Started by LiroyvH, July 23, 2013, 12:45:08 PM
Quote from: margarett on August 02, 2013, 06:48:24 AM
...most of the users use dynamic IP addresses, and having your IP is pointless, unless someone is targeting YOU specifically. This attack is a "large scale password gathering" thing.
Quote from: margarett on August 02, 2013, 06:48:24 AM
This discussion is going nowhere now.
Quote
Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair
Quote from: margarett on August 02, 2013, 07:12:43 AM
- as it was stated clearly, the goal of this attack is to gather passwords and cross-check them on other sites
Quote
The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Quote from: Tiny Clanger on August 02, 2013, 05:00:42 AM
Quote from: CandC on August 01, 2013, 01:56:05 PM
I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that, whoever you are.
Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html

Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades. So, in the example given, Ch!cken and @dob0 are effectively dictionary words. Adding a couple of extra letters to identify your site looks like a good idea, but crackers use automated rules to try patterns like **wordword (where * is any letter/number/symbol and word is any cracker's-dictionary word), word**word, wordword**, and so on. So, although it won't fall alongside 123456, l3tm31n, and qwerty, it will fall soon thereafter. If you reuse Ch!cken**@dob0 across accounts, the pattern is easy to guess, and your other accounts are only protected by combinations of **, which is few enough to go knocking on-line.

I wouldn't "cast the first stone" at the author of that article, because we've all done things like that at one time or another.
Quote from: CandC on August 01, 2013, 01:56:05 PM
I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that, whoever you are.
Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html
Quote from: Peregrinus on August 02, 2013, 07:07:43 AM
At the end of the day, these hackers have EVERYONE'S IP addresses now. I think it appropriate to make that fact aware... and with a password what's to stop the hacker from accessing somebody's computer?
Quote from: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that IPs would be available to the hacker. He dismissed it. Funny, hey?
Quote from: CandC on August 02, 2013, 09:10:26 AM
I won't deny your reply has merit and I would be more concerned IF
Quote from: 青山 素子 on August 02, 2013, 10:42:25 AM
Perhaps the fact that most end-user computers don't have any kind of remote access running?
Quote from: Tiny Clanger on August 02, 2013, 12:48:11 PM
Or in other cases the password is known only to the ISP and access is limited by IP.
Quote from: Tiny Clanger on August 02, 2013, 12:48:11 PM
If you want to check just how little the outside world can see you, try https://www.grc.com/shieldsup (If remote access is enabled on your router, it may be on 8080 rather than 80.)
Quote from: 青山 素子 on August 02, 2013, 05:05:11 PM
I'd hope my ISP doesn't know