PUBLIC SERVICE ANNOUNCEMENT: 2FA NOW MANDATORY - YOU DON'T NEED A PHONE NUMBER FFS

Crispy

I feel... young!
Patron
Staff Member
Joined
Feb 16, 2008
Messages
1,877,123
Location
Future Wasteland
Strap Yourselves In


You already did.
 

SharkClub

Prophet
Patron
Joined
May 27, 2010
Messages
1,582
Strap Yourselves In
If only vatniks could be trusted to not break into people's accounts and sabotage the post database by mass deleting everything for teh epic lulz then maybe we wouldn't have to be 2FAcucked.
 

Alex

Arcane
Joined
Jun 14, 2007
Messages
9,180
Location
São Paulo - Brasil
I couldn't log in the codex, on my phone, for 2 weeks, because every code sent to me didn't work until today.

Yay...
You know, I have kind of a crazy idea...

How about we remove this 2fa silliness or whatever it is called and let this long-standing troll go? I mean, even that time we lost our usernames didn't last anywhere this long.
 

Hobknobling

Learned
Joined
Nov 16, 2021
Messages
445
amazing shit with 1.7/5 rating on playmarket
You'd rather rely on the retard ratings of an app than the direct advice of this site's administrator?

Authy is extremely easy to use, 100% free, and, so far, infallible.

Whatever.
Authy just had a massive data leak:

https://www.securityweek.com/twilio...er-hackers-leak-33m-authy-user-phone-numbers/

Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers

Twilio this week confirmed suffering a data breach after hackers leaked 33 million phone numbers associated with the Authy application.

The notorious ShinyHunters hackers announced on the relaunched BreachForums website in late June that they were leaking 33 million random phone numbers associated with Twilio’s two-factor authentication app Authy.

The leaked information also included account IDs and some other non-personal data associated with Authy users.

In a security alert posted on its website, Twilio confirmed the data breach.

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” the company said.

Twilio found no evidence that the hackers gained access to its systems or that they obtained other sensitive data, but as a precaution urged Authy users to install the latest Android and iOS security updates.

“While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” Twilio said.
 

Taluntain

Most Frabjous
Staff Member
Joined
Oct 7, 2003
Messages
5,500
Location
Your Mind
Good thing that we're listing a number of available authenticator apps if anyone doesn't want to use Authy for one reason or another. Obviously every data breach is a fail for Twilio, but in this case random phone numbers were leaked, not any identifiable information. Short of those phone numbers potentially being targeted by phishing attacks as a consequence, that's about it. Most if not all other authenticators don't require saving your phone number with them at the expense of a bit less convenience.
 

Taluntain

Most Frabjous
Staff Member
Joined
Oct 7, 2003
Messages
5,500
Location
Your Mind
It works across the most platforms compared to the rest, which is an advantage for many users. And the breach wasn't critical, which would obviously get it removed from the list.
 

Alex

Arcane
Joined
Jun 14, 2007
Messages
9,180
Location
São Paulo - Brasil
It works across the most platforms compared to the rest, which is an advantage for many users. And the breach wasn't critical, which would obviously get it removed from the list.

Taluntain, an honest question: Is there any point to the 2FA other than stopping people who use passwords stolen from some leak? Because, if that is the point, can't you just run once a week a script that matches the (hashed) passwords with those on the list of stolen ones and see if anyone is using a bad one? Then you could remove access to those who do until they create a new one. Would avoid all this trouble and be almost as safe, I think.
 

Twiglard

Poland Stronk
Patron
Staff Member
Joined
Aug 6, 2014
Messages
7,443
Location
Poland
Strap Yourselves In Codex Year of the Donut
It works across the most platforms compared to the rest, which is an advantage for many users. And the breach wasn't critical, which would obviously get it removed from the list.
Taluntain, an honest question: Is there any point to the 2FA other than stopping people who use passwords stolen from some leak? Because, if that is the point, can't you just run once a week a script that matches the (hashed) passwords with those on the list of stolen ones and see if anyone is using a bad one? Then you could remove access to those who do until they create a new one. Would avoid all this trouble and be almost as safe, I think.
Not when passwords are stored using different hashing algorithms, and possibly salt.
 

Taluntain

Most Frabjous
Staff Member
Joined
Oct 7, 2003
Messages
5,500
Location
Your Mind
Taluntain, an honest question: Is there any point to the 2FA other than stopping people who use passwords stolen from some leak? Because, if that is the point, can't you just run once a week a script that matches the (hashed) passwords with those on the list of stolen ones and see if anyone is using a bad one? Then you could remove access to those who do until they create a new one. Would avoid all this trouble and be almost as safe, I think.
There isn't a single list of stolen logins. There are literally dozens if not hundreds of such lists at this point. Some known and public, some not. Websites and various forums have been getting hacked left and right for years now, so the amount of user databases floating out there is huge and expanding every week, basically. So there's really no way to do what you suggest; some stolen databases are revealed only much later after the breach occurs and others are never posted publicly anywhere. Only checking against what's public would be ineffective, even if we ignore other problems with this idea.

The likelihood of at least one of your logins that you've used somewhere being in a breach and made public rises significantly with each year that you've been online. And since people tend to reuse logins, one stolen login usually unlocks the doors in a number of other places. 2FA safeguards against this and also against brute force attacks, which can also be used to extract logins with software that doesn't employ safeguards against it. It doesn't help if your password hasn't been breached yet if it's simple enough that it can be cracked with brute force attempts relatively fast.
 

Alex

Arcane
Joined
Jun 14, 2007
Messages
9,180
Location
São Paulo - Brasil
It works across the most platforms compared to the rest, which is an advantage for many users. And the breach wasn't critical, which would obviously get it removed from the list.
Taluntain, an honest question: Is there any point to the 2FA other than stopping people who use passwords stolen from some leak? Because, if that is the point, can't you just run once a week a script that matches the (hashed) passwords with those on the list of stolen ones and see if anyone is using a bad one? Then you could remove access to those who do until they create a new one. Would avoid all this trouble and be almost as safe, I think.
Not when passwords are stored using different hashing algorithms, and possibly salt.
Those lists have the untransformed password (they are, after all, compromised). Just hash and salt using the same algorithm that is used on the codex.

pictures one huge public list with all stolen passwords in the history of the internet
If you used the same one Chrome uses to check your stored passwords, I think it would be good enough for government work. Although I admit I didn't consider the computational cost of checking every password on the list against all the stored passwords on the database. 2FA is still a pain and way overkill for an old discussion board.
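
Added example, not part of any post in this thread and not the forum software's code: a sketch of the computational cost raised above. With per-user salts, the weekly script has to run the slow hash once per account per leaked password, while a check made at login, when the plaintext is briefly available, needs a single lookup. PBKDF2, the iteration count, the account names and the leaked list are all constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor, kept low so the sketch runs quickly

def kdf(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2 is an assumption for this sketch)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str) -> dict:
    salt = os.urandom(16)  # unique random salt per account
    return {"salt": salt, "hash": kdf(password, salt), "must_reset": False}

# Constructed sample data: three accounts and a tiny "leaked" plaintext list.
USERS = {
    "alice": make_user("hunter2"),
    "bob": make_user("correct horse battery"),
    "carol": make_user("Tr0ub4dor&3"),
}
LEAKED = ["123456", "password", "hunter2", "qwerty"]

def weekly_audit(users: dict, leaked: list) -> tuple:
    """The weekly script: each leaked password must be re-hashed under each salt."""
    flagged, kdf_calls = [], 0
    for name, user in users.items():
        for candidate in leaked:
            kdf_calls += 1
            if hmac.compare_digest(kdf(candidate, user["salt"]), user["hash"]):
                flagged.append(name)
                break  # one hit is enough to force a reset for this account
    return flagged, kdf_calls

# At login the server holds the plaintext briefly, so one set lookup is enough.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in LEAKED}

def login(users: dict, name: str, password: str) -> str:
    user = users.get(name)
    if user is None or not hmac.compare_digest(kdf(password, user["salt"]), user["hash"]):
        return "denied"
    if hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1:
        user["must_reset"] = True  # let them in only as far as the reset form
        return "ok, password reset required"
    return "ok"

if __name__ == "__main__":
    print(weekly_audit(USERS, LEAKED))  # worst case: len(users) * len(leaked) KDF calls
    print(login(USERS, "alice", "hunter2"))
```

The audit's KDF call count grows with accounts times list size times the work factor, and it only covers lists that are already public, which is the limit Taluntain describes above.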
 

SharkClub

Prophet
Patron
Joined
May 27, 2010
Messages
1,582
Strap Yourselves In
At this point, the second they remove 2FA some retard is going to try and do exactly what was already done to multiple people's accounts because they disagree with their opinion in the political sub forum, even if mass deletion is removed it's probably just as easy to cuck an account by mass editing every post they've made, and the moment you start applying bandaid fixes over bandaid fixes to stop that from being an issue is when the forum ceases to be usable for its proper purposes (for example, removing the ability to edit old posts, means that any thread with an opening post that gets updated is just not a thing anymore). Zero remorse or accountability has been shown by the people responsible the first time (on the contrary, it is commonly celebrated and everyone who points this out is screeched at) so why would anyone trust them to not do it again now that everyone knows how easy it is, even if the original retard who started it is no longer around (someone will make sure to tell him if 2FA gets removed as well, I'm sure).
 