Security announcement/poll

I’ve just come out of my weekly briefing with the head of cyber security.

Apparently ezfka.com is now so popular that someone has been persistently trying to log into people’s accounts using a fancy technique called “brute force”. Particularly keen on Stewie’s account, apparently. Wonder why?!

There are a few things that can be done:

  1. Nothing (easy)
  2. Require accounts to have “strong” passwords (easy but annoying)
  3. Add a ‘captcha’-type thing to the login (medium difficulty & $$)
  4. Less forgiving lockout settings (e.g. get the password wrong twice = locked out for 10 hours) (easy, but potentially exploitable by deliberately locking out users)

The poll is below – please vote with a “+” for your favoured option.

Last of the Moorookans

+1,000,000 (see how much MB influence very nice writing style?)

Biggest culprits probably redditors from /r/Brisbane or /r/AusProperty or /r/AusFinance who don’t want people discussing anything but “MORE IMMERGROIDS BECAUSE ME HOUSE PROICES”

Last of the Moorookans

I give myself +1 for comment

See how reddit influence very nice writing style?

DictatorDavid

Strong passwords are no issue when using something like Lastpass.

Funny someone is already trying to get into peoples accounts and cause trouble! They must not want people saying what they have to say here. I think Stewie had an enemy follow him here on a thread he posted?

Agent 47

Plot twist: it’s Chris Becker.

DictatorDavid

Now Chris has been sacked from MB maybe we should get him to post here? It could be like one of those British tabloids where he dishes all the goss on Macrobusiness writers.

T

+1 LastPass

The Traveling Wilbur

Gotta protect the sheeple against themselves. For their own sake as well as yours.

Other options can be added too, but *strong* pwd first.

A fly in your ointment

Firefox generates 16 characters long passwords and remembers them for you.
If someone can brute force a 16 char password he should be granted access and all hail the God almighty

Stewie

How much $$ ?

Freddy

Only if the lockout is IP address-based.

Freddy

Login LockDown – WordPress plugin | WordPress.org

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. 

This one more popular
Limit Login Attempts Reloaded – WordPress plugin | WordPress.org

Last edited 3 years ago by Freddy
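Freddy’s description of how Login LockDown counts failures per IP range, and the lockout option in the poll above, come down to the same mechanism. The sketch below is an added Python example, not the plugin’s own code; the /24 grouping, the five-attempt threshold, the window and the lockout length are assumed values. It also shows why a per-range counter does not let one wrong password lock a user out of their own account.

```python
import ipaddress
from collections import defaultdict, deque

# Added example, not Login LockDown's own code: a sliding-window failed-login
# limiter keyed on the source /24 (threshold, window and prefix are assumed).

class RangeLockout:
    def __init__(self, max_failures=5, window_s=300, lockout_s=3600, prefix=24):
        self.max_failures, self.window_s = max_failures, window_s
        self.lockout_s, self.prefix = lockout_s, prefix
        self.failures = defaultdict(deque)  # range -> timestamps of failures
        self.locked_until = {}              # range -> time the block expires

    def _range(self, ip):
        # One counter per /24, so rotating neighbouring addresses does not help.
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))

    def is_locked(self, ip, now):
        return now < self.locked_until.get(self._range(ip), 0)

    def record_failure(self, ip, now):
        """Log one failed attempt; return True if it tripped the range lockout."""
        q = self.failures[self._range(ip)]
        q.append(now)
        while now - q[0] > self.window_s:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[self._range(ip)] = now + self.lockout_s
            q.clear()
            return True
        return False

def simulate(events, limiter=None):
    """Replay (ip, timestamp, password_ok) events; return one decision per event."""
    limiter = limiter or RangeLockout()
    decisions = []
    for ip, ts, ok in events:
        if limiter.is_locked(ip, ts):
            decisions.append("locked")   # refused before the password is checked
        elif ok:
            decisions.append("ok")
        else:
            decisions.append("tripped" if limiter.record_failure(ip, ts) else "failed")
    return decisions

# Constructed sample: five guesses from one /24 (documentation range 203.0.113.0/24),
# one typo then a good login from an unrelated address, and a retry after the lock.
EVENTS = [("203.0.113.10", 0, False), ("203.0.113.11", 1, False), ("198.51.100.7", 2, False),
          ("203.0.113.12", 3, False), ("203.0.113.13", 4, False), ("203.0.113.14", 5, False),
          ("203.0.113.10", 6, True), ("198.51.100.7", 7, True), ("203.0.113.10", 3606, False)]
```

Running `simulate(EVENTS)` shows the sixth guess tripping the lock, the seventh request refused even with a correct password, the unrelated user unaffected, and the counter starting fresh once the lock expires.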
The Traveling Wilbur

Only if you set up your site’s sessions management to Black Helicopter paranoia level. So no… most sites that allow persistent logins will not clear existing sessions if an additional login attempt for the same account fails. Not even more than once. Even hotmail doesn’t do that. 😇

But if you literally mean “we have suspended your account until” kind of lockout, then yes, that would normally also trigger the end of any existing session. Black helicopter stuff if you ask me. That hotmail does do if you do enough bad things in a row to an email address name that does exist (don’t know what it does to any existing session that may have been still active when it applied the suspension).

Last edited 3 years ago by The Traveling Wilbur
Freddy

That would work. I recall I had to validate the email address upon registration.

A fly in your ointment

To get fake disposable email used to be easy.
Now it is even easier. There must be a quadrillion disposable email providers now.

A fly in your ointment

Maybe I’m dense, not sure how that makes a difference unless you think of phishing other users logins.
Check how mailinator.com works. Email galore and it does not even need pre-setting. Spammers will have 100s of registered user names/email-logins within one hour.

Last edited 3 years ago by A fly in your ointment
The Traveling Wilbur

The ginger ones are the tastiest.

T

I think this is a good idea. I got a bunch of emails (2) like someone was resetting my password on ezfka too. It was not me obviously.

Very weird.

Stewie

Well… what can I say – you can tell the quality of a man by the enemies he makes?

Either Migwig or Maggot or parties unknown. Migwig would certainly have the technical skills to do it, although I will give him enough credit to come at me front on rather than surreptitiously via a hacking attempt… I doubt he actually holds me in high enough regard to waste his time, but the fella is increasingly unhinged.

Maggot is a possibility- the guy has a diamond strength boner for me that he’d use to cut through bullet proof glass if he could get at me. No idea on his technical abilities but I could only wish for a chick to be as infatuated with me as him… then again she’d only end up as a bunny boiler.

Third parties, for some time now I’ve been aware of unknown parties trying to track me down – I don’t know why, I’m such a charming, harmless type. Thought it was maggot because of his enormous erection that he spends an inordinate amount of time stroking over me, but frankly it could be anyone I’ve offended over the years… not a short list to work through.

For the moment I’ve upgraded my password and just contacted my internet provider requesting a new IP address. I’d request a captcha in terms of security upgrade, although I do like Freddy’s suggestion, with the login lockdown capturing the IP address.

Until resolved I suppose I’ll have to access EZFKA through Tor.

Last edited 3 years ago by Stewie
Miguel de Sousa

Pffffft like I’d do brute force!

If I had to guess it’s Haruldos trying to comment without having to admit it. Anyway, what would I do with your account? Make posts about how IQ might not actually be the only reason we’re all idiots? 🤷‍♂️

Stewie

No, as much as I despise your chronic nihilism and toxic views that are sourced from the Juicy handbook of “How to raise good Goy”, I will give you enough credit to come at me front on.

Last edited 3 years ago by Stewie
The Traveling Wilbur

To be fair, there are plenty of groups that borrowed heavily from that handbook.

Every good goy deserves fruit.

Last edited 3 years ago by The Traveling Wilbur
Stewie

I think it is more than that – I’ve been having someone or some people trying to identify who I am in the real world for some time. I won’t give any further details, lest it assist them, but I’ve good reason to believe that this is the case…. or it could simply be that Maggot’s boner for me, especially after I edited his cucking my wife or his pedo fantasies, simply tripped him over into a deranged psychosis, and he wanted to get in to edit my posts and do some raw vandalism as pay back…. but again, he could simply post some more comments without violating those two criteria, which I’d leave up without issue. FFS I haven’t even banned his accounts. It is a bit weird.

Last edited 3 years ago by Stewie
Stewie da limp dick bean counter

Why would I waste my time hacking into your account u silly old cuck? If I was that keen I’d rather meet u in person and see how much of a limp dick you really are….always talking tough yet you’re just a pencil neck accountant! aaaaaaaahahahahahahahahaha

Cheers – thanks for confirming. Judging from your lame insults I would have been surprised if it was you. You could be lying, but the opportunity to show your contempt for me as being beneath your effort is so transparent I’m now fairly certain you didn’t.

Still it would have been reassuring to know that it was you, better to have a known deadshit to contend with than an unknown party. On the other hand I would have actually been a little disappointed if it was you – if I’m going to have a nemesis I’d rather it be someone a little more challenging than a queef like yourself.

BTW why do you bother with me so much though? Honestly your hard on for me is amazing. If I dislike someone I can’t be bothered reading them – it is a pointless energy sink. Yet you’re constantly seeking out my lame musings and commenting on them…. you’re actually taking the time to read them!?! Every interaction is a win, I’m living rent free in your head!! LMFAO.

Anyhow feel free to keep commenting, I seem to remember that you’d occasionally post comments on DLS or Leith’s articles that had some insights.

Last edited 3 years ago by Stewie

Just tried to log in from my phone and it redirects to 127.0.0.1
I hope my login was not snatched

My comment disappeared

I tried to log in from the phone and it redirects to 127.0.0.1
Typed in wrong pw by mistake

A fly in your ointment

Well, that one single pw error got my phone blocked. Cannot log in from my phone at all.
I will try via VPN to see if that makes a difference. I can also spoof MAC and device signature… then I’ll report (if needed).

Last edited 3 years ago by A fly in your ointment
bjw678

I lean heavily towards either do nothing or require an email address rather than user name.
Also advise strong passwords be used as this already does.
In terms of cost/benefit what is the real harm if someone actually gets into someone’s account?

Last edited 3 years ago by bjw678
A fly in your ointment

Firefox offers some complex pw auto generation and saves it as a login. Although a very complex pw is no less “crack prone” than say 343234323432, I can’t be bothered inventing new passwords each time then trying to remember it. If FF gets to be Swiss cheese, well, I’m flucked.

Last edited 3 years ago by A fly in your ointment
bjw678

Indeed, you can generate very strong passwords uniquely for each site. But that requires me to have access to the password store on any machine I want access from.
Paypal, banking etc I think should have a unique and strong password.
A free blog with some articles and comments doesn’t really need the same security.
It’s like securing your garden shed the same as a bank, doable but not worth the effort

A fly in your ointment

FF can sync pw, history and favs across devices. I’d never use another comp for banking other than my phone or my comp. But for those, I chose a pw that I can remember because it has a meaning to a human but it is deeply personal.

Look up Ubuntu stick: a USB that a comp can boot from and that makes the computer run an OS from it with 0 impact on local non-removable drives. I still keep one in my car (.flac music usb).

bjw678

Fair enough, but if someone hacks into my MB/ezfka/random forum account do I really care that much?
It’s a cost benefit thingy.
Chrome will do the same as well, but then everything is just tied to that one password anyway, if that gets hacked then everything gets hacked.