
CvBrony


CvBrony here, you can call me Cv ("cee vee"). My wife poked me hard enough to try the show, and a bit later, here I am. Now with Patreon!


IMPORTANT! Patreon has had their database compromised! · 10:28pm Oct 2nd, 2015

Hi all.

Guess what? I'm sick! Yeah, not much writing the last few days. Brain has been utter mush.

Oh, and Patreon has been hacked. Yup, hacked big time. Follow me below the break for details.



According to Ars, Patreon has been uber-hacked. Like, completely compromised. This is important enough that I'm typing on the laptop despite the pain to get it all out to you sooner. Sad to say, hacks like this are just a fact of life these days. With most companies, I bet it's only a matter of time.

That being said, this particular hack is so extensive they even managed to pull the source code for their software and website, along with every bit of user information. Now, the good news is that the sensitive stuff is encrypted using bcrypt, which is a very strong encryption algorithm that, IF it was implemented correctly, will make trying to get your password very difficult and time-consuming. All the same, CHANGE YOUR PASSWORD! Since the hackers got the source code, a single mistake could render the encryption effectively useless. So, CHANGE YOUR PASSWORD RIGHT NOW!

Also, if you use the same password for Patreon as for other sites, CHANGE ALL OF YOUR PASSWORDS! Yes, I know it'll be a pain, but not using unique passwords means it only takes one site to be compromised to own you completely.

"But Cv, I can't remember all those passwords!" you say. Don't worry, Cv has your back.

There's a bunch of Password Managers out there these days. With them, you only need to know the password to your computer and to the manager. Everything else, the manager takes care of. It can make all your passwords look like this:

dng9baHNFyGFDNMJ3scBXLk.pkTHUY6mCCrFxHrovpT}eggLdr

And you don't even have to remember them yourself. A unique, random password for each website, managed securely, with browser plugins and mobile apps to make it all as painless as possible. Doing it this way is much easier and vastly more secure than writing them down somewhere or reusing passwords or -ugh- writing them in an unprotected text file on your computer. I highly, highly recommend using these things, guys. There's a bunch, but here's a few I recommend.

LastPass - A web-based service that's free for basic functions and has a subscription for "premium" features. Well implemented stuff, highly recommended.

1Password - If you use a Mac or an iOS device, this is a great one. It even has great TouchID support for iPhone 5S or later. It's available on Windows too, but not quite as slick. Unlike LastPass, this one does cost money up front outside of the demo - but it's a one-time fee rather than a subscription. If a subscription leaves a sour note on your tongue like it does mine, get 1Password. It can sync by placing a heavily-encrypted database in either your Dropbox or iCloud Drive, which I really like. Means you're protected with either Dropbox's or Apple's security rather than relying on a smaller company, and both Dropbox and Apple have pretty darn good reputations when it comes to security. This is the one I personally use.

Dashlane - I've heard this one mentioned around, and I hear it's a solid implementation. To sync your passwords across devices seems to require a $40/year subscription, though.

Note, I'm not being paid for this. I'm just trying to promote better security practices.

Now, get over to Patreon and CHANGE YOUR PASSWORD!

Back to Rites news, I'm feeling a bit better today, so hopefully I'll be able to continue writing tonight. Again, you guys are all freaking awesome for sticking with me. I'm still mulling over a switch to monthly payments on Patreon. Will get back to you guys on that when I make my decision.

-Cv

Comments ( 20 )

I'm kind of surprised it took this long, with Patreon getting so popular, I knew it was only a matter of time. This sucks, luckily I don't have a Patreon account or I would be pissed.

My personal password manager is KeePass, as it's free, open source and uses password-protected flat files that you can sync with any of a dozen other methods rather than being roped into paying for a service that's overpriced for what it is, and just going to attract attacks anyway. That said, it's not the most friendly of programs, so your mileage may vary.

Doing it this way is much easier and vastly more secure than writing them down somewhere

I don't know, I don't do this, but it does seem like paper is unhackable, unlike pretty much any digital solution, changing the point of failure from someone breaking online security to someone breaking into your house. I suspect most people trying for large scale identity theft will be doing the former rather than the latter.

The key would be to put it someplace both handy and private, I suppose.

I tried using LastPass but it was basically useless. I managed to get it to work, reluctantly, on exactly one site. Then the site changed its backing code and LastPass stopped working.

It didn't do anything for all the Steam passwords and Origin passwords and one-off MMO passwords. Or system passwords for my laptop and desktop and virtual machines and... etc.

Mostly I've been relying on just doing password recovery every single time I need to access any site that I don't visit daily. :ajsleepy:

3438077 That's a shame. Hopefully they've improved since then. 1Password has been extremely useful for me, and works great on my Mac.

3437789

KeePass also has clients for every remotely major platform (Windows Mobile 6.0 to BSD and many more...). It's not overly difficult to have the encrypted (recommended) key database synced via Dropbox or another cloud provider either. :twilightsmile:

If I wasn't utilising BlackBerry's mono-platform "Password Keeper", this is what I'd be using. I've looked at it in the past, but didn't have much need until recently...

Strangely enough, I find this to be funny.

I use a very secure method to keep track of my passwords. It's un-hackable. It's a notebook. :facehoof:

Just to be pedantic, bcrypt is a hash algorithm, not encryption.

I prefer the old school "Make a four word sentence that's easy to remember," way of doing passwords. I don't have anything recorded, it's all in my head.

3438669
That kind of password is easily broken by dictionary attack. Avoid dates and names for the same reason.

On the original subject, personally I would recommend PasswordMaker Pro. Works practically anywhere (by website interface, and stand alone programs and browser plugins for a dozen or so platforms), no third-party data store (that's a horrible security flaw on its own: LastPass has been compromised twice, and several of its competitors have been compromised as well), completely free, open source implementation, highly configurable.

3438811 Those rely on real words and people not using slang. Just throw a Whozamahazle in there and you're all set.

3438811
If the words chosen to form the “sentence” are random (and a mnemonic then made around them rather than a sentence being constructed out of whole cloth) then a dictionary attack isn’t enough to overcome the additional length.

3437789
I also use KeePass myself. There's an open source plugin to Firefox called KeeFox that integrates pretty much like LastPass, that I use at work. There's also a really good Android app called Keepass2Android.

3438031
Using KeePass, I could store either the password database or the key file that unlocks the database on a USB flash drive. This way, it is physically safe as well.

3438811

That kind of password is easily broken by dictionary attack. Avoid dates and names for the same reason.

Not really true. If you make a password using, say, an effectively random selection of four of the two thousand most common English words, you are essentially making a password four characters long using a two thousand word ‘alphabet,’ which is actually of a similar level of security to longer strings of completely random characters using a much smaller alphabet. I still recommend the password manager approach with 16-ish character random passwords, but the XKCD method has good math behind it.
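Added example, not part of the original post or comments: the arithmetic behind the passphrase discussion above, in Python. It computes the entropy of words drawn at random from a list, finds the random-character password length with an equivalent search space, and generates both kinds of secret with the OS CSPRNG. The function names and the 16-word `SAMPLE_WORDS` list are constructed for illustration; a real word list would hold about 2,000 entries.

```python
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 printable ASCII symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def equivalent_length(alphabet_size, length, other_size):
    """Fewest symbols from an alphabet of `other_size` whose search space
    is at least alphabet_size ** length (exact integer arithmetic)."""
    target = alphabet_size ** length
    n, space = 0, 1
    while space < target:
        space *= other_size
        n += 1
    return n

def random_passphrase(wordlist, count=4, sep=" "):
    """Pick words with the OS CSPRNG. The entropy figure only holds for
    uniform random choice, not for a sentence a person makes up."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the real search space")
    return sep.join(secrets.choice(wordlist) for _ in range(count))

def random_password(length=16, alphabet=PRINTABLE):
    """Random password of the kind a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed stand-in list (16 words = 4 bits per word), for demonstration only.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "tiger", "lamp", "green",
                "paper", "ocean", "brick", "music", "chair", "frost", "wheel",
                "candle", "maple"]

if __name__ == "__main__":
    print("4 words from 2000:  %.1f bits" % entropy_bits(2000, 4))
    print("16 printable chars: %.1f bits" % entropy_bits(len(PRINTABLE), 16))
    print("chars matching 4 words:  ", equivalent_length(2000, 4, len(PRINTABLE)))
    print("words matching 16 chars: ", equivalent_length(len(PRINTABLE), 16, 2000))
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
    print("sample password:  ", random_password())
```

Four random words from a 2,000-word list come to about 43.9 bits, the same search space as 7 random printable-ASCII characters; matching a 16-character random password takes 10 such words.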

3438031 If you're really smart, you could even encrypt it by hand with a simple cypher, one simple enough to do in your head if you know the rule. Then if any average robber decided it looked important and swiped it the vast majority wouldn't be able to read it.

3439816

If you want it written down, forget about simple cyphers. Those provide a laughable amount of security (there are really only two kinds of encryption: stuff that is proof against your little brother, and stuff that is proof against national governments). If you really want a piece of paper, get a PasswordCard. Now all you have to remember is a starting point (row number or color and a symbol from along the top, e.g. "yellow sun symbol (☉)"), a direction, and a length. You can use the same direction and length everywhere and just change the starting point for each website. This still cuts down on the security a lot if an attacker gets the card, but not nearly as much as a hand-workable cipher. Well, a really good hand-workable cipher like VIC might be better, but I wouldn't count those as "simple".

3440620 Well the point of the cypher I'm talking about is really so that if you leave it lying around nobody will read it. How many people do you know who can decode a substitution cypher in their head, or heck, even recognize one? If any big group like the CIA or something really wanted your data, they'd probably just find a way around the password. Or even just make the website release it.

3438811
While LastPass has been compromised before, they only got the encrypted password files, so as long as you have a good master password, getting the encrypted passwords doesn't do much because they can't unencrypt them. LastPass themselves never store your master password on their servers, so they won't be able to get them by hacking the site. LastPass is also free and I have used it with Chrome for a couple of years and almost never had a problem. The only issue I have had is the auto-form fill sometimes not getting a credit card's expiration date in because they used weirdly formatted drop boxes to enter them. Their mobile app isn't as good with the auto-fill stuff unless you use its built-in browser, which I don't like as much as the built-in Chrome on my Android, but it is still possible to use copy-paste to put in the username and password, although then you have to make sure to clear your clipboard history. Not perfect but not bad enough for me to switch just because of that.

3440845

Most of the people that I know, actually (not sure about in their head, but that's why we invented writing). But I'll admit that I'm atypical in that regard. I'll also admit that they'd have a hard time with a password. Multiple passwords would be easier, assuming they can make good guesses as to websites/account names to test possible passwords against (unless you used a completely different key for each one, in which case you probably don't need to be writing down passwords).
