[Read!] Recent Spammer Infiltration Update

vtcnc

Admin
Staff member
H-M Lifetime Diamond Member
Joined
Jun 29, 2014
Messages
4,059
Frequent visitors of the forum may have noticed an onslaught of spammers promoting crypto pump and dump schemes through a link that is being posted all over the forum.

Key points for everybody to understand:

- This is affecting more than just Xenforo forums like ours, i.e., this is not a security bug native to Xenforo or The Hobby Machinist.

- At some point in the past, spammers accessed email and password data from a large email breach. I want to emphasize that breach did not occur here at Hobby Machinist. The general consensus is that the type of passwords being affected are what are deemed as insecure. For example, "password", "123456", "youremail" etc., etc.

- What is happening on our site is that a spamBot is using those old passwords, and trying them against old dormant accounts. They are hitting lots and lots of systems out there (like Xenforo and VBulletin forums). If an old Gmail user account uses the same password here at H-M as they did, say, 5 years ago... the spamBot gets in and will have taken control of your dormant user account here.

- Nearly all of the accounts affected here and at other forums are old, dormant and unused accounts.

Actions that Staff is taking for security precautions:

Reaction: because we have no way to know which dormant accounts will be targeted, we are banning those accounts as they get hijacked. This is often the result of members like you reporting the spam, so please keep hitting that report button when you see it.

Prevention: All accounts that have not registered a login within the past six months will be temporarily locked. A password reset email will be sent to the email account in your profile. You will be required to reset your password before you can regain entry to the site.

Actions that you can take personally:

- Keep hitting that Report button. If it smells like SPAM, let us know.

- If you are an active member, meaning you have logged in recently or within the past six months, it is highly recommended that you voluntarily reset your password. You are likely NOT affected by this breach. However, if you have an easy-to-guess password, such as "password", then you are at risk for future security risks. Please take time to evaluate your personal online security and take appropriate actions.

If you want some ideas on how to come up with password ideas, here is a link to get you started: password security tips
 
Last edited:
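The prevention step above (lock every account with no login in six months, email a reset token, require the reset before entry) can be checked end to end in a few dozen lines. The following is an added illustration, not the forum's or XenForo's code: the account model, the 183-day dormancy limit, the 24-hour token lifetime and the sample accounts are all constructed for the example, and password hashing uses PBKDF2 from the Python standard library.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy from the announcement: no login in six months -> locked until the
# owner completes an emailed password reset. Both limits are assumed values.
DORMANCY_LIMIT = timedelta(days=183)
RESET_TOKEN_TTL = timedelta(hours=24)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 from the standard library; the iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    email: str
    last_login: datetime
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    locked: bool = False
    reset_token: str | None = None
    reset_expires: datetime | None = None

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)


def lock_dormant_accounts(accounts: list[Account], now: datetime) -> list[str]:
    """Lock every account dormant longer than DORMANCY_LIMIT and issue a reset
    token. Returns the usernames that were locked (the reset emails to send)."""
    locked = []
    for acct in accounts:
        if not acct.locked and now - acct.last_login > DORMANCY_LIMIT:
            acct.locked = True
            acct.reset_token = secrets.token_urlsafe(32)
            acct.reset_expires = now + RESET_TOKEN_TTL
            locked.append(acct.username)
    return locked


def login(acct: Account, password: str, now: datetime) -> bool:
    """A locked account never authenticates, even with the correct old password,
    which is what stops a reused breached password from working."""
    if acct.locked:
        return False
    if not secrets.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return False
    acct.last_login = now
    return True


def complete_reset(acct: Account, token: str, new_password: str, now: datetime) -> bool:
    """Unlock only on a valid, unexpired token from the emailed link."""
    if acct.reset_token is None or acct.reset_expires is None:
        return False
    if now > acct.reset_expires or not secrets.compare_digest(
        token.encode(), acct.reset_token.encode()
    ):
        return False
    acct.set_password(new_password)
    acct.locked = False
    acct.reset_token = None
    acct.reset_expires = None
    acct.last_login = now
    return True


def demo() -> dict:
    """Constructed sample data: one active member, one account dormant for years
    that still carries a password from the announcement's weak-password list."""
    now = datetime(2019, 1, 1, tzinfo=timezone.utc)
    active = Account("active_member", "active@example.invalid", now - timedelta(days=10))
    active.set_password("correct horse battery staple")
    dormant = Account("old_member", "old@example.invalid", now - timedelta(days=5 * 365))
    dormant.set_password("password")  # the reused, previously breached credential
    locked = lock_dormant_accounts([active, dormant], now)
    replayed_login = login(dormant, "password", now)  # old password is refused
    later = now + timedelta(hours=1)
    owner_reset = complete_reset(dormant, dormant.reset_token, "N3w&Unique-phrase", later)
    return {
        "locked": locked,
        "replayed_login": replayed_login,
        "owner_reset": owner_reset,
        "owner_login": login(dormant, "N3w&Unique-phrase", later),
        "active_login": login(active, "correct horse battery staple", now),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that `lock_dormant_accounts` runs before any login attempt, so a correct-but-reused password on a dormant account is refused outright; only the owner, who receives the token by email, can clear the lock.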
As an aside, I have a very specific algorithm for creating my passwords.

Without giving away the farm, if I memorize the algorithm, I never have to write down a password for recreational sites like Hobby Machinist. So, I can go to any website and based on my algorithm which will remain top secret, I can generate my passwords without having to recall them.

The problem with a special word is that it isn't special. Using the word "elephant" and then coming up with clever ways to describe it as "3leph@n!" is actually quite simple for a spamBot to crack. But most people would just use "elephant" because it is easier to remember, which is why spamBots are so good at brute force attacking sites and getting in, because most of the breaches are on really dumb passwords.

My secret? I use my surroundings and situational circumstances to remember my algorithm. It is stable and unknowable unless you are driving the vtcnc bus upstairs.

I will make one possible algorithm up for you now. This isn't mine but is similar in its nature meaning that you can come up with your own after reading this but it will be impossible for me to develop it using the algorithm.

Perhaps you have an anchor word or phrase you have memorized - like "soupy7". Let that be your Anchor. It will be in every password. Then determine a good variable for you to associate with the website you are visiting; this will be different for every site. From there, you should determine a unique way to code that variable for the site you are visiting that isn't obvious to the third party observer. Let's pick the obvious example and choose main theme color: "Red" for when you visit Netflix. For Facebook, another site, your code might be Blue. You will come up with a way if you think about it. You are looking to create an algorithm here that is applicable to all sites but is capable of generating a unique code for each one. Finally, determine a unique connector code to link the other two pieces of your variable together. This should be one of those quirky multi-char codes that satisfy password generator gatekeepers, e.g. use m@k$a. You now have three password codes combined into one site password.

This gives you the following combination: Anchor + Site Variable + CharCodes

You can then combine them and settle on your algorithm:

Anchor + Code + Site Variable,
Code + Anchor + Site Variable,
Site Variable + Anchor + Code,
etc., etc.

Using the first combination above you get:

soupy7m@k$aRed = Netflix password
soupy7m@k$aBlue = Facebook password

Using the second combination you get:

m@k$asoupy7Red
m@k$asoupy7Blue

And the third:

Redsoupy7m@k$a
Bluesoupy7m@k$a

You get the idea. Pick a combination and run with it. Of course, the human imagination is pretty wild and you will come up with your own simple rules to build very complex algorithms. I made this one up on the fly but you can imagine that if you come up with your own system, the possibilities are pretty unique and unbreakable because the three different algorithms must be known.

About once every year or two, I change my algorithm. That is the only downside, if you want to call it one. Changing can simply mean rearranging the algorithms like I did above. This method doesn't fail me and I don't have to write down my passwords.

For financials, banks and online stuff, I use the encrypted two factor authentication in addition to the method above, let them do the heavy lifting and I still change my passwords at least once per year.

The obvious answer for security is of course, not to give away your algorithm codes. While I haven't done that here, I do hope that me sharing this with you helps you with coming up with your own secure password schemes.
 
Last edited:
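The post's remark that "3leph@n!" is about as easy to crack as "elephant" is worth seeing from the defender's side: a registration-time check that undoes the usual character substitutions before comparing against a list of known-weak words catches exactly that kind of password. The block below is an added example, not code from the forum or its author. The substitution table, the expansion limit and the tiny weak-word list (the announcement's "password", "123456", "youremail" plus a few constructed entries) are all assumptions; a real deployment would compare against a breached-password corpus instead.

```python
import itertools
import re

# For each substitutable character, every letter it commonly stands in for,
# plus the character itself (so "password1" still reduces to "password").
# Constructed table; extend it from observed breached-password data.
LEET_CANDIDATES = {
    "0": "o0", "1": "il1", "3": "e3", "4": "a4", "5": "s5", "7": "t7",
    "@": "a@", "$": "s$", "!": "ilt!", "+": "t+", "|": "il|",
}
MAX_EXPANSIONS = 512  # bound the product for long passwords (assumed limit)

# Constructed weak list for the example: the announcement's examples plus a
# few dictionary words. Not a real corpus.
WEAK_WORDS = {"password", "123456", "youremail", "elephant", "qwerty", "letmein"}

_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_cores(password: str, limit: int = MAX_EXPANSIONS):
    """Yield every plausible dictionary word hiding inside `password`:
    lowercase it, expand each leet character into its candidate letters,
    and strip digits/symbols tacked onto the ends ("Password123!!")."""
    lowered = password.lower()
    choices = [LEET_CANDIDATES.get(ch, ch) for ch in lowered]
    seen = set()
    for combo in itertools.islice(itertools.product(*choices), limit):
        joined = "".join(combo)
        # keep the raw string when it is all digits/symbols, e.g. "123456"
        core = _EDGE_JUNK.sub("", joined) or joined
        if core not in seen:
            seen.add(core)
            yield core


def is_weak(password: str, weak_words=WEAK_WORDS) -> bool:
    """True if any de-leeted, edge-stripped form of the password is a known-weak word."""
    return any(core in weak_words for core in candidate_cores(password))


def check_passwords(passwords):
    """Batch helper for a registration or reset form: password -> weak?"""
    return {p: is_weak(p) for p in passwords}


if __name__ == "__main__":
    # Constructed inputs: the announcement's examples and the post's "elephant" variants.
    for pw, weak in check_passwords(
        ["password", "3leph@n!", "Password123", "123456", "correct horse battery staple"]
    ).items():
        print(f"{pw!r:35} weak={weak}")
```

Because every substituted character expands to all of its plausible letters, "3leph@n!" produces "elephant" among its candidates and is rejected, while a passphrase that shares no dictionary core with the list passes; the check says nothing about passwords it has no word for, so it complements rather than replaces a breached-password lookup.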