A Password Policy Update

Posted in

#1 by Yorhel
2019-05-17 at 12:32
< report >In the past I've always had a "the security of VNDB is my responsibility, the security of your account is yours" mentality regarding password policies, but that hasn't worked out too well lately. People re-use passwords across sites even while knowing it's a bad idea. Many sites have had database breaches over the past decade and many of these databases are now widely available to anyone who's interested. As a result there have been quite a few attempts to use these databases to take over VNDB accounts and, rather annoyingly, some of these attempts have been successful (annoying for me, that is, in that it increases my support load :P).

So I've now added a simple password policy check: If your password is in a public database, it's not secure and you should change it! In practice this means the following:

- Weak passwords will not be allowed when you register a new account or change the password of your existing account.
- If you try to log in to your account and it turns out that you have a weak password, you'll be forced to change it before you can continue.
- You won't be able to use the API with a weak password.

Additionally, I've relaxed the password restrictions a bit. Previously passwords had to be ASCII and at most 64 characters, now you can use Unicode and up to 500 characters.


Has VNDB been breached?
To my knowledge, no. But good hackers are stealthy, so who knows...

How do you determine if a password has been leaked?
I compiled a little database based on publically available leaks. It currently includes the CrackStation "Human Passwords Only" list and the infamous 41 GiB "Breach Compilation".

I will likely update this list in the future, so even if your password isn't included now, that doesn't necessarily mean your account will be safe forever.

How do I check if my password is listed?
In the main menu, open "My Profile", and insert your current password in all three "Change Password" fields. If you don't get an error, you're fine. Note: This will cause your other sessions to be logged out. As an alternative, you can open a private browsing window and log in to your account. If that works, you're fine.

What about supporting 2FA?
Feels overkill for an animu porn site, to be honest. But if there's enough demand I can consider adding support for it.

I'm sure seeing security announcements on each and every site you visit gets tiring after a while. Such is life. I'm sorry.Last modified on 1970-01-01 at 00:00
#2 by truetakuma
2019-05-17 at 13:03
< report >People, use a password manager(KeePassXC ) or a password generator (Win ) or (Linux) (PWGen) with a notepad.

You will have a random generated, strong password against brute force attacks in any website you use.

It's really that easy.

BTW, great news, Yorhel.Last modified on 2019-05-17 at 13:38
#3 by harp
2019-05-17 at 13:45
< report >Roger! I'll change my password even if it's somehow passable (which I doubt.)
Since I use this so extensively for keeping track of my VNs it would be a pain to lose access to my profile, even if it's just an animu porn site.
#4 by forever-here
2019-05-17 at 13:46
< report >Isn't it overkill though for vndb to request for stronger passwords? even if this account is hacked what are they gonna use it for? forum trolling?

keeping track of my VNs

I guess that's one good reason.Last modified on 2019-05-17 at 13:47
#5 by kiru
2019-05-17 at 13:53
< report >Not sure how save it is, but you can always vary your passwords based on the site. You can fairly easily remember that. For example, the first 4 characters are something you use on every site, the last 4 are specific to the site, based on what you do there or what the site is about.

Simple "check a list of passwords" attempts will fail with this method. Someone would actually need to start thinking to get your account. So maybe make an exception for anything involving money.
#6 by Yorhel
2019-05-17 at 14:39
< report >
even if this account is hacked what are they gonna use it for?
There has been one case of vote manipulation using a hacked account (no clue why anyone would go through the trouble of doing that when you can just create a new account, but w/e).

but you can always vary your passwords based on the site
That's not a very good strategy. Your pattern will be visible if one or two sites have been breached. And surprisingly, yes, some kids seem to have too much time on their hands and actually take the effort to attack accounts of random nobodies. If you make it easy enough for a bored kid to figure out your password, you may be a target.

Take #2's advice.Last modified on 1970-01-01 at 00:00
#7 by bobjr2000
2019-05-22 at 02:40
< report >I rem the russia hack thing that happen few years ago and proud to say they attempted but failed to hack my account but alas my password being on short side still was forced to change anyways across most sites :(

my advice is write long stupid passwords on sticky notes keep it in desk. Short of some weird burglar breaking in house usually works.
#8 by irx
2019-05-22 at 06:43
< report >
That's not a very good strategy. Your pattern will be visible if one or two sites have been breached.
Maybe, but imo it's ok for sites like vndb which can't really compromise any of the sensitive info in case of a breach. What's the alternative? You can't remember truly secure passwords for 100+ sites, and trusting them to some keeper doesn't seem like a good idea either. I personally only use strong unique passwords for ~2 dozens of really important services, and have them stored in the encrypted hidden container with max security just in case. For the rest I use varieties of the same pass.Last modified on 2019-05-22 at 06:44
#9 by ffthewinner
2019-05-22 at 11:54
< report >That is a very nice idea admin! thanks :)

