Add Security Questions


Hype

PM me for FREE Instagram Likes!
Banned
Feedback score
28
Posts
424
Reactions
142
Resources
0
do it these are op if u get hacked u can easily get ur account back whereas if u get hacked rn it's super hard to get ur acc back

correct me if I'm wrong
 
Type
Suggestion
Status
Denied
Banned forever. Reason: Dox leaking community members

Grace.

Supreme
Feedback score
19
Posts
796
Reactions
367
Resources
4
I agree. But I think they should be optional, where you can continue as you are rn, but if you want to, you should be able to enable them for added security.
 

Hype

I agree. But I think they should be optional, where you can continue as you are rn, but if you want to, you should be able to enable them for added security.
100% bro thanks for adding
 

Hype

This happens so rarely that it isn't something that should be changed
even so, one person's account hacked can cause a gallon of tears and account security should be highly valued on ANY website
 

Kram

Wizard
Management
Feedback score
23
Posts
970
Reactions
770
Resources
0
I'd agree if it was something that could be added easily and was optional, but I don't believe that it can be easily added (Correct me if I'm wrong).
 

Ivain

Master Terraformer
Supreme
Feedback score
45
Posts
9,610
Reactions
4,888
Resources
0
Security questions do very little. Way better to have something like 2FA.
Security questions are usually limited to a specific set of answers of which the sample size is MUCH smaller than that of passwords.

Common security questions:
-Mother's maiden name
-First pet's name
-favorite book/Tv series
-date of birth of family member
etc.
Each of those usually has a few thousand possibilities. Adding spelling and outliers, you've got maybe a hundred thousand possibilities per question.
Hell, let's stretch it and say there's a good security question that has a million possibilities.

In comparison to that, a fully randomized 8-digit password using ONLY lowercase letters has about 208 billion different permutations. That's a factor of more than 200K times as many possibilities, aka 200.000 times longer duration to brute-force it.

I'd like to note that a hacker with a properly written attack can probably crack an 8-digit password like this in 6 hours (360 mins) of bruteforcing, according to estimates:
http://www.lockdown.co.uk/?pg=combi&s=articles
This assumes a class D attack, which can easily be achieved by quality modern PCs. My PC would probably be capable of this.

If you can use all 96 symbols available on standard keyboards for an 8-digit, you're a lot safer, as the highest-end system on that list would take more than 80 days to crack a pass, and nobody's gonna waste that on a mineman.

The highest-end system in this list dates from 2009 though, and is simply a distributed-computing attack. I can't speak for what's possible today.
Aka if you've got a high-end hacker with access to a decent-sized botnet, they could probably reach a class F attack by that list.

Note that this entire estimate ignores password re-use and leaked password databases, which contain BILLIONS of logins in total.

TLDR: Security questions don't help for shit against hackers, and only exist so people don't lock themselves out of their PC with their terrible memories. 2FA is a far better defense, for even if your password is cracked, without access to your phone, they'd need to brute-force the code sent to your phone/email as well.
 

Orochimaru

The Love's Manager
Supreme
Feedback score
21
Posts
2,721
Reactions
1,352
Resources
3
Security questions do very little. Way better to have something like 2FA.
Security questions are usually limited to a specific set of answers of which the sample size is MUCH smaller than that of passwords.

Common security questions:
-Mother's maiden name
-First pet's name
-favorite book/Tv series
-date of birth of family member
etc.
Each of those usually has a few thousand possibilities. Adding spelling and outliers, you've got maybe a hundred thousand possibilities per question.
Hell, let's stretch it and say there's a good security question that has a million possibilities.

In comparison to that, a fully randomized 8-digit password using ONLY lowercase letters has about 208 billion different permutations. That's a factor of more than 200K times as many possibilities, aka 200.000 times longer duration to brute-force it.

I'd like to note that a hacker with a properly written attack can probably crack an 8-digit password like this in 6 hours (360 mins) of bruteforcing, according to estimates:
http://www.lockdown.co.uk/?pg=combi&s=articles
This assumes a class D attack, which can easily be achieved by quality modern PCs. My PC would probably be capable of this.

If you can use all 96 symbols available on standard keyboards for an 8-digit, you're a lot safer, as the highest-end system on that list would take more than 80 days to crack a pass, and nobody's gonna waste that on a mineman.

The highest-end system in this list dates from 2009 though, and is simply a distributed-computing attack. I can't speak for what's possible today.
Aka if you've got a high-end hacker with access to a decent-sized botnet, they could probably reach a class F attack by that list.

Note that this entire estimate ignores password re-use and leaked password databases, which contain BILLIONS of logins in total.

TLDR: Security questions don't help for shit against hackers, and only exist so people don't lock themselves out of their PC with their terrible memories. 2FA is a far better defense, for even if your password is cracked, without access to your phone, they'd need to brute-force the code sent to your phone/email as well.
When I have those questions I go generate a 32-64 random string of letters, numbers, etc and yeah


Anyway, I don't think this should be added, it's so rare that it's pointless.
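
Added example, not part of any post in this thread: a Python sketch of the keyspace comparison made in the post quoted above, next to the random-answer habit described in this reply. The guess rate of 10 million per second is an assumption chosen to match the quoted "6 hours" estimate, and all function names are illustrative.

```python
import math
import secrets
import string

# Assumption: guess rate consistent with the thread's "about 6 hours for
# 8 random lowercase letters" estimate; not a measured figure.
ASSUMED_GUESSES_PER_SEC = 10_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely strings of `length` over the alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy when every candidate is equally likely."""
    return math.log2(space)


def hours_to_exhaust(space: int, rate: int = ASSUMED_GUESSES_PER_SEC) -> float:
    """Worst-case hours to try every candidate at `rate` guesses per second."""
    return space / rate / 3600


def random_answer(length: int = 32) -> str:
    """Random security-question answer from a CSPRNG, to be kept in a password manager."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare() -> dict:
    """Keyspace, entropy and exhaust time for the cases named in the thread."""
    cases = {
        "security question, 1 million answers": 10 ** 6,
        "8 random lowercase letters": keyspace(26, 8),
        "8 random chars from 96 symbols": keyspace(96, 8),
        "32-char random answer (62 symbols)": keyspace(62, 32),
    }
    return {name: (space, round(entropy_bits(space), 1), hours_to_exhaust(space))
            for name, space in cases.items()}


if __name__ == "__main__":
    for name, (space, bits, hours) in compare().items():
        print(f"{name:40s} {space:.3e} candidates  {bits:6.1f} bits  {hours:.3g} h")
    print("example answer:", random_answer())
```

The figures hold only for uniformly random choices; a real answer such as a pet's name is drawn from a far smaller and more predictable pool than the one-million case.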
 

Hype

Security questions do very little. Way better to have something like 2FA.
Security questions are usually limited to a specific set of answers of which the sample size is MUCH smaller than that of passwords.

Common security questions:
-Mother's maiden name
-First pet's name
-favorite book/Tv series
-date of birth of family member
etc.
Each of those usually has a few thousand possibilities. Adding spelling and outliers, you've got maybe a hundred thousand possibilities per question.
Hell, let's stretch it and say there's a good security question that has a million possibilities.

In comparison to that, a fully randomized 8-digit password using ONLY lowercase letters has about 208 billion different permutations. That's a factor of more than 200K times as many possibilities, aka 200.000 times longer duration to brute-force it.

I'd like to note that a hacker with a properly written attack can probably crack an 8-digit password like this in 6 hours (360 mins) of bruteforcing, according to estimates:
http://www.lockdown.co.uk/?pg=combi&s=articles
This assumes a class D attack, which can easily be achieved by quality modern PCs. My PC would probably be capable of this.

If you can use all 96 symbols available on standard keyboards for an 8-digit, you're a lot safer, as the highest-end system on that list would take more than 80 days to crack a pass, and nobody's gonna waste that on a mineman.

The highest-end system in this list dates from 2009 though, and is simply a distributed-computing attack. I can't speak for what's possible today.
Aka if you've got a high-end hacker with access to a decent-sized botnet, they could probably reach a class F attack by that list.

Note that this entire estimate ignores password re-use and leaked password databases, which contain BILLIONS of logins in total.

TLDR: Security questions don't help for shit against hackers, and only exist so people don't lock themselves out of their PC with their terrible memories. 2FA is a far better defense, for even if your password is cracked, without access to your phone, they'd need to brute-force the code sent to your phone/email as well.
first of all you can have MULTIPLE security questions, and second of a
srsly... if someone's that good at hacking they can hack anything, also you're acting as if there is only one security question. you write that attack and tell me when you're done.
 

fawny

fawny.me
Supreme
Feedback score
120
Posts
331
Reactions
527
Resources
0
Great idea, but definitely make them optional like said above. Even if it could range between one to three depending on preference of the user. Would make hacking a lot less of an issue.
 

Jerry

Confirm ONSITE
Supreme
Feedback score
73
Posts
1,250
Reactions
1,194
Resources
0
Great idea, but definitely make them optional like said above. Even if it could range between one to three depending on preference of the user. Would make hacking a lot less of an issue.
It's already such a minimal issue though, I've seen very few members of this site get compromised over my time in comparison to the number of active users.
When I have those questions I go generate a 32-64 random string of letters, numbers, etc and yeah
inb4 rat
first of all you can have MULTIPLE security questions, and second of a


srsly... if someone's that good at hacking they can hack anything, also you're acting as if there is only one security question. you write that attack and tell me when you're done.
So you want someone to use questions that can easily be guessed? If someone's going to waste their time trying to get into your MCM account, they'll find enough information to make an educated guess on your mother's maiden name or your first school. If anything, it aids a hacker in getting full access to your account.
 

Hype

It's already such a minimal issue though, I've seen very few members of this site get compromised over my time in comparison to the number of active users.

inb4 rat

So you want someone to use questions that can easily be guessed? If someone's going to waste their time trying to get into your MCM account, they'll find enough information to make an educated guess on your mother's maiden name or your first school. If anything, it aids a hacker in getting full access to your account.
I disagree, it's the user's choice to decide the security questions, also I'm getting lazy to reply to this thread, imma just leave it to staff
 

Jerry

I disagree, it's the user's choice to decide the security questions, also I'm getting lazy to reply to this thread, imma just leave it to staff
Regardless of which security question, they're much easier to guess because there's a clear hint. With a password, there's not much to work off of.
 

Ever

King
Supreme
Feedback score
28
Posts
1,292
Reactions
656
Resources
0
do it these are op if u get hacked u can easily get ur account back whereas if u get hacked rn it's super hard to get ur acc back

correct me if I'm wrong
agreed, I know someone whose mcm got hacked yesterday after he bought premium @Gibbay (name changed, idk what it is now)
 