Possible (though very unlikely) security leak

[jeshikat]

A short while ago, Cloudflare - a popular CDN - reported a possible memory leak on some sites that utilize their service. Because we use Cloudflare for SFF Forum, we are affected by this leak as well.

For those that are unaware, a CDN (or Content Delivery Network) is a service whereby certain web content is distributed to servers all over the world, in order to improve loading times for users, and reduce the load on the host server.

From the information they have disclosed, it is very unlikely to have caused an issue on SFF Forum's part, but as a precaution we are informing the community, and we recommend changing passwords if you are concerned about the potential security leak.

If you use the same password here as on other important sites (email, banking, Facebook, etc.) then it would be a good idea to change them as well. Though I'd like to take this opportunity to remind everyone that password reuse is very bad practice from a security standpoint, and strong, unique passwords for each site you use is highly recommended for this exact reason.

BTW, the forum also supports two-factor authentication for an extra level of account protection.

 

[HeroXLazer]

A short while ago, Cloudflare - a popular CDN - reported a possible memory leak on some sites that utilize their service. Because we use Cloudflare for SFF Forum, we are affected by this leak as well.

For those that are unaware, a CDN (or Content Delivery Network) is a service whereby certain web content is distributed to servers all over the world, in order to improve loading times for users, and reduce the load on the host server.

From the information they have disclosed, it is very unlikely to have caused an issue on SFF Forum's part, but as a precaution we are informing the community, and we recommend changing passwords if you are concerned about the potential security leak.

If you use the same password here as on other important sites (email, banking, Facebook, etc.) then it would be a good idea to change them as well. Though I'd like to take this opportunity to remind everyone that password reuse is very bad practice from a security standpoint, and strong, unique passwords for each site you use is highly recommended for this exact reason.

BTW, the forum also supports two-factor authentication for an extra level of account protection.

Okay, thanks for telling us.

 

[robbee]

I advice (urge, really) everyone to use a proper password manager that generates random passwords that are unique to each site. With the amount of hacks and leaks, it's pretty much guaranteed that they'll find your data sooner or later. There's too many sites still using weak algorithms to hash passwords. Having unique passwords is one of the best safeties to have if they find your password on another site.

 

[SumGhai]

I advice (urge, really) everyone to use a proper password manager that generates random passwords that are unique to each site. With the amount of hacks and leaks, it's pretty much guaranteed that they'll find your data sooner or later. There's too many sites still using weak algorithms to hash passwords. Having unique passwords is one of the best safeties to have if they find your password on another site.

Are there any specific password managers you would recommend?

 

[Phuncz]

I personally have used 1PassWord, LastPass and KeePass, I've had positive experiences with all of these. Use long, unique passwords per site/forum/app and use a very strong password to unlock access to it, with atleast Two Factor Authentication.
https://en.wikipedia.org/wiki/List_of_password_managers

I'm happy SFF.network comes forward with this so fast and clear, not everyone is jumping on this as swiftly. Luckily, it's a very off chance that something leaked (one in 3.300.000 HTTP requests apparently) but it shouldn't be much trouble with a password manager anyway.

 

[vluft]

I personally have used 1PassWord, LastPass and KeePass, I've had positive experiences with all of these. Use long, unique passwords per site/forum/app and use a very strong password to unlock access to it, with atleast Two Factor Authentication.
https://en.wikipedia.org/wiki/List_of_password_managers

I'm happy SFF.network comes forward with this so fast and clear, not everyone is jumping on this as swiftly. Luckily, it's a very off chance that something leaked (one in 3.300.000 HTTP requests apparently) but it shouldn't be much trouble with a password manager anyway.

I hang out a bit in infosec circles and the strongest recommendation from a security standpoint that I see most frequently is to use 1Password's offline mode (not the cloud service, though that's no worse than any of the other big PW people's cloud service) synced over dropbox or what have you. Has Mac, Windows, iOS & Android clients, as well as browser extensions &c. Don't know how it is on Android but on iOS it's pretty integrated into browser with extension so really easy to sign on with it. The crypto is fine and the data storage format is also sane & well documented and easy to extract if you want to or you can even export your passwords in the app.

