Newgrounds needs to implement some password and login rules immediately. These rules are generally easy to code, and it shouldn't take more than a few days or so to put together:
1) Password length - minimum 6 chars, max 20 (may require a database change)
2) Password MUST contain at least 1 uppercase letter, 1 lowercase letter, a digit and a special symbol ($,#,^,&, etc) (simple string-text checking function)
3) If someone logs in with a "weak" password, the system will force the user to change the password now, and it must follow the above rules (code change to login module)
4) When logging onto a user account, the sign-in program needs to keep track of unsuccessful login attempts for a given user ID. If 5 or more occur in a row, either the user forgot the password, or it's a hack attempt. In either case, an entry is made into a log file that tells the date/time/user ID, IP address, etc - and the account is locked for a period of time. If this is a brute-force attack, we will know where it's coming from - even if it is from multiple sources. Later, we can ban those IP addresses completely (code change, new log tracking table in the database)
Yes, I realize that this option could prevent the real user from accessing the account if someone else is hacking it at the same time, so there's more logic to do:
5) All accounts should have a new feature - challenge question and user response. They should be set up on all accounts as required fields. The questions will be displayable after the fact, but the answers are treated like passwords - not shown on any screen, and only known to the user and the admin database. In the event an account has been locked due to a hack job, a new link on the login screen will pop up a challenge box, where the user name is entered first. The system will show 5 challenge questions - 4 are random, one will be the real one. The user has to then select the correct question, and provide the answer. (answers are converted to lower case, and punctuation is ignored). If the user selects the correct question and provides the right answer, the account lockout is lifted, and the sign-in screen is shown again. In this case, if the correct password is given now, the login will be successful, even if other people are trying to hack in. (more code change, and updates to the user account master file)
6) All admins and mods and any account with some sort of power should be forced to change their passwords every 30 days, as per the above rules. (nightly processing change, new field in the user account table)
If we gather enough IP information on these attacks, we can compare attack IPs versus "normal" logins - which may lead us to the alts of users who are trying to do us harm. It's not foolproof, but it will give us a starting point. If an IP address is used for extensive hacking, it can be banned and ignored completely. (data mining and analysis program digging through new IP log table)
I think if we just tighten up the security here a bit, we can make brute-force password attacks fail 99+% of the time. These ideas that I presented are the same ones I've used for other secure retail and store websites, as well as from some work I've done for some accounting firms.
If Tom or Wade are interested in doing this, and want me to lend a hand and/or give them more details, that would be great - I would love to help. They can PM me if they want, or respond here.
I'm tired of a bunch of hacker wanna-bes messing up Newgrounds. Time to step up the game - and the first order of business: beef up our defenses!
*Salutes*
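Rules 1 through 5 of the post, put together as a runnable sketch. This is an added example, not Newgrounds code and not the poster's; it keeps the post's own numbers (6 to 20 characters, lockout after 5 consecutive failures, 1 real question among 5) and assumes things the post leaves open: a 15-minute lockout, an in-memory user store with an audit list standing in for the log table, PBKDF2 for storing the password and the challenge answer so neither is readable from the database, a constructed list of decoy questions, and an injectable clock so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Policy values taken from the post; the lock duration and decoys are assumptions.
MIN_LEN, MAX_LEN = 6, 20
SPECIALS = set("$#^&!@%*()-_=+[]{};:,.?/")
MAX_FAILURES = 5
LOCK_DURATION = timedelta(minutes=15)          # assumed; the post says "a period of time"
DECOY_QUESTIONS = [                            # constructed decoy pool (at least 5 needed)
    "Mother's maiden name?", "City you were born in?", "First car?",
    "Favourite teacher?", "Street you grew up on?", "First concert?",
]


def password_problems(pw):
    """Return the list of rule violations from the post; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special symbol")
    return problems


def normalize_answer(answer):
    """Lower-case the answer and drop punctuation/whitespace before comparing it."""
    return "".join(c for c in answer.lower() if c.isalnum())


def hash_secret(secret, salt):
    """Slow salted hash so a leaked user table does not reveal passwords or answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, now=None):
        self.users = {}          # user_id -> account record (stands in for the user table)
        self.audit_log = []      # stands in for the new IP/lockout log table
        self._now = now or (lambda: datetime.now(timezone.utc))

    def register(self, user_id, password, question, answer):
        problems = password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[user_id] = {
            "pw_salt": pw_salt, "pw_hash": hash_secret(password, pw_salt),
            "question": question,
            "ans_salt": ans_salt, "ans_hash": hash_secret(normalize_answer(answer), ans_salt),
            "failures": 0, "locked_until": None,
        }

    def login(self, user_id, password, ip):
        """Return 'ok', 'bad' or 'locked'; 5 wrong passwords in a row lock the account."""
        u, now = self.users.get(user_id), self._now()
        if u is None:
            return "bad"                       # unknown user looks the same as a wrong password
        if u["locked_until"] and now < u["locked_until"]:
            return "locked"                    # even the right password is refused while locked
        if hmac.compare_digest(u["pw_hash"], hash_secret(password, u["pw_salt"])):
            u["failures"], u["locked_until"] = 0, None
            return "ok"
        u["failures"] += 1
        if u["failures"] >= MAX_FAILURES:
            u["failures"], u["locked_until"] = 0, now + LOCK_DURATION
            self.audit_log.append({"time": now.isoformat(), "user": user_id,
                                   "ip": ip, "event": "lockout"})
            return "locked"
        return "bad"

    def challenge_questions(self, user_id, rng=secrets.SystemRandom()):
        """The real question shuffled among 4 decoys, as the post describes."""
        real = self.users[user_id]["question"]
        qs = rng.sample([q for q in DECOY_QUESTIONS if q != real], 4) + [real]
        rng.shuffle(qs)
        return qs

    def unlock_with_challenge(self, user_id, chosen_question, answer):
        """Lift the lockout only if both the question and the normalized answer match."""
        u = self.users[user_id]
        expected = hash_secret(normalize_answer(answer), u["ans_salt"])
        if chosen_question != u["question"] or not hmac.compare_digest(u["ans_hash"], expected):
            return False
        u["failures"], u["locked_until"] = 0, None
        return True


def run_scenario():
    """Constructed walk-through: 5 wrong passwords lock the account, the challenge unlocks it."""
    fake_now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    guard = LoginGuard(now=lambda: fake_now[0])
    guard.register("alice", "Secr3t$pw", "First pet's name?", "Fido, the dog!")
    results = [guard.login("alice", "wrong", "203.0.113.5") for _ in range(5)]
    results.append(guard.login("alice", "Secr3t$pw", "198.51.100.9"))   # right password, still locked
    unlocked = guard.unlock_with_challenge("alice", "First pet's name?", "FIDO THE DOG")
    results.append(guard.login("alice", "Secr3t$pw", "198.51.100.9"))
    return {"attempts": results, "unlocked": unlocked, "log": guard.audit_log}


if __name__ == "__main__":
    print(run_scenario())
```

The failure counter resets when a lock is applied, so the user gets a fresh five attempts once it expires, and the audit entry records the time, user ID and source IP that rule 4 asks for; banning or correlating IPs (the post's rule 6 follow-up) would read that list. One caveat a practitioner would add: the counter is keyed by user ID, so the lockout is per account and the IP in the log is what lets an admin tell a forgotten password from a distributed attack.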