I’ve just come out of my weekly briefing with the head of cyber security.
Apparently ezfka.com is now so popular that someone has been persistently trying to log into people’s accounts using a fancy technique called “brute force”. Particularly keen on Stewie’s account, apparently. Wonder why?!
There are a few things that can be done:
- Nothing (easy)
- require accounts to have “strong” passwords (easy but annoying)
- add a ‘captcha’-type thing to the login (medium difficulty & $$)
- less forgiving lockout settings (e.g. get password wrong twice = lock out for 10 hours) (easy, potentially exploitable, deliberately locking out users)
The poll is below – please vote with a “+” for your favoured option.
Do nothing
+1,000,000 (see how much MB influence very nice writing style?)
Biggest culprits probably redditors from /r/Brisbane or /r/AusProperty or /r/AusFinance who don’t want people discussing anything but “MORE IMMERGROIDS BECAUSE ME HOUSE PROICES”
I give myself +1 for comment
See how reddit influence very nice writing style?
Strong passwords
Strong passwords are no issue when using something like Lastpass.
Funny someone is already trying to get into people’s accounts and cause trouble! They must not want people saying what they have to say here. I think Stewie had an enemy follow him here on a thread he posted?
Plot twist: it’s Chris Becker.
Now Chris has been sacked from MB maybe we should get him to post here? It could be like one of those British tabloids where he dishes all the goss on Macrobusiness writers.
+1 LastPass
Gotta protect the sheeple against themselves. For their own sake as well as yours.
Other options can be added too, but *strong* pwd first.
Firefox generates 16-character-long passwords and remembers them for you.
If someone can brute force a 16 char password he should be granted access and all hail the God almighty
Captcha type thing
How much $$ ?
Hair trigger lockout
Only if the lockout is IP address-based.
I doubt that’s how it works.
I do wonder, if you’re already logged in on some device and old mate tried to log in and gets the account locked, whether that affects you…
Login LockDown – WordPress plugin | WordPress.org
This one more popular
Limit Login Attempts Reloaded – WordPress plugin | WordPress.org
Only if you set up your site’s sessions management to Black Helicopter paranoia level. So no… most sites that allow persistent logins will not clear existing sessions if an additional login attempt for the same account fails. Not even more than once. Even hotmail doesn’t do that. 😇
But if you literally mean “we have suspended your account until” kind of lockout, then yes, that would normally also trigger the end of any existing session. Black helicopter stuff if you ask me. That hotmail does do if you do enough bad things in a row to an email address name that does exist (don’t know what it does to any existing session that may have been still active when it applied the suspension).
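The distinction Wilbur draws above (a failed attempt counts against a source IP and an account but leaves live sessions alone; only an actual suspension ends them) as an added illustration. This is not ezfka.com’s code and not either WordPress plugin linked above; the thresholds, window and session bookkeeping are constructed sample values.

```python
import time
from collections import defaultdict

IP_LIMIT, ACCOUNT_LIMIT = 5, 10   # constructed: failures before a lock
LOCK_SECONDS = 10 * 60            # constructed: how long a lock lasts


class LoginLimiter:
    """Tracks failed logins per source IP and per account separately."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock for testing
        self.fail = defaultdict(list)      # key -> timestamps of failures
        self.locked = {}                   # key -> time the lock expires
        self.sessions = defaultdict(set)   # user -> live session ids

    def _recent(self, key):
        # Drop failures older than the window, return how many remain.
        t = self.now()
        self.fail[key] = [s for s in self.fail[key] if t - s < LOCK_SECONDS]
        return len(self.fail[key])

    def is_locked(self, key):
        return self.locked.get(key, 0) > self.now()

    def record_failure(self, ip, user):
        """A wrong password: count it, but never touch self.sessions[user]."""
        t = self.now()
        self.fail["ip:" + ip].append(t)
        self.fail["user:" + user].append(t)
        if self._recent("ip:" + ip) >= IP_LIMIT:
            self.locked["ip:" + ip] = t + LOCK_SECONDS
        if self._recent("user:" + user) >= ACCOUNT_LIMIT:
            self.locked["user:" + user] = t + LOCK_SECONDS

    def allowed(self, ip, user):
        """May this IP attempt a login for this account right now?"""
        return not (self.is_locked("ip:" + ip) or self.is_locked("user:" + user))

    def suspend(self, user):
        """The 'we have suspended your account' case: kills live sessions."""
        self.locked["user:" + user] = float("inf")
        self.sessions[user].clear()
```

A single wrong password from a phone therefore does nothing beyond incrementing two counters; the lock only engages once the IP or the account crosses its own threshold inside the window.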
Thanks Wilbur … I don’t know how any of this works 🤭
Another option is to require people to log in with email addresses (which aren’t displayed) rather than usernames.
I suspect that won’t work because made up email addresses…?
That would work. I recall I had to validate the email address upon registration.
To get fake disposable email used to be easy.
Now it is even easier. There must be quadrillion disposable email providers now.
Yeh yeh, but the point is different.
the point is to forbid logins with “Djenka/DjenkaLOVEScat$”
and require
“Djenka52@hotmail.com/DjenkaLO EScat$”
…spammers won’t know the first bit…
Maybe I’m dense, not sure how that makes a difference unless you think of phishing other users logins.
Check how mailinator.com works. Email galore and does not even need pre-setting. Spammers will have 100s of registered user names/email-logins within one hour.
we’re talking about different things – you’re saying that spammers can sign up with email addresses. And I think they easily can.
I’m talking about spammers trying to log in with existing users (presumably to do funny posts under their accounts?). That’s what it seems they’re doing although I don’t know why they’d bother.
The ginger ones are the tastiest.
I think this is a good idea. I got a bunch of emails (2) like someone was resetting my password on ezfka too. It was not me obviously.
Very weird.
Well… what can I say – you can tell the quality of a man by the enemies he makes?
Either Migwig or Maggot or parties unknown. Migwig would certainly have the technical skills to do it, although I will give him enough credit to come at me front on rather than surreptitiously via a hacking attempt… I doubt he actually holds me in high enough regard to waste his time, but the fella is increasingly unhinged.
Maggot is a possibility- the guy has a diamond strength boner for me that he’d use to cut through bullet proof glass if he could get at me. No idea on his technical abilities but I could only wish for a chick to be as infatuated with me as him… then again she’d only end up as a bunny boiler.
Third parties, for some time now I’ve been aware of unknown parties trying to track me down – I don’t know why, I’m such a charming, harmless type. Thought it was maggot because of his enormous erection that he spends an inordinate amount of time stroking over me, but frankly it could be anyone I’ve offended over the years… not a short list to work through.
For the moment I’ve upgraded my password and just contacted my internet provider requesting a new IP address. I’d request a captcha in terms of security upgrade, although I do like Freddy’s suggestion, with the login lockdown capturing the IP address.
Until resolved I suppose I’ll have to access EZFKA through Tor.
Pffffft like I’d do brute force!
If I had to guess it’s Haruldos trying to comment without having to admit it. Anyway, what would I do with your account? Make posts about how IQ might not actually be the only reason we’re all idiots? 🤷♂️
No, as much as I despise your chronic nihilism and toxic views that are sourced from the Juicy handbook of “How to raise good Goy”, I will give you enough credit to come at me front on.
To be fair, there are plenty of groups that borrowed heavily from that handbook.
Every good goy deserves fruit.
Yeah, it’s strange – not sure what the point of breaking in to someone’s account is. A few funny posts sure is fun, but there are easier ways to do that.
I think it is more than that – I’ve been having someone or some people trying to identify who I am in the real world for some time. I won’t give any further details, lest it assist them, but I’ve good reason to believe that this is the case…. or it could simply be that Maggot’s boner for me, especially after I edited his cucking my wife or his pedo fantasies, simply tripped him over into a deranged psychosis, and he wanted to get in to edit my posts and do some raw vandalism as pay back…. but again, he could simply post some more comments without violating those two criteria, which I’d leave up without issue. FFS I haven’t even banned his accounts. It is a bit weird.
Why would I waste my time hacking into your account u silly old cuck? If I was that keen I’d rather meet u in person and see how much of a limp dick you really are….always talking tough yet you’re just a pencil neck accountant! aaaaaaaahahahahahahahahaha
Cheers – thanks for confirming. Judging from your lame insults I would have been surprised if it was you. You could be lying, but the opportunity to show your contempt for me as being beneath your effort is so transparent I’m now fairly certain you didn’t.
Still it would have been reassuring to know that it was you, better to have a known deadshit to contend with than an unknown party. On the other hand I would have actually been a little disappointed if it was you – if I’m going to have a nemesis I’d rather it be someone a little more challenging than a queef like yourself.
BTW why do you bother with me so much though? Honestly your hard on for me is amazing. If I dislike someone I can’t be bothered reading them – it is a pointless energy sink. Yet you’re constantly seeking out my lame musings and commenting on them…. you’re actually taking the time to read them!?! Every interaction is a win, I’m living rent free in your head!! LMFAO.
Anyhow feel free to keep commenting, I seem to remember that you’d occasionally post comments on DLS or Leiths articles that had some insights.
Just tried to log in from my phone and it redirects to 127.0.0.1
I hope my login was not snatched
My comment disappeared
I tried to log in from the phone and it redirects to 127.0.0.1
Typed in wrong pw by mistake
I think that’s the hair trigger 😛
IT are tooling around with some settings to see what works. And what is overzealous.
Well, that one single pw error made my phone blocked. Cannot log in from my phone at all.
I will try via VPN to see if that makes a difference. I can also spoof MAC and device signature… then I’ll report (if needed).
I lean heavily towards either do nothing or require an email address rather than user name.
Also advise strong passwords be used as this already does.
In terms of cost/benefit what is the real harm if someone actually gets into someone’s account?
Firefox offers some complex pw auto generation and saves it as a login. Although a very complex pw is no less “crack prone” than say 343234323432, I can’t be bothered inventing new passwords each time then trying to remember it. If FF gets to be Swiss cheese, well, I’m flucked.
Indeed, you can generate very strong passwords uniquely for each site. But that requires me to have access to the password store on any machine I want access from.
Paypal, banking etc I think should have a unique and strong password.
A free blog with some articles and comments doesn’t really need the same security.
It’s like securing your garden shed the same as a bank, doable but not worth the effort
FF can sync pw, history and favs across devices. I’d never use another comp for banking other than my phone or my comp. But for those, I chose a pw that I can remember because it has a meaning to a human but it is deeply personal.
Look up Ubuntu stick: a USB that comp can boot from and makes that computer run OS from it with 0 impact on local non removable drives. I still keep one in my car (.flac music usb).
Fair enough, but if someone hacks into my MB/ezfka/random forum account do I really care that much?
It’s a cost benefit thingy.
Chrome will do the same as well, but then everything is just tied to that one password anyway, if that gets hacked then everything gets hacked.