Data leak

[Reploid Productions]

My tips for a 'secure' password:
1) Don't use dictionary words (see above), even adding numbers won't help (e.g: Fabulous1) as most 'dictionary crackers' will check for this.
2) The longer it is = the more secure the hash
3) Don't use it anywhere else, I am aware this is a lot to ask for, so at the least, use 2-3 different passwords and spread them out.
4) Important use a different password for your personal things (say, email) then 3rd party sites, say, NS, as both someone getting access to your email gives them more information and Email will likely be the medium you will use to get your NS account back if it is lost, If the hacker has your email password to, then you're SOL.

^--This. In addition, the more important something is, the more intricate your passwords should be. For instance, the password I use on an adoptables site I play on really isn't super secure. But it's simple to remember, and not easy to guess since it's not a dictionary word; and if it DOES get compromised, all I'm losing are a bunch of free pixel pets, so nothing of actual value. The passwords I use on my banking and credit card sites, on the other hand, are probably better described as passsentences, complete with punctuation. (Surprisingly, fairly easy for me to remember, but really, REALLY unlikely for somebody to guess.)

[Hobbesistan]

[snip]

Much appreciated for the further explanation. And aye, dictionary attacks or other means of brute force are possible, especially with simple passwords. I know I have advised other players to utilize a full, 30-character, randomized alphanumeric string with variable case just for an added degree of security. Sure, it's more difficult to remember, but mnemonics can be made to remember just about any random string if you work at it long enough.

I've seen people use super long combination passwords for their services and use 'keychain' services with a more simple password; yes it's a single point of failure but your passwords for individual sites are much more secure, without memorizing individual strings.

[The Archregimancy]

My tips for a 'secure' password:
1) Don't use dictionary words (see above), even adding numbers won't help (e.g: Fabulous1) as most 'dictionary crackers' will check for this.
2) The longer it is = the more secure the hash
3) Don't use it anywhere else, I am aware this is a lot to ask for, so at the least, use 2-3 different passwords and spread them out.
4) Important use a different password for your personal things (say, email) then 3rd party sites, say, NS, as both someone getting access to your email gives them more information and Email will likely be the medium you will use to get your NS account back if it is lost, If the hacker has your email password to, then you're SOL.

I would emphasise the underlined.

Most of use realise that it's unrealistic to use different passwords for every site you use; but at least try and vary the passwords you do use.

I generally use three passwords across three e-mail address variants (with some important exceptions; my NS mod account, for example, uses combinations I never use on other sites for the simple reason that people actively try to hack me here). It can be a pain sometimes if I go to a site I don't use often and can't remember the precise password / e-mail address combination I use for that site but the inconvenience is small compared to the consequences of presenting details that are easy to hack.

Edit:

And I would also repeat Reppy's point about using more secure passwords for more important information, as per my NS Mod account example. And I use a phrase - not a word - for my home e-mail address.

[Kyrusia]

Much appreciated for the further explanation. And aye, dictionary attacks or other means of brute force are possible, especially with simple passwords. I know I have advised other players to utilize a full, 30-character, randomized alphanumeric string with variable case just for an added degree of security. Sure, it's more difficult to remember, but mnemonics can be made to remember just about any random string if you work at it long enough.

I've seen people use super long combination passwords for their services and use 'keychain' services with a more simple password; yes it's a single point of failure but your passwords for individual sites are much more secure, without memorizing individual strings.

Not a fan, personally, of grouping passwords for, as you said, a single point of failure; then again, not everyone is willing to commit a randomized string to memory, so, to each their own I suppose. Using multiple, different strings and never duplicating their usage is, of course, the optimum option; I'm also a fan of the "pass sentence" (as Reploid indicated), assuming it's not a simple sentence and includes punctuation (or other, randomly interspersed symbols).

[Ikania]

Did it affect my old nation, Greater Weselton?

Not a mod, but believe me, if a deleted nation could be revived I'd be going by Mojave right now.

[Jute]

Isn't using a different actual sentence for every site as password enough? My password (not affected) here consists of dictionary words, but it's 20 letters long.

[[violet]]

Isn't using a different actual sentence for every site as password enough? My password (not affected) here consists of dictionary words, but it's 20 letters long.

I believe that's a good strategy, too, yes. Ideally you want unrelated words, though, not a common phrase.

[Jute]

Isn't using a different actual sentence for every site as password enough? My password (not affected) here consists of dictionary words, but it's 20 letters long.

I believe that's a good strategy, too, yes. Ideally you want unrelated words, though, not a common phrase.

Well, my passwords are neither, really.

[[violet]]

Just want to say again, anyone with questions or concerns, please contact us and we'll help you.

