11-10-2006, 11:24 PM   #1   Aceman (Administrator)
Change your Passwords

Today, yet another astoundingly irritating event happened. Today, the server (not sfm specifically) was hacked by an unknown person. They apparently hacked into one of the websites on this server (a small space for our good friend Howard Day) and then uploaded scripts, which then executed and gave them root access, and the ability to get all passwords, and even install several scripts (the kind that attack other servers), and even a website that gathers passwords under the guise of being Sears Customer service.

Those scripts, websites, and passwords have all been dealt with or are being handled by my hosting company, which discovered the attack and responded. They got us back online, and restored several files the attacker changed.

Accordingly, due to this invasion, ALL passwords for the server are being changed. As an added precaution, if you feel you would like to protect yourself, I would recommend that every user change their passwords immediately. THIS IS REQUIRED FOR ALL ADMINS AND MODS. CHANGE YOUR PASSWORD

What's a bad password?
A bad password is any password composed of common words or names, particularly if the password is short. For example, "iLoveMikey" is a bad password. "mydogspot" is a bad password. "GeorgeInParis" is a bad password. All are simply combinations of words or names. On top of that, many people choose bad passwords that express information that someone who knows you might be able to guess. If your boyfriend's name is "Mikey", your dog's name is "Spot", or you met someone named "George" during a trip to Paris, these are all things that people who know just a little about you can use to start making some educated guesses as to what your password might be.

And as I said, people can be really good guessers.

The irony is that the people who know you the best - your friends - are the ones who can probably make the best guesses and are the most likely to guess your password if it's a bad one.

Another problem with passwords made up from words and names is that it's really easy for a determined hacker to set up a computer with a dictionary of words and names and have it start trying combinations until something works.

What's a good password?

A good password is a long random sequence of characters - letters, numbers and any "special characters". "qicITcl}" is a good password. "rAg2imWOIgIf47IM24busml6kpetPF9UGRpPAFBMCoSmSTptbD cOxwcG3aPoa79" is a great password. The best passwords are made up of completely random characters and are as long as you can make them.
You can see the problem - great passwords are impossible to remember. So if you can't remember it, what good is it?

The solution is either a compromise, or the use of some technology.

The compromise

The compromise I use works like this:
I never include full English words or names - instead I use misspellings or phonetic sound-alikes

I always include a mix of uppercase and lowercase letters and numbers

I always make sure the password is at least eight characters long, preferably longer

So, for example, while "Macintosh" is bad, "Mac7T0sh" might be good and probably easier to remember. "HondaPrelude" is bad, but "Pre7ood6" is much, much better.

The bottom line for this compromise: pick a random looking password that YOU can remember but that "they" would never guess - and as I've said a couple of times, always assume that "they" are always really great guessers.

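The check described under "What's a bad password?" in the post above, as an added example that is not part of the original post: it flags passwords built only from words and names, including names that someone who knows the user could supply, and draws a random password as the alternative. The word list, the function names and the `personal_terms` parameter are assumptions made for this sketch.

```python
import secrets
import string

# Constructed sample list; a real check would load a full dictionary and name list.
COMMON_WORDS = {"i", "love", "my", "dog", "in", "paris", "honda", "prelude", "macintosh"}
MIN_LENGTH = 8  # the minimum length the post recommends


def split_into_words(password, words):
    """Return the fewest words that spell the whole password, or None."""
    s = password.lower()
    best = [None] * (len(s) + 1)  # best[i]: shortest word list spelling s[:i]
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            piece = s[start:end]
            if best[start] is not None and piece in words:
                candidate = best[start] + [piece]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(s)]


def check_password(password, personal_terms=()):
    """Return a list of reasons to reject the password (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    # Names a friend would know (pet, partner, trip) join the dictionary.
    words = COMMON_WORDS | {t.lower() for t in personal_terms}
    parts = split_into_words(password, words)
    if parts:  # None (no split) and [] (empty password) both skip this
        reasons.append("only words/names: " + "+".join(parts))
    return reasons


def random_password(length=16):
    """Draw each character independently from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    samples = [("iLoveMikey", ["Mikey"]), ("mydogspot", ["Spot"]),
               ("GeorgeInParis", ["George"]), ("qicITcl}", [])]
    for pw, terms in samples:
        print(pw, check_password(pw, terms) or "accepted")
    print("random:", random_password())
```

Without the personal terms, "iLoveMikey" passes this small word list, which is the post's point about people who know you being the best guessers.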
11-11-2006, 12:51 AM   #2   Ramiel (2d Sensei)
Out of curiosity, what's the worst thing they can do with our passwords (in this forum of course)?
They can make posts with our username, but I think that would be easy to understand if someone is trying to "do" us if they are doing wrong things on this board (like spam, personal offence and things like these...)
Can we have a little "explanation" before we start changing our password?
Thanks.

Thank you, namaste and good luck www.jagthesite.com____Ramielarium____My Blog!
11-13-2006, 11:48 AM   #3   Aceman (Administrator)
The fact that someone could post as you on this forum means very little. In fact, the chances of them taking the time to do that are next to none. BUT, what they could do is this:

1. Get your password here.
2. Log into your account and get your email address.
3. IF by chance your email has the same password as here, your email could become jeopardized.
4. If you use that email for any other accounts such as ebay, paypal, etc, etc.. they could potentially log into your accounts at those sites IF your passwords are the same.

It's my duty as the admin to alert you to the possibility that your information on SFM may have been violated. It's up to you if you feel that you should or shouldn't change your information.

As a moderator/admin/sensei - your account has the ability to remove threads, posts, and change account information (limited to admins). So as an added precaution I requested that these users change their password.

I hope this "explains" why I alerted the membership to the server break in.

And Ramiel - It's what could be done with the information beyond this board that has me concerned. Better to play it safe. Even if the information you use here isn't the same login pass for your online banking.

(which btw - never use the same passwords on different sites.. especially between public forums and say.. paypal, your bank, etc.)

Aceman

11-13-2006, 08:38 PM   #4   Howard Day (Sensei)
And, guys I can't tell you how sorry I am about this. I knew my FTP password was less than...awesome, and I had let it slide for far too long. It's been changed to something far more awesome, and I doubt anyone will ever get in that way again. I again apologize for the inconvenience.
11-13-2006, 11:20 PM   #5   Ramiel (2d Sensei)
Thanks for the explanation, I've changed my password, but now I must log in every time I come back here (before I was already logged in when I was visiting the site... Could this be a "new server's problem"?)
Sorry for all these questions

11-16-2006, 06:12 PM   #6   Norman (Admin)
Nahh.. that's usually cookies.. be sure you use the www. before sometimes that causes it.. however I will check the cookie settings too
All times are GMT.