWon'tStopEatingMyFuckingBrie" is better than your example because it's just as hard (if not potentially harder) for a computer to guess, but you will remember it.

Though you can't use that one because it's now open information, much like CorrectHorseBatteryStaple.

Edited by Edward850

29 minutes ago, Edward850 said:

Congratulations on failing to read the comic. You aren't trying to create a password that's hard for people to guess, but for a computer to guess. Complex characters do not make a password harder for a computer to guess because the amount of data remains the same for each character.

28 characters of perfect random garbage will still often be harder for a computer to guess, and gets harder as length increases. XKCD 936, if words are also chosen perfectly randomly, will also give good entropy and good memorability, so it's probably best to use it to protect your password manager database containing 64-character random passwords.

 

29 minutes ago, Edward850 said:

The password "MyMother'sPetSnowGooseWon'tStopEatingMyFuckingBrie" is better than your example

Humans are a poor source of randomness.

 

29 minutes ago, Edward850 said:

 

Though you can't use that one because it's now open information, much like CorrectHorseBatteryStaple.

I always kind of want to pick meme passwords like correcthorsebatterystaple or hunter2 just to see whether anyone would seriously guess them based on their legendary meme status. But I don't think I'll be the one running that experiment...

Edited by DrinkyBird


I'm so sick of pathetic people like this hacker who find any joy whatsoever in trying to ruin things for others. How about these people grow up and try to do something good and meaningful with their useless lives instead?

8 minutes ago, DrinkyBird said:

28 characters of perfect random garbage will still often be harder for a computer to guess, and gets harder as length increases. XKCD 936, if words are also chosen perfectly randomly, will also give good entropy and good memorability, so it's probably best to use it to protect your password manager database containing 64-character random passwords.

 

You are making the simple mistake of overestimating the entropy of those random characters.

Assuming you use all of ASCII, you have 96 printable characters at your disposal. The subset of letters and numbers is 62.

That means you won't even add a single bit of entropy for each single character if you extend your character set like that.

Password guessers cannot afford to make assumptions about passwords - random garbage is so prevalent among passwords in use that this has to be factored in.

If you want to brute-force guess a password against a server that has no protection against such attacks your random garbage won't help you much - a perfectly reasonable sentence of the same length has the same likelihood of getting guessed. That goes even more if the hash is weak and the guesser can run locally.

But when you use reasonable sentences you can make your password twice as long which increases security by several orders of magnitude.

 

15 minutes ago, DrinkyBird said:

Humans are a poor source of randomness.

 

Which is completely irrelevant. A computer does not think like a human; for it an 'A' and a '#' are just different numbers: 35 and 65. They have the same complexity.

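To put numbers on the entropy figures argued over in this exchange (an added example, not from any poster): bits for uniformly random characters over the 96- and 62-symbol alphabets named above, bits for uniformly random words (a 7776-word Diceware list is assumed; the thread names no list), the per-character gain from widening the alphabet, and expected guessing time at constructed guess rates.

```python
import math

# Alphabet sizes as stated in the thread: 96 printable ASCII, 62 letters+digits.
PRINTABLE_ASCII = 96
ALPHANUMERIC = 62
# Size of a standard Diceware word list (6**5); an assumption, not from the thread.
DICEWARE_LIST = 7776

# Constructed guess rates: an online attacker against a server with no lockout,
# and an offline attacker running a fast (weak) hash on their own hardware.
ONLINE_RATE = 10.0
OFFLINE_RATE = 1e11


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `alphabet_size`.
    Only valid for uniform random choice; a human-chosen sentence is not uniform,
    so its entropy cannot be read off its length this way."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly at random (XKCD 936 style)."""
    return word_count * math.log2(wordlist_size)


def extra_bits_per_char(small_alphabet: int, large_alphabet: int) -> float:
    """Bits each character gains when the alphabet grows from small to large."""
    return math.log2(large_alphabet / small_alphabet)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2 ** (bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


def compare(length_random: int = 28) -> dict:
    """Bits and offline guess time for the password shapes discussed in the thread."""
    cases = {
        "random printable": random_password_bits(length_random, PRINTABLE_ASCII),
        "random alphanumeric": random_password_bits(length_random, ALPHANUMERIC),
        "random alphanumeric, twice as long": random_password_bits(2 * length_random, ALPHANUMERIC),
        "4 random diceware words": passphrase_bits(4, DICEWARE_LIST),
        "8 random diceware words": passphrase_bits(8, DICEWARE_LIST),
    }
    return {name: (round(b, 1), expected_years_to_guess(b, OFFLINE_RATE)) for name, b in cases.items()}


if __name__ == "__main__":
    print(f"62 -> 96 symbols adds {extra_bits_per_char(ALPHANUMERIC, PRINTABLE_ASCII):.2f} bits/char")
    for name, (bits, years) in compare().items():
        print(f"{name:36s} {bits:7.1f} bits  ~{years:.3g} years at {OFFLINE_RATE:g}/s")
```

Doubling length doubles the bits (each bit doubles the search), while going from 62 to 96 symbols adds well under one bit per character; both facts fall straight out of the logarithms.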

I know this is a complete noob question, but why isn't it possible to simply limit the number of guesses a program or user can input before the system locks down the account in question for, let's say, 24 hours?

Edited by Gregor


Any good system will do that.

But far too many systems are written by people with no security awareness, and they tend to forget even the simplest safeguards.

 

1 minute ago, Gregor said:

I know this is a complete noob question, but why isn't it possible to simply limit the number of guesses a program or user can input before the system locks down the account in question for, let's say, 24 hours?

Doomworld literally does that. Only for 5 minutes IIRC though.

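The safeguard Gregor asks about and the replies describe, as an added example (not Doomworld's code): a per-account throttle that locks an account after a run of failed logins for a fixed window. The 5-minute window comes from the thread; the failure count, account names and the injectable clock are assumptions for testing.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Lock an account for `lockout_seconds` after `max_failures` consecutive failures.
    `clock` is injectable so the lockout window can be tested without waiting."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures        # assumed value; the thread names none
        self.lockout_seconds = lockout_seconds  # 5 minutes, as mentioned in the thread
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Window expired: clear the lock and start the failure count afresh.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        """Count a failed attempt; returns True when the account is (now) locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self._clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, account, password, check_password):
    """Refuse a locked account before the password is even checked, so the
    lockout costs a guesser the whole window regardless of what they try."""
    if throttle.is_locked(account):
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

This counts failures per account only, so it slows guessing against one account but not a guesser spreading a few tries over many accounts; that case needs a separate per-source or global limit.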

Someone hacked... Doomworld? What a pathetic existence. I've been using the same alphanumerical gibberish password for 20+ years now. Not too worried.

Edited by BigBoy91


“Hey guys I hacked Doomworld!!” - 🤓


 

1 hour ago, TwilySparky said:

nice fearmongering bozo, from what I've seen in research. I think we're mostly fine though it's a good idea to change passwords regardless


Here’s a tip for the future: Don’t come out of nowhere being an asshole to people for no reason. Nothing in the post you quoted was “fear mongering” at all, just pointing out that anyone who would do this has no life/friends - though you do seem a little defensive. Methinks the brony doth protest too much.

13 minutes ago, waverider said:

I'm so sick of pathetic people like this hacker

Hackers are pathetic creatures of meat and bone, panting and sweating as they run through my corridors. How can they challenge a perfect, immortal machine? What a grand and intoxicating innocence!

 

Whoops, mixed my quotes here.

