Weak password? Seems a bit extreme... and weird behavior

RossoX

Active Member
Jun 3, 2021
933
1,368
227
When I logged in today, the following message instantly flash-banged me: [attached screenshot: Sam F95 1.jpg]
Never had any issues with my account in the past. I've changed my PW and the message disappeared. Whatever.

But just 24 hours, really? For a porn site this is a rather extreme time-frame. What's this, government/FBI security level or something? You mean to tell me that, if I hadn't logged in daily, it would have locked my account right then? On a 2D cartoon hentai website? Actually sensitive accounts that hold important work or personal data, like Microsoft, Google, etc., give you ample warning and time to update.

And for such an arbitrary reason too. Because when I changed my PW, for fun I input the previous supposedly "weak" password in the field, and guess what? The bar that evaluates the PW strength actually said that it was a reasonably strong password!! So I'm calling bullshit on the "weak password".

Besides, how come the site can even see the exact password, to evaluate that it was weak, which was even a wrong evaluation to begin with? Shouldn't those be hashed or encrypted in the database? Do you mean to tell us that you're storing the raw naked passwords?

This whole thing is fishy as hell no matter which way you cut it, is what I'm saying.
 

Sam

Sysadmin
Staff member
Administrator
Dec 22, 2016
2,987
21,361
805
RossoX said: And for such an arbitrary reason too. Because when I changed my PW, for fun I input the previous supposedly "weak" password in the field, and guess what? The bar that evaluates the PW strength actually said that it was a reasonably strong password!! So I'm calling bullshit on the "weak password".
This usually happens when your password was listed on . This can either mean someone else who got hacked has the same password as you, or if your password is truly strong (and thus unique) then it's likely there's a combo list floating around containing your email and password. These combo lists are then used by bad actors to spread malware and spam on the forum. If you use that password anywhere else, change it.

The password strength meter is client side, it doesn't perform a server side haveibeenpwned check until you submit it.

RossoX said: But just 24 hours, really? For a porn site this is a rather extreme time-frame. What's this, government/FBI security level or something? You mean to tell me that, if I hadn't logged in daily, it would have locked my account right then?
It's not really 24 hours; it's just to get you to do it ASAP. If you don't and decide to leave it, the next person to log in could be the bad actor, and they'll just update your password for you, then spread malware or spam.

RossoX said: On a 2D cartoon hentai website? Actually sensitive accounts that hold important work or personal data, like Microsoft, Google, etc., give you ample warning and time to update.
Your account could have contributed to this: https://f95zone.to/threads/recent-malware-infected-games.207437/

RossoX said: Besides, how come the site can even see the exact password, to evaluate that it was weak, which was even a wrong evaluation to begin with? Shouldn't those be hashed or encrypted in the database? Do you mean to tell us that you're storing the raw naked passwords?
  • You input the raw password when you login
  • It's then checked against leaked passwords
  • If a match is found, your account is flagged
  • This all happens during the login process; at no point is your raw password stored
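To make the flow Sam describes concrete, here is an added example (not the forum's own code) of a haveibeenpwned Pwned Passwords check run as a login hook: only the first five hex characters of the SHA-1 leave the server, the returned range is matched locally, and the raw password is never written anywhere. The range response is a constructed stand-in so the example runs offline; the endpoint format and the sha1("password") entry are real, the other suffixes and counts are made up.

```python
import hashlib

# Constructed stand-in for the body of
#   GET https://api.pwnedpasswords.com/range/<5-char prefix>
# Real responses list one "SUFFIX:COUNT" line per leaked hash in that range.
# Only the first line is real (sha1("password")); the rest are made up.
# A ":0" line mimics the padding entries HIBP adds when padding is requested.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F1B2D7A5C7A3B4E5F6A7B8C9D0E1F2A3B4:2\r\n"
        "0000C9D1F2E3A4B5C6D7E8F9A0B1C2D3E4F:0\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; padding lines carry count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call (assumption: replaced by a real request in
    production). The full hash never appears in the request."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str) -> int:
    """How many times this exact password appears in known breach corpora."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)   # 0 also covers padding entries


def login_decision(password: str) -> str:
    """Decision for the login flow; returns a verdict, never the password."""
    seen = pwned_count(password)
    return f"flag: seen {seen} times in breaches, force reset" if seen else "ok"
```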
 

RossoX

Active Member
Jun 3, 2021
933
1,368
227
Alright, I kneel. I do in fact use that same PW on a handful of non-essential websites, so your reasoning tracks. I can't tell for sure which one of those got leaked, but that's likely what happened. My initial knee-jerk interpretation of the events was off base. Thank you for the level-headed and clear reply. Nothing more to see here, folks.