Passwords and events of 8/10/2008
Bluedreams
08-10-2008, 06:17 PM
Large vb boards often have problems with spam bots randomly trying to guess passwords on every account on the board. They generally stop at 4 tries, so as not to trip the system that temp bans them and warns the user.
Until this morning we had escaped this sort of bot. As near as I can guess, it had been farming accounts for quite a while now; measures will be taken to hopefully detect this sort of thing.
At least one user used their username as their password. This should never occur, as that may be the first thing this bot tries. The same goes for using "password" as your password.
The affected accounts were banned but will be unbanned if the user uses the contact us (http://forums.irowiki.org/sendmessage.php) form at the bottom of the forums, or asks us on IRC (http://irowiki.org/irc).
vb doesn't have a built-in password security system (min chars, different chars, etc.), so I'm going to work on installing one. Until then, please practice good password safety.
We set everyone's passwords to expire 90 days after being changed. I'll keep it like this for a few days then turn it back off. If we ever get a password security system, we'll reset passwords again.
If you have any questions, let us know, and enjoy your evening! :D
=Void=
08-11-2008, 02:20 AM
Can't find anywhere else to post it, so I'm hoping here's fine?
DO NOT REPLY TO THIS EMAIL!
***************************
Dear =Void=,
You have received a new private message at iRO Wiki from Alirah, entitled "Have You ever seen this website".
To read the original version, respond to, or delete this message, you must log in here: http://forums.irowiki.org/private.php
This is the message that was sent:
***************
*Have You ever seen this website*
Image: http://gumson.info/161h.....6i.html (http://.....gumson.info)
Have You ever seen this website (http://....f.gumson.info)
***************
Again, please do not reply to this email. You must go to the following page to reply to this private message: http://forums.irowiki.org/private.php
All the best,
iRO Wiki
I'm assuming this email I received had something to do with the hackings or whatever was going on? I did check for Alirah and found nothing, and have no PMs on this site. So here's assuming they're trying another route of attack? :confused:
PS: I did remove some of the info in the links I posted, hoping they won't pose a threat to anyone =3
Bluedreams
08-11-2008, 08:03 AM
That is the spam PM and you can't find it here because we deleted all of them, so all's well.
Batman
08-11-2008, 09:16 AM
Working with computers and a bit of IT, I know this kind of issue is a problem across the board. At my first internship, we ran a program that predicts how fast a hacker could crack your users' passwords, and we found that something like 30% of the users were using something as simple as part of their name, or a family member's name, or a favorite sports team, or simply "password".
As a result of this finding, we came up with a password creation strategy that I would like to share with you. It's an easy method that creates a password complicated enough that nothing shorter than many days of brute force guessing would crack. Here is the method:
1) Start off by picking a 2-word phrase whose total length is at least the minimum password requirement size, and each word is not more than 1 letter longer than the other. (I will use "soapy dish", which is 9 letters, which is long enough for most pw requirements. Other phrases could be "blue pens", "hungry hippo", or "tooth pick".) Use all lower case letters.
2) Interchange the letters of the words (if one word is longer than the other, start with the longer word). "soapy dish" becomes "sdoiasphy". (ignore the bold, I'm using it to emphasize what I meant by interchanging the letters)
3) Randomly select at least 1 (or more if password reqs require it) of the letters to change into numbers... think l33t (O can be 0, L or I can be 1, A can be 4, e can be 3, t can be 7, etc). "sdoiasphy" becomes "5do1asphy"
4) Randomly select at least 1 (or more if password reqs require it) of the remaining letters to change into a special character (I or L can be !, a can be @, s can be $, v can be ^, o becomes *). "5do1asphy" becomes "5do1@$phy"
5) Randomly select at least 1 (or more if password reqs require it) of the remaining letters to change into upper case letters. "5do1@$phy" becomes "5Do1@$phY"
As you see, in 5 steps, I changed the phrase "soapy dish" into an unguessable password. It may take you a couple days to remember it, but it will be secure.
Good luck.
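An added example (not code from either poster or from vBulletin) covering both posts above: the letter-interleaving step 2 of Batman's method, written for two words of any length with the longer word going first, and a password-policy check of the kind Bluedreams says vb lacks (minimum length, several character classes, not the username, not "password"). The minimum length, the three-class rule and the short weak-word list are assumptions chosen for illustration.

```python
import string

# Constructed weak-password list; the thread only names "password".
WEAK_PASSWORDS = {"password", "123456", "qwerty"}


def interleave(word_a: str, word_b: str) -> str:
    """Step 2 of the method: alternate letters of the two words.

    The longer word supplies the first letter; once the shorter word
    runs out, the remaining letters of the longer word are appended.
    """
    longer, shorter = word_a, word_b
    if len(word_b) > len(word_a):
        longer, shorter = word_b, word_a
    out = []
    for i, ch in enumerate(longer):
        out.append(ch)
        if i < len(shorter):
            out.append(shorter[i])
    return "".join(out)


def check_password(username: str, password: str, min_len: int = 8) -> list:
    """Return a list of policy violations; an empty list means accepted.

    Rules (assumed here): at least min_len characters, at least three of
    the four classes lower/upper/digit/punctuation, not equal to the
    username (case-insensitive) and not on the weak-password list.
    """
    problems = []
    lowered = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if lowered == username.lower():
        problems.append("equals the username")
    if lowered in WEAK_PASSWORDS:
        problems.append("on the weak-password list")
    classes = (
        any(c.islower() for c in password)
        + any(c.isupper() for c in password)
        + any(c.isdigit() for c in password)
        + any(c in string.punctuation for c in password)
    )
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    print(interleave("soapy", "dish"))           # sdoiasphy
    print(check_password("Bluedreams", "bluedreams"))
    print(check_password("=Void=", "5Do1@$phY"))  # []
```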
vBulletin® v3.7.4, Copyright ©2000-2009, Jelsoft Enterprises Ltd.