AppleMiner wrote:
When I went to the AUTHY site, it seems they only have 2FA for certain websites.
When I typed in prohashing it did not show that it knew what it was.

Incorrect, they provide Authy as a 2FA client, and also as a service for websites to integrate 2FA easily.
Perhaps you can add and scan in the code key into that program; if not, I'd just grab the Google Authenticator and use that.
Policy changes coming this weekend
Forum rules
The News forum is only for updates about the Prohashing pool.
Replies to posts in this forum should be related to the news being announced. If you need support on another issue, please post in the forum related to that topic or seek one of the official support options listed in the top right corner of the forums page or on prohashing.com/about.
For the full list of PROHASHING forums rules, please visit https://prohashing.com/help/prohashing- ... rms-forums.
Re: Policy changes coming this weekend
This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?
Also, are people really being that dumb about their login security that there's THAT many violated accounts???
Re: Policy changes coming this weekend
Ewil wrote:
This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?
Also, are people really being that dumb about their login security that there's THAT many violated accounts???

There actually were a few waves of compromised accounts, probably before your time as a member here.
Authy has desktop software, although obviously that option isn't as secure. What about a tablet? No internet connection is needed for Authy 2FA codes. Also, it may be an option for the bros to look into adding text message two-factor auth, but again, this option is less secure.
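The point that the codes need no internet connection, shown as an added example (my code, not from the thread, Authy or Google Authenticator): an RFC 6238 TOTP code depends only on the shared secret and the clock, so this small implementation, checked against the RFC's published test secret, produces the same code on the phone and on the server with no network traffic.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: the counter is just the clock divided into 30 s steps,
    so the phone and the server agree without any network traffic."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify(secret, code, at, window=1, step=30):
    """Server-side check: accept the current step plus `window` neighbours on
    each side so a slightly drifted phone clock still works; compare with
    hmac.compare_digest rather than == to avoid a timing side channel."""
    candidates = (totp(secret, at + k * step, step) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


# Constructed demo: the RFC 6238 reference secret (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))                               # RFC test vector
    print(verify(DEMO_SECRET, totp(DEMO_SECRET, 59), 59 + 30))  # one step of drift
```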
Re: Policy changes coming this weekend
If someone uses the same passwords on several services in the crypto world, you can expect to get buttf*cked sooner or later. Keep your email safe, and never have the same password in two places, especially not the same as your email!! Another tip is to use different usernames; it makes it harder to track the same individual down on different platforms.
Well yes, please add SMS verification. I'm not going to download extra software to put on my phone; I do not trust or want third parties involved.
Running rigs: KNC Titan, Antminer D3 & L3+'s
Re: Policy changes coming this weekend
I got 3 different accounts, as I use a different one for each type of miner (to be able to keep clean statistics on earnings).
Not stating much, but I can imagine people using more than 5 for the same reason.. just saying, to weaken your statement "There doesn't seem to be any legitimate reason why one address would need to log into so many accounts." a bit..
- Steve Sokolowski
- Posts: 4585
- Joined: Wed Aug 27, 2014 3:27 pm
- Location: State College, PA
Re: Policy changes coming this weekend
Ewil wrote:
This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?
Also, are people really being that dumb about their login security that there's THAT many violated accounts???

There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.
This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.
I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.
Re: Policy changes coming this weekend
Steve Sokolowski wrote:
There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.
This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.
I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.

Hmm. I had a similar thing I dealt with when I used to host game servers & associated forums. The biggest problem ended up being that people would have their login information the same as their display information - easily 'mined' at that point for brute force attempts.
At one point I ended up having to actually ban all IP access from China, India and Iran - it cut the attacker volume by almost 90% (but this was before common VPNs, lol).
I guess I shouldn't be surprised. The largest data breach in history showed that something like 12% of their users had "password123" as their password.
Re: Policy changes coming this weekend
It's because users have passwords like that in the first place. Require users to make a "hard" password: at least 1 letter, at least 1 number, at least 1 lower case, at least one upper case, and at least one sign like ¤ or &. Make the password 8-12 characters long. Keep the limit per day low, and ban the IP for 24h. Repeated offenders, perma ban.
Running rigs: KNC Titan, Antminer D3 & L3+'s
- Steve Sokolowski
- Posts: 4585
- Joined: Wed Aug 27, 2014 3:27 pm
- Location: State College, PA
Re: Policy changes coming this weekend
Ewil wrote:
Hmm. I had a similar thing I dealt with when I used to host game servers & associated forums. The biggest problem ended up being that people would have their login information the same as their display information - easily 'mined' at that point for brute force attempts.
At one point I ended up having to actually ban all IP access from China, India and Iran - it cut the attacker volume by almost 90% (but this was before common VPNs, lol).
I guess I shouldn't be surprised. The largest data breach in history showed that something like 12% of their users had "password123" as their password.

I just figured it out. A user posted why there have been so many attacks in this thread: viewtopic.php?f=5&t=2369
The number of attacks was about 120,000 on October 19 (probably because the hacking software was finished halfway through the day), 260,000 on October 20, and similar numbers on October 21. On October 22, "prevent Tor access" was enabled and cut the number of attacks.
But on October 18, there were just 327 attacks. The criminals must have bought the database from the thieves, and then rushed to write software to use this database before their Tor access was going to be cut off by the new release.
The reason there were so many people who got money stolen is obviously because they used the same password in their Bitmain accounts as they did here. This is extremely frustrating. I don't know how many times I can repeat that there are no circumstances where you should ever use the same password as you do on another site.
Re: Policy changes coming this weekend
Steve Sokolowski wrote:
There will be a few policy changes coming this weekend, which will affect a large number of customers.
First, attempting to log into more than five accounts with invalid passwords will result in a permanent ban for that IP address. There doesn't seem to be any legitimate reason why one address would need to log into so many accounts. Even if you mistype your username, that would only result in two invalid account logins. The existing limit of 25 login attempts per day for any single account will also remain active.

Steve, as someone with almost 20 years working in Infosec, I'd like to warn you that this sort of approach can be a bad idea if you aren't careful in the way you implement and manage the ban. It depends on the timespan over which you intend to measure the 5 failed logins, but with a large user community behind a NAT you could easily have 5 legitimate account login failures in a few hours, certainly in less than 24.
You can run into problems with universities, corporate networks, hosting environments, cloud services, VPNs and any other reasonably large community that sits behind a NAT address, so if you really need to implement some kind of control, I suggest you keep the 5 login attempt count window down to 2 minutes or less and implement a rate limiting algorithm (i.e. don't ban it permanently): start with a 5 minute ban, then 10, etc.
If the failed attempts stop for another arbitrary period (say 30 minutes) then have a timeout for the ban, just like an account lockout. You don't want to be forced to manually undo the ban when you can automate it.
Using IP addresses to make security decisions comes with some major issues. Plenty of organisations and companies will give or sell you IP blacklists and services, but the value of them is entirely dependent on how they re-validate and age that data. Most don't, and the lists are therefore useless over the long term: they just keep getting bigger and bigger as more IP addresses are added, and less and less accurate at the same time, as the older entries are no longer hostile.
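The escalating, self-expiring ban described in this post, written out as an added example (my code, not Prohashing's). It assumes a 120 s counting window, trips on 10 failures or on Steve's five-distinct-accounts rule, starts with a 5 minute ban that doubles on each repeat (the post only says "then 10, etc."), and forgets the escalation after 30 quiet minutes.

```python
import time
from collections import defaultdict, deque

# Assumed parameters (mine, not the pool's): a short 120 s counting window,
# a trip at 10 failures or 5 distinct accounts, a first ban of 5 minutes that
# doubles on each repeat, and escalation forgotten after 30 quiet minutes.
WINDOW = 120
FAIL_THRESHOLD = 10
ACCOUNT_THRESHOLD = 5
BASE_BAN = 300
QUIET_RESET = 1800


class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> deque of (time, account)
        self.banned_until = {}              # ip -> unix time the ban expires
        self.strikes = defaultdict(int)     # ip -> number of bans so far
        self.last_failure = {}              # ip -> time of most recent failure

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0][0] > WINDOW:
            q.popleft()                     # failures outside the window no longer count

    def is_banned(self, ip, now=None):
        now = time.time() if now is None else now
        return self.banned_until.get(ip, 0) > now   # bans expire on their own

    def record_failure(self, ip, account, now=None):
        """Register one failed login from ip against account.
        Returns the ban length in seconds, or 0 if no ban was triggered."""
        now = time.time() if now is None else now
        if now - self.last_failure.get(ip, now) > QUIET_RESET:
            self.strikes[ip] = 0            # long quiet period: forget escalation
        self.last_failure[ip] = now
        self._prune(ip, now)
        q = self.failures[ip]
        q.append((now, account))
        distinct = len({a for _, a in q})
        # Both the raw failure count and the "many different accounts" rule are
        # judged over the short window, so a shared NAT address is not tripped
        # by a whole day's worth of ordinary typos.
        if len(q) < FAIL_THRESHOLD and distinct < ACCOUNT_THRESHOLD:
            return 0
        ban = BASE_BAN * 2 ** self.strikes[ip]  # 5, 10, 20 ... minutes, never permanent
        self.strikes[ip] += 1
        self.banned_until[ip] = now + ban
        q.clear()
        return ban
```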