• Welcome to the Fantasy Writing Forums. Register Now to join us!

Old Accounts Getting Hacked

Devor

Fiery Keeper of the Hat
Moderator
Many of you have seen the threads already, but there's been a rush of posts from old but valid accounts posting spam. Some of them were still stopped by our spam filters, and some we had to delete manually.

Although we call this hacking, most likely they are matching emails and passwords that were leaked from other big site hacks. Many people use the same password for multiple accounts, so when an email and password combo are leaked in one place, scammers know there's a good chance that combination will work in other places.

So while we look into ways to address this issue, we advise everyone to please change your passwords. There are also places online where you can check which passwords have been publicly connected to your email. And finally, this incident highlights why it's always good advice to use a unique password, but it's an absolute must for your email account, followed by your google, facebook, apple, microsoft and bank accounts. Long multiword passwords (dogcatfrogtoad) are more effective, but most of the time they use info from big hack leaks or they trick people into entering their information in the wrong place.

Please report any spam. And stay safe online, folks.
 

pmmg

Myth Weaver
Yes, that was an argument I had at my last company, and was shot down. All those crazy characters really add nothing to the security. Cause most passwrods are 'cracked' because they were leaked, in which case the password is known, or it is brute forced, in which case, the attacking computer just tries every key combination anyway--it does not care what the keys are.

A password like: %$@ewe3 will get cracked in like 3 seconds, where as a password like: MARYhadalittlelamb will take 4 trillion years. (which is all fine and dandy until quantum computing comes on line, and even that will get cracked in like 3 seconds ;))

Its better to use password phrases and make them long. Mixing up characters does not hurt, it will thwart a dictionary attack, so stick a number of weird character on the end.

Oddly, the cyber industry, which knows this to be true, still cannot convince the corporate world to adopt it. The reason being, no one wants to be the corporation getting sued for a leak and have to go before congress and say, we were using this newer lessor known password policy. Thats a road to liability for them.
 

skip.knox

toujours gai, archie
Moderator
>most passwrods are 'cracked' because they were leaked,

Yep. And yep also for long passwords. But when I have 50+ passwords to manage, even the long password thing is a challenge. That's where a good pw manager helps. Not only does it generate a long pw, I can set it to remind me to change passwords every 90 days or so. Yes it's a hassle.
 

pmmg

Myth Weaver
There is actually no good reason to change a password every 90 days unless you have reason to believe its been leaked.

Changing password frequently has been shown to lead to higher likelihood of them getting leaked.


From the NIST guidelines:


Frequency of Password Changes​

Contrary to popular belief and prior standards, NIST does not suggest frequent password changes (example: every 60 or 90 days); individuals who are asked to change passwords frequently are much more likely to reuse an old password and merely append a number, letter, or special character to the end of it. Professional hackers know this trick and are savvy enough to predict minor changes. Plus, if a previous password has already been compromised, any derivations of that password, even if additional characters are added or modified, are more easily breached in the future.

NIST recommends that businesses enforce password expiration and password resets only when a known compromise has occurred, or every 365 days. The shift to longer password life is intended to encourage users to generate longer passwords that are harder to crack.
 

Devor

Fiery Keeper of the Hat
Moderator
Changing password frequently has been shown to lead to higher likelihood of them getting leaked.

I didn't know that. Some places force you to change passwords and it's a pain in the butt that doesn't even help? Geesh.

Although, if Skip's using a password manager, then it should avoid the human-related reasons they're more likely to leak, I should think.
 

pmmg

Myth Weaver
Yep....

The average business or corp will have a policy like:

One strange character
One number or captial letter
min 8 characters
change every 90 days
remember last 8 password.


NIST, who made that standard has reversed course on it, and even the guy who made it up 20 or so years ago has publicly recanted it and said he was wrong.


Their newer standard is long password phrases, and don't change them.


Course....now the standard is 2 factor for anything important. IF MS could implement 2 factor for any account unused in the last year, that would stop all the spammers.


I cited NIST at my last company, and they shot me down. They said....


One strange character
One number or captial letter
min 8 characters
change every 90 days
remember last 8 password.


