
Announcement Reminder: Account/Password Security Best Practices

XenFacil.com

Administrator
Recently, we have received several reports of XenForo sites that have been compromised. On investigation, all the evidence points to password reuse as the main problem.

This investigation has revealed that a small number of XenForo.com users have account credentials that are known to a third party. We are reviewing these accounts and contacting their owners directly.

To be clear, we have no evidence of any compromise of XenForo.com or of an exploit in XenForo itself. This announcement is mainly intended as a reminder of best practices for keeping your account secure. This applies not only to your accounts on this site but, very importantly, to your accounts on your own site and on others.

Avoid password reuse

These days, many account compromises happen through password reuse. Billions of user records have been compromised on a variety of sites and this data is available to anyone who wants to go looking for it. In many of these cases, it's possible to look up a user by username or email and find their plain text password. To give you an idea of the extent of compromised data, try looking up your email on Have I Been Pwned?. If you reuse a password from a compromised site, your account is not secure. Ideally, you would use a unique password on each site.

Use a strong password

Coming up with passwords is hard. If you're choosing your own password, chances are it's not going to be that strong. There are techniques to help you generate stronger passwords, but unfortunately, many memorable passwords are simply not strong enough to hold up to password cracking tools (such as would be used when someone downloads a compromised database). Wikipedia has an extensive page discussing password strength: Password strength - Wikipedia (https://en.wikipedia.org/wiki/Password_strength)

The strongest passwords are literally random strings. As these are far from memorable, you will need a tool to store (and generate) these passwords. These are known as password managers. With them, you choose one (very strong) master password and then have it generate unique passwords for every site. This means each site only receives a strong password that is unique to it, solving both the strength and reuse issues.

There are a variety of password managers to choose from. A few include:

Enable Two-Step Verification

Whenever you have the option, you should enable two-step verification (also known as two-factor authentication). Should your password ever be compromised (either through a compromised site or something like a keylogger), two-step verification can help keep an attacker from logging into your account.

If possible, you should do two-step verification through your phone using an app such as Authy (or some other hardware-based method). This would generally require an attacker to physically have your phone/your token to complete the two-step verification. Other methods (such as email verification) provide some benefit but are not as safe as using a separate device for verification.

Enforce Protection of High Value Accounts

Your accounts on different sites may have varying levels of "importance" based on the information they protect. You should be absolutely sure that you are taking as many steps as possible to protect high value accounts. Generally speaking, this would include any email account (as password reset mechanisms mean email accounts are master keys) and financial accounts (banks, PayPal, etc).

More specifically though, as forum owners, this includes accounts of your admins, moderators and other staff. These users may have access to functionality that can compromise other users/the entire site or remove whole swathes of data. If they are compromised, you may need to restore from a backup to fully recover. While forcing others to not reuse passwords is difficult, we strongly recommend that you require your forum staff to enable two-step verification on their accounts. This helps mitigate any accidental password reuse issues.



By taking as many of these steps as possible, you will significantly increase the security of your accounts across the internet.
