Help D:

For all the help you need with Armagetron!
Lucifer
Project Developer
Posts: 8640
Joined: Sun Aug 15, 2004 3:32 pm
Location: Republic of Texas

Re: Help D:

Post by Lucifer »

Light wrote:
Lucifer wrote: I ended up banning the username for an hour because I don't want to chase proxies. I *can* just ban the account forever and y'all can pass the message that he just needs to make a new account. Is it feasible? How much has he used this login?
He uses it quite a bit. :X The only person I have logged under his @forums account is Swag (besides him of course). If he changes the pass, he should be good to go. If you can recover, he should probably change his email password as well.
Now would be a good time to know if bans on the forums also prevent armathentication from armathenticating a forum user. Looks like a rare situation where that might be desirable.

Resetting his password requires Tank Program. I don't have those powers. I can keep the username banned until then if it helps somehow.

Be the devil's own, Lucifer's my name.
- Iron Maiden
Light
Reverse Outside Corner Grinder
Posts: 1667
Joined: Thu Oct 20, 2011 2:11 pm

Re: Help D:

Post by Light »

Lucifer wrote:
Light wrote:
Lucifer wrote: I ended up banning the username for an hour because I don't want to chase proxies. I *can* just ban the account forever and y'all can pass the message that he just needs to make a new account. Is it feasible? How much has he used this login?
He uses it quite a bit. :X The only person I have logged under his @forums account is Swag (besides him of course). If he changes the pass, he should be good to go. If you can recover, he should probably change his email password as well.
Now would be a good time to know if bans on the forums also prevent armathentication from armathenticating a forum user. Looks like a rare situation where that might be desirable.

Resetting his password requires Tank Program. I don't have those powers. I can keep the username banned until then if it helps somehow.
Ban me for like 5 mins and we can find out? He don't really seem to have ever used the forums (for posting), so if he can log in in-game he should be fine.

/e Idk how to tell if someone is banned .. so that wouldn't work. I wouldn't know if I was banned. lol Unless I spammed posts to test. :P
Lucifer
Project Developer
Posts: 8640
Joined: Sun Aug 15, 2004 3:32 pm
Location: Republic of Texas

Re: Help D:

Post by Lucifer »

Light wrote: Now would be a good time to know if bans on the forums also prevent armathentication from armathenticating a forum user. Looks like a rare situation where that might be desirable.

Resetting his password requires Tank Program. I don't have those powers. I can keep the username banned until then if it helps somehow.
Ban me for like 5 mins and we can find out? He don't really seem to have ever used the forums (for posting), so if he can log in in-game he should be fine.

/e Idk how to tell if someone is banned .. so that wouldn't work. I wouldn't know if I was banned. lol Unless I spammed posts to test. :P
Oops, sorry, went to try to get the wife interested in a movie. The shortest interval I have is 30 minutes. Then there's 1 hour and 6 hours. Sooo..... pick one? I'll check back periodically tonight, but unless we both jump into irc I don't have a realtime way to manage this. Friend me on facebook? And then.... when the wife gets back with wine and stuff, I'm starting a movie, which occupies my laptop. :/

Be the devil's own, Lucifer's my name.
- Iron Maiden
Z-Man
God & Project Admin
Posts: 11587
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Help D:

Post by Z-Man »

Light wrote:
Word wrote:How the hell did he get your password?
Well, assuming it's Swag .. He now has a server, so if he made the mistake of doing something like:


/login TheDFR@forums myPassword
Does the server actively encourage that? If so, we need to remove it from the master lists, IMHO. Which server is it?
Light
Reverse Outside Corner Grinder
Posts: 1667
Joined: Thu Oct 20, 2011 2:11 pm

Re: Help D:

Post by Light »

Z-Man wrote:
Light wrote:
Word wrote:How the hell did he get your password?
Well, assuming it's Swag .. He now has a server, so if he made the mistake of doing something like:


/login TheDFR@forums myPassword
Does the server actively encourage that? If so, we need to remove it from the master lists, IMHO. Which server is it?
It was just a guess. I see people do it all the time on my servers, so it's not that far out there.
Word
Reverse Adjust Outside Corner Grinder
Posts: 4258
Joined: Wed Jan 07, 2009 6:13 pm

Re: Help D:

Post by Word »

Z-Man wrote:
Light wrote:
Word wrote:How the hell did he get your password?
Well, assuming it's Swag .. He now has a server, so if he made the mistake of doing something like:


/login TheDFR@forums myPassword
Does the server actively encourage that? If so, we need to remove it from the master lists, IMHO. Which server is it?
If this happens as often as Light says, I'd rather suppress these messages in chatlogs and treat them as an actual login. Or is that a bad idea? This way of logging in is very common anyway.
Z-Man
God & Project Admin
Posts: 11587
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Help D:

Post by Z-Man »

Word wrote: If this happens as often as Light says, I'd rather suppress these messages in chatlogs
Yes, if it does not already happen. And warn the user. Unless the /login command is supposed to treat spaces as part of the GID (dunno right now), that is, in which case we kind of have lost.
Word wrote:and treat them as an actual login. Or is that a bad idea?
Bad idea. That way, the password can always be read by a malicious server owner, not the regular way. We definitely do not want people getting used to an insecure procedure.

Edit: banning the account again for a bit because there is nothing else we can do right now to avoid the spam. Sucks to be him.
Word
Reverse Adjust Outside Corner Grinder
Posts: 4258
Joined: Wed Jan 07, 2009 6:13 pm

Re: Help D:

Post by Word »

Oh, I hoped you could somehow do both :/
Z-Man
God & Project Admin
Posts: 11587
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Help D:

Post by Z-Man »

Well, yes, but that only makes it marginally better. As if users would heed a warning if the operation succeeds anyway.
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Re: Help D:

Post by Tank Program »

I have no idea what the story here is, but the account e-mail, password, and profile have all been reset along with the account being deactivated. Someone will need to convince me this is their account to get it back.
Ratchet
Match Winner
Posts: 779
Joined: Sat Mar 15, 2008 5:55 am

Re: Help D:

Post by Ratchet »

in theory, is it impossible for a server owner to code his/her server in the way that logins are viewable to them?

can the code be edited to make the login not as secure as it should be?
"Dream as if you'll live forever,
Live as if you'll die today." -James Dean
Z-Man
God & Project Admin
Posts: 11587
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Help D:

Post by Z-Man »

Ratchet wrote:in theory, is it impossible for a server owner to code his/her server in the way that logins are viewable to them?

can the code be edited to make the login not as secure as it should be?
In the standard procedure, if the user only enters the password in our password form, only a nonced hash of a (possibly salted, depends on the authority) hash. The nonce and salt make mass brute force attacks impossible, you can't collect a bunch of hashes and efficiently try to guess the passwords for them all. But if you are really determined and the password is weak, and you would be amazed what counts as weak password to the cracking experts, you can still simply run a couple billion passwords through the algorithm and look for matches for a single hash you collected. We should switch to a more expensive hashing algorithm in the near future. It does not hurt regular use if the hash calculation takes about a millisecond, but puts a huge damper on all sorts of brute force attacks.

Or you could try simple phishing. "For added security, please log in using /login GID password".

And of course there is the possibility we screwed up somewhere.
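
The scheme described in the post above, sketched as an added example that is not part of the original thread and is not Armagetron's own code. SHA-256 stands in for the fast hash and PBKDF2 for the "more expensive" one; the function names, iteration count and sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # assumed work factor; tune until one hash costs about 1 ms


def fast_stored_hash(password: str, salt: bytes) -> bytes:
    """One cheap salted hash, the kind a brute-force search gets through quickly."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_stored_hash(password: str, salt: bytes) -> bytes:
    """Same role, but deliberately expensive (PBKDF2 as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def client_response(stored_hash: bytes, nonce: bytes) -> bytes:
    """Nonced hash of the stored hash: the only value the game server relays."""
    return hashlib.sha256(nonce + stored_hash).digest()


def authority_accepts(stored_hash: bytes, nonce: bytes, response: bytes) -> bool:
    """The authority recomputes the response for the nonce it issued."""
    return hmac.compare_digest(client_response(stored_hash, nonce), response)


def seconds_per_hash(stored_hash_fn, rounds: int = 20) -> float:
    """Average cost of one password-to-hash computation, i.e. of one guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        stored_hash_fn(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def demo() -> dict:
    salt, nonce, fresh_nonce = os.urandom(16), os.urandom(16), os.urandom(16)
    stored = slow_stored_hash("constructed-sample-password", salt)
    response = client_response(stored, nonce)  # what a server owner can log
    return {
        "login_ok": authority_accepts(stored, nonce, response),
        "replay_ok": authority_accepts(stored, fresh_nonce, response),
        "password_in_response": b"constructed-sample-password" in response,
        "slowdown": seconds_per_hash(slow_stored_hash) / seconds_per_hash(fast_stored_hash),
    }


if __name__ == "__main__":
    print(demo())
```

The `slowdown` figure is the factor by which every single guess gets more expensive, while a legitimate login pays that cost once. None of this applies when the password is typed into chat as `/login GID password`, because the server then receives the text itself.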