Time  Nick         Message
10:30 Taoki        Hi. Is the Minetest forum moving or upgrading? Logins seem to have broken x_x
10:33 Taoki        Yeah I think the same passwords no longer work. Should I send a request for a reset for my forum account?
10:57 Taoki        Um... it seems the person who advised I email him to reset account passwords is OldCoder (on Twitter). Given what I remember from last time I'm nervous to even speak to him. He's already talking there about people "seeing the truth" and what not...
10:57 Taoki        Can anyone else help with the password procedure thingie please?
11:11 Taoki        Yeah it's definitely him. Getting dragged into some weird stuff again after he messaged me. I don't want to have to email him since it seriously creeps me out to talk to him now... please let me know who else can help with the forum issue.
11:14 rubenwardy   Make sure it is Minetest.net
11:14 rubenwardy   Then just use the password reset feature
11:14 rubenwardy   I can trigger one of you like, TC01
11:14 rubenwardy   Taoki:
11:14 rubenwardy   Lol
11:15 Taoki        Oh... it was minetest.org
11:15 rubenwardy   Lol
11:15 rubenwardy   Make sure you reset anywhere else that you use the password you just entered
11:15 rubenwardy   Consider it compromised
11:15 Taoki        Oh yeah, it still works on minetest.net
11:15 Taoki        I haven't reset my password on either forum in ages
11:16 Taoki        Just a few login attempts in the org site
11:17 Taoki        So yeah no neet to trigger on minetest.net I'm good there. I just wasn't aware the forums had split.
11:20 Taoki        rubenwardy: Is there risk of a password leak for old accounts? Someone mentioned a DDoS attack or something.
11:20 rubenwardy   No
11:20 rubenwardy   If you submit onto the malicious site then you have given the password to the malicious site
11:20 Taoki        Okay. I tried logging into the minetest.org forum with my old passwords, and I'm not sure if those are logged.
11:21 rubenwardy   Assume they are
11:21 rubenwardy   He didn't get any passwords, emails, or ips though
11:21 Taoki        OldCoder seems to be an admin on that one. I don't know what to expect from him since he's acting really crazy.
11:21 rubenwardy   C55 made a semi-public backup of the forums which oldcoder had access to
11:21 Taoki        Okay. So PHPBB logs the attempt but not the password you entered, correct?
11:21 rubenwardy   All passwords were removed
11:21 rubenwardy   No, assume the password was logged
11:22 Taoki        Damn :(
11:22 rubenwardy   You should be using separate passwords for separate sites though
11:22 rubenwardy   Right
11:22 Taoki        It was two passwords I use everywhere and can't change so.
11:22 Taoki        It's hard to use a differnet password for every site.
11:22 rubenwardy   Password manager!
11:23 rubenwardy   More secure than not using one, for this exact reason
11:23 Taoki        Really though, why would PHPBB log every invalid password you enter?
11:23 rubenwardy   The most common way an account is compromised is by passwords being compromised on other sites through SQL leaks and such
11:24 rubenwardy   Not through brute force
11:24 Taoki        That sounds like a crazy thing for the forum to log by default.
11:24 rubenwardy   Phpbb doesn't by default, but you're forgetting who hosts it
11:24 Taoki        Okay. He probably didn't mod the forum itself.
11:24 rubenwardy   He may have though
11:25 rubenwardy   And he may log post requests anyway
12:01 ChimneySwift it's safe to say that it's compromised though, it'd really not worth risking it at least for anything important
13:15 Taoki        Well... at least I got to do a nice security checkup with this occasion. Changed several passwords to be sure he couldn't have gotten it.
13:16 Taoki        Doubt he'd be crazy enough to try breaking accounts even if he decided to turn on me in his mind for whatever reason. That is if he even modded PHPBB itself to snoop on passwords.
13:19 twoelk       oops, you went near the oc dangerzone, off to decontamination you go
13:58 Taoki        I wonder if people could and should be warned about minetest.org being an unsafe copy of the forum. I don't want to be mean as I couldn't OldCoder as an evil person or anything... however his behavior is scary enough that I worry he may pose a threat to the community if for instance people attempting to login there could have their passwords leaked to him.
