A call for action with regards to security

The actual head vBulletin site was hacked and it so happen that the moderator used the same pass on vBulletin as MR.

Xenforo FTW.

 

I don't think two step authentication is all that necessary for a site like Macrumors. If your user account is compromised, there's really nothing anyone can do with it other than post as you.

 

What are they gonna do with my MacRumors username and password? Troll people under my username? I do that already. And I've changed my password. So basically, until next time, there is nothing to worry about.

That is, unless, you're a muppet and you've used the same password that you use to access your online banking or amazon account or apple account. But that isn't a problem for MacRumors. That is a problem for you. And your stupidity.

 

What they'll do is use a bot to troll any other sites for your username. Once they find another site with the same username they will try your password, and if that doesn't work, then guess at it using info from the compromised forum info and/or brute force it. They will then use it to gain access and attempt to glean more and more info about you, until they can get into things that will hurt you.
That is why they do what they do, not to gain access to a forum so they can post as you.

Where I work, some guy was using our webmail admin tools to reset the passwords of women's Facebook/photobucket or whatever accounts so he could look at their private pictures and dirty secrets. All you need is one account to lead you to others.

 

Hey now, don't be making fun of Muppets. We're a bright bunch of stuff.

 

The simple fact that no forum I visit currently does this makes me a bit wary of it. Yeah, sure for banking or educational accounts, sure, force the password to be reset. But for a forum? Not so much. The worst someone could do with my MR username and password is troll so much they get me banned. It's not a high security thing, its a forum... people talk. Thats pretty much it.

 

This is nothing..Be glad the info wasn't stored in plain text like Cupid Media did in January when 40 million were hacked. IN plain text format.

"An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity."

http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/

 

So is does he serve a "boyfriend" while completing a sentence for a couple years now?

 

What!? Personal responsibility!? How can you ask such a thing of us!

 

I can kind of see optional 2nd authentication and better encryption of passwords but beyond that what does someone gain by getting into my account? Keep these sites simple and don't reuse passwords. My bank on the other hand should be doing all that if not more.

 

Easy now, common sense like this is not welcome here.....

 

Is it possible to add fingerprint verification?
I'd also like a voice verification, along with texts exchange on my phone in order to log in.

You could also avoid storing passwords and opening dedicated offices for users to log in. The process would require the user to provide personal documents to the "logger", and a fee that would be returned when logging out.

 

retina verification.