A forum to post any bugs you may encounter while using TrekCC.
 
By wrrlykam
 - New Member
#538652
Just checked on my AVG protection software and it is flagging up TrekCC as having had a password leak dated 10th December 2020. Any comment on this?
By JeBuS (Brian S)
 - Director of Operations
Socialite
#538657
Does it provide any other details?

I can tell you that your password isn't stored, so that can't have leaked. What's stored is an encrypted hash generated based on your password. And no, that can't be used to log in to the site.
By SudenKapala (Suden Käpälä)
 - Delta Quadrant
1E The Neutral Zone Regional Participant 2021
#539430
I was waiting for someone to debunk / explain this. (Trust, but verify.) It is a serious statement; and without closure, it looks... ugly.
I have my own ideas but no way to check them.
:borg: Any news?
By Takket
 - Delta Quadrant
1E Qo'noS Regional Participant 2021
#541575
I visited this site on my iPhone just now and my phone warned me that trekcc had appeared on a list of sites where passwords had been compromised and advised me to change my password immediately.

I did so, but wanted to give a heads up to others. Has anyone else gotten this message or heard anything similar???

This is exactly the message I got:

https://macreports.com/this-password-ha ... on-iphone/
By SudenKapala (Suden Käpälä)
 - Delta Quadrant
1E The Neutral Zone Regional Participant 2021
#541579
Thanks for putting it out in the open. :thumbsup:

Is macreports.com a trusted site, and/or associated with Macintosh/Apple? I'm more of an IBM person, and I know that, say, Microsoft has registered and uses many trusted domain names (why!?); but as someone who lost his [SD] Comp Skill behind in 2014, I am forced to look at security on, e.g., the URL level.
So, my question... have you got plausible intel from that site before, is it a trusted platform for iDevices?

If so, next question: does this concern the 1 or 2 year old security leak that has been known for some time already (and was patched)? :cross:
By JeBuS (Brian S)
 - Director of Operations
Socialite
#541598
@Takket
I've merged your thread with this one. I've checked again, and these warnings still seem to be based on the same info I posted above.
By JeBuS (Brian S)
 - Director of Operations
Socialite
#541626
AllenGould wrote (Tue Feb 02, 2021 12:41 pm): "Is there something we need to do to get off the naughty lists? After all, my understanding is that we did a complete password reset back then."
Near as I can tell, these are all "low-effort" systems. By that I mean, it's just a bunch of automated systems scraping known vectors and databases. So when something like an old database pops into a feed as "new", these systems just pick it up and run with it.

But I'll put this reminder out there:
Your passwords are best treated like diapers: change them often.

If you've got a slew of passwords that you like to re-use, you should figure that at some point, hackers will try every one of them to log in to all of your accounts. So none of your accounts anywhere should ever use the same password that you have ever used anywhere else.
By MidnightLich (Charlie Plaine)
 - Director of First Edition
Trailblazer
#541811
I can't recommend a password manager enough. I use LastPass and it's amazing. It lets you get strong, random passwords for every site/app you use, and then only requires you to remember one strong password.
 - The Center of the Galaxy
Continuing Committee Member - Retired
Community Contributor
#541813
MidnightLich wrote (Wed Feb 03, 2021 11:36 am): "I can't recommend a password manager enough. I use LastPass and it's amazing. It lets you get strong, random passwords for every site/app you use, and then only requires you to remember one strong password."
If you're in the Google ecosystem, their password manager is pretty much baked-in to Chrome, and I've been pretty happy with it. About as low-effort as you can get.
By BCSWowbagger (James Heaney)
 - First Edition Rules Master
Architect
Community Contributor
#541889
As a LastPass user and IT professional, I have to agree. For most people, password managers are the best available solution to an impossibly hard problem.

Of course, make very sure that your LastPass account is both (1) secured all to hell, and (2) that you remember your very long and complicated LastPass passphrase until the sun goes out. But it beats the heck out of having to worry about your bank account being compromised because some Syrian script kiddie broke into the database of a My Little Pony forum you registered for ten years ago and forgot about.

EDIT: ha ha, until the article reminded me, I forgot about white-hat cracking all those passwords to see how bad the damage was. I still have a list of all those (old, bad, long since reset passwords) around here somewhere.

Years later, I'm able to say it was fun seeing how different our "most common passwords" are from the generic most common passwords. On most websites, the most common passwords are some combination of:

password
123456
12345678
trustno1
qwerty
letmein

On OUR website, the most common passwords were:

startrek (11 users)
123456
password
starwars
12345678
Babylon5
ncc1701
qwerty
letmein
heymyhs
ncc1701d
11001001
ncc1701e (4 users)

You lovable nerds. (Mine was a Star Trek reference, too, before I got on to LastPass.) I believe these passwords are all illegal now under our current password policy -- which is probably for the best.
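
A registration-time check of the kind the post above alludes to, as an added example (not TrekCC's actual password policy, which the thread does not describe): it rejects the quoted passwords along with simple case, suffix and character-substitution variants. The context words, the minimum length of 8, and all function names are assumptions made for illustration.

```python
import re

# Generic and site-specific lists as quoted in the post above (lowercased).
GENERIC_COMMON = {"password", "123456", "12345678", "trustno1", "qwerty", "letmein"}
SITE_COMMON = {"startrek", "starwars", "babylon5", "ncc1701", "heymyhs",
               "ncc1701d", "11001001", "ncc1701e"}
# Assumed context-specific words for this community (constructed, not from the page).
CONTEXT_WORDS = {"trekcc", "enterprise"}

# Common character substitutions folded back to letters before comparison.
LEET = str.maketrans("@$0134", "asolea")


def candidates(password):
    """Return normalized forms of a password to compare against the deny list."""
    base = password.lower()
    no_punct = re.sub(r"[^a-z0-9]+$", "", base)    # "startrek!!" -> "startrek"
    no_digits = re.sub(r"\d+$", "", no_punct)      # "startrek2021" -> "startrek"
    raw = {base, no_punct, no_digits}
    return {c for c in raw | {r.translate(LEET) for r in raw} if c}


def check_password(password, username="", min_len=8):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    forms = candidates(password)
    if forms & (GENERIC_COMMON | SITE_COMMON):
        reasons.append("common password")
    context = set(CONTEXT_WORDS)
    if len(username) >= 3:                         # ignore trivially short names
        context.add(username.lower())
    if any(word in form for word in context for form in forms):
        reasons.append("context word")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["startrek", "NCC1701E!", "St@rTr3k2021", "TrekCC-forever",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```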