14:04 air          anyone using the same password over multiple sites deserves anything they get
14:06 Taoki        Good luck remembering 100 passwords then
14:07 Krock        My password is hunter2
14:08 est31        Krock: I only see ****
14:08 Krock        weird. this shouldn't contain any compression
14:09 air          Taoki: I use randomized passwords, not possible to remember even one of them
14:10 Taoki        Sounds good but you're in trouble if you lose wherever you saved them or someone else gets a hold of that file.
14:10 Taoki        Or if you're away from the device where you saved them and try to login from another device.
14:11 air          you need to learn some security, because none of that is an issue
14:12 Taoki        How is none of that an issue I wonder...
14:12 air          backups and encrypted distributed password wallet
14:14 air          you could use something like lastpass to manage all that for you
14:15 Taoki        Ah. Interesting
14:15 Taoki        So it like remembers passwords for every site, and you can search the whole thing to find yours?
14:15 rubenwardy   Password manager, TC01
14:15 rubenwardy   Taoki:
14:15 Taoki        Like type in www.whatever.com and it tells you "your password for account X is Y"?
14:15 rubenwardy   Also, encryption
14:15 air          you dont need to search, it automatically fills it in
14:16 rubenwardy   Or you can click to do it
14:16 rubenwardy   But it which site you're on
14:16 air          well, you should click to do it, but then it auto fills in
14:16 air          never use auto fill without needing to click, that can leak info without you knowing
14:17 Taoki        How does it automatically fill it in? I assume that requires some browser integration. Do they integrate with Chromium and Firefox?
14:17 air          yes
14:17 Taoki        Nice. I should totally find one for KDE then.
14:17 Taoki        No time now but maybe in the next weeks I'll look into it. Made a mental note now.
14:17 rubenwardy   It's a browser plugin, usually
14:18 Taoki        Would be fun if I could integrate something standard with KDE
14:19 air          why kde?
14:19 Taoki        Cuz it's what I use so then it would be system wide :P But I guess a browser plugin works too since I mainly only use Firefox.
14:19 air          you only need it for web sites, so it only needs to plugin to a browser
14:20 Taoki        My biggest worry is where those passwords are stored, encrypted as they may be. Unless the password file is stored locally in the browser cache AND encrypted, I wouldn't trust anything online based.
14:20 Taoki        Okay
14:20 air          the wallet is stored remotely
14:20 air          you can install the extension on any computer and access your wallet
14:21 Taoki        That makes it very scary to use for me. Unless it's a deentralized open-source system where you can see the code and how the encryption works.
14:21 rubenwardy   It's stored using strong encryptil
14:21 air          encryption happens locally, they cant help if you forget the master password
14:21 rubenwardy   So it's fine to go online
14:21 Taoki        Until it's stored with encryption the server might find some ways to get a hold of them.
14:21 Taoki        Okay
14:21 Taoki        I will look into this later yeah
14:21 air          but you need a good wallet, only a few are good
14:29 Taoki        Firefox does have a builtin PM. But it doesn't seem to be distributed
14:30 Taoki        Actually it might work through Firefox Sync
14:31 Taoki        No such thing as importing / exporting with local files however
14:39 twoelk       ooh, master password - sounds like a nice single point of failure to get completely screwed :-)
14:43 twoelk       I learned a long time ago that security never makes a job easier and tends to become a burden quite out of scale for otherwise simple tasks - and yet the world has become such that you need even more security than any science fiction author could have ever imagined
14:44 Krock        AES being too strong for weak mobile devices
14:50 Taoki        twoelk: That's another thing... the risk of losing the wallet key itself and someone else stealing it.
14:50 Taoki        I guess the best idea is what others have suggested: Long sentences that only you can remember the words of.
17:16 AspireMint   anyone knows why JT2 is green in server list? o.O
17:17 AspireMint   oh wait, nvm
17:19 Krock        oh nice. if the server list allows control characters then you can actually colorize it
17:21 * Krock      tests
17:21 AspireMint   im using script to colorize favourite server, i forgot its still running after years..
17:22 AspireMint   yes, for old / new versions of mt or official / unofficial / stable it might be cool
17:24 Krock        !up ente.kak.si 34617
17:24 MinetestBot  ente.kak.si:34617 seems to be down
17:33 Krock        AspireMint: I found out that the server list doesn't trim color codes, but the server list does
17:33 Krock        err. the server list server doesn't - mainmenu does