[95X]

My tips for a 'secure' password:
1) Don't use dictionary words (see above), even adding numbers won't help (e.g: Fabulous1) as most 'dictionary crackers' will check for this.
2) The longer it is = the more secure the hash
3) Don't use it anywhere else, I am aware this is a lot to ask for, so at the least, use 2-3 different passwords and spread them out.
4) Important use a different password for your personal things (say, email) then 3rd party sites, say, NS, as both someone getting access to your email gives them more information and Email will likely be the medium you will use to get your NS account back if it is lost, If the hacker has your email password to, then you're SOL.

^--This. In addition, the more important something is, the more intricate your passwords should be. …complete with punctuation.

+1 for using punctuation in passwords, +1 for using different passwords for things like financial/healthcare/e-mail sites. I'd be very careful about reusing passwords on multiple sites though.

The page says I'm not affected (nor any other nations I have with the same e-mail address), but I took the time to change my password anyhow.

And, remember, no matter how secure the password, nothing can replace physical security and common sense.

[Slakonian]

checked it and now I feel much better

[MERIZoC]

Thanks for the response on this. Was pretty worried as a scrolled through all my puppets, checking each one.

[NyanInk]

I panicked for a second but im glad they had the tool.

[Summerset Plains]

This is just stupid; But uh, I feel jealous for not being leaked

[A mean old man]

I wonder which nation with one telegram from me in their inbox was compromised and I wonder how incredibly mundane that telegram was.

[NyanInk]

This is just stupid; But uh, I feel jealous for not being leaked

Well just post your passwords all over the internet and that wont be a problem. :sarcasm:
But, in a way, I feel bad for those who got leaked, some people only use one email for EVERYTHING...

[Yuketobaniac]

my god...

[SalusaSecondus]

The server keeps a specific "key" with it that is able to decypher this hash and verify if the password enters matches. Any hacker will just have the hash and will not have the ability to see what the password is from the hash code.

We don't actually. While I don't want to go into the details of our hashing algorithm, it is "irreversable". This means that we don't store a key allowing us to decrypt the password. We simply calculate the "hash" of the password you give us and compare it to the "hash" we store. This is much more secure than storing the password in a way we could possibly decrypt it.

(Edit to fix quote tags)

[Des-Bal]

I needed an excuse to update anyway. I've switched from one or two phrases I would recognize to completely unique and much much longer phrases interspersed with numbers, symbols, and capitalization in a pattern that I can remember but nobody's going to guess for every site I use. I've also stored them for the likely event I manage to forget which one goes where in an invisible and encrypted file on a flash drive hidden in secret compartment that I'm investigating fireproofing because I am a psychopath.

[Mesoland]

An old puppet of mine seems to have been affected (what are the chances?). I just refounded it after over two years of non-existence, and I must admit I'd forgotten about it and don't particularly care about it. The password is one I use rarely and isn't the same as this main account of mine. Is there any point/any need for me to change the password or email address, or can I safely let it sink back into the graveyard?

[SalusaSecondus]

An old puppet of mine seems to have been affected (what are the chances?). I just refounded it after over two years of non-existence, and I must admit I'd forgotten about it and don't particularly care about it. The password is one I use rarely and isn't the same as this main account of mine. Is there any point/any need for me to change the password or email address, or can I safely let it sink back into the graveyard?

I'd recommend changing the password before letting it sink back into oblivion. That way you don't need to worry about (the very slim) risk of someone else grabbing it should they happen to crack your password hash. (I'd also recommend changing this password anywhere else you use it.)

As for the email being exposed, that's us just making sure you know that it's been exposed. Your email account isn't at risk.

[Mesoland]

An old puppet of mine seems to have been affected (what are the chances?). I just refounded it after over two years of non-existence, and I must admit I'd forgotten about it and don't particularly care about it. The password is one I use rarely and isn't the same as this main account of mine. Is there any point/any need for me to change the password or email address, or can I safely let it sink back into the graveyard?

I'd recommend changing the password before letting it sink back into oblivion. That way you don't need to worry about (the very slim) risk of someone else grabbing it should they happen to crack your password hash. (I'd also recommend changing this password anywhere else you use it.)

As for the email being exposed, that's us just making sure you know that it's been exposed. Your email account isn't at risk.

Alright, I'll take the necessary steps and change the password on the (one?) other site I use it. Thanks for the advice!

[The Blaatschapen]

Well I wasn't affected but the admin to the MF may've as I haven't checked.

Any info on who's responsible?

There was no person behind the leak. It was a technical glitch thanks to faulty hardware.

[Blekksprutia]

Darn, I (or one of my puppets, can't tell) was leaked. Did they get TGs from everyone?

[Reploid Productions]

Well I have a related question: Do the Mods have access to seeing a nation's TG's?

Because I just am wondering this, and this has been wondered before.

Mods can view a nation's telegrams, but we cannot do so without providing a specific (and VALID) reason (such as "Investigating report #xyz") first. And as always, it's logged in the moderator action logs so we can't get away with putting in fake reasons.