Subeta security risk

For discussion of the Subeta pet site, including new colours and other features.
Fjorab_Teke
Posts: 1716
Joined: 28 Jan 2006 10:38 am
Human Avatar: 271433
Location: Tennessee or Georgia, take your pick

Re: Subeta security risk

Post by Fjorab_Teke »

Wow, yuck! *makes a bunch of changes, like PW and shop name* I'm still on semi-hiatus from Subeta anyway.
Officer 1BDI
Posts: 1641
Joined: 16 Jan 2007 10:14 pm
Gender: Female
Human Avatar: 150891

Re: Subeta security risk

Post by Officer 1BDI »

lavender wrote: If your shop name has an ' in it, change it so people can GET the items they're trying to buy from you ;)
Thanks for the notice; I just changed it. Luckily my shop was already pretty empty so I don't think anyone lost sP on my account.
Kamil
Not the nice one
Posts: 1788
Joined: 08 Jan 2006 02:47 am
Gender: Female
Human Avatar: 72834
Location: the comfy chair

Re: Subeta security risk

Post by Kamil »

I've always wondered about something. So now seems a good time to ask.

If you never type in a password, and never have the site save it, are you safe from grabbers and key-loggers?

I keep all of my passwords - well, somewhere I don't think anyone poking around would think to look for them - and when I change them, I drag and drop the old ones (combos of upper and lower case letters, numbers, and special characters) around until I have a new string of gibberish.

When I log in to my accounts I then copy and paste the password.

Mind, I scurried around last night (thanks, Seerow) and changed everything again, and while I may not do that every month, I probably do it every two or so.

But I still don't know if going to all that extra work does me any good or not. >.>
MM and Twofold rock, yo.
TCStarwind
Posts: 1119
Joined: 26 Jul 2008 09:56 am
Gender: Female
Human Avatar: 99635
Location: USA

Re: Subeta security risk

Post by TCStarwind »

Thanks for the heads up on the ' shop thing. I took it out of mine's name just in case (I don't have anything in my shop priced, so no one can buy anything anyway).

I finally have a reason to change my passwords for everything, and I've changed most of them now. I never saw the jellyneo news post that started this, but I'm going to change those passwords, too. Except I can't because of something funky with neo's lookup coding not allowing the word "display" to be used. Which means I have to clear my super awesome lookup, and I don't want to do that.

I don't know anything about coding. Do you guys know any way to get around that?
Cranberry
Posts: 1871
Joined: 30 Jan 2006 10:04 am
Gender: Female
Human Avatar: 183848
Location: Canada

Re: Subeta security risk

Post by Cranberry »

I've always wondered... why are we supposed to change our passwords for everything once a month? It seems that unless you have someone actively trying to crack your password (which is difficult on most sites, since they allow only a few tries per day), you should be safe with the really secure one that's been working for you all along. And changing your password once a month won't protect you from a cookie grabber halfway through the month, or from someone hacking a site and getting everyone's passwords, anyway. There's probably something I'm missing, though.
Wingsrising
Posts: 2682
Joined: 18 Jan 2006 09:31 pm
Gender: Female
Human Avatar: 157670
Location: Iowa, USA, trying to stay warm

Re: Subeta security risk

Post by Wingsrising »

The idea is to change your passwords so often you can't remember them. Then in order to get into anything, you have to write the passwords down on a Post-It note stuck to your computer monitor, thus making it really easy for anyone who wanders by to break in.

Hee, your guess is as good as mine! I don't know why you're supposed to change your password so often. I just know that I don't do it and presumably neither does anyone else. :-)

I do understand why you're not supposed to re-use passwords, but given how many passwords everyone has these days, I don't understand how you're supposed to remember them all.
Cranberry
Posts: 1871
Joined: 30 Jan 2006 10:04 am
Gender: Female
Human Avatar: 183848
Location: Canada

Re: Subeta security risk

Post by Cranberry »

...And I would bet a lot of money that when people are forced to change their passwords every month (like at work or whatever), they just add a number or letter to the end of their old one so they can remember it more easily... making it no more secure at all. Or they start using easy-to-crack ones like birthdays or pets' names because those are easy to remember.

