Author Topic: [WARNING] Some NxtForum accounts were compromised - change your passwords!  (Read 5811 times)

VanBreuk

  • Administrator
  • Hero Member
  • *****
  • Karma: +362/-19
  • Offline Offline
  • Posts: 2772
    • View Profile

Hello all,

this is a call for everyone in the forums to update their NxtForum account password to a strong one, most particularly if your current password is a short string - less than 16 characters, and not including a variety of character types like mixed-case letters, numbers and symbols.

Recently it came to our attention that someone was able to gain access to one of the NxtForum staff accounts (and please do not ask whose account, since we do not have that information) due to a weak password. This person was able to access the control panel and sniff the database for user credentials, including the hashed version of the passwords stored in the forum database. This leak means that any weak passwords are now especially vulnerable to brute force attacks.

We have identified today two compromised user forum accounts, and although we have no sure way to tell if they are an isolated incident, it makes sense to connect them to the leak of password hashes. The forum admin access passwords, even those with already high entropy, were changed as soon as we found out about the leak, and the two compromised accounts have been locked and their owners informed.

So now, it is VERY IMPORTANT that you make sure your forum account password is strong. This means 16 random characters at least; more won't hurt. In case of doubt, change it. Tools like KeePass allow you to easily generate strong passwords and store them in a password database, which you can also encrypt if you want. And please remember that using the same password for different sites or services besides the forum is a bad security policy.

Thank you for your attention and our apologies for the inconvenience,

The NxtForum Staff
« Last Edit: July 05, 2016, 03:51:44 pm by Damelon »
Logged
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1

VanBreuk

  • Administrator
  • Hero Member
  • *****
  • Karma: +362/-19
  • Offline Offline
  • Posts: 2772
    • View Profile

A bit more elaboration for whoever wants to understand the details.

Although user passwords are stored in the forum database hashed and not in plain text, the current release of the Simple Machines Forum software uses a salted SHA1 algorithm to hash the passwords, which cannot be considered strong enough to protect weak passwords from brute force attempts. SHA1 requires relatively little computational power, and if one has the corresponding hash, obtaining the source password is certainly feasible when the password string is vulnerable to rainbow tables/dictionary attacks, and can be achieved in a relatively short processing time, particularly using GPUs.

As far as Nxtforum is concerned, and since this move has been pending for some time now, we'll be working to move to a fresh server soon, and we are looking into options to have the most secure forum environment available.

Simple Machines Forum has had its 2.1 release pending for some time now. This 2.1 release, among other things, changes the password encryption from SHA1 to bcrypt, which is good enough for current standards. But since SMF 2.1 is not tagged as "production ready" yet, we are contemplating other forum software alternatives for the upcoming Nxt/Ardor community. This will also keep in mind two-factor authentication as an optional feature.

In any case, and as the bottom line, using strong, unique and safely stored passwords is essential and everyone's responsibility. If that fails, there's little that the software can do security wise. Additional steps to strengthen forum account security can be found here.
Logged
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1

yassin54

  • Hero Member
  • *****
  • Karma: +240/-14
  • Offline Offline
  • Posts: 2498
  • I am Homer, Sorry my english is Bad!!
    • View Profile

Thanks, I have changed my password!!  ;D

Tosch110

  • Ex-Staff Member
  • Hero Member
  • *****
  • Karma: +211/-18
  • Offline Offline
  • Posts: 2365
    • View Profile

Me too, just changed password again :)

beor

  • Jr. Member
  • **
  • Karma: +17/-2
  • Offline Offline
  • Posts: 73
    • View Profile

Done :/
Logged

CryptKeeper

  • Hero Member
  • *****
  • Karma: +78/-5
  • Offline Offline
  • Posts: 1235
    • View Profile

Thanks, done.
Logged
Follow me on twitter for the latest news on bitcoin and altcoins!
Vanity Accounts Sale :-)

Damelon

  • Administrator
  • Hero Member
  • *****
  • Karma: +792/-54
  • Offline Offline
  • Posts: 2314
    • View Profile
    • Nxt Inside

I've announced this message to all forum members.
It's important enough that we want everyone to know.

Thanks for being diligent :)

Logged
Member of the Nxt Foundation | Donations: NXT-D6K7-MLY6-98FM-FLL5T
Join Nxt Slack! https://nxtchat.herokuapp.com/
Founder of Blockchain Workspace | Personal Site & Blog

farl4bit

  • Global Moderator
  • Hero Member
  • *****
  • Karma: +210/-45
  • Offline Offline
  • Posts: 3459
    • View Profile
    • Blockchain Twitter

Password changed
Logged

NxtSwe

  • Hero Member
  • *****
  • Karma: +124/-9
  • Offline Offline
  • Posts: 657
    • View Profile

> I've announced this message to all forum members.
> It's important enough that we want everyone to know.
>
> Thanks for being diligent :)

Just curious, in what way was this announced?
I have not received any email (checked junk folder) nor any message here on the forum.
Logged
Check out the NxtLib, the .NET Framework API for the Nxt platform.

