Bitcoin Forum
Author Topic: Should we change our passwords?  (Read 2077 times)
Sharma (OP)
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000


GATCOIN : The New Currency Of Digital Marketing


View Profile
September 10, 2016, 08:17:03 AM
 #1

I am not an expert, but all I understand is that DDoS is not hacking; it only makes a website unavailable by sending huge traffic. The forum is experiencing DDoS frequently and it was unavailable yesterday also. I am concerned and want to know if there is a need to change our account password?

20kevin20
Legendary
*
Offline Offline

Activity: 1134
Merit: 1598


View Profile
September 10, 2016, 08:19:52 AM
 #2

I'm changing my passwords on a monthly basis. It's something we all should do. Please remember not to use the same passwords on all accounts... This is what I did, and after a website got hacked and the passwords were leaked... it took me one day to change all of them to a different password each. Grin
Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


View Profile WWW
September 10, 2016, 08:20:30 AM
 #3

A DDoS only makes the service unavailable temporarily as it overloads the infrastructure. It does not, in any way, compromise data. Therefore the answer to your question is no. However, it is good practice to change your password from time to time.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
mindrust
Legendary
*
Offline Offline

Activity: 3430
Merit: 2527



View Profile WWW
September 10, 2016, 08:25:28 AM
 #4

You should change your passwords if you haven't since the data leak. If you did it after the forum hack, you don't need to do anything now. DDOS is not dangerous as far as I know but if you want to be safe perfectly, post your address and sign a message in here:

https://bitcointalk.org/index.php?topic=996318.0

and change your pass every month...

bbc.reporter
Legendary
*
Offline Offline

Activity: 3108
Merit: 1488



View Profile
September 10, 2016, 09:30:13 AM
 #5

It is better to be safe. When you are in doubt, go ahead and change your password. Do not risk it because there could be another data breach that we do not know yet.

Sharma (OP)
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000


GATCOIN : The New Currency Of Digital Marketing


View Profile
September 10, 2016, 09:58:04 AM
 #6

Quote from: mindrust
You should change your passwords if you haven't since the data leak. If you did it after the forum hack, you don't need to do anything now. DDOS is not dangerous as far as I know but if you want to be safe perfectly, post your address and sign a message in here:

https://bitcointalk.org/index.php?topic=996318.0

and change your pass every month...

I have changed my password last month and do it at least once every month, but I want to know if I have to change it again in view of recent DDoS attack? There's no such announcement about changing password from admin. I have difficulty in remembering long alphanumeric passwords and don't want to change them frequently.

bbc.reporter
Legendary
*
Offline Offline

Activity: 3108
Merit: 1488



View Profile
September 10, 2016, 10:05:56 AM
 #7

@Sharma. Use Keepass. You can download it here http://keepass.info/

It is what I use and it makes password management easier. Your passwords will also be harder to crack since they look something like "SDFT%$EW^Y%ETGYBDE#$^^&$"

PeaMine
Hero Member
*****
Offline Offline

Activity: 979
Merit: 510



View Profile
September 10, 2016, 04:31:36 PM
 #8

I tried to change my password, but it seems my old one doesn't work.
So I tried in a new browser to reset my password, it said it sent it to my email address, but it didn't work.
I am still getting "notification" emails from bitcointalk however.

Datacenter Technician and Electrician.  If you have any questions feel free to ask me as I am generally bored looking at logs and happy to help during free time.
xJuturna
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250



View Profile
September 10, 2016, 04:55:25 PM
 #9

Whatever makes you feel more safe. Accounts here need to be protected much more than your everyday forum account so do whatever you feel is necessary. Some advise changing your password once a month but I'm a bit lazy for that. Just make sure you have a good diverse password and you should be golden, assuming you've changed it since the data leak.
ndnh
Legendary
*
Offline Offline

Activity: 1302
Merit: 1005


New Decentralized Nuclear Hobbit


View Profile
September 10, 2016, 07:23:26 PM
 #10

Changing the password isn't hard, so why not?
awesome31312
Hero Member
*****
Offline Offline

Activity: 826
Merit: 504


View Profile
September 10, 2016, 08:24:03 PM
 #11

Always change your password. At least once a month is my recommendation. It does not matter whether or not there could have been a hack. Probability wise, if your password stays the same, then every day, a potential hacker gets closer to breaking into your account. 

Account recovered 08-12-2019
BitHodler
Legendary
*
Offline Offline

Activity: 1526
Merit: 1179


View Profile
September 10, 2016, 08:40:01 PM
 #12

There is no real point in asking whether or not we should change our password when you can do it directly yourself if you have an unsafe feeling about the security of your account.

BSV is not the real Bcash. Bcash is the real Bcash.
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2996
Merit: 2371


View Profile
September 11, 2016, 05:00:29 AM
 #13

As mentioned above, a DDoS attack, by itself does not do anything to compromise data. Although I understand that DDoS attacks are sometimes used as a distraction to prevent/delay detection of a more serious breach. I am confident that if there was a breach that theymos would be able to quickly detect it and take corrective action.

I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Captain Murica
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
September 11, 2016, 10:48:27 AM
 #14

Quote from: Quickseller
As mentioned above, a DDoS attack, by itself does not do anything to compromise data. Although I understand that DDoS attacks are sometimes used as a distraction to prevent/delay detection of a more serious breach. I am confident that if there was a breach that theymos would be able to quickly detect it and take corrective action.

I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Can you reply to the question of this post?

Quoting the question:
Quote
bitcointalk.org, are you hacked or not? How many times have you been hacked since Jan/1/2016?

Changing passwords does not help if your forum represents swiss cheese.
Straux
Sr. Member
****
Offline Offline

Activity: 412
Merit: 251



View Profile
September 11, 2016, 11:55:29 AM
 #15

You should always change your password once in a while. That way, if someone is trying to brute force into your account, you will keep them out.

A DDoS will not allow the hacker to see your password. In fact, it locks the hacker out as much as it locks you and me out.
awesome31312
Hero Member
*****
Offline Offline

Activity: 826
Merit: 504


View Profile
September 11, 2016, 03:52:37 PM
 #16

Quote from: Captain Murica
Changing passwords does not help if your forum represents swiss cheese.

You know, I have been on this forum for a long, long time. I have yet to be scammed or get hacked by another Bitcointalk user, and there have been plenty of opportunities for that (Can't go into detail about it though). Some people are just unlucky, that's all.

Account recovered 08-12-2019
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13373


View Profile
September 12, 2016, 01:41:28 AM
Last edit: September 12, 2016, 02:08:38 AM by theymos
 #17

Quote from: Quickseller
I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Currently there's no regional filtering. It isn't usually necessary, since attacks have either been possible to detect and block (automatically or manually) or SYN floods which use fake IP addresses. On a few occasions in the past I've had to block a few /16 networks for a while, but there's nothing like that active now.

I really like the idea of having a bunch of firewall servers which handle the TCP handshake and then send real traffic to the real server(s) via a GRE tunnel. Since it works at the TCP level, the firewall servers do not need the HTTPS key and aren't particularly sensitive security-wise. It doesn't protect against application-level attacks, but generally those are easier to protect against by just blacklisting or limiting misbehaving IPs. I wish that more companies would offer this service. The forum's previous DDoS protection did this, but it was some amateur operation which had its own reliability issues, making it unacceptable. Incapsula was willing to do a special deal, but their price was ridiculous. I think that someone could make money by buying a few dozen servers distributed across the globe and selling GRE-tunnel-based DDoS protection from SYN floods and maybe also bandwidth leeching (by tracking when new IPs start using way more traffic than anyone else), ideally with anycast IP addresses to distribute traffic among the firewall servers. I think that you could do it largely with standard iptables rules, though it'd be very complicated. If I was setting up a service like this, I would oversell like crazy -- each site is only actually DDoSed a very small percentage of time, so you only need enough ordinary capacity to protect against one or two active attacks --, but then have some sort of backup plan to add more servers in an emergency (maybe by spinning up EC2/DigitalOcean/Vultr instances, which are expensive compared to a dedicated server but quickly available in case more capacity is needed now).

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
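Added example, not part of theymos's post or the forum's own tooling: a sketch of the "bandwidth leeching" check mentioned above, flagging IPs that appeared recently and are served far more traffic than the median client. The flow-record format, thresholds and function name are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (unix_seconds, client_ip, bytes_served).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    (0,   "192.0.2.10",    150_000),
    (0,   "198.51.100.20", 30_000_000),   # long-standing heavy user
    (100, "192.0.2.11",    120_000),
    (400, "192.0.2.10",    180_000),
    (500, "198.51.100.7",  300_000),
    (900, "203.0.113.5",   40_000_000),   # first appearance of a new client
    (940, "203.0.113.5",   45_000_000),
    (950, "192.0.2.10",    200_000),
    (960, "192.0.2.11",    90_000),
    (970, "198.51.100.7",  250_000),
    (980, "203.0.113.5",   50_000_000),
    (990, "198.51.100.20", 35_000_000),
]


def find_leechers(flows, window=60, new_within=300, factor=10, floor=1_000_000):
    """Return {ip: bytes_in_window} for recently seen IPs that dwarf their peers.

    An IP is flagged when, during the last `window` seconds, it was served
    more than `factor` times the median per-IP volume (and more than `floor`
    bytes), and it first appeared no more than `new_within` seconds ago.
    All parameter names and defaults are hypothetical.
    """
    if not flows:
        return {}
    now = max(t for t, _, _ in flows)
    first_seen = {}
    recent = defaultdict(int)
    for t, ip, nbytes in flows:
        first_seen[ip] = min(t, first_seen.get(ip, t))
        if t > now - window:          # only traffic inside the sliding window
            recent[ip] += nbytes
    # The median is a robust baseline: one huge client does not drag it up.
    baseline = median(recent.values())
    threshold = max(factor * baseline, floor)
    return {
        ip: total
        for ip, total in recent.items()
        if total > threshold and now - first_seen[ip] <= new_within
    }


if __name__ == "__main__":
    for ip, total in find_leechers(SAMPLE_FLOWS).items():
        print(f"candidate for rate limiting: {ip} ({total} bytes in window)")
```

The long-standing heavy client 198.51.100.20 is above the volume threshold but is not flagged because it is not new; widening `new_within` would include it.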
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2996
Merit: 2371


View Profile
September 12, 2016, 03:03:35 AM
 #18

Quote from: theymos
Quote from: Quickseller
I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Currently there's no regional filtering. It hasn't been necessary in the past, since attacks have either been easy to detect and block or SYN floods which use fake IP addresses. On a few occasions in the past I've had to block a few /16 networks for a while, but there's nothing like that active now.

I was referring to some kind of hypothetical spoofing attack whose success hinges on the *real* bitcointalk.org (and/or bitcoin.org) server being unresponsive in order to be successful.

It would be something along the lines of the GFW would, during DDoS attacks, route traffic intended for bitcointalk.org (and/or bitcoin.org) to a spoof server from a very specific subset of traffic. Only "high value" targets would have their traffic to the spoof server, or traffic that comes from a proxy/VPN/a source that may have originated outside of China (if you assumed a state sponsored attack by the Chinese government) in order to hide the fact that some traffic is being routed to a spoof server.

Quote from: theymos
I really like the idea of having a bunch of firewall servers which handle the TCP handshake and then send real traffic to the real server(s) via a GRE tunnel. Since it works at the TCP level, the firewall servers do not need the HTTPS key and aren't particularly sensitive security-wise. It doesn't protect against application-level attacks, but generally those are easier to protect against by just blacklisting or limiting misbehaving IPs.

Is there a reason why you can't do something similar to this yourself? Or, will this only be economical if you have multiple clients?

swogerino
Legendary
*
Offline Offline

Activity: 3332
Merit: 1248


Bitcoin Casino Est. 2013


View Profile
September 12, 2016, 03:11:57 AM
 #19

I think frequent password changes are needed if you want to keep your account safe.
Even workplaces require you to change them every 3 months so why not here? Roll Eyes

2112
Legendary
*
Offline Offline

Activity: 2128
Merit: 1073



View Profile
September 12, 2016, 04:21:24 PM
 #20

Quote from: theymos
I think that someone could make money by buying a few dozen servers distributed across the globe and selling GRE-tunnel-based DDoS protection from SYN floods and maybe also bandwidth leeching (by tracking when new IPs start using way more traffic than anyone else), ideally with anycast IP addresses to distribute traffic among the firewall servers. I think that you could do it largely with standard iptables rules, though it'd be very complicated. If I was setting up a service like this, I would oversell like crazy -- each site is only actually DDoSed a very small percentage of time, so you only need enough ordinary capacity to protect against one or two active attacks --, but then have some sort of backup plan to add more servers in an emergency (maybe by spinning up EC2/DigitalOcean/Vultr instances, which are expensive compared to a dedicated server but quickly available in case more capacity is needed now).

Anycast to distribute stateful traffic? Anycast only really works with stateless/connectionless services like DNS over UDP. Anything else requires a modified client side to recover the hidden state.

And in addition to the above modifying the routing rules after the DDoS started to add more firewall servers? Guaranteed failure because it will prolong the instability and limited availability.

"standard iptables rules, though it'd be very complicated" - this claim is such a deep bullshit, that I can't believe a sane person with IT knowledge would utter it. What about the state of the TCP/IP socket required to track sequence numbers?

To me it seems like you've talked to too many professional bullshit salesmen in the DDoS mitigation industry and they successfully managed to turn your brain to mush to prepare you for closing a sale.

Four days ago you had a generally correct idea. Within AWS the GRE tunnels are not required because EC2 offers a private LAN segment for free to allow connections between instances spawned from the same account. Maybe just get some sleep and then implement it yourself.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0