
Change your passwords!

Ryan

Administrator
Staff member
Joined
Jan 26, 2006
Messages
5,695
Location
Texas/Hawaii
Recently, we've been noticing a growing trend. Essentially, we will get a spam post by a long-time member - seemingly out of the blue. I'd guess we've had over 100 of these in the past week. So, what's going on? Has the site been hacked?

Actually, no. And what's going on is quite simple.

When you see a long-time member with a spam post, it's because that user has used the same password elsewhere... and that "elsewhere" was part of a data breach. This breach could have happened last week or it could have happened years ago... But, rest assured, that user is not taking their password responsibility seriously enough and is using the same password on multiple sites.

And what happens next is predictable. Spammers have bought the databases from the hackers that performed the data breach and now are using these email and password combinations to log into other sites such as this one. In doing so, they are able to get past our spam filters and use your accounts to post spam.

It's a complete pain in the ***... And has cost me hours and hours of work.

So, please... CHANGE YOUR PASSWORD ON THIS SITE RIGHT NOW. You can do so here. Also, don't use a password you've used anywhere else. Use a password manager if you are forgetful. I recommend 1Password, but there are many others. For more pointers, see here.
 

Viper GTS

New member
Joined
Jun 7, 2015
Messages
3
Using a unique password at every single site you ever sign up for is a good first step. Password managers make this simple (1Password is great).

To take this to the next level, use an email anonymizer. I’ve used a few over the years; my current preferred is AnonAddy:


If you register your own domain you can use [email protected]. For example, I might use [email protected] for this site. You can set it up to catch anything that comes, so you can make them up on the spot. You can literally write down any email address @yourdomain.com and it will get to you. You can also send from and reply from these addresses, and turn them on and off at will. So if a site sends you too many emails you just flip a switch on the AnonAddy dashboard and you don’t see them any more. Need to get an email from the site? Turn it back on for a few minutes then back off when you’re done. You have full control over a site’s ability to put an email in your inbox.

The result of this is that everything I sign up for that isn’t banking or medical gets both a unique email and a unique password. It’s not a lot of work once you have the infrastructure set up for it, and it’s relatively low cost (around $50/year for registrar + AnonAddy Pro). Site breaches are no longer a cause for concern at all. You change one password if you care about the site (and no rush because you used a 20-50 character password that they’ll never rainbow table), otherwise you just shut off the email alias and move on with your life.

One more thing to add to this:

Website admins need to do their part in this. Hopefully you are salting and hashing properly.
 

NUTTSGT

Super Moderator
Staff member
Joined
Sep 14, 2009
Messages
50,863
Location
Northern Central Ohio
......

One more thing to add to this:

Website admins need to do their part in this. Hopefully you are salting and hashing properly.
Like I mentioned elsewhere, Ryan has been working on it.

I think some members are under the impression that since Ryan doesn't post much on the forum that he just lets it run its course. He's probably more involved than people realize.

I've seen the guy take care of stuff when most normal people in Az are sleeping.
 

Red 17

Well-known member
Joined
Oct 25, 2018
Messages
441
Location
Pasadena CA
I'm a mod on another site--automotive--tons of old accts hijacked. Others there reporting the same on multiple forums. Seems like it dropped off though.

Password changed BTW.
 

Ryan

Administrator
Staff member
Joined
Jan 26, 2006
Messages
5,695
Location
Texas/Hawaii
Website admins need to do their part in this. Hopefully you are salting and hashing properly.

I don't know of any modern database driven platforms that don't salt and hash passwords in stock form. We take that quite a bit further... and, in the thirty years I've been doing this, we've never had a data breach on any of my properties. Doesn't mean it won't happen obviously, but we work harder than most on user privacy.
 

Ryan

Administrator
Staff member
Joined
Jan 26, 2006
Messages
5,695
Location
Texas/Hawaii
ok … i’m clueless …

Basically, passwords are stored in a database and matched with your username/email. When you log in, the DB is called and your login credentials are checked. The problem with that is, if someone ever gains access to your DB they also have access to all of your users' usernames and, more importantly, passwords. So those combinations can be used on other sites such as your bank, etc...

Salting and hashing the passwords in the database is a way to protect them even if access is gained. It turns them into 32 or more characters and disguises those characters with hashes... basically...

This is the bare minimum of DB protection. We do a whole lot more than that.
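
Editor's added example (not part of any post in this thread, and not this forum's code): a minimal Python sketch of the salted password hashing discussed above, next to an unsalted hash, showing why a precomputed lookup table of the kind mentioned earlier in the thread matches unsalted values but not salted ones. The scrypt parameters, the record format and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example (not the forum's settings).
N, R, P, DKLEN = 2**14, 8, 1, 32

def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=N, r=R, p=P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def unsalted_hash(password: str) -> str:
    """The weak baseline: a fast hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def table_lookup(stored_values, wordlist):
    """Model of a precomputed table: hash each candidate once, match many rows."""
    table = {unsalted_hash(word): word for word in wordlist}
    return [table[value] for value in stored_values if value in table]

def demo():
    # Constructed sample data: two accounts that chose the same password.
    password = "correct horse battery staple"
    wordlist = ["password1", password, "letmein"]
    unsalted = [unsalted_hash(password), unsalted_hash(password)]
    salted = [hash_password(password), hash_password(password)]
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],
        "salted_identical": salted[0] == salted[1],
        "unsalted_recovered": table_lookup(unsalted, wordlist),
        "salted_recovered": table_lookup([r.split("$")[2] for r in salted], wordlist),
        "verify_ok": verify_password(password, salted[0]),
        "verify_wrong": verify_password("letmein", salted[0]),
    }

if __name__ == "__main__":
    print(demo())
```

Hashing on the server does nothing for a password that already leaked from another site, which is why the reuse problem in the first post still needs a unique password per site.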
 