02-18-2015, 06:30 AM (#1)
Super Moderator (no feelings)
Join Date: Dec 2007
Location: On or near a dike
Posts: 9,834

Spam bots trying to guess your password
Over the last weeks spammers have been trying to (automatically) hack user accounts in some forums (including ours) in order to send spam links via PM. One of the many, many attempts appears to have succeeded today.
- They are trying to guess passwords, so you may get an automated message from the forum, informing you that someone tried to log in to your account unsuccessfully. We are checking the forums for "weak" passwords frequently, so I know no member is particularly vulnerable. There's nothing to do or worry about. But a more complex password that's not just a word you could find in a dictionary is immune to these "dictionary attacks".
- If you do get unexpected PMs with strange links, notify me or any other moderator via PM, or use the "Contact us" link at the bottom of the forum home page, with the user name of the PM sender. Of course, do not click the link and do not quote/post it on the forum. Just delete the PM.
Last edited by Ollie; 02-18-2015 at 06:55 AM.

02-18-2015, 06:33 AM (#2)
Human being with feelings
Join Date: Mar 2010
Location: Adelaide, South Australia (originally from Geelong)
Posts: 5,598

I got a spam PM from a member (who has zero posts and was banned) earlier today and went to the PM and clicked the report button. Is that sufficient to let you guys know all the details you need?
EDIT - The spammer is the same one numerous others received and posted about here... http://forum.cockos.com/showthread.php?t=155812

02-18-2015, 06:44 AM (#3)
Human being with feelings
Join Date: Nov 2010
Posts: 2,436

What's up with Cockos forum lately? I've never seen so many bots and attacks on other forums... maybe it's finally time to update vBulletin to a more recent version?

02-18-2015, 06:45 AM (#4)
Human being with feelings
Join Date: Jun 2009
Location: Croatia
Posts: 24,790

Quote:
Originally Posted by Breeder
maybe it's finally time to update vBulletin to a more recent version?

Hear, hear!

02-18-2015, 07:17 AM (#5)
Super Moderator (no feelings)
Join Date: Dec 2007
Location: On or near a dike
Posts: 9,834

Quote:
Originally Posted by Breeder
What's up with Cockos forum lately? I've never seen so many bots and attacks on other forums...

A forum has to be a) interesting for the spammers (high PR) and b) included in the URL lists of the known spambot software to get so much attention in the first place. Other forums you visit may not meet those "requirements", or you spend less time there so you miss the spam before it gets deleted. Anyway, we are not the only forum that gets it pretty hard currently, and I wouldn't blow it out of proportion and call it an "attack", they're just spamming in more desperate ways now.
Quote:
Originally Posted by Breeder
maybe it's finally time to update vBulletin to a more recent version?

The bots are trying to hack user accounts via "dictionary attack", not the forum software. A forum software update wouldn't help with that, and it doesn't help with fighting spam in general.

02-18-2015, 09:24 AM (#6)
Human being with feelings
Join Date: Aug 2007
Location: Near Cambridge UK and Near Questembert, France
Posts: 22,754

Anyone else remember when cowpie lyrics site had their mail list hacked?
I got over 200 self-opening emails containing a variant of the old winklez virus.
That is when I discovered Norton was useless......

02-18-2015, 09:50 AM (#7)
Super Moderator (no feelings)
Join Date: Dec 2007
Location: On or near a dike
Posts: 9,834

Again, there was no attempt at hacking the forum or the member database, it's just attempts to log into existing accounts by guessing the password. There was no security breach. If you want to be extra safe, use a password as described e.g. here http://wolfram.org/writing/howto/password.html

02-18-2015, 09:53 AM (#8)
Human being with feelings
Join Date: Jun 2013
Posts: 1,646

What is the sense of finding out users' passwords?
Is the hacking attack maybe the reason for the new update maybe having a trojan virus?

02-18-2015, 09:56 AM (#9)
Human being with feelings
Join Date: May 2006
Location: Surrey, UK
Posts: 19,677

^^^^
I like the idea of the first letter of the words in a memorable phrase.
So I'm going to use: Possibly all sociology students will observe red deer.
I do hope that that will be OK.
__________________
DarkStar ... interesting, if true. . . . Inspired by ...

02-18-2015, 10:04 AM (#10)
Human being with feelings
Join Date: Jan 2013
Location: Newcastle UK
Posts: 474

Quote:
Originally Posted by Naji
What is the sense of finding out users' passwords?
Is the hacking attack maybe the reason for the new update maybe having a trojan virus?

Oh no, not again, that damned horse gets everywhere

02-18-2015, 10:08 AM (#11)
Human being with feelings
Join Date: Oct 2008
Location: Right Hear
Posts: 15,618

Thanks Ollie... I too got one of those PMs and just deleted it....

02-18-2015, 11:33 AM (#12)
Human being with feelings
Join Date: May 2006
Location: State of California
Posts: 660

Quote:
Originally Posted by DarkStar
^^^^
I like the idea of the first letter of the words in a memorable phrase.
So I'm going to use: Possibly all sociology students will observe red deer.
I do hope that that will be OK.

Or Purple Aardvarks Stand Silently Wiggling On Real Dirt.
Seriously, you need to avoid any word or phrase in any language that has ever appeared on the internet. I read that a password cracker cracked the password "Ph'nglui mglw'nafh C'thulhu R'lyeh wgah'nagl fhtagn" (a phrase from H.P. Lovecraft's Call of Cthulhu) in seconds because it appears on Lovecraftian websites and got scooped up and added to the dictionary file. You need to have your own personal nonsense words combined with random numbers and symbols.

02-18-2015, 11:58 AM (#13)
Human being with feelings
Join Date: Mar 2010
Posts: 4,713

Quote:
Originally Posted by Stringer
You need to have your own personal nonsense words combined with random numbers and symbols.

If you use a password manager, then you only need to remember one of these crazily weird, random and virtually un-rememberable passwords. Any common pattern in your passwords makes them less secure. Get a PM with 2FA and you won't have to worry about this stuff at all anymore.

02-18-2015, 12:04 PM (#14)
Human being with feelings
Join Date: May 2009
Posts: 29,260

Quote:
I like the idea of the first letter of the words in a memorable phrase.

Look up Rainbow table or dictionary attack. With millions upon millions of hacked passwords being released over the last few years, anything containing any phrases or based on phrases becomes suspect. I can't say your idea is especially bad but if it already exists anywhere in any table of previously hacked passwords, it isn't secure any longer.
The best is for it to be long and random and different for every service that is password protected.
__________________
Music is what feelings sound like.

02-18-2015, 12:10 PM (#15)
Human being with feelings
Join Date: May 2006
Location: State of California
Posts: 660

Quote:
Originally Posted by karbomusic
Look up Rainbow table or dictionary attack. With millions upon millions of hacked passwords being released over the last few years, anything containing any phrases or based on phrases becomes suspect. I can't say your idea is especially bad but if it already exists anywhere in any table of previously hacked passwords, it isn't secure any longer.
The best is for it to be long and random and different for every service that is password protected.

You missed the joke. His phrase (and mine) spell out "password." But your advice is good.

02-18-2015, 02:12 PM (#16)
Human being with feelings
Join Date: May 2009
Posts: 29,260

Quote:
Originally Posted by Stringer
You missed the joke. His phrase (and mine) spell out "password." But your advice is good.

Ruh oh, you are right. I was all "security serious" and missed it. LOL!
__________________
Music is what feelings sound like.

02-18-2015, 02:23 PM (#17)
Human being with feelings
Join Date: May 2006
Location: L.A. Cahleefornia
Posts: 305

I got a spam PM as well. I'd already deleted it so I can't tell you who it was from. Sorry.

02-18-2015, 03:48 PM (#18)
Human being with feelings
Join Date: May 2011
Location: Padova
Posts: 1,626

Me too this morning, I reported it with the exclamation mark symbol and deleted it... I don't remember the nickname, sorry

02-18-2015, 04:26 PM (#19)
Human being with feelings
Join Date: Jan 2012
Location: Central US
Posts: 467

Quote:
Originally Posted by ReaDave
I got a spam PM from a member (who has zero posts and was banned) earlier today and went to the PM and clicked the report button. Is that sufficient to let you guys know all the details you need?
EDIT - The spammer is the same one numerous others received and posted about here... http://forum.cockos.com/showthread.php?t=155812

That's the one I got. Report and delete.
For God's sake (or whatever spins your propeller), DON'T CLICK ON ANY LINKS! Computer 101, right? I had to hose down the desktop after my wife played one of those infernal Facebook games, and she clicked on a link to the "game website".

02-18-2015, 04:53 PM (#20)
Human being with feelings
Join Date: Feb 2013
Location: Northeast Michigan
Posts: 3,460

I got one yesterday. But I was notified of the PM via email and when I read it I knew it was junk and when I logged into Reaper I just deleted it without looking at it.
I remember who it was from though. Dark Star!
KIDDING!!!!!!!
It may still be in my email so I'll look next time I check in.
EDIT: Yep. Same one The Whistler got from the same name.

02-18-2015, 06:00 PM (#21)
Human being with feelings
Join Date: Dec 2013
Location: Boston
Posts: 548


02-18-2015, 11:33 PM (#22)
Human being with feelings
Join Date: Mar 2008
Location: Netherlands
Posts: 2,629

Quote:
Originally Posted by Stringer
You need to have your own personal nonsense words combined with random numbers and symbols.

Just dream up some very strange sentence and use that. Something like:
Quote:
aggressivetreeseatbroccoli

It is also very easy to remember (for you) because it is strange. I use the same 'passphrase' (obviously not 'this' one) for decades now and it never got hacked, and I'm pretty active on the webs (also for decades).
The only problem is that there are still (a lot of) websites and forums that don't allow passphrases, sometimes just six or eight character passwords. Which is pretty stupid coding-wise as any good system should only store the MD5 hash, instead of the actual password, and a hash is the same length no matter what you throw at it.
Quote:
Originally Posted by Ollie
We are checking the forums for "weak" passwords frequently, so I know no member is particularly vulnerable.

Does this mean the forum passwords are stored as clear text?
Or do you do a dictionary attack yourself just to test?

02-19-2015, 07:43 PM (#23)
Human being with feelings
Join Date: Sep 2008
Location: Location
Posts: 5,559

Shouldn't we all have the password '12345' or, if at least eight characters are demanded, '12345678'?
I personally find '12121212' extremely compelling.
-Data

02-19-2015, 10:36 PM (#24)
Human being with feelings
Join Date: Jul 2009
Posts: 7,570

Quote:
Originally Posted by Naji
What is the sense of finding out users' passwords?

Because people are lazy and many use the same passwords for multiple sites. If it matches their email login then they can get a lot of information.

02-20-2015, 03:39 AM (#25)
Human being with feelings
Join Date: Mar 2014
Location: Texas, USA
Posts: 525

Yep, I've got a message in my inbox now.
__________________
Reaper, Reason 8, Studio One Artist, EZ Drummer 2, and not enough time.

02-20-2015, 04:19 AM (#26)
Super Moderator (no feelings)
Join Date: Dec 2007
Location: On or near a dike
Posts: 9,834

Quote:
Originally Posted by technogremlin
Does this mean the forum passwords are stored as clear text?

No. vBulletin has a function to check this. Passwords can't be read, retrieved or accessed in any way.

02-20-2015, 04:34 AM (#27)
Human being with feelings
Join Date: Sep 2009
Location: Dayton, Ohio USA
Posts: 1,714

Quote:
Originally Posted by Ollie
No. vBulletin has a function to check this. Passwords can't be read, retrieved or accessed in any way.

I posted in the other related thread where you said you routinely look for weak passwords and hadn't found any for a long time. Up until Wednesday night, I had a VERY weak password, so I'm not sure if the vBulletin function is terribly reliable.

02-20-2015, 06:25 AM (#28)
Human being with feelings
Join Date: Dec 2013
Posts: 41

I also got a PM from an unrecognized sender prior to reading your post. I just deleted it. If I get another I'll let you know the sender.

02-20-2015, 07:23 AM (#29)
Super Moderator (no feelings)
Join Date: Dec 2007
Location: On or near a dike
Posts: 9,834

Quote:
Originally Posted by KevinW
I posted in the other related thread where you said you routinely look for weak passwords and hadn't found any for a long time. Up until Wednesday night, I had a VERY weak password, so I'm not sure if the vBulletin function is terribly reliable.

Yeah, it's at best rudimentary. So if you're using "password" as a password and get your account hijacked, you will feel the wrath of your fellow forum members and lose your account. Don't do that.

02-23-2015, 03:03 PM (#30)
Human being with feelings
Join Date: Feb 2015
Location: Rocky Mountains
Posts: 2

This is my approach ...
1. Use a password manager. I use LastPass
2. Do not use the same password twice. i.e. use a different password for every site
3. Use strong passwords like 's6i#tyG9srwaVl$Q' for sites like this.
4. Use stronger passwords like 'wrC^I$yM3uIrOEBp0LLiXpn3ippANJEd' for financial sites
5. Change your passwords for important sites at least 4 times a year.
6. Use LastPass 'Security Challenge' once a month to check if your email addresses have been compromised and the status of any compromised sites you frequent.
So far so good! ;-)
By the way, I must confess that I'm not quite in compliance with item #2. I still have quite a number of low level sites all using the same password. I'm working at getting that number to zero.

02-23-2015, 06:10 PM (#31)
Human being with feelings
Join Date: Feb 2007
Posts: 966

Quote:
Originally Posted by magicchord
I got a spam PM as well. I'd already deleted it so I can't tell you who it was from. Sorry.

Same here. There was a link to how to make a million dollars in 5 minutes working from home or whatever, and I just immediately deleted it.
I have created a more robust password, though, after reading this.

02-26-2015, 03:38 AM (#32)
Human being with feelings
Join Date: Jan 2014
Location: Europe
Posts: 153

Quote:
Originally Posted by Ollie
Again, there was no attempt at hacking the forum or the member database, it's just attempts to log into existing accounts by guessing the password.

Which is why this thread shouldn't have "hack" in the subject. Just gives the wrong idea of what's going on. "Spam bots trying to guess passwords" may be less fear inducing.

02-26-2015, 04:27 AM (#33)
Super Moderator (no feelings)
Join Date: Dec 2007
Location: On or near a dike
Posts: 9,834

Good point, thanks.

02-26-2015, 07:09 AM (#34)
Human being with feelings
Join Date: Feb 2015
Location: Rocky Mountains
Posts: 2

Quote:
Originally Posted by Mivo
Which is why this thread shouldn't have "hack" in the subject. Just gives the wrong idea of what's going on. "Spam bots trying to guess passwords" may be less fear inducing.

Attempting to exploit weaknesses in a computer system, like weak passwords, is by definition hacking these days. The definition of hacker has changed over the years. It used to be a positive thing.

02-27-2015, 12:23 PM (#35)
Human being with feelings
Join Date: May 2011
Location: Shaolin => NJ
Posts: 1,213

Last Pass. I can't live without it.

03-08-2015, 11:42 PM (#36)
Human being with feelings
Join Date: Mar 2010
Location: Adelaide, South Australia (originally from Geelong)
Posts: 5,598

Quote:
Originally Posted by Quest The Wordsmith

Big +1.

02-27-2016, 08:25 AM (#37)
Human being with feelings
Join Date: Feb 2016
Posts: 19

LastPass got hacked. I would never rely on a password manager. Talk about a high profile target.
If it's a site that really matters I use a random combination of upper case, lower case, numbers and symbols. They are all stored on encrypted USB sticks that also have a sequence that is unbreakable by a dictionary crack. I only have to remember that password. I back up the USB stick every time I make a change to another encrypted USB device.
You don't want them residing on your computer and you don't want them in the cloud, which has proved vulnerable.
Make them as long as the site will allow. Apple ID, for example, allows 25 characters. Use 25.
Just because you're paranoid doesn't mean they aren't watching you. We pretty much know for a fact they are.

04-01-2016, 01:20 PM (#38)
Human being with feelings
Join Date: Oct 2006
Location: Greece
Posts: 3,553

There is also KeePass, which is an application that works locally (i.e. not on the cloud). It is open source.
I currently use LastPass because it seems solid in Chrome and Firefox. But I need an excuse to move over to KeePass and find reliable browser add-ons.
LastPass keeps data encrypted in the cloud. As long as the (your) master password is complex enough, it (the data) should be pretty safe from any 3rd party.

04-01-2016, 02:09 PM (#39)
Human being with feelings
Join Date: Apr 2010
Location: Seattle
Posts: 5,635

Generally, requiring goofy characters in a password, and adding other restrictions on what it has to have and what it can't have actually make it easier for computers to brute force.
Common words you can remember, strung together, are the best option. You can remember them, so you're not writing them down somewhere, they provide enough data to make it hard for computers to break, and they won't be found in any pregenerated rainbow tables.
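Added here as a worked illustration of the points raised in posts #9, #14, #22 and #39 (example code written for this edit, not from any poster): it scores the thread's own password styles the way a dictionary attacker would rather than the way a character-class strength meter does, and compares a throttled forum login against an offline run over unsalted MD5 hashes. The guess rates, the leaked-password list and the 20,000-word dictionary size are assumptions.

```python
import math
import string

# Constructed sample inputs, modelled on the password styles discussed in the thread.
RANDOM_16 = "s6i#tyG9srwaVl$Q"                    # random characters (post #30 style)
PASSPHRASE = "aggressivetreeseatbroccoli"          # four dictionary words joined (post #22 style)
PHRASE = "Possibly all sociology students will observe red deer."  # memorable phrase (post #9)

# Constructed stand-in for a leaked-password list; real lists hold millions of entries.
COMMON_PASSWORDS = {"password", "12345", "12345678", "12121212", "qwerty"}

# Assumed guess rates: a throttled web login form versus an offline run against unsalted MD5.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_MD5_GUESSES_PER_SEC = 1e10


def acronym(phrase: str) -> str:
    """Apply the 'first letter of each word' trick to a phrase, lower-cased."""
    return "".join(word[0] for word in phrase.split()).lower()


def is_in_leaked_list(password: str) -> bool:
    """Check a candidate against the leaked-password list (case-insensitive here)."""
    return password.lower() in COMMON_PASSWORDS


def charset_size(password: str) -> int:
    """Size of the union of character classes that actually occur in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_as_random_chars(password: str) -> float:
    """Bits a character-class strength meter credits: every position uniform and independent."""
    return len(password) * math.log2(charset_size(password))


def entropy_as_words(n_words: int, dictionary_size: int) -> float:
    """Bits a dictionary attacker faces: each word uniform over a dictionary of the given size."""
    return n_words * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_sec: float) -> float:
    """Expected time to hit the password, searching half the keyspace on average."""
    seconds = 2 ** (bits - 1) / guesses_per_sec
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    short = acronym(PHRASE)
    print(f"{PHRASE!r} -> {short!r}, in leaked list: {is_in_leaked_list(short)}")
    bits_random = entropy_as_random_chars(RANDOM_16)
    bits_meter = entropy_as_random_chars(PASSPHRASE)
    bits_real = entropy_as_words(4, 20000)  # assumption: attacker dictionary of 20,000 words
    print(f"random 16 chars: {bits_random:.1f} bits; passphrase per meter: {bits_meter:.1f} bits, "
          f"per dictionary attack: {bits_real:.1f} bits")
    for label, rate in (("online login", ONLINE_GUESSES_PER_SEC), ("offline MD5", OFFLINE_MD5_GUESSES_PER_SEC)):
        print(f"{label}: passphrase {years_to_crack(bits_real, rate):.2e} years, "
              f"random {years_to_crack(bits_random, rate):.2e} years")
```

The comparison shows why the thread's two camps are both partly right: against a throttled login the word passphrase holds up for ages, but against an offline run over fast unsalted hashes its effective strength is the word count, not the character count.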

04-02-2016, 09:50 AM (#40)
Human being with feelings
Join Date: Mar 2010
Location: Adelaide, South Australia (originally from Geelong)
Posts: 5,598

Interesting info Jerome. I've always used the former combinations of random characters and symbols but what you've posted makes sense.