I don't re-use any passwords. That means I have approximately 100 passwords (and no, I'm not exaggerating). It would take me all month just to change them, and then I'd have to do it all over again. :P

P.S. I Googled the topic hoping to find more info, but all of these sites just say we should change our passwords once a month "for security." Someone explain how this helps with security! I need to know! ;)
AngharadTy
Zombie Queen
Posts: 5251
Joined: 08 Jan 2006 05:20 am
Gender: Female
Human Avatar: 89833
Location: Tyland

Re: Subeta security risk

Post by AngharadTy »

Kamil wrote: If you never type in a password, and never have the site save it, are you safe from grabbers and key-loggers?
Short answer: Yes, usually. Long answer: No, not really. Cookie grabbers grab the session, not your saved password (which is done in your browser; the site *has* to save your password, or else you'd never get in! but they ought to scramble the password so it's impossible/harder to read). And if you have a keylogger, some of the more advanced ones will save what text you've copied, so there goes that. But I don't believe that's common, so copy/pasting from a text document is still safer than typing it every time. It is, however, no guarantee. Especially if you edit that text document with your new password every month, because it'd grab those keystrokes, heh. I suppose you could use the Character Map to painstakingly create the password once a month, which would be the most annoying, secure way to save passwords, but it's still not 100% (because of the keyloggers that copy your clipboard).

Here is a good, fairly secure alternative to, say, Post-it notes, or even a text document on your computer. You might think it's not obvious to find, but how can you be certain? If it's a text document, it's easy to search for, say, all text documents edited within the last month, and then it's a simple matter to open each, one by one. Something more secure than that would be to edit your .txt file to .jpg, and then change it back to .txt when you want to retrieve a password. Hell, if you really want to be secure, there are biometric readers available to purchase. Technology is delicious.

Regarding the once-a-month thing, I'm not sure there's any one reason why it's a good practice. Mostly, anything that changes often is going to be more secure. For a biological example, think of viruses--the reason HIV is so difficult to eradicate is because it changes very quickly, making any vaccine (not to mention our antibodies) useless against it.

Another reason is that sometimes, a large network (e.g., your ISP) gets hacked, hundreds of thousands of passwords get stolen, and very few companies are going to tell 100,000+ members to change their password (if they even know it's happened). Hacks happen--it is certainly a mark of shame, but security and hacking techniques evolve side by side, like (once again, biological example) giraffes and acacias, which have evolved numerous techniques over time to eat/not be eaten. Acacias get taller, giraffes get taller. Acacias get thorns, giraffes get long tongues to avoid thorns. And so on. Many (if not most?) passwords that get stolen actually don't even get used by the thief. Sometimes it's hard to tell whose password is which. Sometimes Joe Shmoe isn't worth the effort (why rob $100 from a poor person's account when you can take thousands from someone else's). If you're changing your password often, the odds that yours has been secretly stolen are much lower.
Jessi
Posts: 3412
Joined: 09 Mar 2006 06:29 pm
Human Avatar: 155904
Location: Seattle, Washington

Re: Subeta security risk

Post by Jessi »

I'm one of those people that has all my passwords on a post-it note on my desk :P (actually, it's an index card). I put it away if anyone besides Lindsey is going to be here and I know she's not going to hack into my Neopets account, or my RO account, or anything like that xD Otherwise I can't remember my passwords for a hill of beans.

