HWZ Forums


[IMPORTANT] HWZ Account Security Advisory

Old 26-02-2018, 05:37 AM   #31
Junior Member
As much as HWZ should be improving its security practices to prevent future breaches, the immediate focus should be to fully inform members on what exactly has been compromised, so we can all take prudent steps to make sure our other information or online accounts elsewhere are not hacked.

I find it unbelievable that the moderators haven't been fully transparent on this front. We deserve to be told whether our passwords were accessed/stolen in this incident.
shakeandbake
Old 27-02-2018, 05:15 PM   #32
Administrator
Yes, we can assure you that we're discussing with all relevant parties, just as indicated in our press release.

Thank you.

Quote:
I will be worried about internal covering up. Hope there are independent parties involved in the investigation, like PDPA and SPF.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
Dr.Vijay
Old 27-02-2018, 05:30 PM   #33
Administrator
Dear all,

Among the ongoing internal discussions to beef up security measures, here are two items that we've recently rolled out:-

  1. Password complexity rules (you'll see these details upon updating your password)
  2. Captcha implemented during login process (kindly enable JS if you don't see it, else you won't be able to login to the forum)

There will be more ongoing updates and we'll update here as soon as we've implemented them, as well as when there are more findings to update.

Thank you for your kind patience.
Dr.Vijay
Old 27-02-2018, 06:31 PM   #34
Supremacy Member
Originally Posted by Dr.Vijay:
Dear all,

Among the ongoing internal discussions to beef up security measures, here are two items that we've recently rolled out:-

  1. Password complexity rules (you'll see these details upon updating your password)
  2. Captcha implemented during login process (kindly enable JS if you don't see it, else you won't be able to login to the forum)

There will be more ongoing updates and we'll update here as soon as we've implemented them, as well as when there are more findings to update.

Thank you for your kind patience.
Thank you for the update, was shocked seeing the captcha while logging in just now.

Password complexity rules, can share here? Just updated my password last week, so no chance to see.
smith2006
Old 27-02-2018, 06:45 PM   #35
Administrator
Sure.
It's currently checking to ensure you have at least 8 characters, with at least 1 upper case character and 1 numeric character.


Originally Posted by smith2006:
Thank you for the update, was shocked seeing the captcha while logging in just now.

Password complexity rules, can share here? Just updated my password last week, so no chance to see.
Dr.Vijay
Old 27-02-2018, 07:52 PM   #36
Supremacy Member
Originally Posted by Dr.Vijay:
Sure.
It's currently checking to ensure you have at least 8 characters, with at least 1 upper case character and 1 numeric character.
Thank you, mine should be very safe

smith2006
Old 27-02-2018, 07:55 PM   #37
Great Supremacy Member
Originally Posted by Dr.Vijay:
Sure.
It's currently checking to ensure you have at least 8 characters, with at least 1 upper case character and 1 numeric character.

This complexity rule is already outdated.
Why implement something that is outdated?
BlackCube
Old 27-02-2018, 08:50 PM   #38
High Supremacy Member
Captcha is good, prevents bots also
amazingone
Old 27-02-2018, 08:57 PM   #39
Supremacy Member
Originally Posted by Dr.Vijay:
Sure.
It's currently checking to ensure you have at least 8 characters, with at least 1 upper case character and 1 numeric character.
Heng ah, my new password is:

Passw0rd


I bet it satisfies the new requirement
heng_ah
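As an added example, not code from the thread or from HWZ: the rule Dr.Vijay describes, coded exactly as stated, next to a denylist check of the kind NIST SP 800-63B recommends instead. The denylist is a small constructed sample and the normalisation step is my own assumption; it shows why BlackCube and heng_ah object, since "Passw0rd" passes the complexity rule but is caught by the denylist.

```python
import re

def meets_hwz_complexity(password: str) -> bool:
    """The rule stated in the thread: >= 8 chars, >= 1 upper case, >= 1 digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

# Constructed sample of passwords that appear in public breach corpora, stored
# in normalised form. A real deployment would check a full breach list.
COMMON_PASSWORDS = {
    "password", "qwerty", "welcome", "letmein", "iloveyou",
    "hardwarezone", "12345678",
}

# Assumed normalisation: lower-case and undo the usual leet substitutions so
# that Passw0rd, PASSW0RD and P@ssw0rd all map to the same denylist entry.
_LEET = str.maketrans({"0": "o", "@": "a", "$": "s"})

def normalise(password: str) -> str:
    return password.lower().translate(_LEET)

def is_blocked(password: str) -> bool:
    """True if the password, or its stem without trailing digits, is on the denylist."""
    base = normalise(password)
    stem = re.sub(r"\d+$", "", base) or base  # "welcome1" -> "welcome"
    return base in COMMON_PASSWORDS or stem in COMMON_PASSWORDS

def evaluate(password: str) -> dict:
    """Compare what the complexity rule accepts with what a denylist rejects."""
    return {
        "meets_hwz_rule": meets_hwz_complexity(password),
        "blocked_by_denylist": is_blocked(password),
    }

if __name__ == "__main__":
    for candidate in ("Passw0rd", "Welcome1", "correct horse battery staple", "Xq7!mvTrzL2p"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```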
Old 28-02-2018, 06:53 AM   #40
Greater Supremacy Member
Originally Posted by Dr.Vijay:
Dear all,

Among the ongoing internal discussions to beef up security measures, here are two items that we've recently rolled out:-

  1. Password complexity rules (you'll see these details upon updating your password)
  2. Captcha implemented during login process (kindly disable JS if you don't see it, else you won't be able to login to the forum)

There will be more ongoing updates and we'll update here as soon as we've implemented them, as well as when there are more findings to update.

Thank you for your kind patience.
Disable or Enable?

I don't see the recaptcha, but can still login ..


lemondrink
Old 28-02-2018, 07:05 AM   #41
High Supremacy Member
Originally Posted by smith2006:
Thank you, mine should be very safe

A long complex password is useless if it is stored on the server as plain text or with easy-to-crack encryption. That seems to be the case, as the hacker could access the accounts of 600k users and used the email address/password combos to phish social media and cloud storage accounts in less than 3 months.
jeff79
Old 28-02-2018, 08:43 AM   #42
Supremacy Member
Originally Posted by jeff79:
A long complex password is useless if it is stored on the server as plain text or with easy-to-crack encryption. That seems to be the case, as the hacker could access the accounts of 600k users and used the email address/password combos to phish social media and cloud storage accounts in less than 3 months.
Precisely

I always take measures to mitigate the risks, whatever in this forum will stay in this forum.

Strong password - Check
Email address only meant for this forum - Check
Different strong password for different forums/sites - Check

smith2006
Old 28-02-2018, 09:54 AM   #43
Arch-Supremacy Member
Captcha or its derivatives are fine for bots and other brute force intrusion. But against sophisticated programs or even another human, we need something better (not something cheaper).

Surprised no one mentioned optional 2FA with address location and login duration limits. That way users can control not only where but how long their logins are allowed, e.g. in the event that they are working on public terminals, they can allow access for just that login session only, etc.

And HWZ admins, please have some process or workflow to announce security announcements via member PMs. I found out about the breach via CNA instead of from HWZ itself (they kept it in some announce sub-forum which I rarely visit). Yet I always get advertisement PM spam easily. Kinda ironic.
Pyre
Old 28-02-2018, 11:33 AM   #44
Administrator
Sorry about that - I meant to say Enable.
I've edited the posts above.


Originally Posted by lemondrink:
Disable or Enable?

I don't see the recaptcha, but can still login ..

Dr.Vijay
Old 28-02-2018, 01:31 PM   #45
Moderator
Good work on upgrading the user password requirements. This will hinder hackers trying to guess users' passwords based on social engineering. However, have any server side improvements been made? For example, just off the top of my head:
1. Storing user passwords on the server securely, e.g. PBKDF2/bcrypt? Or, minimally, a salted hash (SHA-2 or stronger). This will greatly slow down attackers who have successfully gained access to the server passwords in trying to brute force/build rainbow tables to obtain user passwords in the clear.
2. Sending the user an email whenever his/her account is accessed (either successfully or unsuccessfully) from an unknown machine. Google does this. Facebook does this. It ensures that even if an attacker has access to the user's credentials, the user will be notified of such illegitimate access, and hopefully will be prompted to change his/her password.

I would stop short of enforcing 2FA (from, say, Google Authenticator or any other OATH compliant token) since I think this is kinda overkill and inconvenient for an Internet forum, but I know some forums do this.
galapogos
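As an added example, not code from HWZ or from galapogos's post: the salted, slow password storage asked about in point 1, done with PBKDF2-HMAC-SHA256 from Python's standard library, beside the unsalted SHA-256 pattern jeff79 warns about. The record format, iteration count and function names are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor (assumed): a per-guess cost that makes offline cracking of a
# stolen table expensive. Tune so one hash costs ~100 ms on the server.
ITERATIONS = 600_000

def unsalted_sha256(password: str) -> str:
    # The weak scheme jeff79 describes: identical passwords give identical
    # digests, so one precomputed (rainbow) table cracks every user at once.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing cannot leak digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(record: str) -> bool:
    # Records made with an older, lower work factor are re-hashed on the
    # user's next successful login, so the table strengthens over time.
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS

if __name__ == "__main__":
    record = hash_password("Passw0rd")
    print(record)
    print("login ok:", verify_password("Passw0rd", record))
    print("two users, same password, unsalted digests equal:",
          unsalted_sha256("Passw0rd") == unsalted_sha256("Passw0rd"))
    print("two users, same password, salted records equal:",
          hash_password("Passw0rd") == hash_password("Passw0rd"))
```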