Aug 31, 2014 1:55 AM
#1

Offline
Mar 2013
5831
Yet again, MAL has been hacked.

Main reason?
Low-level security.

Solution?
An upgrade of the security, naturally.

How?
Through the use of Google Authenticator.

But I don't want it?
It would be optional.

What does that have to do with MAL getting hacked?
A staff member getting hacked can bring quite a lot of damage, as seen.

What if a staff member would not want it?
It would be a requirement for them to have it if they wish to be/stay as a member of the staff.

How good is the security?
Almost perfect.

But I need a smartphone?
Yes, you do.

But Xinil doesn't code shit?
He will have to make an exception.

Can I contribute to the topic?
Yes, post below with your thoughts on the matter.


Edit: If you have the time, reading the responses through the thread would be highly recommended.
Aug 31, 2014 1:56 AM
#2

Online
Jan 2009
92548
I agree with this suggestion, a Facebook login or Google login will be better security for this website.
Aug 31, 2014 2:00 AM
#3

Offline
Mar 2013
5831
Facebook login is indeed another option, but as seen from one other thread, many MAL users don't use Facebook, so it would be quite a waste to include it if we look at how many things get implemented code-wise — we should think of features that cover the biggest part of the community. Almost everyone has a smartphone nowadays, though. If not, getting one is suggested for other uses as well.

Edit: Adding more info from the post shared below.

I don't mean that Facebook and other social network logins are not wanted, but looking at the quantity of how many suggestions get accepted on MAL, we should prioritize the better ones. IMHO, one can easily hack the Facebook and Twitter accounts as well, with the method being phishing or keylogging. Google Authenticator, however, is something that requires physical access to the set device.
Aug 31, 2014 2:04 AM
#4

Online
Jan 2009
92548
I have seen a lot of websites where there are both Facebook login and Google login, and sometimes they include Twitter login too; an example of such a website is Feedly. So the more options for MAL users the better, since I bet they are not that hard to implement, because those login authentications have code ready to be copied and pasted into this website's script.
Aug 31, 2014 2:04 AM
#5
Offline
Jan 2013
1621
Why does SSJ like to hack MAL? He/she hacks MAL when the summer vacation is about to end. SSJMaster just likes to end his summer vacation by hacking MAL.
Aug 31, 2014 2:06 AM
#6

Online
Jan 2009
92548
Frost_Kiss said:
Why does SSJ like to hack MAL? He/she hacks MAL when the summer vacation is about to end. SSJMaster just likes to end his summer vacation by hacking MAL.


Nah, the problem is not SSJMaster but the poor security of MyAnimeList.
Aug 31, 2014 2:06 AM
#7
Offline
Jan 2013
1621
j0x said:
Frost_Kiss said:
Why does SSJ like to hack MAL? He/she hacks MAL when the summer vacation is about to end. SSJMaster just likes to end his summer vacation by hacking MAL.


Nah, the problem is not SSJMaster but the poor security of MyAnimeList.


+1
Aug 31, 2014 2:08 AM
#8

Offline
Mar 2013
5831
j0x said:
I have seen a lot of websites where there are both Facebook login and Google login, and sometimes they include Twitter login too; an example of such a website is Feedly. So the more options for MAL users the better, since I bet they are not that hard to implement, because those login authentications have code ready to be copied and pasted into this website's script.

I hope you don't misunderstand, I don't mean that Facebook and other social network logins are not wanted, but looking at the quantity of how many suggestions get accepted on MAL, we should prioritize the better ones. IMHO, one can easily hack the Facebook and Twitter accounts as well, with the method being phishing or keylogging. Google Authenticator, however, is something that requires physical access to the set device.
Aug 31, 2014 2:11 AM
#9

Offline
Mar 2013
2801
Mods should be required to take extra measures, but it should be opt in for users.

This account has a unique username, email, and password from all other sites I use so I'm already set on security... anything else being forced on me would just be an unnecessary hassle.
MAL AVATAR SYSTEM BLOWS
Aug 31, 2014 2:13 AM

Offline
Mar 2013
5831
DerpHole said:
Mods should be required to take extra measures, but it should be opt in for users.

This account has a unique username, email, and password from all other sites I use so I'm already set on security... anything else being forced on me would just be an unnecessary hassle.

Did you even read the thread? I've said this exact same thing. It's a short thread, c'mon.
Aug 31, 2014 2:14 AM

Offline
Jul 2009
272
Don't mind if it is a Google login. Most have a Gmail or at least a YouTube account nowadays, and it isn't overflowing with forced commercials like Facebook.
Aug 31, 2014 2:16 AM

Offline
Mar 2013
2801
You made no allusion to whether or not it would be opt in or mandatory for users. You only specified moderators.

Do you even read what you type? c'mon.
Aug 31, 2014 2:16 AM

Offline
Mar 2013
5831
Keitaro004 said:
Don't mind if it is a Google login. Most have a Gmail or at least a YouTube account nowadays, and it isn't overflowing with forced commercials like Facebook.

Having a G-Mail or a YouTube account has nothing to do with the Google Authenticator app. It is a separate and stand-alone mobile app — I suggest checking it out.

DerpHole said:
You made no allusion to whether or not it would be opt in or mandatory for users. You only specified moderators.

Do you even read what you type? c'mon.

Are you being serious? Read the thread again, please.

Subpyro said:
But I don't want it? It would be optional.
Aug 31, 2014 2:19 AM

Offline
Mar 2013
2801
My bad.

No need to jump on my sac for voicing my main concerns though. If anything like this is going to be implemented (lol nope), it has to be opt in.
Aug 31, 2014 2:20 AM

Offline
Feb 2014
3
Keitaro004 said:
Don't mind if it is a Google login. Most have a Gmail or at least a YouTube account nowadays, and it isn't overflowing with forced commercials like Facebook.

I hate Facebook, and as soon as I see Facebook login, if it is the only option, I just avoid the website. Even if I'm not really active here, I'm sure I'm not the only one who doesn't like those kinds of logins.
Aug 31, 2014 2:21 AM

Offline
Mar 2013
5831
DerpHole said:
My bad.

No need to jump on my sac for voicing my main concerns though. If anything like this is going to be implemented (lol nope), it has to be opt in.

I apologize if it sounded offensive, but I simply cannot stand users that cannot even read a short thread properly and, after being told so, continue to push how correct they are. I mean, I made the thread so short for a reason, and that's for a casual MAL user (who doesn't wanna read much) to read it fully, hopefully.
Aug 31, 2014 2:21 AM

Offline
Mar 2014
2954
jsrfuture said:
Keitaro004 said:
Don't mind if it is a Google login. Most have a Gmail or at least a YouTube account nowadays, and it isn't overflowing with forced commercials like Facebook.

I hate Facebook, and as soon as I see Facebook login, if it is the only option, I just avoid the website. Even if I'm not really active here, I'm sure I'm not the only one who doesn't like those kinds of logins.


Then deal with it. Even just setting up a disused profile to facilitate this is hardly going to kill you.
Aug 31, 2014 2:23 AM

Offline
Oct 2013
2364
The wikipedia didn't have any pictures so I didn't read it.


No seriously I think this'll take like 4-6 months.
Aug 31, 2014 2:23 AM

Offline
Mar 2013
5831
Guys, please try keeping the discussion on the matter of the Google Authenticator app over the Facebook Logins. The main reason for that is shared in the third post of the thread.

R4vel said:
The wikipedia didn't have any pictures so I didn't read it.

No seriously I think this'll take like 4-6 months.

I highly suggest the read, but naturally it's up to you. You would only profit from it, imho.
Aug 31, 2014 2:27 AM

Offline
Oct 2013
2364
Subpyro said:
Guys, please try keeping the discussion on the matter of the Google Authenticator app over the Facebook Logins. The main reason for that is shared in the third post of the thread.

R4vel said:
The wikipedia didn't have any pictures so I didn't read it.

No seriously I think this'll take like 4-6 months.

I highly suggest the read, but naturally it's up to you. You'd only profit from it.
But then if I find some word that's totally new to me then I'll have to read that page again, and then it's never ending. I'll give it a try, though I gotta say I think this is actually the first time I've heard of it.
Aug 31, 2014 2:31 AM

Offline
Mar 2013
5831
R4vel said:
But then if I find some word that's totally new to me then I'll have to read that page again, and then it's never ending. I'll give it a try, though I gotta say I think this is actually the first time I've heard of it.

Oh yeah, sure thing. If you'll require any sort of an explanation, feel free to ask. Many people don't know about Google Authenticator yet because it's relatively new. However, websites are quickly grabbing it due to its excellent efficiency and top-level security. A few websites that have grabbed this security method are some that I frequently visit, but you might have heard of RuneScape. That game's main security measure recently became this feature.
Aug 31, 2014 2:35 AM

Offline
Feb 2014
3
Subpyro said:
Yet again, MAL has been hacked.

Main reason? Low-level security.
Solution? An upgrade of the security, naturally.
How? Through the use of Google Authenticator.
But I don't want it? It would be optional.
What does that have to do with MAL getting hacked? A staff member getting hacked can bring quite a lot of damage, as seen.
What if a staff member would not want it? It would be a requirement for them to have it if they wish to be/stay as a member of the staff.
How good is the security? Almost perfect.
But I need a smartphone? Yes, you do.
But Xinil doesn't code shit? He will have to make an exception.

Can I contribute to the topic? Yes, post below with your thoughts on the matter.


I think that would be one of the best ideas; many enterprises use a similar process to secure remote login to their workstations. I haven't tested Google Authenticator. And since it wouldn't be optional for the normal user, it would affect site traffic (not everyone has a smartphone or is willing to use this kind of app). Enforcing it for moderators and admins seems quite reasonable and probably one of the best ways to increase the security of those accounts.
Aug 31, 2014 2:45 AM

Offline
Feb 2011
10104
I'm all for an optional facebook login (or any other possibilities).
I don't have a smartphone though so I won't be able to use Google Authenticator.
Aug 31, 2014 2:48 AM

Offline
Mar 2013
5831
morshuwarrior said:
I don't have a smartphone though so I won't be able to use Google Authenticator.

I'm still trying to think of something that users without a smartphone could execute, preferably something that completely evades phishing and keyloggers as well, like Google Authenticator does.
Aug 31, 2014 2:57 AM

Offline
Apr 2009
5715
j0x said:
Frost_Kiss said:
Why does SSJ like to hack MAL? He/she hacks MAL when the summer vacation is about to end. SSJMaster just likes to end his summer vacation by hacking MAL.


Nah, the problem is not SSJMaster but the poor security of MyAnimeList.


You know your site has a problem with security when most porn sites have tighter security than the site in question.
Steel Ball Run anime when?
Aug 31, 2014 2:58 AM
Offline
Apr 2008
588
I'm suggesting HTTPS for the login page, and I like the idea of having multi-factor authentication for all users. Not a fan of Facebook login though.
Aug 31, 2014 2:59 AM

Offline
Jun 2008
15842
Subpyro said:

I hope you don't misunderstand, I don't mean that Facebook and other social network logins are not wanted, .


But they really aren't wanted. If MAL starts wanting me to have Facebook, Twitter or any of that shit to log in, I will just stop; I won't make accounts on those stupid sites by force.

Subpyro said:
morshuwarrior said:
I don't have a smartphone though so I won't be able to use Google Authenticator.

I'm still trying to think of something that users without a smartphone could execute, preferably something that completely evades phishing and keyloggers as well, like Google Authenticator does.


There is no need for the users to do anything. User accounts can cause no trouble since they have no authority, and when compromised they can easily be returned to the user by an admin changing the password for the account.
No need to make the life of the users harder. Just make it something for mod and admin accounts.
Aug 31, 2014 3:06 AM

Offline
Mar 2013
5831
Deathnosis said:
I'm suggesting HTTPS for the login page, and I like the idea of having multi-factor authentication for all users. Not a fan of Facebook login though.

I don't know how necessary a switch to HTTPS would be, since I have yet to see any wiretapping or man-in-the-middle attacks to take action on MAL. But then again, it cannot hurt and if it would please the community, why not if possible.

Monad said:
No need to make the life of the users harder. Just make it something for mod and admin accounts.

You cannot speak in the name of all the users. Some users prefer more security just to feel safer. As said, this would be optional. If you wouldn't want it, no one would be forcing it onto you. Your whole argument fails just because you think it's either nothing or everything. No. You have the ability to choose for yourself.
Aug 31, 2014 3:10 AM

Offline
Mar 2013
327
I give a thumbs up for this; seriously, this low-level security of MAL should end.
Aug 31, 2014 3:14 AM
Mob Character C

Offline
Oct 2009
5195
It all seemed fine until the smartphone bit.
If all the mods have smartphones anyway, then fine, but if they don't then I'd rather not support the idea. Asking a staff member to get a smartphone or drop the team just doesn't seem right; I'm taking people's possible backgrounds and feelings toward smartphones/technology into consideration.
I don't know how much smartphones cost though.

There has to be another way that doesn't require a mobile device.
Oh right, I might be assuming incorrectly (I'm trying to stay awake here), but if staff was required to use the smartphone, I'm guessing that they'd only be allowed to access MAL through mobile and never through their laptops/desktops?

Enjoy your anime! | Witch Cafe Wisteria
Aug 31, 2014 3:17 AM

Offline
Mar 2013
5831
Geekies said:
It all seemed fine until the smartphone bit.
If all the mods have smartphones anyway, then fine, but if they don't then I'd rather not support the idea. Asking a staff member to get a smartphone or drop the team just doesn't seem right; I'm taking people's possible backgrounds and feelings toward smartphones/technology into consideration.
I don't know how much smartphones cost though.
Subpyro said:
I'm still trying to think of something that users without a smartphone could execute, preferably something that completely evades phishing and keyloggers as well, like Google Authenticator does.

Geekies said:
Oh right, I might be assuming incorrectly (I'm trying to stay awake here), but if staff was required to use the smartphone, I'm guessing that they'd only be allowed to access MAL through mobile and never through their laptops/desktops?

You are assuming incorrectly. You can connect via a desktop and/or laptop normally; a code that gets generated is simply listed on your mobile device and you write it down in those 30 seconds, through whatever means you are accessing the website. Also, pretty please, do not assume. Google Authenticator is not a theoretical product. It actually exists. Please, do read what it is and what it is used for before continuing to pose points about its functionality.
Aug 31, 2014 3:26 AM
Offline
Mar 2012
2
Completely agreed; this could be a huge help in improving the low security level of MAL.
Aug 31, 2014 3:58 AM
Mob Character C

Offline
Oct 2009
5195
Subpyro said:
You are assuming incorrectly. You can connect via a desktop and/or laptop normally; a code that gets generated is simply listed on your mobile device and you write it down in those 30 seconds, through whatever means you are accessing the website. Also, pretty please, do not assume. Google Authenticator is not a theoretical product. It actually exists. Please, do read what it is and what it is used for before continuing to pose points about its functionality.


It was poor wording on my part, but my assumption was meant to be more of a question in order to understand the wiki article a bit better. I'm not too sure how apps work, so I was having a little trouble understanding what the article was saying.
The way I was reading it came off to me as if it was all happening on the device, but thank you for correcting me; I was mistaken.

Anyway, if that's the case, it seems easy enough, it's just the problem with getting staff and other users the device. I'll keep a look out for anything similar that might help, just as you are!

Enjoy your anime! | Witch Cafe Wisteria
Aug 31, 2014 4:29 AM

Offline
Jul 2008
32229
I think it's a good idea, just a matter of what Xinil will think of it.
Aug 31, 2014 4:30 AM

Offline
Sep 2010
1227
Subpyro said:
But I need a smartphone? Yes, you do.
0h noes, not that shit. Fuck it.
Anyway, you can suggest the Hell out of it, but mark my words, nothin' of it will ever be made to reality. Wanna bet?

There is such thing as shit taste. Only idiots think that every "work of art" should have the same value.

Persona anime are good. Deal with it.
Aug 31, 2014 4:38 AM

Offline
Jun 2010
142
I don't know exactly, but I'm all against social network stuff being a default thing on a site, from login to commenting. They can't be trusted, mostly because of the current American laws and acts that hand over more data about us, the users, to the government or any multi-company than is necessary. I don't want to make this a political, legal or any other question than what it is, but I say these can't be trusted. Also, I would have taken this thing to court, since in my country they give from 5 to 10 years of prison... But that's Hungarian law; I'm not familiar with the US laws and acts in this matter.
Aug 31, 2014 5:24 AM

Offline
Jul 2013
36274
I agree that this would definitely be a good thing to do. At the very least for staff members if anything. However I'd stick to google authentication and skip the social network stuff. I really don't like social media like facebook... or should I say especially facebook?

Too bad though that it'll never happen.
For those who seek perfection, there can be no rest on this side of the grave.
Hope is the first step on the road to disappointment.
Aug 31, 2014 5:55 AM

Offline
Jun 2010
142
Tyrantarmy6 said:
I really don't like social media like Facebook... or should I say especially Facebook?

No, you shouldn't exclude Google from that stuff, since whatever Google made or bought is now mainly linked to G+. Like YouTube comments, for example; for those who have a running channel there, the messaging system is now replaced with G+'s. They are likely to force you to use G+ no matter what, sooner or later.
Aug 31, 2014 6:17 AM

Offline
Jul 2013
36274
Ricz said:
Tyrantarmy6 said:
I really don't like social media like Facebook... or should I say especially Facebook?

No, you shouldn't exclude Google from that stuff, since whatever Google made or bought is now mainly linked to G+. Like YouTube comments, for example; for those who have a running channel there, the messaging system is now replaced with G+'s. They are likely to force you to use G+ no matter what, sooner or later.


I know, and I don't like what they're doing with G+, but some security measure is needed, and Google Authentication requires a smartphone, which is pretty solid security. I never said I trust Google, but if I had to choose between Google and other media like Facebook, I'd still choose Google.
Aug 31, 2014 7:11 AM

Offline
Jun 2014
10765
What is Google Authenticator?

And I have found some holes in security myself..
I've been encountering many captchas.. I dunno why.. anyway, I mistakenly put in the wrong answer and it accepted it -_-

Not only is it spamming me with captchas, it also accepts anything you write..
Aug 31, 2014 7:23 AM
Offline
Dec 2009
2
Anything that improves the security on this would be welcome. Been here since 2009 and I've lost count of how many times I've seen something like this.
Aug 31, 2014 8:01 AM

Offline
Jun 2008
15842
Subpyro said:

Monad said:
No need to make the life of the users harder. Just make it something for mod and admin accounts.

You cannot speak in the name of all the users. Some users prefer more security just to feel safer. As said, this would be optional. If you wouldn't want it, no one would be forcing it onto you. Your whole argument fails just because you think it's either nothing or everything. No. You have the ability to choose for yourself.


No, what I see is reality. The truth is that whenever sites try to go with this "log in with your Facebook, Twitter, Google account" bullshit, they always end up throwing away the conventional way of logging in, even when they at first say it will just be optional.
It is like a trend where everything leads to uniting everything in one big annoying fucking online profile, because it is beneficial to advertisers (and government agencies) to have a full image of who you are and your activity, and in the end that is actually more compromising for the average user than safe, because if that profile ever gets hacked then every fucking thing you are a part of will be compromised.

This "but it will all be optional and up to you to decide" is nothing but Utopian silly dreams. And to make a small Star Wars reference, once you go to the dark side of the force there is no return.
Besides, how will it increase security when it is optional? It can't. You can't go build a big iron door and then say "well, you can either go through here or the normal wooden door just on the left" and feel that you made something safer. What is the point of the iron door then?
Aug 31, 2014 8:06 AM

Offline
Mar 2014
2954
Monad said:
Subpyro said:


You cannot speak in the name of all the users. Some users prefer more security just to feel safer. As said, this would be optional. If you wouldn't want it, no one would be forcing it onto you. Your whole argument fails just because you think it's either nothing or everything. No. You have the ability to choose for yourself.


No, what I see is reality. The truth is that whenever sites try to go with this "log in with your Facebook, Twitter, Google account" bullshit, they always end up throwing away the conventional way of logging in, even when they at first say it will just be optional.
It is like a trend where everything leads to uniting everything in one big annoying fucking online profile, because it is beneficial to advertisers (and government agencies) to have a full image of who you are and your activity, and in the end that is actually more compromising for the average user than safe, because if that profile ever gets hacked then every fucking thing you are a part of will be compromised.


>no such thing as making a throwaway fake account
Aug 31, 2014 8:51 AM

Offline
Nov 2012
2078
I don't think any moderator would want to go through the hassle of authenticating whenever they want to log in.
Especially when they don't have their phone turned on and nearby.
Unless you only need to authenticate once per computer/IP. But that might require even more work. You know Xinil under CraveOnline.
Aug 31, 2014 9:05 AM

Offline
Feb 2012
117
Two-factor authentication should be a MUST for staff members; however, it's useless for normal users: if someone gets your MAL password, he will use it to try to log in to your e-mail/PayPal/more important stuff. In this case the authenticator does nothing; it's only useful to avoid having your MAL list vandalized (however, we already have backups at our disposal and it's more than enough).

As for how two-factor authentication should be implemented, Google Authenticator is unnecessary: you can easily write a similar authenticator that sends SMSs using one of the many free services online; this way a staff member is only required to have a SIM card and nothing more.

But there's an even bigger problem in MAL security than insecure logins: the lack of a good database restore system. It's unbelievable that they're currently manually restoring every anime title one by one. In situations like this you should have a backup and a log of every edit done to the database after the backup; in these cases, you restore to the last backup and make a simple script that parses the logs and reapplies the changes to the database, excluding the changes made with the stolen account.

Villa-Lobos said:
I don't think any moderator would want to go through the hassle of authenticating whenever they want to log in.
Cookies can be used to avoid re-authenticating again for, for example, a week. However, if someone is able to get the cookie from the mod's PC, it can be used to bypass the authentication.
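The restore procedure described in the post above (restore the last backup, then replay the edit log while excluding everything done by the stolen account), as an added example that is not code from the thread or from MAL; the `Edit` record, the snapshot layout and the sample log are constructed for this illustration, not MAL's real schema:

```python
import copy
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Edit:
    """One line of an append-only edit log (constructed format for this example)."""
    seq: int          # monotonically increasing log sequence number
    account: str      # account that made the edit
    anime_id: int
    action: str       # "set" or "delete"
    field: str = ""   # field name, for "set"
    value: str = ""   # new value, for "set"


Database = Dict[int, Dict[str, str]]


def restore_and_replay(backup: Database, backup_seq: int, edit_log: Iterable[Edit],
                       compromised: Set[str]) -> Tuple[Database, List[Edit], List[Edit]]:
    """Rebuild the database from a snapshot plus the log taken after it.

    Returns (restored_db, reapplied_edits, skipped_edits). Only log entries newer
    than the snapshot are replayed, in sequence order, and every edit made by a
    compromised account is dropped instead of reapplied.
    """
    db = copy.deepcopy(backup)
    reapplied: List[Edit] = []
    skipped: List[Edit] = []
    for e in sorted(edit_log, key=lambda e: e.seq):
        if e.seq <= backup_seq:
            continue                      # already contained in the snapshot
        if e.account in compromised:
            skipped.append(e)             # vandalism: never reapply, keep for review
            continue
        if e.action == "set":
            db.setdefault(e.anime_id, {})[e.field] = e.value
        elif e.action == "delete":
            db.pop(e.anime_id, None)
        else:
            raise ValueError(f"unknown action {e.action!r} at seq {e.seq}")
        reapplied.append(e)
    return db, reapplied, skipped


# Constructed sample data: a snapshot taken at log position 100 and the log after it.
BACKUP_SEQ = 100
BACKUP: Database = {
    1: {"title": "Cowboy Bebop", "episodes": "26"},
    2: {"title": "Trigun", "episodes": "26"},
}
EDIT_LOG = [
    Edit(104, "modB", 3, "set", "title", "Baccano!"),     # legitimate add after the attack
    Edit(99, "modA", 1, "set", "episodes", "26"),         # older than the snapshot; ignored
    Edit(102, "stolen_mod", 1, "delete"),                 # attacker wipes an entry
    Edit(101, "modA", 2, "set", "title", "Trigun"),
    Edit(103, "stolen_mod", 2, "set", "title", "lol"),    # attacker vandalizes a title
    Edit(105, "modB", 3, "set", "episodes", "13"),
]


def demo() -> Tuple[Database, List[int], List[int]]:
    """Run the restore for the sample data; returns the db and the reapplied/skipped seq numbers."""
    db, reapplied, skipped = restore_and_replay(BACKUP, BACKUP_SEQ, EDIT_LOG, {"stolen_mod"})
    return db, [e.seq for e in reapplied], [e.seq for e in skipped]


if __name__ == "__main__":
    print(demo())
```

A legitimate edit that merely undid vandalism replays harmlessly, but one that built on the attacker's state (say, re-adding a deleted entry under a new id) still needs a manual look, which is why the skipped list is returned rather than discarded.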
Aug 31, 2014 9:22 AM

Offline
Mar 2013
5831
There was some misleading information shared through the thread, so allow me to clear some things up. Google Authenticator is not a social website. It has no direct relation to external Google products such as G-Mail or Google+, either. It is a mobile application and a standalone release. You do not require any interaction with social networking in order to get it and use it.

On the matter of things being hardly optional, I would have to heavily disagree. I frequent some other websites, and where the administrators have said that a security feature will be made optional, it has been made optional. Due to there being no reason whatsoever not to have an optional security measure at MAL as well, I see no reason for the argument against it to stand.

Regarding Google Authenticator being useless for users, that is debatable. One might say only a list might be messed with, but what about reviews? And recommendations? And club leadership? And all other content that was put time and effort into being swiftly deleted? No, active and contributive users could get hurt as well. And, if they would feel safer with tighter security, I see no reason why they shouldn't have the option to set it.

When it comes to the staff having the hassle of logging in each time with a newly generated code, I would have to disagree with such a point of view. Looking at how much damage can be done, I believe writing that 6-digit code is nothing. It is also not a terrible hassle at all. I log in this way on two other sites daily, with each login taking me less than ten seconds. Arguments such as this system being a hassle are really unnecessary and fruitless, since for the efficiency it brings, the system is extremely smooth and easily accessible.
Aug 31, 2014 9:30 AM

Offline
Mar 2012
158
Google Authenticator is just an implementation of RFC6238 (Time-based One-time Password). There are many programs that can support it including for the desktop.

Having this as an option for end-users would be good, with a requirement for staff. Of course, turning it on would kill any third-party client use. Maybe MAL could support OAuth for that purpose?

This all assumes that Crave will spend any unnecessary money on the site, which seems very unlikely. The chances of 2FA on this site are about as likely as having a mobile-friendly design or having an API that isn't awful.


PKX said:
Cookies can be used to avoid re-authenticating again for, example, a week. However if someone is able to get the cookie from the mod's pc, it can be used to bypass the authentication.


It depends on how well you authenticate the session. You could always require a password confirmation before beginning a privileged operation and then allow those actions only from the IP that authenticated for that session. Combine that with HTTP-only cookies that are marked as secure, and you might have a bit of protection.

Obviously, if you have code flaws, none of these actions will help. It will protect against theft of credentials and other attacks against users, though.
Developer, sysadmin, and anime addict.
Have an Android smartphone? Try Atarashii!
Aug 31, 2014 9:54 AM

Offline
Mar 2013
5831
motokochan said:
Google Authenticator is just an implementation of RFC6238 (Time-based One-time Password). There are many programs that can support it including for the desktop.

Indeed there are. I do not want to pose any discrimination when pointing Google Authenticator out, it's simply one I frequently use over others on various websites. If you know any other in specific, sharing them (preferably multiple of them) would be splendid. The main idea the thread is trying to come across is enabling a two-factor authentication with the user having to physically access the device and prove the ownership that way.
Aug 31, 2014 10:26 AM

Offline
Mar 2012
158
Subpyro said:
If you know any other in specific, sharing them (preferably multiple of them) would be splendid.


Well, the article over on Wikipedia lists a few, but I'll post some here.

  • Google Authenticator (of course): Available on Android, iOS, Blackberry.
  • Authy: Android, iOS, Blackberry, Chrome (OS X, Windows, Linux). Pretty nice and shares across platforms.
  • Microsoft Authenticator: Windows Phone
  • FreeOTP: Android, iOS. Maintained by Red Hat
  • Duo Mobile: Android and iOS.


Of course, the majority of choices are for smartphones. This is simply because they are more portable. Also, they will always have the correct time from being set by NTP or the cellular network. TOTP and similar schemes rely heavily on both sides knowing the correct time.

Of course, all this is just a software version of those little hardware tokens like SecurID.
Aug 31, 2014 10:36 AM

Offline
Mar 2013
5831
Out of the ones listed, Authy sounds quite interesting. As a user of the Fedora distro on Linux, I could not deny FreeOTP either, although I do not know how others would feel about that. Duo Mobile appears quite limited in which operating systems it can cover/run on, so I would not really put it on the top of the list. Google Authenticator is naturally the top competitor in my eyes (next to Authy). As for Microsoft Authenticator, I think we can scratch it off the list. Supports only one operating system which many dislike in general.

Thank you for that list. In my opinion, if not Google Authenticator, Authy could be a nice authenticator as well.