I don't change my passwords once a month, admittedly, especially for things like Neopets or RO or Gmail, but a lot of websites, like my bank - and even the portal we need to log in at work - make me change my password every 6-8 weeks or so.
mellaka
Posts: 1055
Joined: 11 Jun 2007 03:33 pm
Gender: Female
Human Avatar: 48736
Location: philly, usa

Re: Subeta security risk

Post by mellaka »

I've started to wonder if cookie grabbers could exist on other parts of Subeta - much like we're afraid of them in Neo shops/user lookups now and then. I mean if a big company like Neo can't prevent them, how likely is it that Subeta can. It's making me not want to do quests, which is the main thing I do on Subeta anymore, besides training. =/

And I have a handy password saving program that I need a password to get into. I guess it's no help against keyloggers but it feels more safe to me than having my pw written down on paper. Plus, my Neo pw is like 20 characters, upper/lowercase, symbols and numbers, and it would probably take me 5 tries just to type it in right. The program also generates random passwords for me, which is a great feature, except that I have to keep trying until it has only the symbols that Neo accepts.

And I change my Neo password at least every few days. I'm constantly stocking from user shops to fill my mall shop, so I'm just obsessive about it. My other ones, not so much, which is kind of dumb now that I type it out.

And do things like NoScript for Firefox really work to prevent cookie grabbing? It seems too good to be true.
Iggy
Posts: 1627
Joined: 15 May 2006 01:53 pm
Gender: Female

Re: Subeta security risk

Post by Iggy »

All the reports I had from people being cookie grabbed were people that went to the link. Nowhere else.
Seerow
Posts: 2793
Joined: 19 Jan 2006 08:47 pm
Gender: Female
Human Avatar: 155383
Location: Mystery Island

Re: Subeta security risk

Post by Seerow »

I'm rather annoyed that nothing has been said/done yet about the shop glitch. This is a rather severe glitch that a lot of people could easily exploit or get screwed with. Sticking a legendary in your apostrophed shop for cheap, tons of people not knowing about the glitch will try to buy it. You'll get the money and the would-be ecstatic buyer gets screwed.

The lack of news is in no way surprising, but it still makes me angry. And I can potentially see a rollback happening.

Edit: Now that I think about it: Do the shop owners get the sp or does it just vanish? Either way, it screws people over and needs to be announced in the news or shops taken down/shop names changed until it can be fixed.
Wanna donate towards my drink gallery, the Golden Goblet.
Usul_Princess
Posts: 1191
Joined: 03 Mar 2006 12:19 am
Gender: Female
Location: Mars

Re: Subeta security risk

Post by Usul_Princess »

Iggy, I think mellaka means that it might be possible that this could happen again in a less obvious part or section of Subeta, such as quests and whatnot. At least that's what I got out of it.

There's no way to be prepared as people are saying with password reset. Cranberry had a really good point about how a new password is not going to necessarily protect you from a CG'er within that month. Seerow posted this "security risk" thread almost 24 hours before the one that happened yesterday, suggesting us to be careful just 2 days ago. So, theoretically a person could have changed their password 2 times in 2 days.

If the site is having so many problems with security, I echo the idea of that 5X/day attempt, to stop maybe a few people from specifically getting into your account.

I don't know much about how it works, but why is Subeta having more problems with security as opposed to any other site with password protection? This seems to be a bigger problem that the users themselves can't control for the most part.

Thank you TCStarwind for the lovely signature! ^_^

FC bets: http://www.neopets.com/~DazedBoy
mellaka
Posts: 1055
Joined: 11 Jun 2007 03:33 pm
Gender: Female
Human Avatar: 48736
Location: philly, usa

Re: Subeta security risk

Post by mellaka »

Sorry to be unclear. I was just hoping that CGs aren't possible on user-editable parts of the site such as shops and profiles. I already worry about that on Neo and don't like the idea of having to worry about that on Subeta too. I should just learn to keep quiet most of the time =P
Fjorab_Teke
Posts: 1716
Joined: 28 Jan 2006 10:38 am
Human Avatar: 271433
Location: Tennessee or Georgia, take your pick

Re: Subeta security risk

Post by Fjorab_Teke »

Ugh, yeah, there are all sorts of ways to break and enter into stuff. I really wish that a) there were better ways to keep nasties from doing stuff and b) they wouldn't have to worry about that in the first place. Greedy people suck.

My various passwords are written on index cards, in pencil, so I can erase and rewrite without much stress on the paper. And they're easy to sort and keep in a tidy little container that doesn't look like anything important.