Password attacks

Posted: Wed Jan 26, 2011 2:09 am
by Phil White
PHPBB have reported increased attempts at hacking passwords on their boards recently. This applies to many popular boards, including Wordwizard.

If anybody is asked to enter a captcha, it's because somebody has tried to hack your account.

Please use secure passwords to prevent your own account from being misused.

A secure password
  • is at least 6 characters long
  • is not a word found in a dictionary
  • is not a place name
  • uses a mixture of uppercase and lowercase characters
  • has at least one numeral and/or special character

There is little that the administration team can do to prevent this type of attack, although I have taken a temporary measure to reduce the possibility of success. This means that regular users will not be able to view profiles or the member list for a while. The worst damage that can be done is that the hacker can delete or vandalize posts made by the user. If your account is hacked, your password will probably be changed, as will your email address, and we will have no way of validating you, so secure your password! The team will not respond to email or messages saying "my account has been hijacked, can you reset the email/password to xyz" unless we know your email personally. Sorry.

If you stay logged in and don't switch computers (and are not assigned a new IP address by your provider), you will not necessarily notice the issue.

If you have been asked to enter a captcha recently, please PM me so that I can assess the scale of the problem.
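The password rules in Phil's post, turned into a checker that reports every rule a candidate password breaks. This is an added example, not code from the original thread or from phpBB; the dictionary and place-name lists are tiny constructed samples standing in for the full word lists a real deployment would load, and the user-name comparison is taken from Phil's later remark that a password equal to the user name is the weakest case.

```python
import re

# Constructed sample word lists. A real check would load a full dictionary
# and a gazetteer of place names; these few entries only illustrate the rule.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "dragon", "monkey"}
PLACE_NAMES = {"london", "paris", "berlin", "madrid", "tokyo"}

MIN_LENGTH = 6  # the minimum stated in the post


def password_problems(password: str, username: str = "") -> list:
    """Return the rules from the post that `password` breaks.

    An empty list means the password satisfies every rule. Checks are
    case-insensitive where the rule is about the word itself, so
    "London" is still recognised as a place name.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if lowered in PLACE_NAMES:
        problems.append("is a place name")
    # "mixture of uppercase and lowercase": both classes must be present
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("lacks a mixture of uppercase and lowercase")
    # "at least one numeral and/or special character": anything that is
    # neither a letter nor a digit counts as special
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        problems.append("lacks a numeral or special character")
    # extra rule from the follow-up post: password equal to the user name
    if username and lowered == username.lower():
        problems.append("is the same as the user name")
    return problems


def is_secure(password: str, username: str = "") -> bool:
    """True when the password breaks none of the rules."""
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ("password", "London", "Tr0ub4dor!"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

The checker reports all broken rules at once rather than stopping at the first, which is what a user changing a password in the control panel needs to see.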

Re: Password attacks

Posted: Wed Jan 26, 2011 9:01 am
by Erik_Kowal
Following on from Phil's announcement, here's where to change your password:

User Control Panel > Profile > Edit account settings

Re: Password attacks

Posted: Wed Jan 26, 2011 1:18 pm
by dante
Been there, done that :) I hope that damage hasn't been done already.

Re: Password attacks

Posted: Wed Jan 26, 2011 1:57 pm
by Phil White
The chances of a successful attack of this kind are slim unless somebody has a password the same as their user name or something really silly like "password".

Even the damage they are likely to do is small unless they hack an administrator account.

The purpose of the attacks is primarily for subsequently launching a spam attack, so they target the most frequent posters on the forums. If they get in, they will probably change the signature of a frequent poster to a link to the site they want to promote, thus instantly getting a couple of thousand links when Google & co index the site. It's all about placing links.

The flurry of attacks on PHPBB sites is due to a script that's going around at the moment. A human (I use the word loosely) user registers in the normal way and then reads out the member list with a script. An automated script then tries to hack all the user names on the list. If it manages to hack one, the human ("scum" would be more appropriate) will then place the spam link (and probably also change the password). That's why I have disabled viewing of the member list for the present and also why Erik and I are on our toes with deleting dubious accounts. The latest version of the PHPBB software has some additional mechanisms to fight this sort of thing and, as I have said elsewhere, I shall be updating in the next few days.
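The pattern Phil describes, one source working through the member list and trying each user name in turn, leaves a distinctive trace in login records: many failed logins against many different accounts from one address in a short time. The script below is an added example, not part of the thread or of phpBB; it runs over constructed sample log lines in an invented format (timestamp, source address, result, user name), flags sources that failed against at least five distinct accounts within a ten-minute window, and lists any account that then logged in successfully from a flagged source, which is the case where a signature or password change should be checked.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; this is not phpBB's real log format.
# One address fails against five different accounts and then succeeds on a
# sixth; the other two addresses look like ordinary users mistyping.
SAMPLE_LOG = """\
2011-01-26T01:50:01 203.0.113.7 login fail user=alice
2011-01-26T01:50:02 203.0.113.7 login fail user=bob
2011-01-26T01:50:03 203.0.113.7 login fail user=carol
2011-01-26T01:50:04 203.0.113.7 login fail user=dave
2011-01-26T01:50:05 203.0.113.7 login fail user=erin
2011-01-26T01:50:06 203.0.113.7 login ok user=frank
2011-01-26T01:51:00 198.51.100.9 login fail user=alice
2011-01-26T01:51:30 198.51.100.9 login ok user=alice
2011-01-26T02:30:00 192.0.2.44 login fail user=bob
"""


def parse_line(line):
    """Split one constructed log line into (time, source, result, user)."""
    ts, ip, _, result, user_field = line.split()
    return datetime.fromisoformat(ts), ip, result, user_field.split("=", 1)[1]


def find_enumerating_sources(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source: sorted distinct user names} for every source that
    failed logins against at least `min_users` different accounts inside
    one `window`. A single account being retried is not flagged; the
    signal is breadth across accounts, which a member-list script produces."""
    failures = defaultdict(list)  # source -> [(time, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, result, user = parse_line(line)
        if result == "fail":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        # sliding window over this source's failures, oldest to newest
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def logins_from_flagged_sources(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the ones whose signature and password should be reviewed."""
    hit = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, result, user = parse_line(line)
        if result == "ok" and ip in flagged:
            hit.add(user)
    return sorted(hit)


if __name__ == "__main__":
    sources = find_enumerating_sources(SAMPLE_LOG)
    print("enumerating sources:", sources)
    print("accounts to review:", logins_from_flagged_sources(SAMPLE_LOG, sources))
```

Counting distinct accounts per source rather than failures per account is what separates this from an ordinary lockout rule: the script Phil describes may only try one or two guesses per user name, so per-account thresholds never fire, but the spread across the member list does.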

Re: Password attacks

Posted: Wed Jan 26, 2011 2:11 pm
by dante
Thanks for the info Phil.

Re: Password attacks

Posted: Fri Mar 18, 2011 9:41 pm
by Shelley
Small question: just now, while revisiting my profile to make changes, I noted the request at the bottom to enter "the second number from this list" into a box -- this, in order to battle the dreaded spam-monster. I'm stuck, because the list is ordered in four-digit groups. It is unclear to me whether I'm to enter "5" (the actual second number), or "3679" (the second group of numbers).

Re: Password attacks

Posted: Sat Mar 19, 2011 1:34 am
by Erik_Kowal
You need to enter 3679.

It's good to see you on the site again!

Re: Password attacks

Posted: Sat Mar 19, 2011 4:38 pm
by Shelley
Thanks for the guidance, Erik. See, I'm back for a bit and already I'm making more work for you! Things were slow at the office yesterday and, well, the boss was away . . . Will continue to carve out more time for Woowooland. (Meirav, where art thou?)