Poster: A snowHead
|
As part of the continued program of improvements to the security of the forum, I have now activated a couple of changes which will hopefully go unnoticed by many people.
The security breach that Snowheads suffered in November 2020 disclosed a large number of passwords and associated email addresses, which were able to be extracted from the system in encrypted form and then decrypted elsewhere because the encryption system used by the forum software was pretty good when the forum started back in 2004 but has not withstood the passage of time and the improvement in processing power and techniques since then. While these details alone are not enough to log in to the forum (you need to enter a username, not an email address), @admin contacted all of the registered users of the forum to inform them of what had happened, and recommended that users whose details were disclosed should reset their password.
To address this, we have improved the perimeter security on the servers running the site, and have also implemented a more modern encryption system for all password data. Accounts have been automatically migrated over to this new method as they have logged in to the system, so most of the active users now have this in place.
To assist with choosing more secure passwords, we have now implemented the following changes after a period of extended testing with a small group of volunteers:
- the password change facility (which can be found under User Facilities/Forum Profile in the menu at the top left of the page) now requires that any new password meets some minimum complexity rules. Passwords must be at least 8 characters in length, and should contain upper and lower case, numbers, and symbols. Rather than require all of these, 3 out of 4 will be enough, or alternatively a password of 12+ characters which meets 2 of the other rules will be accepted. The strength of your new password will be indicated as you enter it, and it should not be possible to submit the form until the complexity requirements are met.
- on login, if your current password does not meet the complexity rules, you will see a warning to that effect which gives some details of what complexity classes are missing. For now, this is advisory - you can continue into the forum, but we would recommend that you set a more secure password when you can. In the near future, this may become a mandatory requirement to protect the forum and the other users of it.
- also on login, if you are found to still be using a password which we know was breached in the November attack, a warning about this will be shown, and you will be invited to change your password. Again, this is not yet mandatory, but it is strongly advised as the password you are using has definitely been compromised, and this could put you at risk of further attacks either on your Snowheads account, or anywhere else you may have used that password.
- the password entry forms have now been updated to provide a Show Password toggle, which will reveal what you have typed into the box so far. This is an Eye icon to the right of the password box - click it to reveal what you typed, and again to hide the password.
We will of course be monitoring the system during this introductory period, but if you have any problems with the system please send a PM to the security_hamster and I will investigate.
|
OK Hammy -- thanks for your hard work - have a Carrot !
|
I (NickyJ) changed my password but now can't sign back in. I know what I changed it to though and even if you don't believe that - I let my phone save the new password, and that also won't let me in.
So I clicked into the forgotten password and filled in those details but have yet to have an email through.
Using hubby’s account for the moment.
Thanks!
|
I had the same problem Nicky. Turned out my auto fill was putting in my email instead of my user name on the top line. I changed that and it worked.
|
Think it may have been a similar issue! I am back in; the reset password thing eventually came through. Though the password the forgotten password reset to was not in line with the new password policy....
|
@NickyJ, sounds like a fun start to the day, apologies for the stress.
The password reset value is not something I’d thought about - thanks for spotting that! I should be able to fix it relatively quickly.
|
@dode, thanks, I may also be able to prevent the auto fill of an email address into the username field, which would also be useful for new registrations as we get a regular trickle of people who put their email address as their username and are then horrified to see it published on their first post, which leads to a username change request.
|
Only FYI, but the only way that I managed to change my password after being told that it's not secure this morning was to press the "duh I forgot" button and proceed via a new password via email then a password change - all previous attempts were as users above but about 7 attempts to change password were rejected.
|
I have just changed mine (which was previously generated by the forum), it was a painless experience
|
Just changed my password with no problems
|
Thank you admin for pointing me to the big yellow update password button thing - duly sorted
|
Also just changed mine with no problems. Thanks for the gentle nudge.
|
@NickyJ, the password reset now produces a password which should meet the complexity requirements, and be in a format which is relatively easy to type if needed. For those who use a password manager, they can use the auto-generated password permanently if they wish. Those remembering the password value would do better to generate something more memorable.
|
Having problems creating a new password. I create one that matches the required criteria (I get a "good" rating) but when I enter the exact same password to confirm I get a "mismatched password fields" message. Even copying and pasting the new password into that field does not solve it. The submit button disappears with this message. I have received and used a Snow Heads generated password in case that helped but for obvious reasons I want to change it.
Any ideas?
|
@Pukkascott, sorry to hear you're having problems - the submit button is hidden whenever the password is not valid, so that's expected as otherwise you could submit something which then fails the back-end checks, and that would be frustrating and/or confusing.
I'm not aware of anyone else having this problem, so I presume the issue is something in the specific password you are trying to use. If it has any of the more obscure symbols in it that could be part of the issue, though it was tested with a large variety of password values which were accepted OK - does the password contain a percent sign and then some numbers, or anything like that? If you are happy to share the value you tried to use by PM, I can do some testing to work out why it is failing
|
Solved it. Turns out you can't have a ? (question mark) in the password but you can have a !. Don't think a ? is an obscure symbol! There were no numbers before or after the ?, just letters.
|
Ah, thanks - that explains it. The checking code reacts differently to a ? and a * and also a + because those are JavaScript pattern modifiers, so it looks like I need to change the way we compare the password values to account for those. Working on it now...
|
Great. Might be worth a bit of script to tell you that the password entered is unsuitable rather than just hiding the submit button. Might be worth saying certain special characters are not acceptable.
Also the 8+ (required) and 12+ words (recommended) confused me.
|
I kept getting the hamster, with it telling me that there was an SQL issue with my signature, so I deleted the signature and my new password was accepted.
|
@Pukkascott, the code is now fixed and will correctly match for passwords which contain *, ? and + and will permit them to be entered. There is a check on the password suitability, but the behaviour of JavaScript's string comparison on seeing those characters was unexpected - to the right of the password fields is a text indication of the progress, which as well as the password strength will show warnings for invalid characters, a mismatch, or when it is waiting for more characters before checking that the two values match. The bottom section of the password complexity requirements list does say that single and double quotes and semi-colons are not permitted, which are the only characters we specifically block because they can mess with the database on the back end if all of our other checks fail for some reason.
@marodo2712, yes, that's an issue we have with the profile update section of the site - when you try to change anything in your profile, including password or email address, all of the profile information is loaded into the form and then all of it is returned to the server after you've made your changes, so if there is anything unusual in the current profile values (including location, interests and signature if you have used those), then they may trigger a rule which wasn't in force when they were originally created months or years ago. Hopefully the error message is helpful in tracking these down, plus we do tweak the security rules to allow some of the less risky stuff. In your case it was the repeating hyphens which caused it, and removing those alone would have resolved the problem.
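The complexity rules from the announcement (8+ characters with 3 of the 4 classes, or 12+ characters with 2), the blocked quote and semicolon characters, and the ?/*/+ mismatch discussed in this post, as an added example that is not the forum's own code: `fieldsMatchBuggy` is an assumed reconstruction of a confirm-field comparison that compiles the entered password into a RegExp, which is one way those characters end up treated as pattern modifiers, and `fieldsMatch` is the plain-equality fix. All function names are hypothetical.

```javascript
// Added example, not the snowHeads forum's own code. Function names are hypothetical.

// The four character classes named in the announcement.
const CLASSES = [
  ['lower case', /[a-z]/],
  ['upper case', /[A-Z]/],
  ['numbers',    /[0-9]/],
  ['symbols',    /[^A-Za-z0-9]/],
];

// The only characters the post says are blocked outright: quotes and semicolons.
const BLOCKED = /['";]/;

// Names of the classes a password is still missing (for the login warning).
function missingClasses(pw) {
  return CLASSES.filter(([, re]) => !re.test(pw)).map(([name]) => name);
}

// Apply the stated policy: 8+ chars with 3 of 4 classes, or 12+ chars with 2.
function checkPassword(pw) {
  if (BLOCKED.test(pw)) {
    return { ok: false, reason: 'contains a blocked character (quote or semicolon)' };
  }
  if (pw.length < 8) {
    return { ok: false, reason: 'fewer than 8 characters' };
  }
  const missing = missingClasses(pw);
  const present = CLASSES.length - missing.length;
  if (present >= 3 || (pw.length >= 12 && present >= 2)) {
    return { ok: true, reason: 'meets complexity rules' };
  }
  return { ok: false, reason: 'missing: ' + missing.join(', ') };
}

// Assumed reconstruction of the mismatch bug: compiling the first field into a
// RegExp makes ?, * and + act as quantifiers, so "pass?word" only matches
// "pasword" or "password", never the literal text the user typed twice.
function fieldsMatchBuggy(first, confirm) {
  return new RegExp('^' + first + '$').test(confirm);
}

// The fix: compare the two fields as plain strings, never as a pattern.
function fieldsMatch(first, confirm) {
  return first === confirm;
}
```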
|
Oh, and you may have to clear your browser cache or do a forced reload (Shift+F5 for most browsers) to see the new behaviour, as your cache may have the old JavaScript file.
|
lol @ pattern matching characters
wonder how many have tried to change their password to the "little Bobby Tables" SQL injection command string?
|
@andy, if you start trying passwords like ";DROP%20ALL%20TABLES;" then I will have to come round and chew through some of the control cables in your place of work while you're not looking. It will of course be blocked if you try, but it's rude to poke the hamster...
|
careful @andy, you don't want to end up on @security_hamster's I Gnaw list
|
Hi, somewhat concerned on registering that the password is sent in plain text via email (who knows what systems it has gone through on the way, possibly leaking the password). I'd suggest, on registering, changing the password immediately on getting the email, and not using a password used elsewhere for either the initial or the changed password.
Registration email states: "Please do not forget your password as it has been encrypted in our database and we cannot retrieve it for you"
Is it really encryption (two-way so potentially decryptable no matter how secure you may think), or is it one-way hash (hopefully salted PBKDF2, bcrypt etc)?
|
@tjmoore, the initial password email is a feature of the forum software the site uses, but is in the ToDo list for the summer. If your email server supports TLS then the email can be sent over an encrypted channel from end to end.
The password in the database is a 1-way hash, salted, and significantly improved from the default settings and original software.
Also, the forum has no personal data about you other than your email address, unless you choose to add more later.
|
Quote: "Hi, somewhat concerned on registering that password is sent in plain text via email"
I just signed up and was also quite shocked to see this awful practice in place in 2023...and almost 2 years after you said it was on the to-do list.
|
If you're shocked then you don't understand/haven't considered the processes involved very well.
The only place it could present a problem is if you don't have secure control over your own email inbox so I suggest that be your immediate priority.
For the avoidance of doubt: it is not on the ToDo list.
|
oh, and Welcome to snowHeads
|
@spannerpidgey, surely you would use a unique password. Even if someone got a hold of your password all they would do is post sh1te on a ski website. You will soon be an expert at posting Sh1te after 6 months so being hacked will save you a lot of time.