Hi all.
We've been having problems with 'credential stuffing' on this site, where a spammer will do a brute force attack on the login page with known, previously breached usernames and passwords to try to get access to accounts to spam us with.
This kind of attack has a high success rate and relies on users neglecting their security (and a lot of people do that, so...).
Many members (100% so far who don't use the site much and have just a few posts) set a weak password on this site, or never changed theirs after a breach and have been re-using that username/password on other sites/ours. This makes the spammers' job really easy because anyone can buy or download lists of compromised passwords from all kinds of sites these days.
To temporarily stem the tide of these accounts from being unlocked and used for spammage, I've added the Have I Been Pwned service to our system, which checks hashed partial password input against databases of known hacked passwords. It's similar to how the hacked password protection works in Google Chrome, and in this instance, because irreversible hashes of partial passwords are being sent and compared, we don't accidentally end up compromising our users' security in order to gain security.
If you have a username/password combination known to be hacked on another website, the system will eventually require that you reset your password.
In addition, we now set a minimum password length and complexity for all new passwords going forward. We have also added much stricter server-level protection against brute force attacks.
If this doesn't clear out spammers' use of long inactive accounts, I will escalate our security while doing my best to not reduce the convenience level we currently have.
If you wish to increase your account's security level, I recommend turning on the email-based 2FA. We have tried that feature at the moderator team level and found it to work pretty well. You can change those settings here: https://endless-sphere.com/sphere/account/security
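As an added illustration of the partial-hash check the post describes (example code, not the site's or the service's own): Have I Been Pwned's range API receives only the first five hex characters of the password's SHA-1 and returns every leaked hash suffix under that prefix, so the actual match happens on our side and the full hash never leaves the server. The sample range response below is constructed, and `offline_fetch` stands in for the live `https://api.pwnedpasswords.com/range/{prefix}` call so the block runs without network access.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix 5BAA6: one "SUFFIX:COUNT" line per
# leaked hash sharing that prefix (real responses hold hundreds of lines). The last entry
# is the genuine suffix of SHA-1("password"); the counts themselves are made up here.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

def split_hash(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup: only the prefix is transmitted. Add-Padding asks the service to mix
    in dummy zero-count entries so response size does not leak the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "forum-password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs with no network access."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""

def parse_range_response(body: str) -> dict[str, int]:
    """Map each returned suffix to its breach count; padding entries (count 0) drop out."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the leaked corpus (0 = never seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

def password_acceptable(password: str, fetch=fetch_range, min_length: int = 12) -> tuple[bool, str]:
    """Policy from the post: enforce a minimum length, then reject known-breached passwords."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    hits = breach_count(password, fetch)
    return (False, f"seen {hits} times in known breaches") if hits else (True, "ok")
```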