
Urgently ban Cloudflare from Fantasy Grounds website



Blacky
March 18th, 2015, 11:28
Like many many other times I connect to the forum this morning, and I got this:


CloudFlare One more step

Please complete the security check to access fantasygrounds.com

With a captcha.

Besides the fact that captchas don't work, this is simply unacceptable. Why should I suddenly need to input a captcha to go on the official website (and support system) of my paid software? Especially since I'm on a fixed IP, and no attack was issued from it.

Edit: And a second time, minutes after the first, still from my same old IP. So on top of everything else, it's broken. And I'm guessing CloudFlare ain't cheap…

Mask_of_winter
March 18th, 2015, 11:58
Didn't CloudFlare stop all those DDoS attacks the servers suffered after the last FG Con that went on for months? I've never been asked for a captcha to access the site.

Editing my post per Nickademus's request.

dulux-oz
March 18th, 2015, 12:41
I've never been asked for a captcha to access the site.

Neither have I - but I have been asked when I've updated the Wiki and uploaded Extensions and Mods.

It's an annoyance, but (for me) it's only been a "speed bump", not a "stop sign".

Cheers

Nickademus
March 18th, 2015, 12:42
I've never been asked for a captcha to access the site.

Try to edit your post.

damned
March 18th, 2015, 12:48
I've had Cloudflare lose me a post or two.
But I'll take the Cloudflare interruption ANY day.
This site's availability was really struggling prior to CloudFlare.

Mask_of_winter
March 18th, 2015, 13:25
Try to edit your post.
I just did. Does Cloudflare intervene when you do that? Because it didn't do anything on my end when I edited my post.

JohnD
March 18th, 2015, 13:34
The only time I get it is when I try to view someone's profile - wait five seconds and it's done. Knock on wood.

damned
March 18th, 2015, 13:41
Profiles are the most common time - but you do occasionally get it when editing or writing a post - and it can be painful and it can lose your post!
but ultimately it is required for site stability and availability....

ddavison
March 18th, 2015, 15:05
Profile page views and Blog views are marked as higher security since these were frequently used in DDoS attacks. We might be able to fine tune a few settings, given enough information on what sort of activities are getting flagged and where you are connecting from. You are correct that Cloudflare isn't cheap, but it has managed to greatly increase the overall stability of the site. We were getting slammed by repeated DDoS attacks and now CloudFlare absorbs all of those.

I could check into post edits if that is something you are commonly seeing flagged. If you think about it, try shooting me the URL to [email protected] and I'll see if I can modify the settings for those.

GunnarGreybeard
March 19th, 2015, 03:57
The only time I get it is when I try to view someone's profile - wait five seconds and it's done. Knock on wood.
That's the only time I've been seeing it too.

GM BK
March 20th, 2015, 00:31
I've only gotten it when I'm trying to upload a file... usually it works just fine, but I've had it deny me even though I put in the correct letter/number combination.

Nylanfs
March 20th, 2015, 02:19
It's the only way to beat Ultron... (https://9gag.com/gag/a8Y4BBZ/even-ultron-hates-captcha)

hawkwind
March 20th, 2015, 15:19
This is the second time I have heard of Cloudflare today. Apparently it's being used by various dodgy pirate sites to sidestep ISP blocks. Never heard of Cloudflare before today!

ddavison
March 20th, 2015, 15:24
Hey hawkwind, please consider emailing me the URLs of those dodgy pirate sites. I have a problem with Cloudflare if they are also protecting sites that traffic in illegal activities. You can email me at [email protected]

hawkwind
March 20th, 2015, 18:30
https://torrentfreak.com/secure-pirate-bay-unblocked-by-most-uk-isps-150316/

https://torrentfreak.com/court-orders-cloudflare-expose-pirate-site-operators-141106/

This came up in my RSS feed at work.

ddavison
March 20th, 2015, 20:02
Thanks. I contacted Cloudflare to ask them about that.

Blacky
October 4th, 2015, 06:01
And 6 months later, SmiteWorks is still discriminating against various non-US users with its overpriced, useless, brainless Cloudflare thingy. It still takes me an average of 6 tries to post anything. Sometimes, no matter how many times I try, I just can't.

ddavison
October 4th, 2015, 06:52
And 6 months later, SmiteWorks is still discriminating against various non-US users with its overpriced, useless, brainless Cloudflare thingy. It still takes me an average of 6 tries to post anything. Sometimes, no matter how many times I try, I just can't.

Hello Blacky, if you get routed through the verification process, there should be a code provided. That code can be sent to us at [email protected] and we can forward that to Cloudflare so they can trace what is causing your traffic to be flagged, and hopefully remedy it on our end or on Cloudflare's end.

Blacky
February 26th, 2017, 14:21
Now featuring leaking passwords and personal details, well anything going between us and fantasygrounds.com. Well, when I say now, I mean for the last six months…

ddavison
February 26th, 2017, 16:10
Hello Blacky,

That is not correct. We received an email from Cloudflare that disclosed this issue that affected only some of their clients. They notified every client that was affected and said that our site was unaffected.

damned
February 26th, 2017, 21:12
Change your passwords on every internet site you use - just in case, folks - Cloudflare provides CDN and proxying for over 4 million websites.

Myrdin Potter
February 26th, 2017, 22:09
I was wondering about the status here with that bug. I only have real issues with it when I am in China and often it would just not accept anything I input or it would just not generate the input screen. I just got back from China and it seemed to be working better.

LordEntrails
February 26th, 2017, 22:19
Could someone actually explain or post a link to something that explains what you all are talking about? Apparently these statements assume some knowledge that may not be as commonly known as assumed.

Myrdin Potter
February 26th, 2017, 22:26
https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/

Just google Cloudflare and a ton of these articles will come up.

LordEntrails
February 26th, 2017, 22:37
Ok, thanks for the link.

To summarize: Cloudflare, which FG and many other websites use, had a bug that leaked some sensitive info, including passwords, starting last September. According to SmiteWorks, Cloudflare said that www.FantasyGrounds.com was not affected.

As stated by Damned, just in case, you should change your passwords on ALL websites (because Cloudflare is used by millions of sites). Which is something, IMO, you should be doing REGULARLY anyway.

Zhern
February 26th, 2017, 23:03
I would also recommend using a method such as outlined here (https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/) to generate your passwords. Also, two factor authentication is one of the best ways to prevent access to any of your accounts even if your password is leaked. Maybe Doug can look into enabling 2FA for the website?

Nickademus
February 27th, 2017, 00:52
https://strongpasswordgenerator.com/

JohnD
February 27th, 2017, 01:22
password123

dulux-oz
February 27th, 2017, 01:24
password123

John!!!!

That should be: p@55w0rd123 :p

Trenloe
February 27th, 2017, 01:35
That should be: p@55w0rd123 :p
Dulux!!!!

You need an uppercase character in there! :p

;)

Nylanfs
February 27th, 2017, 01:51
Use dice to make your password! (https://world.std.com/~reinhold/diceware.html)

dulux-oz
February 27th, 2017, 02:15
Dulux!!!!

You need an uppercase character in there! :p

;)

I thought about that, but I decided that that would be pushing the joke too far ;)

Nickademus
February 27th, 2017, 02:59
I thought about that, but I decided that that would be pushing the joke too far ;)

And this stopped you because...?

dulux-oz
February 27th, 2017, 03:51
And this stopped you because...?

Touché

Zhern
February 27th, 2017, 15:18
I have the distinct feeling you all were making fun of me. :p I work for a bank as a developer, so security is one of the top issues we have to consider any time we implement something new that is going to production. It is something I'm very conscious of with my personal information too. I would hate to see anyone get hosed because of something like this.

Nickademus
February 27th, 2017, 16:04
I'm not making fun of you. I'm making fun of the Aussie Paint.

I contributed what I use for passwords. It meets the Strong qualifications of everything I've seen so far.

JohnD
February 27th, 2017, 18:16
Are you guys saying password123 isn't secure?

OK... how about Qwerty1 then.

A former employer had so many systems that I quite literally would forget at least one a day, and I wasn't the only one since we had 6+ FTEs who did nothing but reset passwords all day 24x7.

Mandated new passwords every 30 days. Had to have one capital letter, one symbol and one number and be at least 8 characters long. No new password could be similar to any of the prior 10 you had used and you couldn't re-use passwords across multiple platforms. And heaven forbid anyone suggested a single sign-on solution.

Then IT hits the roof when they find everyone has pages in their day timers dedicated to nothing but writing passwords down, which was a valid concern, but they drove the behaviour.

JohnD
February 27th, 2017, 18:17
I thought about that, but I decided that that would be pushing the joke too far ;)

A joke pushed too far is still funny, just for a different reason. :)

Andraax
February 27th, 2017, 18:28
Then IT hits the roof when they find everyone has pages in their day timers dedicated to nothing but writing passwords down, which was a valid concern, but they drove the behaviour.

Everyone should use a tool like LastPass. I have hundreds of passwords, all of them random strings, and forget none. :-)

LordEntrails
February 27th, 2017, 19:24
Are you guys saying password123 isn't secure?

OK... how about Qwerty1 then.

A former employer had so many systems that I quite literally would forget at least one a day, and I wasn't the only one since we had 6+ FTEs who did nothing but reset passwords all day 24x7.

Mandated new passwords every 30 days. Had to have one capital letter, one symbol and one number and be at least 8 characters long. No new password could be similar to any of the prior 10 you had used and you couldn't re-use passwords across multiple platforms. And heaven forbid anyone suggested a single sign-on solution.

Then IT hits the roof when they find everyone has pages in their day timers dedicated to nothing but writing passwords down, which was a valid concern, but they drove the behaviour.

Been there, for an aerospace/defense contractor.

I was in a meeting discussing a new software package and said we needed to have it authenticate against our LDAP instead of its own. The IT rep told me there was no need. I said people couldn't remember the passwords of the existing systems and had to write them all down. He said that was against policy, end of discussion.

Within two weeks we were passing in the hall and I stopped him for a moment, picked up a random keyboard to show him the note with all the users' passwords written on it. By the end of the next month we had a single sign-on initiative.

ddavison
February 27th, 2017, 20:12
We had a Security Officer coming down for a meeting one day, so I made sure to write a fake sticky note with a bunch of fake passwords all scratched out except the last one and stuck it on my monitor. Unfortunately, I don't think he even noticed even though he was in my office at one point to say "hello".

The fake ones I chose were really good.

Prior to this, I did software development and consulting, and it wasn't uncommon to get access to some online store's website database to do a job, only to find that the previous developer had learned on the job and stored all the passwords in the database as plain text. Jesus and the local sports teams were very popular in the region, along with the names of children.

dulux-oz
February 28th, 2017, 02:20
The most amusing thing is that the whole "change your passwords every 30, 60, 90, or 120 days (or whatever) and make it at least 10 characters long", etc., is a MYTH - it's one of the great ICT Security Myths that even most ICT Security people don't know is a myth (like this (https://www.snopes.com/photos/natural/iceberg.asp) picture), and they just repeat it over and over as if it were the "TRUTH" (see the 5 Monkeys Experiment (https://www.wisdompills.com/2014/05/28/the-famous-social-experiment-5-monkeys-a-ladder/)).

Let me explain - back in the 1970s someone once asked one of the leading Computer Science researchers (I can't remember which one) about how long to crack a password using the technology of the time (IBM 330, DECs, etc). Using the back of an envelope (I'm not kidding) the Computer Scientist calculated that a password of 7 characters would be sufficient to withstand a brute-force attack using the technology of the time, and besides, the Unix crypt() function truncated passwords to 8 characters anyway, so that was all good.

So, imagine how much more powerful today's computers are and consider whether 8, 10 or even 16 characters might be strong enough (actually, 16 probably is in 2017 - maybe).

No, if you want to be secure then the best couple of things you can do are:

Make your passwords llllooooooooooooonnnnnggggg - "A sausage-roll at the corner shop costs $4.50 on Wednesdays." is a way better password (pass-phrase) than "P@55w0rd123", obeys all the common complexity rules (capital and lowercase, digit and punctuation/special characters), is 60 characters as opposed to 11 characters, and is easier to remember.
Use a Password Manager - I use KeePass (free, multi-platform, etc.)
If you use a Password Manager, use a different random password for every website, etc., because a Password Manager makes it easy. I always use 64-character random passwords (unless the website, etc., doesn't allow passwords that long).

I hope that all of this helps :)

Cheers
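A worked comparison of the two passwords in the post above, plus the dice-rolling step of the Diceware method Nylanfs linked earlier. This is an added illustration, not code from the thread; the 1e10 guesses/second rate is an assumed offline attack speed, and the Diceware word list itself is not bundled (the generated five-digit keys index the real list).

```python
import math
import secrets
import string

# Alphabet sizes for each character class an exhaustive search must cover.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

DICEWARE_WORDS = 6 ** 5  # five dice -> 7776 entries in a Diceware list


def charset_bits(password: str) -> float:
    """Search-space size in bits: length * log2(alphabet), where the alphabet
    is the union of the character classes actually present. This is an upper
    bound; it assumes every character was chosen uniformly at random."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def wordlist_bits(words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase built from `words` uniformly random picks out
    of a list of `list_size` entries (Diceware: about 12.9 bits per word)."""
    return words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def diceware_keys(n_words: int) -> list[str]:
    """Roll five dice per word with a CSPRNG. Each key (11111-66666) selects
    one line of a real Diceware word list, which is not included here."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(n_words)]


if __name__ == "__main__":
    RATE = 1e10  # assumed guesses/s against a fast, unsalted hash
    for pw in ("P@55w0rd123",
               "A sausage-roll at the corner shop costs $4.50 on Wednesdays."):
        bits = charset_bits(pw)
        print(f"{len(pw):3d} chars, {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, RATE):.3g} years at {RATE:.0e}/s")
    # A natural-language sentence is not uniformly random, so the honest
    # estimate for the passphrase treats each of its 11 words as a list pick:
    print(f"11 Diceware words: {wordlist_bits(11):.1f} bits")
    print("Keys for a 6-word Diceware passphrase:", diceware_keys(6))
```

The 60-character sentence scores about 394 bits under the character-class model but only about 142 bits as 11 dictionary picks; even that lower figure dwarfs the 72 bits of "P@55w0rd123", which is the post's point about length beating complexity.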

LordEntrails
February 28th, 2017, 02:29
My take on password rotation/change is driven by two things, let me know what you think;

1) Because if a website is hacked, it is unlikely you will be informed of the breach in a timely manner. If you change them regularly, it would be less likely you would be compromised as part of a secondary data user (i.e. someone who buys the breached data after the original user has done what they intend with it).

2) If you don't use unique passwords (which is a bad habit, but one I suspect a vast majority of people have), then when #1 happens, you are exponentially exposed (and not in a good "kilt" kind of way!)

Zhern
February 28th, 2017, 02:43
Everyone should use a tool like LastPass. I have hundreds of passwords, all of them random strings, and forget none. :-)

Yep, I use LastPass also. All of them are at least 20 characters long and random, and I never forget them either because I only have to remember one password.

dulux-oz
February 28th, 2017, 02:53
My take on password rotation/change is driven by two things, let me know what you think;

1) Because if a website is hacked, it is unlikely you will be informed of the breach in a timely manner. If you change them regularly, it would be less likely you would be compromised as part of a secondary data user (i.e. someone who buys the breached data after the original user has done what they intend with it).

2) If you don't use unique passwords (which is a bad habit, but one I suspect a vast majority of people have), then when #1 happens, you are exponentially exposed (and not in a good "kilt" kind of way!)

Rotating passwords on websites is not a bad idea - but a better one is to use unique, looonnnggg, random passwords on each website - the longer the password, the harder it is to brute-force, and if it's random, hackers can't dictionary attack it (i.e. guess), and if it's unique it won't matter (much) if it is compromised because you only use it in that one place. But in an office situation, forcing the end-users to rotate their passwords is often counter-productive (as some of the posts here have shown) - it leads to things like "password1", "password2", "password3", etc., with the number corresponding to the month of the year (for example).

But quite frankly, I wouldn't bother with rotating passwords on a website - if it's hacked, then I'm way more worried about my other personal details (name, DOB, social security number, etc.) being stolen than a one-site-use, loooonnnngggg, hard to guess/break password - I know which is more valuable (and which isn't normally stored securely/encrypted).

Depressing, isn't it :p

Spin-Man
February 28th, 2017, 05:09
As a manager at a pizza place, I had to change my password every two weeks and could never reuse a password, even years later. It was ridiculous. I also had to enter them every few minutes (approving discounts, sending drivers out, practically everything needed a manager password), so the goal was to make them fast and easy. The result was that I just used two or three keys so I could enter it in less than a second. poipoi changed to popopo, then oiuoiu, and so on. My favorite thing about transferring stores was that I could start the cycle over and use numbers again. Thankfully, I'm done dealing with that.

LindseyFan
February 28th, 2017, 06:45
Just curious, because I have never used a password manager, but couldn't someone just hack your password manager and get everything they need all in one handy place?
I honestly would like to know...

darrenan
February 28th, 2017, 07:01
I use two-factor auth (pw + yubi key) on my LastPass account. Anywhere you can possibly use two-factor auth, you should. Most email services have two-factor options, as does DropBox, Facebook, etc.

damned
February 28th, 2017, 07:23
Just curious, because I have never used a password manager, but couldn't someone just hack your password manager and get everything they need all in one handy place?
I honestly would like to know...

Yes. It could happen. Make a long unique password and maybe for good measure type it twice making it twice as long. And use 2fa.

dulux-oz
February 28th, 2017, 09:18
Just curious, because I have never used a password manager, but couldn't someone just hack your password manager and get everything they need all in one handy place?
I honestly would like to know...

As damned said, yes, it is possible. And what he suggests is also the best way to do things.

But the idea behind a Password Manager is that the only place where you use the über-long Pass-Phrase needed to unlock the "password safe" is on a computer you "own" (i.e. you trust) and that it never gets sent "over the wire" - so for someone to break it they would have to access your PC (or mobile phone, or whatever), then steal the password-safe, and then perform a brute-force attack on the über-long password and the encryption used to encrypt all the passwords stored within.

This is the electronic-equivalent of raiding your house to steal the wall safe out of the wall and then breaking open the safe - and notwithstanding the movie Fast & Furious Five, that's not easy to do.

It all comes down to "is it worth it" - is it worth it for a hacker to spend all that time and energy breaking into your "safe" for what's inside - and the answer is almost certainly "No".

Oh sure, if the American NSA wanted in they might - that's might - be able to crack it - although looking at all the reports about the police not being able to get into an iPhone (and the encryption on a Password Manager is often more secure than the encryption on an iPhone) I'm not so sure - but what are the chances of the NSA wanting to steal your passwords from you when they can steal them from a website and get oh-so-many more.

Most hackers (well over 90%) are little more than Script-Kiddies who don't really know what they're doing but who use a bunch of programs written by others to do their hacks. It's a bit like the difference between a punk gang-member, a trained soldier, and a special-ops member - all of them can use a gun but I know which order I'd put them in in terms of lethality :p