Invaders

[Robert Earthpig]

Just a warning to everyone... When I signed on just now I had to type in the italicized code word and was told I had exceeded the allowable number of sign in attempts. Apparently some joker has tried to weasel aboard in the guise of me. Effin swine.

[BetweenthePipes]

Same thing happened to me when I logged on about an hour ago. Not so this time.

[Stunned]

Happened to me as well.

It does look like it's a fairly recent attack strategy. I'll keep an eye on it and keep you guys posted if something comes up.

phpbb3 support is aware of the issue and it's not unique to our board. Here is one funny quote from an impacted site posted on 1/2/2011:

my users made a big deal about it because they're usually pretty drunk or high and that makes captcha tough, ya know.

My short-term advice is to make sure you have a good password that isn't easy to guess/hack. Unfortunately, I doubt there will be any solution to the problem that could guarantee that this will never happen to you. But maybe they'll come up with something. If they do, I'll update the site to make use of it.

I'll also make sure we're backed up and increase the backup frequency. I don't know what action they'll take if the attackers successfully hack an account, but if it happens and they do something that takes the site down, please bear with me...

Also, I'm going to make this a announcement on this board for now.

[yotesreign]

after what happened to this guy the new password is 'I'll keep my mouth shut':

[CBL]

They finally got to me

Oh well, it was about time for me to make a password change anyway (not that I had to, but I was well overdue one).

I just hope I can remember it for longer than a week...

[more info]

I had the same message several days ago, didn't think much of it until I saw this post.

[Puckhead]

I joined the party today while logging on.

[Robert Earthpig]

Had a real mess to deal with yesterday. Someone's attempts at logging on in my name caused me to be basically shut out of this site. I'd log in and try to add a comment to a thread and then I'd have to log in again and my written message would be toast - and so on.
Fine today.
Bastage. You'll never figure out my password!

[BetweenthePipes]

Again, today, I had to enter a code from an image to log in, as someone had clearly tried to guess my password. Any chance that Administrators can get some computer guru to chase down who is trying to do this?

Good passwords should be more than 8 characters and should include both letters and numbers. On some sites, passwords can be case sensitive as well (not sure about here). Passwords should not be, say, the ages of your children, the dates of family member birthdays, the names of your family members, etc. Preferably, they have no meaning at all and contain no real words, with one or more numbers in there at various places.

The problem always is that there are so many web sites one might visit which require a password. How the heck to remember them all is the problem (especially as I get older)! I recommend writing them down and keeping the list in some random place NOT beside the computer (in a book on a shelf, somewhere, for example--just remember which book).

[gollybass]

I changed my password... and now I dont remember it! Hopefully I dont have someone try to hack me again so i dont have the forgotten password hoopla

[Robert Earthpig]

Had to do the long sign in again as our poor, bored and life-needing friend has struck again. Keep guessing jackwad.

[Stunned]

Again, today, I had to enter a code from an image to log in, as someone had clearly tried to guess my password. Any chance that Administrators can get some computer guru to chase down who is trying to do this?

Good passwords should be more than 8 characters and should include both letters and numbers. On some sites, passwords can be case sensitive as well (not sure about here). Passwords should not be, say, the ages of your children, the dates of family member birthdays, the names of your family members, etc. Preferably, they have no meaning at all and contain no real words, with one or more numbers in there at various places.

The problem always is that there are so many web sites one might visit which require a password. How the heck to remember them all is the problem (especially as I get older)! I recommend writing them down and keeping the list in some random place NOT beside the computer (in a book on a shelf, somewhere, for example--just remember which book).

As I said earlier, this is a known problem. What I mean by this is that the makers/supporters of phpBB3 software that we're using are aware of the problem and are working on a solution.

Keep in mind that almost no solution could ever be perfect. Determined people that hack sites find ways around new defenses. And finding them is resource intensive and generally difficult to do. And keep in mind that we're not protecting your bank accounts, we're protecting a hockey discussion forum. I don't say that because I take the issue lightly, but we can't afford to pay a guy $200/hour to try to track down some joker kicking of phpBB3 login bots behind proxies and generally from foreign countries only to have him tweak a thing or two and force us to find him (or her, or them) again. And even if we did find him/her/them, then what?

Fortunately, we do have CAPTCHA which, while it's inconvenient, is the safe guard protecting your account.

Definitely use a good password.

There are two password tracking tools that are free that I'm aware of (and I know there are others that you can pay for).

I won't divulge them here publicly, but if you're interested PM me and I'll give you the information.

One of them I've been using for YEARS. Simple, easy. I tie it to a keyboard shortcut (windows). It's kept my passwords/account information dating back many years. Takes some discipline to use it consistently and keep it up to date, but it's saved my butt many, many, many times. So I'm more than motivated to keep it current.

The other is also good and I know people where I work that love it.

These are far better than keeping a spreadsheet, text file, note paper list. You can back up the encrypted files. Use them on your home network (assuming you want access to it from an PC in your house). Put backups on CD and store in your safe, safety deposit box...you get the idea. Many, many other benefits including the ability to generate passwords of arbitrary complexity based on different password rule strategies that you run into from time to time. Again, very, very simple to use.

[Stunned]

Had a real mess to deal with yesterday. Someone's attempts at logging on in my name caused me to be basically shut out of this site. I'd log in and try to add a comment to a thread and then I'd have to log in again and my written message would be toast - and so on.
Fine today.
Bastage. You'll never figure out my password!

That does suck. Hasn't happened to me...yet. Were you able to back up in the browser and at least save what you wrote (i.e., cut/paste to notepad or something...)?

[Robert Earthpig]

No, on the bright side I was only writing short blurbs so it wasn't all that bad. Just kind of annoying. Don't get the buzz being had by this person trying to hack into something that will provide absolutely no reward. I pity da foo.

[BetweenthePipes]

I was 'hit' again for the third time, today. I do not log on every day, so I don't know exactly when the attempt was. My pw is what it should be, so I am not worried, just mildly annoyed. After all, what's the point of hacking someone's account here? Loser.