Forum Database Compromise

01-10-2017 , 01:19 AM
Quote:
Originally Posted by Bobo Fett
Do you have more than one account here? If you like, feel free to PM me the email address and I'll check what account it's associated with (it's not a tarp, having two accounts is fine). There is no field for a secondary email address to be stored, so that's not an issue.
I'm not speaking for 2+2, but I'll give my opinions:

1) From my understanding, it wasn't the exact same thing.
2) Better for others to answer this; not sure if there was anything in common between the two attacks that was missed the first time.
3) Seems like you're jumping to conclusions here; I have no idea how you can be sure simple security measures weren't taken but I'm sure TPTB would be happy to hear your suggestions for what they might have missed. Just keep in mind that not everything you think is simple necessarily is. The size of the forum has prevented us from upgrading the forum software in the past, and what may seem easy and inexpensive in theory may not actually be so in reality. Changes were made the last time something like this happened, so this is more than just an unwillingness to do anything.
Chuck should have something more to say on all this at some point. I do know extensive measures were put into place last time. That's why the site was down for weeks.
01-10-2017 , 02:36 AM
Quote:
Originally Posted by IPlayDonkaments
I got an e-mail from Google saying that a sign in from somewhere in China was prevented this morning. Probably related considering I used the same password there as here.
If your Google password is the same as a poker forum's, there's a good chance that your password security needs a major overhaul.

Take this opportunity to use a password manager like LastPass and use random passwords for every site. There is even an app for Android that can enter passwords in sites, and a LastPass app on mobile, so you don't have to worry about complex passwords on your cell. If you're on iPhone, you can still use the LastPass app to copy/paste passwords into apps, or use their browser to visit sites easily.

I used their security manager today to check my password that I used for 2+2 and saw that I had it on a few other sites as well. I went through every one where I had used this password and changed them immediately.
01-10-2017 , 03:47 AM
Got my LastPass security score over 95%

Sadly, I can't go much higher because some saved passwords either aren't mine, or are for internal logins, like to remote into a router or raspberry pi or rails app.
01-10-2017 , 06:57 AM
Seriously?! Are the passwords stored in encoded form?!

#waiting for the next breach..
01-10-2017 , 07:01 AM
Quote:
Originally Posted by Alobar
yeah this. I thought it was some new stupid password policy, so I just changed my password and then immediately changed it back to my normal one. I only saw it was because of a hack because I stumbled into CTH by mistake and someone had cross posted about it.
If the passwords are out there, this process is just fake security. Clicking the expired password link allows the person that knows the password to change the password and email address, thus hijacking the account.

The only way to do this is to force a password reset (not change), requiring the user to prove to have access to the registered email address.
01-10-2017 , 11:40 AM
seriously though you people are ****ing idiots and that's fine I guess

by you people I don't mean people of a race or color obviously

Last edited by Emily G; 01-10-2017 at 11:45 AM. Reason: I mean the literally retarded people that get paid to work at http://forumserver.twoplustwo.com/
01-10-2017 , 12:31 PM
You sound like a real dainty lass, Emily.
01-10-2017 , 03:06 PM
I didn't realize 2+2 poker book publishing company was also a cyber security research firm on the side. I guess that would make sense to be so upset about a security breach.
01-10-2017 , 03:18 PM
1 hack every 1702 days doesn't seem like 2+2 is ignoring security.
01-10-2017 , 03:26 PM
The last big hacking of 2+2 (when it was down for ages) is what made me finally get a password manager and start using unique passwords for each site I use.

So, basically 2+2 has done more for my security than any other site/company and I owe them a lot
01-10-2017 , 03:27 PM
better than yahoo, right? And I'm sure yahoo spent millions on security

edit

looks like it's actually only half a million in the last year
01-10-2017 , 06:24 PM
Quote:
Originally Posted by kerr
I'm beginning to think I should start using unique email addresses for every site. eg. twoplustwo@mydomain.com
this is what I do. It also allows you to know which places are selling your info. Because you start getting email to that address from other sites.
01-10-2017 , 10:47 PM
This forum is so unprofessional!

Your forum gets hacked (OK, could happen to almost any site these days).

Your response: send a haughty email to all your users with no apologies at all.
Instruct them to take security measures to protect their personal computer. (What does this have to do with the hack?)
Ask them to enable two-factor authentication wherever possible, yet your own forum doesn't support it.
01-11-2017 , 02:51 AM
Quote:
Originally Posted by Borr
If the passwords are out there, this process is just fake security. Clicking the expired password link allows the person that knows the password to change the password and email address, thus hijacking the account.

The only way to do this is to force a password reset (not change), requiring the user to prove to have access to the registered email address.
The problem is, even that doesn't prevent hijacks.

If we assume nefarious characters have this database and have already decrypted the passwords, it's too late. They can already have hijacked numerous accounts and changed the email addresses registered to them, and once that happens, 2+2 can force password changes all day long to no avail.

Unfortunately, there is no perfect answer now, so 2+2 has to do the best they can. It doesn't appear that any 2+2 accounts have been compromised thus far, so measures are being taken that are felt to be the best mix of reducing the risk of hijacked accounts while not overly inconveniencing 2+2 members.

Quote:
Originally Posted by Noodle Wazlib
better than yahoo, right? And I'm sure yahoo spent millions on security

edit

looks like it's actually only half a million in the last year
That's the thing - 2+2 can take security seriously while not being infallible. Much bigger companies holding much more sensitive data than 2+2 have been hacked numerous times before. I'm not saying that lets 2+2 off the hook, but I think people need to temper their expectations.

Quote:
Originally Posted by pokcalculus
This forum is so unprofessional!

Your forum gets hacked (OK, could happen to almost any site these days).

Your response: send a haughty email to all your users with no apologies at all.
IDK, I get that tone doesn't always come across well in written word, but I have a really hard time finding anything in this "haughty":

Quote:
Dear member of the Two Plus Two Forums:

On January 8 we learned that the user database at http://forumserver.twoplustwo.com had been compromised. We cannot find any evidence that accounts created after approximately November 20 have been compromised (we fixed a problem that day) but as a registered user you should assume that if you've been a member of the forums since before that date that the information necessary to determine your (unchanged) password is out there. Information obtained includes username, email, encrypted password, birthdate, and IP address.

The people "selling" the database claim a December 7 date, but we believe this to be wrong.

We are asking all users to reset their password if it hasn't changed in the last 45 days. You will be prompted to do so the next time you login to the forums. In addition we will shortly be invalidating the passwords of accounts that have not been active for some time. The users of those accounts will need to follow the forgotten password link to reset their password.

A user suggested that the following actions are incredibly important, and we agree:

1) Change your Password on 2+2
2) Change ALL other passwords that are the same or similair
3) Start using unique passwords for every site, these breaches are so common. I'd recommend a password manager like lastpass
4) enable 2 factor authentication on any vital accounts/emails
5) Take extra precautions to verify identity when trading via 2+2 (or any other site) via separate means

Regards,

The Two Plus Two Management
Sure, it could've been apologetic. Haughty? I'm not seeing it.

Quote:
Originally Posted by pokcalculus
Instruct them to take security measures to protect their personal computer. (What does this have to do with the hack?)
This part was cut-and-pasted from another posters' suggestion list (typos and all - ack), so maybe it should've been made clearer that those weren't directly from 2+2 but something they agreed with. Basically, it's a list of good security practices in light of the database compromise. Securing other passwords makes sense, as for most people that's really the only damage a 2+2 hack could cause - if you don't engage in transactions with other 2+2 members, your next big risk would be if you use the same password elsewhere, so I think suggestions to remedy that are a good idea.

Quote:
Originally Posted by pokcalculus
Ask them to enable two-factor authentication wherever possible, yet your own forum doesn't support it.
The suggestion was to "enable 2 factor authentication on any vital accounts/emails". I don't think most people would consider their 2+2 account to be vital in the way that I assume was meant here - to me, vital would be accounts like financial institutions, poker sites, etc. Two factor authentication seems like overkill for a forum.
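The two posts above disagree about what a forced "expired password" step actually proves. The following is an added example, not 2+2's code or anything from the forum software; it is a small Python model of both flows so the difference is concrete. It assumes a PBKDF2 work factor, a one-hour token lifetime, a hypothetical Account record and a constructed clock value; the 45-day staleness window is the one from the announcement. The weak flow accepts the old password as the only proof, so whoever holds the leaked hash output can complete it. The hardened flow sends a single-use, expiring token to the mailbox on file and stores only a hash of it. It still cannot help an account whose registered email was already swapped, which is the caveat in the reply, because the token goes to whatever address is on file at issue time.

```python
import hashlib
import hmac
import os
import secrets

# Work factor and token lifetime are assumptions for this example, not 2+2's settings.
PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_TTL_SECONDS = 60 * 60
MAX_PASSWORD_AGE_SECONDS = 45 * 24 * 60 * 60   # the 45-day window from the announcement


def hash_password(password, salt=None):
    """Salted slow hash: a dump of (salt, digest) pairs costs the attacker work per
    guess, instead of handing over a reversible 'encrypted' value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Hypothetical forum account record, constructed for this example."""

    def __init__(self, username, email, password, now):
        self.username = username
        self.email = email
        self.salt, self.digest = hash_password(password)
        self.password_set_at = now
        self.reset_required = False


def login(account, password, now):
    """Returns 'denied', 'reset_required' or 'ok'. A stale password proves nothing
    once the dump is out, so a correct one only earns a forced reset."""
    if not verify_password(password, account.salt, account.digest):
        return "denied"
    if account.reset_required or now - account.password_set_at > MAX_PASSWORD_AGE_SECONDS:
        return "reset_required"
    return "ok"


def change_password_with_old(account, old_password, new_password, now):
    """The 'expired password' flow criticised above: the only proof demanded is the
    old password, which is exactly the secret assumed to be leaked."""
    if not verify_password(old_password, account.salt, account.digest):
        return False
    account.salt, account.digest = hash_password(new_password)
    account.password_set_at = now
    account.reset_required = False
    return True


def issue_reset_token(token_store, account, now):
    """Single-use token tied to the email on file at issue time. Only its hash is
    stored, so a second dump of this table does not yield live reset links. The
    example returns the token instead of emailing it to account.email."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    token_store[token_hash] = (account.username, account.email, now + RESET_TOKEN_TTL_SECONDS)
    return token


def reset_password_with_token(token_store, accounts, token, new_password, now):
    """Proof of access to the registered mailbox replaces knowledge of the old password."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = token_store.pop(token_hash, None)   # consumed on first presentation, valid or not
    if entry is None:
        return False
    username, _email, expires_at = entry
    if now > expires_at:
        return False
    account = accounts[username]
    account.salt, account.digest = hash_password(new_password)
    account.password_set_at = now
    account.reset_required = False
    return True


def demo():
    """Walks both flows with a constructed account and clock; returns the outcomes."""
    now = 1_483_833_600   # constructed clock: 2017-01-08 00:00 UTC, the notification day
    accounts = {"alice": Account("alice", "alice@example.invalid", "hunter2", now - 60 * 86400)}
    tokens = {}
    alice = accounts["alice"]
    results = {"stale_login": login(alice, "hunter2", now)}
    # Weak flow: whoever holds the leaked password completes the 'change' and logs in.
    results["weak_change"] = change_password_with_old(alice, "hunter2", "attacker-chosen", now)
    results["weak_login"] = login(alice, "attacker-chosen", now)
    # Hardened flow: a guessed token fails, the real one works once, a replay fails.
    token = issue_reset_token(tokens, alice, now)
    results["bad_token"] = reset_password_with_token(tokens, accounts, "not-the-token", "x", now)
    results["good_token"] = reset_password_with_token(tokens, accounts, token, "correct horse", now)
    results["replay"] = reset_password_with_token(tokens, accounts, token, "again", now)
    results["final_login"] = login(alice, "correct horse", now)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see each step's outcome; the point of the model is that `change_password_with_old` succeeds for anyone holding the old password, while `reset_password_with_token` succeeds only for whoever reads the registered mailbox, and only once.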
01-11-2017 , 05:16 AM
Quote:
Originally Posted by MinusEV
password manager
I couldn't tell you what my current or previous 2+2 password is (without checking my password manager). They tend to be 12-16 characters and just a mix of letters, numbers and special characters.

The new Macbooks have TouchID which would be handy.
01-11-2017 , 12:19 PM
Quote:
Originally Posted by Freakin
If your Google password is the same as a poker forum's, there's a good chance that your password security needs a major overhaul.

Take this opportunity to use a password manager like LastPass and use random passwords for every site. There is even an app for Android that can enter passwords in sites, and a LastPass app on mobile, so you don't have to worry about complex passwords on your cell. If you're on iPhone, you can still use the LastPass app to copy/paste passwords into apps, or use their browser to visit sites easily.

I used their security manager today to check my password that I used for 2+2 and saw that I had it on a few other sites as well. I went through every one where I had used this password and changed them immediately.
I use a certain variation of a password for most sites. Apparently it ended up the same on this forum as on my e-mail. But you are right, it is not very secure, and I will look into a password manager.
01-13-2017 , 05:21 PM
Chuck, Bobo, or someone else who knows for certain,

I believe I recall seeing some 2p2 administrative post to the effect that among the steps being taken was elimination of old, unused accounts. (I can't find such a post right now and it's possible I'm just imagining it.)

I have quite a few accounts, primarily for use in POG games, and some of those accounts haven't posted in years. I did just go through and change the password for every one of the accounts. (A pain in the ass, even with a password manager, but whatcha gonna do?)

Will these accounts be safe from culling, given that they have logged in but not posted or otherwise done anything on the forums? Going forward, will there be other periodic culling that I'll need to worry about?

Thank you.

(By the way, this as atakdog; I'm posting as Shrike while saving my main's 50K post for something special.)

(Further by the way: pseudorandom 24 to 27 character passwords with all character types. Everyone else should do the same. I use Lastpass but I suppose any password manager is better than none; I don't know which is best.)
01-13-2017 , 06:02 PM
If they haven't posted in years... it's time to let them go. I know it's hard and it's ok to cry, but set them free. If it was meant to be, they'll come back.
01-13-2017 , 06:39 PM
the only thing that might happen is more passwords might be erased again. we decided not to delete accounts unless requested.
01-13-2017 , 08:46 PM
Quote:
Originally Posted by Mat Sklansky
the only thing that might happen is more passwords might be erased again. we decided not to delete accounts unless requested.
Cool. Thank you for answering.
01-15-2017 , 08:21 AM
This may have already been mentioned, but I know 2p2 has had an extensive problem with password integrity in the past due to security breaches. Basically the suggestion is to make user display names different from the username login credentials. This promotes a healthier safeguard against numerous potential password breaches.

Whether it's a valid email used for the login, or, for example with the poster above me, to make shrike the username he logs in with but have the display on twoplustwo show Shrike.582 or a slight variation of the username, causing the username to be indistinguishable to potential intruders.

This is just a recommendation, but if the issue with passwords is expected to be a recurring problem every few years, maybe a safeguard such as this can add a new variable into the mix.
01-15-2017 , 10:52 PM
Problem with that is if it's a relational database, which I'm guessing it has to be, it'd be trivial to match the login/screen name, assuming all the tables were compromised.
01-15-2017 , 10:54 PM
I believe he is talking about people's accounts getting compromised, at least that is the problem using a different log in name than display name would solve.
01-27-2017 , 04:13 PM
Kindly note:

Quote:
This morning (1/8) we received notification that the forums had been hacked and have determined that there is a reasonable chance that the hackers obtained enough information to decode passwords (with some effort) as a result. We have no indication at this time that any accounts have been compromised, but we are taking precautions just the same.

If you have changed your password within the last 45 days your password should not be at risk, but just in case, if you haven't changed it, you'll be forced to the next time you login.

As always, we recommend that you do not use the same password on multiple sites, but if you have done so we suggest you change the passwords on those sites as well. We also suggest that you do not rely on a user's Two Plus Two Forums identify when conducting any meaningful transaction.
identity*

Simple error that can use a quick edit.
01-27-2017 , 04:28 PM
I have to check with the hacker to see if he can make that change.