also,dont undersell your site. it is far more than "animu porn site",it is the definitive VN Quality Info site ;)
#10 by artumis
2019-06-24 at 04:06
< report >#8 The other thing to keep in mind with this technique is that it doesn't need to be a blatantly observable password mechanic. So while having a "Base + Site" (1234VNDB) password might be super obvious, you can do more creative things like weaving the 'random' element into a password (1V2N3D4B), offset the characters (+1 1234WOEC), some other transform or even (preferably) a combination. The only real requirement is that it's going to create a unique password that isn't weak, is easy to "remember", and doesn't need to be tracked by some 3rd party tool. It's also simple to add more secure passwords for more important sites, so even if your password get's stolen from Sony or some animu porn site, your email and such can use more secure, but similarly easy to remember systems. You can get even more creative by using a hashing function to generate a "random" secure password ("VNDB" + SHA-256 = 9A489DEBF9DF3628BFF8B9B5DAE4C4121E346DCB67BBC266760D7FD1BEA9F1CA). Those might not be easy passwords to remember, but you can keep them easily accessible with a simple command line call, batch file, etc.
#11 by substanceof
2019-07-03 at 12:23
< report >Well, if you has been able to check passwords over public db, does it mean that vndb stores (or stored?) passwords in cleartext?
#12 by zakashi
2019-07-09 at 20:08
< report >I heard once that a 100 words password composed by the lyrics of some music is more secure than a 15 words password composed by random characters like "hBms¨&93!²³icDK.;^Ç.."

I think if you use characters of other alphabets like russian or japanese the password gets even stronger, probably unicode supports it.
#13 by artumis
2019-07-10 at 04:37
< report >#11 raises an interesting point that I rarely consider. VNDB is a https website, with the 's' in that standing for secure. When you log in, that password has to be transmitted "securely" (ideally at least) and a rudimentary check of the strength of the password might not be rife with exploitation, so long as the data isn't cached or easily visible while going through the process. Since this is something a user would be notified of at login or password creation, it does indicate that passwords are (seemingly) properly encrypted on the backend, and thus this kind of operation needs to be done when the password is submitted. The security of any such process is always up for debate, and that's the one of the primary reason users shouldn't reuse passwords, particularly across a large number of known or related websites. From a hacker/cracker standpoint, it's fairly easy to build a probability tree from known data and work up that tree until I find the data I want or realize the data isn't there. If a website keeps track of an email address, the password for the website and email should be entirely different, otherwise access to one grants access to the other.
#14 by ardanis
2019-07-17 at 23:29
< report >Oh, ffs, will this ever stop? I *get* that the password is weak/leaked, but if I decide that it's fine then it's fine and that's the end of it.
#15 by Mutsuki
2019-07-17 at 23:39
< report >#11, no, most likely the "weak" passwords reset have been found by taking the list of already leaked "weak" passwords from previous hacks, running them all through the password encryption and checking them. It's pretty much brute force decryption except the goal is just to reset any ones matched rather than enter their account (because let's face it yorhel doesn't need to hack our accounts to edit anything we can about them).
#16 by Yorhel
2019-07-18 at 04:41
< report >
but if I decide that it's fine then it's fine
As mentioned in the first post, I mainly did this to reduce my support load. Recovering accounts that have been taken over is a pain. And yes, it happens. It happens because of password reuse.

does it mean that vndb stores (or stored?) passwords in cleartext?
Uh, nope. And unlike #15's explanation, it's not feasable for me to brute force VNDB's passwords against such a large leaked password database. I mean, it takes ~200ms on my machine to hash a single password for a single user.

It's much simpler: Your password is checked against the database when you register, log in or change your password. Those are the only times that the server has your password in plaintext.

EDIT: too relevant.Last modified on 2019-07-18 at 05:03
#17 by kametec
2019-07-22 at 20:33
< report >Another relevant Xkcds:
Password Strenght
Password Reuse
#18 by warfoki
2019-07-22 at 21:14
< report >To be fair, I do reuse passwords on sites a lot, but not on actually important sites. My VNDB password used to be super crap, but since the mandated password change, I changed that. On sites where I deem security important (banking accounts, PayPal, main e-mail address, Steam, etc.) I have long, entirely unique passwords that I use nowhere else.

For the rest of the sites though, I use the same two simple password / username combo everywhere, because I cannot remember like 30 sets of passwords and usernames from the top of my head, and re-registering all the time because I lost the piece of paper / .txt file where I wrote down the combo is a pain in the ass. And if someone hijacks one of my secondary e-mail addresses that I mostly use for registering on shady torrent and porn sites, or my wikia account that I only use to occasionally ask a question on the Aigis wiki... well, I don't particularly give a shit. I'll just make a new one.Last modified on 2019-07-22 at 21:15
#19 by zakashi
2019-07-31 at 22:00
< report >#18 You can use a google account to save your passwords, there are also lastpass, 1password,..., you save them in a database which you access with a master password. And when you access your sites the passwords are generated automatically, you don't need to copy/paste them as if it were a .txt file.
#20 by Yorhel
2022-12-03 at 12:58
< report >I've just updated the password check to use the HIBP password database. It contains 851 million passwords, so there's bound to be a few people whose password is not accepted anymore. You can use that link to check if you're affected, or use the "How do I check if my password is listed?" approach mentioned in #1.


You must be logged in to reply to this thread.