
41 - 57 of 57 Posts

Beer League Racer/Asshole (5,206 Posts)
> You guys are not reacting with your heads. Ten character passwords with upper case, lower case, numbers and symbols do not increase security. It pushes the vulnerability into the browser.
>
> Hire some people who understand user online security. This is not state of the art.

How so? Passwords of 8 characters or less can easily be subjected to rainbow table attacks. A rainbow table is *every* combination of uppercase, lowercase, numbers, and symbols from 1 to 8 characters that can be tried on an offline database. 8-character rainbow tables can fit on a thumb drive, so are also very fast to go through. At about 10 characters, a rainbow table is exponentially bigger and not really practical to use anymore. Use a pass phrase or, if you wish, use two passwords hyphenated, like [email protected] Easily remembered for those that don't use a password vault (not SAVING passwords in a browser). Better yet, get a password vault.
 

Registered (165 Posts)
> How so? Passwords of 8 characters or less can easily be subjected to rainbow table attacks. A rainbow table is *every* combination of uppercase, lowercase, numbers, and symbols from 1 to 8 characters that can be tried on an offline database. 8-character rainbow tables can fit on a thumb drive, so are also very fast to go through. At about 10 characters, a rainbow table is exponentially bigger and not really practical to use anymore. Use a pass phrase or, if you wish, use two passwords hyphenated, like [email protected] Easily remembered for those that don't use a password vault (not SAVING passwords in a browser). Better yet, get a password vault.

What you are describing is theoretically true. Longer passwords have the potential for more entropy. However, when you make people follow along they insist on fucking it up.

Using words linked with punctuation is what people tend to do when asked to create long strings of characters. It leads to much weaker passwords than we expect. I made a self-deprecating joke about it earlier about how insecure it is. I don't think everyone got it.

There are fewer than 10,000 5-letter English words. Mix some capitalization and simple substitutions (a -> @ and the like) and you get somewhere around 50,000 combinations. You wasted a possible search space of 6.5b from 5 random characters by using a word.

Link some words, add some punctuation as suggested to create a 10 character password, and your password is at best equivalent to a 6-character random password.

Let's look at what else might be a security problem. The site is not encrypted and susceptible to intercept and redirect. There is no green lock in the browser bar that protects the content and verifies the identity of the site. If someone wanted your password they would have it without having to resort to brute force methods and you would never know. Let's carry on though.

When you submit your password, it is sent in the clear over the internet to the BCSB server. The password is encoded with an MD5 hash. This is a brutal choice for cryptography. It is simple and quick to brute force attack. There is no hope if these hashes are stored in the database. It is just too easy to compute without dedicating months of time. I suspect this is what happened in the original breach and why the concern now.

So the original 10 characters were cut to 6 because people are dumb. Then it is cut by at least half from using MD5, which is dumb. Which puts us at 3-character-equivalent passwords. Ten character passwords turn out to be weak when your security policies and systems allow them to be. Too many people are nodding their head and not thinking.

This is why someone who knows user security needs to help.
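The two arguments in the post above, that word-plus-punctuation passwords collapse the search space and that unsalted MD5 storage throws away what is left, can be put into numbers. The following is an added example written for this thread, not code from the forum or its software: the word counts (10,000 five-letter words, 50,000 variants) are the post's own estimates, the 95-character printable-ASCII alphabet and the PBKDF2 parameters are assumptions, and `fluffybunnyR1` is used only because it appears later in the thread.

```python
import hashlib
import hmac
import math
import os

# Part 1: search-space arithmetic.  Word counts are the thread's estimates;
# the 95-character printable-ASCII alphabet is an assumption.
PRINTABLE = 95          # upper + lower + digits + symbols in printable ASCII
SYMBOLS = 32            # the punctuation subset of printable ASCII
WORDS_5 = 10_000        # thread: "fewer than 10,000 5-letter English words"
WORD_VARIANTS = 50_000  # thread: after capitalisation and a->@ style substitutions


def random_space(length, alphabet=PRINTABLE):
    """Distinct passwords of `length` characters drawn uniformly from `alphabet`."""
    return alphabet ** length


def bits(space):
    """Entropy in bits of a search space of `space` equally likely passwords."""
    return math.log2(space)


def word_scheme_space(words=2, variants=WORD_VARIANTS, joiners=SYMBOLS):
    """Search space of `words` dictionary-word variants joined by one symbol each
    (word-symbol-word for words=2), the pattern the post says people fall into."""
    return variants ** words * joiners ** (words - 1)


def equivalent_random_length(space, alphabet=PRINTABLE):
    """Shortest uniformly random password whose search space is at least `space`
    (integer arithmetic, rounded up: the most generous comparison for the scheme)."""
    n = 1
    while alphabet ** n < space:
        n += 1
    return n


# Part 2: storage.  Unsalted MD5 is what the post says the forum used;
# salted PBKDF2-HMAC-SHA256 from the standard library is the hardened form.
def md5_store(password):
    """Weak form: unsalted MD5.  Equal passwords give equal hashes, so one
    precomputed table answers every user at once, and the hash is fast to compute."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, iterations=600_000):
    """Hardened form: per-user random salt plus a deliberately slow key derivation.
    The record carries its own parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for n in (5, 6, 8, 10):
        print(f"{n} random printable chars: {bits(random_space(n)):.1f} bits")
    ws = word_scheme_space()
    print(f"word-symbol-word scheme: {bits(ws):.1f} bits, "
          f"about {equivalent_random_length(ws)} random chars")
    # Two users who picked the same password (constructed sample from the thread).
    pw = "fluffybunnyR1"
    print("MD5 identical for both users:", md5_store(pw) == md5_store(pw))
    a, b = pbkdf2_store(pw), pbkdf2_store(pw)
    print("PBKDF2 identical for both users:", a == b, "| verifies:", pbkdf2_verify(pw, a))
```

Running it shows the cliff the thread describes: 8 random printable characters are about 53 bits and 10 are about 66, while two 50,000-variant words joined by a symbol are about 36 bits, which the rounding-up comparison puts at 6 random characters, matching the post's "at best". The storage half shows why the scheme matters: the MD5 column is identical for every user who chose the same password, whereas the salted records differ and can only be checked by re-running the slow derivation.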
 

Self-proclaimed VIP (875 Posts)
Firstnamelastname1? That's way less secure than my old password. Why not let people keep their insecure passwords if they choose to? Seriously, if someone hacked my bcsb, I wouldn't give a shit. Why have such a strong password policy for a FORUM? Let US make the decision whether or not we want to keep it secure or not.
 

Wanderer of the Wastes (6,796 Posts)
> Why not let people keep their insecure passwords if they choose to? Seriously, if someone hacked my bcsb, I wouldn't give a shit. Why have such a strong password policy for a FORUM? Let US make the decision whether or not we want to keep it secure or not.

Nothing stopping the users from changing passwords BACK to 'fluffybunnyR1'. The issue has never been about protecting your BCSB account. No one gives a shit if your profile gets overrun and starts shit-posting top 10 lists and out-of-closet confessions.

The issue is the overwhelming laziness of users, and the need for 'the administration' to protect THEMSELVES.

Chances are, if you're the sort of bloke to have a pass like fluffybunnyR1 (just guessing: but it's not unreasonable to think that perhaps as much as 60%+ of users here have passwords related to their bike of choice), you're also the lazy sort of bloke who maybe - just maybe - has also re-used this password elsewhere - surely no one would be so daft as to have the _same_ password set for their email or e-banking; but ok, let's say someone does; users are clearly proud of being ignorant and lazy after all... so perhaps it's not too far fetched to imagine a scenario where attackers are able to glean enough info to get access to your email account itself. They then lock you out of said email account, and leverage 'your e-dentity' there to go about gaining access to your banking, your bitcoins, your .. whatever. So some ignorant bloke gets robbed, and then comes back here to lambast administration and point fingers for his 'getting hacked'.

It's never YOUR fault, you see...
 


Registered (3,411 Posts)
I'm ok using Taptalk but not on the other site. I can't seem to change it on that site. I'm not sure I will bother just yet.


Sent from my iPhone 5 using Tapatalk
 

lover of twins (6,068 Posts)
10 fucking characters?!?! With all the ads and how shitty/slow some of your other sites run (RC51 forums), I'm tempted to use FUCKYOUverticalscope01! as a password.

10 characters plus everything else is a bit of an overreaction, guys. This is bcsb we're talking about, not the Pentagon.
 

Registered Abuser (20 Posts)
So.... my password was reset... but I didn't receive an e-mail since I have no idea what old e-mail account I used to sign up back in the day... so not being able to log in, or have a new password sent to me, I had to re-register under a new username... with a new password that I've likely already forgotten. Why does the internet need to be so difficult?
 

Administrator (315 Posts)
Discussion Starter #52
> So.... my password was reset... but I didn't receive an e-mail since I have no idea what old e-mail account I used to sign up back in the day... so not being able to log in, or have a new password sent to me, I had to re-register under a new username... with a new password that I've likely already forgotten. Why does the internet need to be so difficult?

If you are unable to get your password resets properly sorted out due to old emails on your account still after the notice was sent out, we ask that you go down to the contact us area, and with the subject line of "password reset" add the following contents for me:

- Account Name
- Email On the account
- Email You need it changed to if need be

add all this, then hit send, and someone on our team will answer that email and fix your account up no problem.

You can do the same and send us a PM privately to have it manually changed, but due to the influx and us tackling a lot of issues, this would be a slower way of getting it reset. We recommend you use the contact us form to get it resolved if you can. If that does fail though and you have waited too long, send us a PM and we will manually reset it. Just make sure you supply the information above for a quicker fix.

Also, if you do have the right email on your account, I would ask you to please check your spam/junk folders as sometimes with certain email providers, it tends to land in there.

If you all need anything else, please let me know.

~Shane
 

Registered (1,329 Posts)
You want us to use complicated passwords but you do not supply an HTTPS connection for logins. Pretty dumb. Talk about closing the barn door after the cows ran off.
 

Wanderer of the Wastes (6,796 Posts)
fwiw, at the time of the password reset, the email was so botched I had to go out and find the direct password reset link myself - (http://www.bcsportbikes.com/forum/login.php?do=lostpw)

Fortunately I was able to do this on the day of the change. If I wasn't able to manually request the reset I'd still be locked out. However, it now looks like the reset script is checking referral headers, which completely fucks anyone without a current login coming in from Google. By clicking the link as listed here the referral domain should at least be 'correct'.

I also had to dig up an older browser that still supports Flash, as the reset 'captcha' was Flash-based. So that's also fucked right up....
 

Administrator (315 Posts)
Discussion Starter #56
> You want us to use complicated passwords but you do not supply an HTTPS connection for logins. Pretty dumb. Talk about closing the barn door after the cows ran off.

Hey there

HTTPS and SSL connections are something tech is looking into, however it would take time to implement across our network, and the resets had to happen more quickly than that.

> The use of O and 0 in an e-mailed password?

These passwords are auto-generated and do not take into consideration the similar looking and easily confused characters. This is why we strongly suggest you copy and paste these passwords, and not try to manually type them out.

> fwiw, at the time of the password reset, the email was so botched I had to go out and find the direct password reset link myself - (http://www.bcsportbikes.com/forum/login.php?do=lostpw)
>
> Fortunately I was able to do this on the day of the change. If I wasn't able to manually request the reset I'd still be locked out. However, it now looks like the reset script is checking referral headers, which completely fucks anyone without a current login coming in from Google. By clicking the link as listed here the referral domain should at least be 'correct'.
>
> I also had to dig up an older browser that still supports Flash, as the reset 'captcha' was Flash-based. So that's also fucked right up....

Could you expand on what you mean by the email being botched? Did you receive something that was illegible? Or are you referring to the email providers slotting us as spam and delaying, or not delivering the messages?

For captcha, I've heard we are looking into alternatives, but at the moment there is nothing set in stone about it.

Dayle
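The O/0 problem the admin describes above (an auto-generated temporary password that mixes look-alike glyphs) is avoided at generation time by drawing from an alphabet with the confusable characters removed while still meeting the thread's upper/lower/digit/symbol policy. The following is an added example, not the forum's own reset code: the choice of excluded glyphs and the symbol set are assumptions, and `meets_policy` encodes only the four character classes the thread mentions.

```python
import math
import secrets
import string

# Glyphs that are routinely misread when a password is typed from an e-mail.
# Assumption: this is the set a practitioner would drop; the forum's generator
# is not on the page.
CONFUSABLE = set("O0Il1|")
UPPER = "".join(c for c in string.ascii_uppercase if c not in CONFUSABLE)
LOWER = "".join(c for c in string.ascii_lowercase if c not in CONFUSABLE)
DIGITS = "".join(c for c in string.digits if c not in CONFUSABLE)
SYMBOLS = "!@#$%^&*-_+=?"   # quotes, backticks and pipes left out: also misread
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)


def meets_policy(password):
    """True when upper, lower, digit and symbol are all present (the policy the
    thread describes) and no confusable glyph appears."""
    has_each_class = all(any(c in cls for c in password) for cls in CLASSES)
    return has_each_class and not (set(password) & CONFUSABLE)


def generate_temp_password(length=12):
    """Draw from the unambiguous alphabet with the OS CSPRNG and retry until the
    four-class policy is met.  Rejection sampling keeps the result uniform over
    the accepted set, unlike 'fix up' approaches that force a class into slot 0."""
    if length < len(CLASSES):
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length=12):
    """Upper bound on the entropy of a `length`-character draw from ALPHABET;
    at this length the policy rejection removes a negligible fraction of draws."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_temp_password()
    print(f"temporary password: {pw}")
    print(f"alphabet size {len(ALPHABET)}, about {entropy_bits():.1f} bits for 12 chars")
    # A bike-name password of the kind the thread jokes about (constructed sample).
    print("fluffybunnyR1 meets policy:", meets_policy("fluffybunnyR1"))
```

Dropping six glyphs from the 68-character pool costs well under one bit per character, so a 12-character draw still lands above 70 bits, comfortably past the 10-character policy the thread is arguing about, and the user can type what they see in the e-mail without guessing whether a glyph is a letter or a digit.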
 