Backcountry Pilot • Re-authenticate after excessive attempts to login

Re-authenticate after excessive attempts to login

Lately I've been noticing this error message when I log into my account. It would seem that bots or hackers are attempting to log in to our forum user accounts by means of "brute force," which is just to systematically guess our passwords over and over again.

Our security measures can prevent the automated bots by requiring you to enter a CAPTCHA code (visual numbers and letters) after a few flubbed logins, but a determined real human hacker might be more successful with some educated guessing.

Please make sure your password is strong. That means using a combination of letters, numbers, and punctuation if you can handle it. Avoid dictionary words and obvious ones like "password" or "123456."

I've read that other forum admins are seeing this same sort of brute force login attempt traffic lately too.

Thanks.
Zzz offline
Janitorial Staff
Posts: 2854
Joined: Fri Oct 08, 2004 11:09 pm
Location: northern
Aircraft: Swiveling desk chair
Half a century spent proving “it is better to be thought a fool than to open your mouth and remove all doubt.”

Re: Re-authenticate after excessive attempts to login

In addition to what Zane said, you can change/modify your password by clicking on User Control Panel (left top), Profile, Edit Account Settings. Password is in the lower part.
mountainmatt offline
Posts: 2803
Joined: Sat Apr 11, 2009 2:43 pm
Location: Colorful Colorado
FlyingPoochProductions
FlyColorado.org

Re: Re-authenticate after excessive attempts to login

Yeah I have been getting that a lot lately, guess it's time to change the password.

Sent from my HTC Evo using Tapatalk
Mongo offline
Posts: 411
Joined: Fri Jul 28, 2006 5:01 pm
Location: Indianapolis, Indiana

Re: Re-authenticate after excessive attempts to login

Ya, so anything rude I'm about to say or personal attacks I'm about to make aren't really me :wink: You know how long it took me to memorize my password?
Glidergeek offline
Supporter
Posts: 1937
Joined: Sat Sep 06, 2008 8:02 pm
Location: Hesperia
Aircraft: 1968 P206C
DG 400

Re: Re-authenticate after excessive attempts to login

So what is there to gain from hacking into our accounts, I just don't get it.

Sent from my HTC Evo using Tapatalk
Mongo offline
Posts: 411
Joined: Fri Jul 28, 2006 5:01 pm
Location: Indianapolis, Indiana

Re: Re-authenticate after excessive attempts to login

Mongo wrote: So what is there to gain from hacking into our accounts, I just don't get it.


Nothing, really. Some do it for challenge, others as a means to access other opportunities for things to hack. Information mining, email addresses, eventually something could lead them to a truly exploitable system where credit card numbers or identity information is stored.

If my account was hacked, a lot of damage could be done to our forum. It would be temporary, as everything gets backed up frequently, but it would suck.
Zzz offline
Janitorial Staff
Posts: 2854
Joined: Fri Oct 08, 2004 11:09 pm
Location: northern
Aircraft: Swiveling desk chair
Half a century spent proving “it is better to be thought a fool than to open your mouth and remove all doubt.”

Re: Re-authenticate after excessive attempts to login

Zane wrote: That means using a combination of letters, numbers, and punctuation if you can handle it. Avoid dictionary words and obvious ones like "password" or "123456."

Thanks.


So I better change my password from somthing too obvious to somthing nobody could guess. From badspeller to bestplane :D

Tim
qmdv offline
Posts: 3633
Joined: Wed Feb 15, 2006 10:22 pm
Location: Payette
FindMeSpot URL: http://share.findmespot.com/shared/face ... I5tqEOk0rc
Aircraft: Cessna 182

Re: Re-authenticate after excessive attempts to login

Not a bad idea to use both upper case and lower case in your password.

Example: *HaCkErS#sUcK!!!

:D
58Skylane offline
Posts: 5297
Joined: Thu Oct 11, 2007 12:36 pm
Location: Cody Wyoming

Re: Re-authenticate after excessive attempts to login

Yeah, filthy rich people with airplanes are a good target for hackers. I've lost one computer to hacking, it wiped the hard drive clean back in 98. I don't keep farm records or business on any computer that goes online anymore. But the wife and I do more purchasing with a credit card now than we used to so we also are doing more with PayPal but that is not impenetrable either if some employee at PayPal becomes disenchanted and takes exception to capitalism, then publishes everything.
dirtstrip offline
Posts: 1455
Joined: Fri Jun 19, 2009 8:39 pm
Location: Location: Location:
Lynn Sanderson (Dirtstrip) passed away from natural causes in May 2013. He was a great contributor and will be missed dearly.

Re: Re-authenticate after excessive attempts to login

Mongo wrote: So what is there to gain from hacking into our accounts, I just don't get it.

Sent from my HTC Evo using Tapatalk


I've studied many of the various login hacker scripts that are out there. The scripts are always tuned to exploit human habits. Commonly, the scripts would first try all the words in the dictionary, then loop through all the words in the dictionary with a 1 appended, then they might or might not try all the words in the dictionary with a 2 appended. No point in trying to append a '3' because not enough people do that. Then, it would start looping through all combinations of letters, then all combinations of letters and numbers, etc. The system will often kick them off after a number of failed login attempts, so that will often stop the script.

NOW, GO LOOK AT THIS LIST OF HACKED PASSWORDS, AND SEE HOW MANY WERE SINGLE WORDS OR A WORD WITH A '1' APPENDED! :shock:
http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php

What the hackers want is 1) any username/password that will escalate their privileges and 2) any username/password in general, and 3) any email address / email password pairs that can be associated with the username. So, if they can hack into Zane's account, they should be able to go look at the database (escalation of privilege) and get a list of all of the usernames, their regular email addresses, etc. As a parallel effort, they try to hack into all of the known regular user accounts, because many people will use the same password for both their forum password and their regular email password.

Once they've got the username/email/password info, then it can be sold to someone who specializes in identity theft. Now, that person will run a script that will take all of the known data for that person, and try to use it to login to various sites that sell things. They will check your email for online purchases to help them find what sites you buy things from. Also, they will look for other account username / password information. (Did you save the email from buycrap.com that notified you of your account and password?) Anyone that uses the same password on multiple sites is money in the bank for them. Once they have a site where they can login with your credentials, they order some crap off the site and have it shipped to an accomplice, who then sells the items for a bargain price (cash only) on craigslist. If they've got your email and password, they will delete the emails from the vendor that notify you of a package that was shipped.

Well, anyway, that's one attack vector. There are others.
kevbert offline
Posts: 948
Joined: Thu Jul 24, 2008 11:10 am
Location: Idaho
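
Added example (not part of the thread and not the forum software's own code): a defender's view of the lockout described above, showing why members meet the re-authenticate prompt when someone else has been failing against their username, and how one source failing against many usernames stands out in a log. The log format, thresholds, usernames and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format (time, source IP, username, result)
# is an assumption, not the forum software's real log format.
SAMPLE_LOG = """\
2011-03-01T10:00:00 203.0.113.7 alice FAIL
2011-03-01T10:00:02 203.0.113.7 alice FAIL
2011-03-01T10:00:04 203.0.113.7 alice FAIL
2011-03-01T10:00:06 203.0.113.7 bob FAIL
2011-03-01T10:00:08 203.0.113.7 carol FAIL
2011-03-01T10:03:00 198.51.100.20 alice OK
2011-03-01T10:04:00 198.51.100.30 dave FAIL
2011-03-01T10:04:20 198.51.100.30 dave OK
2011-03-01T10:30:00 198.51.100.21 bob OK
"""

def analyze(log_text, max_fails=3, window=timedelta(minutes=10), spray_accounts=3):
    """Return (challenged_logins, spraying_ips) for a login log.

    challenged_logins: successful logins that arrived while the account had
    max_fails or more recent failures, so the real owner met the CAPTCHA.
    spraying_ips: sources that failed against spray_accounts or more usernames.
    """
    recent = defaultdict(deque)   # username -> times of recent failures
    targets = defaultdict(set)    # source IP -> usernames it failed against
    challenged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        fails = recent[user]
        while fails and ts - fails[0] > window:   # forget failures outside the window
            fails.popleft()
        if result == "OK":
            if len(fails) >= max_fails:
                challenged.append((user, ip))
            fails.clear()                         # a good login resets the counter
        else:
            fails.append(ts)
            targets[ip].add(user)
    spraying = sorted(ip for ip, users in targets.items() if len(users) >= spray_accounts)
    return challenged, spraying

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Because the failure counter here is keyed by username rather than by source address, the owner's own typo (dave) passes unchallenged while an account someone else has been guessing at (alice) is challenged on its next good login.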

Re: Re-authenticate after excessive attempts to login

Bottom line is: Use a strong password. I can tell you with confidence that no one will ever brute force mine.

Well...maybe if they come to my house with a gun...but I have guns too. :twisted:
Zzz offline
Janitorial Staff
Posts: 2854
Joined: Fri Oct 08, 2004 11:09 pm
Location: northern
Aircraft: Swiveling desk chair
Half a century spent proving “it is better to be thought a fool than to open your mouth and remove all doubt.”

Re: Re-authenticate after excessive attempts to login

Using a password with many letters, numbers, etc. could help with not getting hacked. I got well over 10 in mine.
cstolaircraft offline
Posts: 523
Joined: Wed Sep 29, 2010 12:50 pm
Location: Blackwell, Mo
Mission Pilot in training. C-170B N8098A.
But they that wait upon the Lord shall renew their strength; they shall mount up on wings as eagles... Isaiah 40:31

Re: Re-authenticate after excessive attempts to login

cstolaircraft wrote: Using a password with many letters, numbers, etc. could help with not getting hacked. I got well over 10 in mine.


And keep changing it.

Our office computers require at least 8 characters (must include upper case & lower case) and must change it every 2 months.
58Skylane offline
Posts: 5297
Joined: Thu Oct 11, 2007 12:36 pm
Location: Cody Wyoming

Re: Re-authenticate after excessive attempts to login

If you don't want to wear your fingers out at each login and/or have a single password for all your accounts (also dangerous) you may want to think about a password vault. Roboform http://www.roboform.com/ is one option.

The passwords can be as complex and mind bending as you wish and all you have to remember is the master password which unfortunately has to be typed in when you turn on the computer, but only once per session.

All the passwords are 128 bit encrypted so if someone steals your password file it will be next to impossible to read it.

TD
TomD offline
Posts: 1113
Joined: Mon Jul 03, 2006 5:17 pm
Location: Seattle
Aircraft: Maule M5-235C

Re: Re-authenticate after excessive attempts to login

Thanks Z, kinda' figured something like that was going on. HC
hicountry offline
Posts: 1667
Joined: Wed Sep 05, 2007 3:40 pm
Location: SIDNEY NE
'05 7GCBC High Country Explorer
The faster I go , the farther behind I get.

Re: Re-authenticate after excessive attempts to login

Hey Zane, for what it is worth, I also got the message that I have tried to login too many times for the second time now in the last two days. The system made me re-authenticate before letting me in. I think the walking dead have your scent. :?
Skystrider offline
Posts: 1232
Joined: Wed Jan 24, 2007 1:44 pm
Location: Saylorsburg
Aircraft: Zenith CH701 w/ Jabiru 3300

Re: Re-authenticate after excessive attempts to login

Same thing happened to me today
74gcbc/76185 offline
Posts: 41
Joined: Sun Jun 13, 2010 10:30 pm
Location: Fairbanks, Alaska

Re: Re-authenticate after excessive attempts to login

Trying things to prevent this. Lots of Russian traffic in the logs.
Zzz offline
Janitorial Staff
Posts: 2854
Joined: Fri Oct 08, 2004 11:09 pm
Location: northern
Aircraft: Swiveling desk chair
Half a century spent proving “it is better to be thought a fool than to open your mouth and remove all doubt.”

Re: Re-authenticate after excessive attempts to login

It is beginning!

Image
mountainmatt offline
Posts: 2803
Joined: Sat Apr 11, 2009 2:43 pm
Location: Colorful Colorado
FlyingPoochProductions
FlyColorado.org

Re: Re-authenticate after excessive attempts to login

Zane wrote: Trying things to prevent this. Lots of Russian traffic in the logs.


Sounds familiar. Can you share some of these things?
Cheerio!
jjbaker offline
Posts: 207
Joined: Mon Aug 17, 2009 9:47 am
"Integrity Is A Choice. It is consistently choosing the simplicity and purity of truth over popularity." ~ Unknown
