Incoming security update - make sure your email is current

Hi everyone,

There is a site security update we're about to roll out that will increase the strength of our session IDs.

This update will be run in the next day or two and we will announce a new site version once it is complete.

The update makes it much harder for attackers to simply guess valid session IDs, as we move from MD5 hashes written in hex, 4 bits per character (eg: 9e107d9d372bb6826bd81d3542a419d6), to SHA-512 hashes written in a 64-character alphabet, 6 bits per character (eg: UX8ScxaAoJI2i9WvhUSrHw6vVzJFkCZ3-4vsbiRmA,kylJ4C0DY5qT0T5sGmPX2Ixyiimn0Yn-,QKxVqIzE4T2).

These crazy-looking IDs are something you don't normally see, but they are stored in cookies that your browser receives and sends after you log in, as a way of identifying your valid login session.

The side effect of this change is that all currently logged in sessions will be reset, so you will need to log in again after we run the update.

As long as you know your password (or your browser knows it) then you just need to log in as per normal after the update and there should be no issues.

Please make sure your email address is valid and up to date as recorded in your Account Settings. This way, if you have any login issues, you can simply reset your password via the Forgot Password option on the Login Screen. This requires a valid email address connected to your account to work.

As the maximum session age is 1 month, all users have to log in at least every 4 weeks anyway, but we figured it's still best to give you all a heads-up!

If anyone has issues after the security update and can't log in, please email us at admin@inkbunny.net

Thanks

Inkbunny
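The move from hex-written MD5 to a 64-symbol SHA-512 encoding, as an added example that is not Inkbunny's code: the 64-symbol alphabet (the standard base64 letters and digits plus '-' and ',') is an assumption modelled on the sample ID in the post, and the 32-byte random seed is our choice. The contrast function at the end shows the caveat a practitioner would want here: guessing resistance comes from the randomness that is hashed, not from the width of the hash.

```python
import hashlib
import hmac
import secrets

# 64-symbol alphabet: standard base64 letters and digits, with '-' and ',' in the
# last two slots. ASSUMPTION modelled on the sample ID in the announcement, which
# contains both characters; Inkbunny's real encoder is not published.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "-,"
)


def encode6(data: bytes) -> str:
    """Write bytes as 6-bit symbols from ALPHABET, with no padding characters."""
    nbits = len(data) * 8
    nsym = (nbits + 5) // 6                                   # symbols needed to cover every bit
    value = int.from_bytes(data, "big") << (nsym * 6 - nbits)  # zero-fill the last group
    return "".join(ALPHABET[(value >> (6 * (nsym - 1 - i))) & 0x3F] for i in range(nsym))


def old_style_id(seed: bytes) -> str:
    """Old format: MD5 digest written as hex, 4 bits per character (32 chars)."""
    return hashlib.md5(seed).hexdigest()


def new_style_id(seed: bytes) -> str:
    """New format: SHA-512 digest written with encode6, 6 bits per character (86 chars)."""
    return encode6(hashlib.sha512(seed).digest())


def make_session_id() -> str:
    """Mint a fresh ID from 32 bytes of OS randomness, then hash and encode it.

    The unguessability comes from the random seed; the hash only fixes the
    output length and keeps the seed itself out of the cookie.
    """
    return new_style_id(secrets.token_bytes(32))


def predictable_id(user_id: int, login_ts: int) -> str:
    """Anti-pattern, constructed for contrast (not something the post describes):
    the result looks like the new format but is fully determined by public
    inputs, so anyone who knows the user id and roughly when they logged in can
    reproduce it. A wider hash does not help here."""
    return new_style_id(f"{user_id}:{login_ts}".encode())


def ids_match(presented: str, stored: str) -> bool:
    """Constant-time comparison for checking a presented cookie against the stored ID."""
    return hmac.compare_digest(presented.encode(), stored.encode())
```

Two IDs minted by make_session_id() are 86 characters long and never repeat in practice, while predictable_id() returns the same 86-character string for the same inputs every time. The hex example in the post is the textbook MD5 of "The quick brown fox jumps over the lazy dog", which old_style_id() reproduces.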
Viewed: 347 times
Added: 5 years, 6 months ago
Site News Item: yes
 
Catwheezle
5 years, 6 months ago
Thanks for looking after us. I really appreciate the work you put into keeping us safe, and I'm sure I'm far from the only one :)
Alfador
5 years, 6 months ago
Awesome!! =^_^= *huggles*
garuru
5 years, 6 months ago
Allrighty !
LupineAssassin
5 years, 6 months ago
Thanks!
kenji321
5 years, 6 months ago
I welcome this change.  Thanks for the information.
MaDrow
5 years, 6 months ago
In b4 new server needed due to the huge increase in system resource use thanks to the hashing |=(;3
starling
5 years, 6 months ago
Haha well at 0.33 of 8 cores under load on average, we have room to grow. :D

The hashing for session IDs is done only when the ID is created, so that's probably only a few per minute.
zakdavis
5 years, 6 months ago
The countdown timer is nice because it tells me exactly how much time till the update. Thanx IB
starling
5 years, 6 months ago
It's one of those features I always wished sites like ours had. :3
Tycloud
5 years, 6 months ago
And you still did not include an optional birthday icon for the users!
fluffdance
5 years, 6 months ago
Is it possible to embed this hash key into the browser to prevent primary login hijack susceptibility?
Skash
5 years, 6 months ago
Well, a more secure way of reducing hijacking would be to have the development team whip up a program that generates a PGP key through a random hash and stores it on your computer, and have the browser app only turn on when you visit IB's secure site; then it will post the PGP key with other data to log in and in return listen for a token that it stores.

But when it comes to the I.P. lock-in on the website, I would suggest you use it if you feel you need to add security. I myself have my account locked so that only a small percentage of Australians can log in, locking out 90% (or more) of the internet.

There are many ways to increase security, but at the end of the day there needs to be a good balance between simplicity, maintenance, expandability and a user-friendly interface.

If it all goes wrong, then it can be just as bad as EA's DRM coupled with Trymedia and Sony's copy protection along with Steam; splash on a 3rd-party randomly generated code from your mobile and you've got a clusterfuck that needs a manual just to log in, and on TOP of that would be a 10-minute session timeout.

Imagine someone doing damage if that was done, let alone them trying to figure out how to enter their victim's password without needing 2 hours reading up on the security they installed lol.

But all in all, Inkbunny, I see that you have security under control.
That leaves me to assume the answer to "do you save passwords as plain text?" to be a solid "FUCK NO!"
starling
5 years, 6 months ago
We use individually salted sha512 hashes for the passwords. :P

We could offer those browser embedded certificates per user, but they are a lot of pain for the user to install. It's going a bit far I think. xD As you say, IP restriction cuts down the chances of a direct account session attack succeeding to pretty much zero.
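What "individually salted sha512" buys, as an added example rather than Inkbunny's code; the 16-byte salt, the salt||password order and the record layout are assumptions, since the comment gives only the hash and the fact that salts are per user.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# ASSUMPTIONS: a 16-byte random salt per account, digest = sha512(salt || password).
# Inkbunny only says "individually salted sha512"; the exact layout is not published.
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh salt is drawn for every new record."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def digests_collide(password: str, per_user_salt: bool) -> bool:
    """Two accounts share the same password. With a salt per account the stored
    digests differ; without one they are identical, so a single cracked guess
    opens both accounts and one precomputed table covers the whole user base."""
    if per_user_salt:
        _, d1 = hash_password(password)
        _, d2 = hash_password(password)
    else:
        d1 = hashlib.sha512(password.encode("utf-8")).digest()
        d2 = hashlib.sha512(password.encode("utf-8")).digest()
    return d1 == d2


def slow_hash_password(password: str, salt: Optional[bytes] = None,
                       iterations: int = 600_000) -> tuple:
    """Same salting idea with a deliberately slow KDF (PBKDF2-HMAC-SHA512).
    This is what a salted fast hash lacks: each guess costs the attacker
    `iterations` hashes instead of one. Added as the practitioner's caveat,
    not something the comment describes."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
```

A per-user salt defeats precomputed tables and stops an attacker from spotting reused passwords across accounts, but it does nothing about how cheap each guess is; that is the job of the slow KDF in slow_hash_password(), which is what one would reach for today.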
starling
5 years, 6 months ago
I'm not sure what you mean by primary login hijack susceptibility! :O
fluffdance
5 years, 6 months ago
Upon initial login, the hash can (at least in theory) be intercepted, even if it, itself, is encrypted.  This was a tactic used a few years ago to Root FA.  It's more a concern for admins than general users, but a colleague of mine is an exceptional hacker (and also our security director at the datacenter!), and she's been able to do some outright incredible stuff.

I had forgotten, however, that you guys provide IP white-listing.  Marginally annoying while on the road, but nothing a quick VNC can't fix.  ;-)
starling
5 years, 6 months ago
The hash is sent inside an encrypted tunnel just like all other page data on IB, thanks to SSL. :P

The reason FA was bent over that way years ago was because they didn't use SSL.

IB admin/mod accounts have IP range locking so I could actually give everyone here my current session ID and no one could use it. :3

Edit: Sorry I'm half asleep I realise you said most of this already xD
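The per-request check behind the IP range locking starling describes, as an added sketch that is not Inkbunny's code; the CIDR list format, the session store shape and the sample addresses are constructed for the example. The point of the comment, that a leaked session ID is useless from outside the bound range, is what validate_request() enforces.

```python
import ipaddress


def session_allowed(allowed_ranges, client_ip: str) -> bool:
    """Accept a presented session only if the client address falls inside one of
    the CIDR ranges bound to it. An empty list means the account has no lock.

    allowed_ranges: list of CIDR strings such as "203.0.113.0/24" (assumed format).
    client_ip:      the address the request arrived from, as a string.
    """
    if not allowed_ranges:
        return True
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # malformed address: refuse rather than guess
    # A v4 client behind a dual-stack front end can show up as ::ffff:a.b.c.d;
    # unmap it so IPv4 ranges still match.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for cidr in allowed_ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # skip a bad entry rather than fail open
        if addr.version == net.version and addr in net:
            return True
    return False


def validate_request(sessions: dict, presented_id: str, client_ip: str):
    """Look up the cookie value and apply the range lock. Returns the user name
    or None. `sessions` maps session id -> (user, allowed_ranges); a constructed
    in-memory store standing in for the real one."""
    entry = sessions.get(presented_id)
    if entry is None:
        return None
    user, ranges = entry
    return user if session_allowed(ranges, client_ip) else None
```

With the lock in place, handing out a live session ID only helps an attacker who can also originate traffic from inside the bound range; the ID itself is still worth protecting, since the range is the second factor, not the first.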
fluffdance
5 years, 6 months ago
Haha, no worries, I'm in much the same state myself.

And ah!  I was gonna ask if you guys were using HSTS!

I would dispute needing physical access to the network, as I've seen it done without, but it's so far beyond my tiny little brain that I'm not even going to try.  XD

Awesome to know you guys are so security-oriented, though!
starling
5 years, 6 months ago
There are a bunch of attacks that can intercept the request to an SSL encrypted page and then fake an unencrypted version back to the end user, tricking them into typing their password etc. into an unencrypted page if they aren't paying attention. To do this you need physical access to the target's network (or an open wireless connection they are using, etc) and even then it only works on old routers. But we mitigate against that too by using https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Sec...
Skash
5 years, 6 months ago
and on that note, I'm off to update my DSL Router's firmware, Tata
Skash
5 years, 6 months ago
Funny how this website, which earns less than a small credit union, has more security in mind than the top banks in Australia, and many banks across the globe, and you have been established for just a few years, compared to over 100 years.

Kinda makes me want to setup a bank account here lol
starling
5 years, 6 months ago
Haha, the First Bank of Inkbunny!
HashTagHeel24
5 years, 6 months ago
Just so you know Firefox users can't log in. Tried everything and nothing worked using IE. Sucks as it's my preferred browser. Oh well it was a good run.