In general, just randomly generate as long a password as the site will support and store in PW manager, though if you need to type it in by hand, consider a diceware password, i.e. 4-6 random words (examples from my pw generator: "bunker shall comb prayer assassination routed", "wilder point bas promptly sculptures exporters"). Plenty of entropy, enough to be very to secure, but easy to remember and type accurately.

 

[cmyk78]

Relevant XKCD

https://xkcd.com/936/

 

[vluft]

Yeah. I always get annoyed at developers who do dumb restrictions on password fields. Really doesn't help much to make everyone have their PW be Password1! instead of password. The correct thing to do is just require minimum length of 8 or so and otherwise don't care about input, then use a secure password hash. (In current order of preference, based on what's available to you, Argon2, scrypt, bcrypt, PBKDF2 – but really all of those are fine.)

 

[PlayfulPhoenix]

I hang out a bit in infosec circles and the strongest recommendation from a security standpoint that I see most frequently is to use 1Password's offline mode (not the cloud service, though that's no worse than any of the other big PW people's cloud service) synced over dropbox or what have you.

This is exactly what I use, because:

• The password container is encrypted by 1Password.
• The password container is transacted over Dropbox Sync (which is encrypted).
• The password container is never stored anywhere except my devices (which are encrypted).
• Neither 1Password nor Dropbox ever have any way to inspect my passwords (beyond just seeing encrypted gibberish that they have no way to unencrypt).

LastPass has had multiple instances of breaches (none disclosing unencrypted passwords thankfully), as well as hacks of their browser extension, and at the end of the day they have your (encrypted) passwords on their servers. This makes them a big target for attacks since they have those passwords for so many people.

Comparatively, 1Password's localized solution has never been publicly defeated (desktop client, mobile client, mobile integration or browser extension), and they don't have any of your passwords at any time if you don't use their bespoke cloud offering. I would have to be attacked specifically for my password store to be exposed.

Consequently, if someone wants to hack (for example) my online bank account, they'd need to do the following:

1. Hack one of my personal devices, breaking its encryption -or- break Dropbox's encryption for data either in storage or in flight
2. Break 1Password's encryption of the password container
3. Answer the security questions that I don't have stored anywhere
4. Do it quickly and ensure that I don't notice

For all my accounts with 2FA (which includes everything that offers it), they'd also have to break either Google Authenticator or access my SMS number.

Yeah, good luck with that.

 

[Kwirek]

Yeah, at that point it is probably easier to call your bank and impersonate you to get access that way.
I personally use lastpass+yubikey and additional 2fa on sites that allow it, except for certain things like my important e-mails (2fa) and bank account (2fa). But being no expert on the subject don't sue me if you do the same.

 

[nox]

The correct thing to do is just require minimum length of 8 or so and otherwise don't care about input, then use a secure password hash. (In current order of preference, based on what's available to you, Argon2, scrypt, bcrypt, PBKDF2 – but really all of those are fine.)

over 14 characters, otherwise it has the potential to be stored as lmhash which is relatively weak. it's becoming more and more common for the host servers to be breached these days, and we as end users have no way of knowing how they set up password storage we don't know if the databases are encrypted, if they have a terrible salt or anything really. Could even be running on Windows NT for all we know :/

then we find out, when it's too late... very good advice to keep different passwords for different sites too. especially for anything finance related.

wasn't aware this site supported 2fa - good show

 

[vluft]

over 14 characters, otherwise it has the potential to be stored as lmhash which is relatively weak.

Well, as a user you should use a unique randomly generated password as long as you can for each site, I was just talking from a developer standpoint where you can actually choose a strong password hash to store things, and what requirements you should impose on your users.

 

[nox]

true, from a dev perspective you can ensure where and how it's stored. From a user perspective we have no idea - for all we know it could be uploaded to dropbox in plain text

it's horrible the internet has come to this

The governments password guidance policy can be found here:

https://www.gov.uk/government/uploa...word_guidance_-_simplifying_your_approach.pdf

I think it's teaching many people here how to suck eggs as it were, but does actually have sensible suggestions for others. Like ignoring the password strength meters, password management software, changing defaults etc.

 

[jeshikat]

FWIW, XenForo by default uses bcrypt.