HCLivess

  • Hero Member
  • *****
  • Karma: +121/-47
  • Offline Offline
  • Posts: 521
  • Hardcore Gaming CEO
    • View Profile

Thanks, my new password is something like this

»å`0æÌíÔÚTdBíf¨ULä>yaCVÞ´7£U$ú«Pá-d°nýx5Qþ°0íúÙ|b;²YgY³BΣ³×Òõ¾.
Logged
Producing, Lending, Mining, Trading, Forging, Staking

Damelon

  • Administrator
  • Hero Member
  • *****
  • Karma: +792/-54
  • Offline Offline
  • Posts: 2314
    • View Profile
    • Nxt Inside

> > I've announced this message to all forum members.
> > It's important enough that we want everyone to know.
> >
> > Thanks for being diligent :)
>
> Just curious, in what way was this announced?
> I have not received any email (checked junk folder) nor any message here on the forum.

I sent out a message via the forum software and you should have received an email on your registered email.
That may not be active for you of course or it may have ended up in spam.
Logged
Member of the Nxt Foundation | Donations: NXT-D6K7-MLY6-98FM-FLL5T
Join Nxt Slack! https://nxtchat.herokuapp.com/
Founder of Blockchain Workspace | Personal Site & Blog

thezman007

  • Newbie
  • *
  • Karma: +0/-0
  • Offline Offline
  • Posts: 10
  • Watchwords=Open source. Decentralized. Encrypted.
    • View Profile

Hey guys. THANKS for the heads up, but I have a problem. While updating my password I screwed up and updated my password in my password manager when it didn't go through on the NXT forum... So now I have no idea what my password *is*, therefore I can't change it. Luckily I am still logged in. Should I log out and try the old "Forgot password" link? I would respond via email, but that's a no reply address. Thanks everyone :)

VanBreuk

  • Administrator
  • Hero Member
  • *****
  • Karma: +362/-19
  • Offline Offline
  • Posts: 2772
    • View Profile

> Hey guys. THANKS for the heads up, but I have a problem. While updating my password I screwed up and updated my password in my password manager when it didn't go through on the NXT forum... So now I have no idea what my password *is*, therefore I can't change it. Luckily I am still logged in. Should I log out and try the old "Forgot password" link? I would respond via email, but that's a no reply address. Thanks everyone :)

No worries, I will reset your password manually and send a new one to your email address, then you can change it to one you like.
Logged
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1

thezman007

  • Newbie
  • *
  • Karma: +0/-0
  • Offline Offline
  • Posts: 10
  • Watchwords=Open source. Decentralized. Encrypted.
    • View Profile

> > Hey guys. THANKS for the heads up, but I have a problem. While updating my password I screwed up and updated my password in my password manager when it didn't go through on the NXT forum... So now I have no idea what my password *is*, therefore I can't change it. Luckily I am still logged in. Should I log out and try the old "Forgot password" link? I would respond via email, but that's a no reply address. Thanks everyone :)
>
> No worries, I will reset your password manually and send a new one to your email address, then you can change it to one you like.

Thanks a million!

Nextshares

  • Full Member
  • ***
  • Karma: +6/-1
  • Offline Offline
  • Posts: 152
    • View Profile

Thanks for informing us; it would be helpful to add a help contact email somewhere, in case one can't log in to ask for help.
« Last Edit: July 06, 2016, 09:10:30 am by Nextshares »
Logged

Rolo

  • Newbie
  • *
  • Karma: +0/-0
  • Offline Offline
  • Posts: 2
    • View Profile

Lovely.
Logged

NxtSwe

  • Hero Member
  • *****
  • Karma: +124/-9
  • Offline Offline
  • Posts: 657
    • View Profile

> > > I've announced this message to all forum members.
> > > It's important enough that we want everyone to know.
> > >
> > > Thanks for being diligent :)
> >
> > Just curious, in what way was this announced?
> > I have not received any email (checked junk folder) nor any message here on the forum.
>
> I sent out a message via the forum software and you should have received an email on your registered email.
> That may not be active for you of course or it may have ended up in spam.

Ah, I had that disabled for some reason, thanks.
Logged
Check out the NxtLib, the .NET Framework API for the Nxt platform.