Annoys the crap out of everyone, and weakens and not strengthens protection. This type of policy leads to ppl keeping little sticky notes under their keyboards, or passwords like qwer1234.
 

pmmg

Myth Weaver
The issue with password managers, and its not a terrible concern, is that everything is stored in one place. They crack the manager, they crack everything. Plus its also counter to convenience.

That's the terrible thing with security. Its always a fight between convenience and security. Its always a fight between people complaining cause the process sucks, and things getting leaked.

And...there is no such thing as security really. There is only making it harder. The only way to have security is not be online at all.
 

skip.knox

toujours gai, archie
Moderator
Well, that recommendation acknowledges that changing passwords is a good idea; it merely suggests a less-frequent schedule (12 months versus 3 months). Moreover, the underlying argument is that users tend to re-use passwords. That's a reasonable observation for a large or random group of users, but it doesn't necessarily hold for an individual user, who might consciously avoid re-use of passwords. Those same pw management programs can enforce or remind you of re-used passwords. Finally, some organizations enforce non-reuse, though the algorithms can be gamed.

I don't entirely disagree with the quoted advice; I only raise contingent points to say there's some nuance to advice.
 

skip.knox

toujours gai, archie
Moderator
>everything is stored in one place
It's not the cracking that makes me nervous, it's me. I lose that one device or otherwise have trouble (e.g., botching the master pw), and now I've created a real headache for myself. It hasn't ever happened, but I can be fiendishly clever at being inept.

Here's another angle on pw management. I sign up at sites, then sooner or later decide I'm not interested. I just stop using the site, but my account is still there and the login information is still in my pw manager. I'm aware of this just now because I'm making myself do some clean up. It feels like a waste of hours, but I have way more passwords than I'm using and that feels foolish.

Still working on finding a fantasy writing angle to this thread. <grin>
 

pmmg

Myth Weaver
I've got a ton of logons on sites I dont visit anymore as well. I wish I could go kill them all, but...that would mean spending a day of a few days going and cleaning them all up. It is a pain.

Mostly, I look at them and decide...meh...if that got hacked, I dont care.


I hate to say, but I do think a day is coming soon when AI takes over the password problem, and we wont have to fuss with it anymore. One day, we will have an encryption chip implanted in our brain and it will just be our key to everything. --till it gets compromised ;)

I have a password manager and stopped using it. It was just easier to reset my password when I forgot then to figure out how to get back into the password manager.
 
I actually find using a password manager a lot more convenient than not using one. I only have to remember 1 single password, and I can sign-in everywhere without reusing a password. Passwords can be as long or short as they need to be, and if some site has some weird extra password rule, then complying with it is easy.

I don't even need to remember if I have an account somewhere or not. The password manager does that for me. If I end up on a log-in screen, it simply fills in any details for me it has and logs me in. I would recommend it to anyone.
 

Miles Lacey

Archmage
My approach to passwords is to use the same one where the only deviations would be the use of a symbol if it is required, using a capital or small J in one of the words and changing the three numbers that are included in the password. To date I've never been hacked.

That way it's a lot easier for me to remember the passwords but makes them surprisingly tough to crack.
 

Ban

Troglodytic Trouvère
Article Team
I've got a ton of logons on sites I dont visit anymore as well. I wish I could go kill them all, but...that would mean spending a day of a few days going and cleaning them all up. It is a pain.

Mostly, I look at them and decide...meh...if that got hacked, I dont care.


I hate to say, but I do think a day is coming soon when AI takes over the password problem, and we wont have to fuss with it anymore. One day, we will have an encryption chip implanted in our brain and it will just be our key to everything. --till it gets compromised ;)

I have a password manager and stopped using it. It was just easier to reset my password when I forgot then to figure out how to get back into the password manager.
More like weeks. While most websites are accomodating when it comes to account deletions, some others are less so to put it mildly.
 

Black Dragon

Staff
Administrator
I don't see any signs that our site was hacked or compromised in any way. As Devor speculated above, the most likely scenario is that people were using the same password on multiple sites, and those passwords were compromised on sites other than this one.

What we are experiencing now is probably a result of the following incident:

Again, there is no reason to believe that our site was compromised or our data was leaked.
 

pmmg

Myth Weaver
Yes...I dont think the site has been hacked. Just that some accounts got compromised. There were two that came up recently. Both were from members who had not signed on in years.

Forcing a password change on them, or disabling them would take them out of the mix.
 
Top