A Password Policy Update

#1 by yorhel
2019-05-17 at 12:32
In the past I've always had a "the security of VNDB is my responsibility, the security of your account is yours" mentality regarding password policies, but that hasn't worked out too well lately. People re-use passwords across sites even while knowing it's a bad idea. Many sites have had database breaches over the past decade and many of these databases are now widely available to anyone who's interested. As a result there have been quite a few attempts to use these databases to take over VNDB accounts and, rather annoyingly, some of these attempts have been successful (annoying for me, that is, in that it increases my support load :P).

So I've now added a simple password policy check: If your password is in a public database, it's not secure and you should change it! In practice this means the following:

- Weak passwords will not be allowed when you register a new account or change the password of your existing account.
- If you try to log in to your account and it turns out that you have a weak password, you'll be forced to change it before you can continue.
- You won't be able to use the API with a weak password.

Additionally, I've relaxed the password restrictions a bit. Previously passwords had to be ASCII and at most 64 characters, now you can use Unicode and up to 500 characters.


Has VNDB been breached?
To my knowledge, no. But good hackers are stealthy, so who knows...

How do you determine if a password has been leaked?
I compiled a little database based on publicly available leaks. It currently includes the CrackStation "Human Passwords Only" list and the infamous 41 GiB "Breach Compilation".

I will likely update this list in the future, so even if your password isn't included now, that doesn't necessarily mean your account will be safe forever.

How do I check if my password is listed?
In the main menu, open "My Profile", and insert your current password in all three "Change Password" fields. If you don't get an error, you're fine. Note: This will cause your other sessions to be logged out. As an alternative, you can open a private browsing window and log in to your account. If that works, you're fine.

What about supporting 2FA?
Feels overkill for an animu porn site, to be honest. But if there's enough demand I can consider adding support for it.

I'm sure seeing security announcements on each and every site you visit gets tiring after a while. Such is life. I'm sorry.
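The policy described in #1 (reject leaked passwords on registration and password change, force a change on login, deny API use, allow Unicode up to 500 characters) as an added illustration that is not VNDB's own code: a constructed sample stands in for the compiled leak lists, and the SHA-256 digest index, NFC normalisation and function names are assumptions made for this example.

```python
import bisect
import hashlib
import unicodedata

# Constructed stand-in for the compiled breach lists named in the post; not real leak data.
SAMPLE_LEAK = ["123456", "password", "qwerty", "letmein", "iloveyou", "café1234"]

MAX_LEN = 500  # relaxed upper bound from the post (Unicode allowed)


def normalize(password: str) -> str:
    """Unicode is allowed, so compare a canonical form: 'cafe' + U+0301 and 'café' must match."""
    return unicodedata.normalize("NFC", password)


def digest(password: str) -> bytes:
    # Index digests instead of cleartext so the leak list itself never sits in memory in clear.
    return hashlib.sha256(normalize(password).encode("utf-8")).digest()


def build_index(leaked):
    """Sorted digests: a 41 GiB compilation would be searched the same way from disk."""
    return sorted(digest(p) for p in leaked)


LEAK_INDEX = build_index(SAMPLE_LEAK)


def is_leaked(password: str, index=None) -> bool:
    index = LEAK_INDEX if index is None else index
    d = digest(password)
    i = bisect.bisect_left(index, d)
    return i < len(index) and index[i] == d


def validate_new_password(password: str):
    """Check applied on registration and password change; returns an error message or None."""
    if not password or len(normalize(password)) > MAX_LEN:
        return "password must be between 1 and 500 characters"
    if is_leaked(password):
        return "password appears in a public breach database; choose another one"
    return None


def login_decision(credentials_ok: bool, password: str, via_api: bool = False) -> str:
    """Outcome of a login once the credentials have been verified against the stored hash."""
    if not credentials_ok:
        return "denied"
    if is_leaked(password):
        return "api_denied" if via_api else "must_change_password"
    return "ok"
```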
#2 by truetakuma
2019-05-17 at 13:03
People, use a password manager (KeePassXC) or a password generator (Win) or (Linux) (PWGen) with a notepad.

You will have a random generated, strong password against brute force attacks in any website you use.

It's really that easy.

BTW, great news, Yorhel.
Last modified on 2019-05-17 at 13:38
#3 by harp
2019-05-17 at 13:45
Roger! I'll change my password even if it's somehow passable (which I doubt.)
Since I use this so extensively for keeping track of my VNs it would be a pain to lose access to my profile, even if it's just an animu porn site.
#4 by forever-here
2019-05-17 at 13:46
Isn't it overkill though for vndb to request stronger passwords? Even if this account is hacked, what are they gonna use it for? Forum trolling?

keeping track of my VNs

I guess that's one good reason.
Last modified on 2019-05-17 at 13:47
#5 by kiru
2019-05-17 at 13:53
Not sure how safe it is, but you can always vary your passwords based on the site. You can fairly easily remember that. For example, the first 4 characters are something you use on every site, the last 4 are specific to the site, based on what you do there or what the site is about.

Simple "check a list of passwords" attempts will fail with this method. Someone would actually need to start thinking to get your account. So maybe make an exception for anything involving money.
#6 by yorhel
2019-05-17 at 14:39
even if this account is hacked what are they gonna use it for?
There has been one case of vote manipulation using a hacked account (no clue why anyone would go through the trouble of doing that when you can just create a new account, but w/e).

but you can always vary your passwords based on the site
That's not a very good strategy. Your pattern will be visible if one or two sites have been breached. And surprisingly, yes, some kids seem to have too much time on their hands and actually take the effort to attack accounts of random nobodies. If you make it easy enough for a bored kid to figure out your password, you may be a target.

Take #2's advice.
#7 by bobjr2000
2019-05-22 at 02:40
I remember the Russia hack thing that happened a few years ago, and I'm proud to say they attempted but failed to hack my account, but alas, my password being on the short side, I was still forced to change it anyway across most sites :(

My advice is to write long stupid passwords on sticky notes and keep them in a desk. Short of some weird burglar breaking into the house, it usually works.
#8 by irx
2019-05-22 at 06:43
That's not a very good strategy. Your pattern will be visible if one or two sites have been breached.
Maybe, but imo it's ok for sites like vndb which can't really compromise any of the sensitive info in case of a breach. What's the alternative? You can't remember truly secure passwords for 100+ sites, and trusting them to some keeper doesn't seem like a good idea either. I personally only use strong unique passwords for ~2 dozen really important services, and have them stored in an encrypted hidden container with max security just in case. For the rest I use varieties of the same pass.
Last modified on 2019-05-22 at 06:44
#9 by ffthewinner
2019-05-22 at 11:54
That is a very nice idea admin! thanks :)

Also, don't undersell your site. It is far more than an "animu porn site", it is the definitive VN Quality Info site ;)
#10 by artumis
2019-06-24 at 04:06
#8 The other thing to keep in mind with this technique is that it doesn't need to be a blatantly observable password mechanic. So while having a "Base + Site" (1234VNDB) password might be super obvious, you can do more creative things like weaving the 'random' element into a password (1V2N3D4B), offsetting the characters (+1 1234WOEC), some other transform, or even (preferably) a combination. The only real requirement is that it's going to create a unique password that isn't weak, is easy to "remember", and doesn't need to be tracked by some 3rd party tool. It's also simple to add more secure passwords for more important sites, so even if your password gets stolen from Sony or some animu porn site, your email and such can use more secure, but similarly easy to remember, systems. You can get even more creative by using a hashing function to generate a "random" secure password ("VNDB" + SHA-256 = 9A489DEBF9DF3628BFF8B9B5DAE4C4121E346DCB67BBC266760D7FD1BEA9F1CA). Those might not be easy passwords to remember, but you can keep them easily accessible with a simple command line call, batch file, etc.