EFUSL PWs Compromised

Started by Howlando, February 27, 2016, 03:06:38 AM

Howlando

Players are advised to reset their EFUSL Passwords. This can be done by simply typing "/c password " in game with the relevant account. Given that there is basically no useful information that can be accessed through your private EFUSL account, it probably is not a big deal if you don't bother to do this. HOWEVER -

I know I've mentioned this before, but it bears repeating. You should definitely not be recycling passwords among different services, and you DEFINITELY should not use any kind of EFU password for anything more serious and you should DEFINITELY DEFINITELY not use your EFUSL password for anything else at all.

If you foolishly used your EFUSL password for any other service, you should change that as soon as possible.

I am posting this because I (very sadly) learned today that a former member of our community with an apparent enthusiasm for hacking received unauthorized access to various EFU stuff. Anyone with information about this is welcome to come forward; otherwise we must deal with it as always - get over the sadness/demoralization and move on.

I believe it is also important to correct the record that the forums being hacked some months ago was not due to the person we thought it was at the time, but rather an active member of the community who has now been banned.

That's all for now.
 

Snoteye

I'm very sorry about this.

We've followed up by resetting all EFUSL passwords. For dumb technical reasons we can't easily encrypt EFUSL passwords safely: that has to be done at the application level and NWScript is rather lacking in that respect, so we would need to invert the registration process to happen outside the game. And that's pointless as long as we don't have HTTPS. This is not an excuse, I just want to make clear that your EFUSL passwords are not secret and should not be treated as if they are.

I would like to restate the importance of changing passwords on any service where you may have used the same password as on EFUSL, and to never reuse that password anywhere else. For that matter, treat your forum password the same way. In fact, treat all your passwords that way.

I would also like to draw attention to https://haveibeenpwned.com/ as well as encourage you to adopt a password manager if you haven't already. Think of it this way: if you don't need to write down your password, your password is not strong enough.