
Warning: change your password please!

Rottmannash

Major Contributor
Forum Donor
Joined
Nov 11, 2020
Messages
2,968
Likes
2,604
Location
Nashville
FYI we discovered 3 more today. Our spam filters are catching them after the fact by quarantining the posts. It is possible there are more that we are not seeing although that is unlikely. So scale is small but not zero or random.
Are these accounts only created to sell items?
 

beefkabob

Major Contributor
Forum Donor
Joined
Apr 18, 2019
Messages
1,636
Likes
2,073
Install wordfence (or similar) on your sites, and set it to block an IP after 5 login attempts. Kills brute force attacks. And turn off the account named admin.
Admin has never been on. I actually block for 999 hours after 2 attempts. Otherwise I get too many notifications. Nobody has ever used the correct login let alone the correct login and password.
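As an added example (not from the thread and not Wordfence's own code), here is the lockout rule described above written in Python: a source address that fails N times in a row is refused for a fixed window, even if it later supplies the right password. The user store, the IP addresses and the password are constructed for the demo, and the clock is injectable so the expiry can be exercised without waiting 999 hours.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed demo user store. The password is kept in the clear ONLY so the
# lockout logic is the one thing under test; a real store holds salted,
# deliberately slow hashes.
DEMO_USERS = {"member": "correct horse battery staple"}


def check_credentials(user: str, password: str, store: Dict[str, str] = DEMO_USERS) -> bool:
    expected = store.get(user, "")
    # constant-time comparison, then the membership check
    return hmac.compare_digest(expected.encode(), password.encode()) and user in store


@dataclass
class LoginGuard:
    max_failures: int = 5                      # "block an IP after 5 login attempts"
    block_seconds: int = 999 * 3600            # "999 hours" from the post
    clock: Callable[[], float] = time.time     # injectable for tests
    _failures: Dict[str, int] = field(default_factory=dict, init=False, repr=False)
    _blocked_until: Dict[str, float] = field(default_factory=dict, init=False, repr=False)

    def is_blocked(self, ip: str) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # block expired: forget it together with the old failure count
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> None:
        n = self._failures.get(ip, 0) + 1
        self._failures[ip] = n
        if n >= self.max_failures:
            self._blocked_until[ip] = self.clock() + self.block_seconds

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


def attempt_login(guard: LoginGuard, ip: str, user: str, password: str) -> str:
    """Returns 'blocked', 'bad_credentials' or 'ok'. The block is checked
    before the credentials, so a blocked address learns nothing about them."""
    if guard.is_blocked(ip):
        return "blocked"
    if not check_credentials(user, password):
        guard.record_failure(ip)
        return "bad_credentials"
    guard.record_success(ip)
    return "ok"


if __name__ == "__main__":
    fake_now = [1_700_000_000.0]
    guard = LoginGuard(max_failures=2, block_seconds=3600, clock=lambda: fake_now[0])
    for pw in ("guess1", "guess2", "correct horse battery staple"):
        print(attempt_login(guard, "203.0.113.7", "member", pw))
    fake_now[0] += 3601
    print(attempt_login(guard, "203.0.113.7", "member", "correct horse battery staple"))
```

Note that the third attempt is refused even though the password is right: that is the point of the rule, and also why the poster gets notifications rather than silent failures. Keying on the source address alone is a trade-off; a botnet rotating addresses is not slowed by it, which is one reason the thread also leans on strong passwords and 2FA.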
 

antcollinet

Master Contributor
Joined
Sep 4, 2021
Messages
7,408
Likes
12,291
Location
UK/Cheshire
Admin has never been on. I actually block for 999 hours after 2 attempts. Otherwise I get too many notifications. Nobody has ever used the correct login let alone the correct login and password.
Fair enough. On my sites (when they were operating) any IP that spammed 5 attempts got permablocked.
 

Labjr

Major Contributor
Joined
Dec 14, 2018
Messages
1,051
Likes
949
Earlier today I received an email from Credit Karma telling me someone accessed my account from a computer I didn't recognize. So I changed my password and activated 2FA. Afterward, I figured I'd do the same with my Experian account only to find out Experian doesn't support 2FA! I was able to log in from another computer with no problem! How is it that one of the largest credit reporting agencies doesn't have better security on their own web site?
 

antcollinet

Master Contributor
Joined
Sep 4, 2021
Messages
7,408
Likes
12,291
Location
UK/Cheshire
I'm on it, but my priority is changing all the 200 and something credentials that were in my vault that LastPass kindly gave away to bad actors for me.

It was protected by a pretty strong password - but not strong enough to keep me from worrying about it - so everything gets changed, logon IDs/emails as well as passwords. I estimate about 2 weeks of 2 hours per day. It's a bloody mess, but on the plus side it'll all be neat and tidy once I've finished.

My ASR password was not in LastPass, and already strong - so less of a worry.
 

antcollinet

Master Contributor
Joined
Sep 4, 2021
Messages
7,408
Likes
12,291
Location
UK/Cheshire
Cool, but not everyone is inclined to self-host their own password manager.

Bitwarden (cloud-hosted, not self-hosted) or 1password (already cloud-hosted) are an easy recommendation for anyone who's not technically inclined.

If I tell any of my non-technical friends to self-host their own password manager, they'll look at me like I'm from another planet.
I'm not non-technical - but still choose to believe that "they" are going to be better at securing stuff in the cloud than I am in my self-hosted system. Given that I want access when away from home, I would have to open my self-hosted system to the net.
 

Digby

Major Contributor
Joined
Mar 12, 2021
Messages
1,632
Likes
1,555
I'm on it, but my priority is changing all the 200 and something credentials that were in my vault that LastPass kindly gave away to bad actors for me.
What a palaver. Too many eggs in one basket? Seriously, I have always thought a password manager was a poor solution dressed up as a good one, in that if what happened with lastpass happens, then bad actors have access to EVERYTHING.

Personally, I am coming to think a tiered system is needed, where the most important stuff is separated from important, which is separated from relatively unimportant. Perhaps better to use an encrypted rar file on your own server (far more innocuous) than LastPass or similar, which is just begging to be hacked, as it broadcasts precisely what it is to the entire world.
 

AdamG

Proving your point makes it “Science”.
Moderator
Forum Donor
Joined
Jan 3, 2021
Messages
4,636
Likes
14,918
Location
Reality
Are these accounts only created to sell items?
I can give you a partial answer from what I have seen. The recent run of hacked accounts have been 100% spambots. Posting links to stuff for sale or other nefarious purposes. I made it a point not to click through to the linked sites. Hope that helps.
 

antcollinet

Master Contributor
Joined
Sep 4, 2021
Messages
7,408
Likes
12,291
Location
UK/Cheshire
What a palaver. Too many eggs in one basket? Seriously, I have always thought a password manager was a poor solution dressed up as a good one, in that if what happened with lastpass happens, then bad actors have access to EVERYTHING.

Personally, I am coming to think a tiered system is needed, where the most important stuff is separated from important, which is separated from relatively unimportant. Perhaps better to use an encrypted rar file on your own server (far more innocuous) than LastPass or similar, which is just begging to be hacked, as it broadcasts precisely what it is to the entire world.
It's a balance of risks.

The convenience afforded by decent password managers makes it possible to work with unique strong passwords for every system, and to not leave systems logged in to avoid having to look up passwords in a less easy system (such as an encrypted rar file).

The down side - as you say - is the target they make. This is why they work on a zero-knowledge architecture - only strongly encrypted data is stored in the cloud - it is only ever unlocked on your own system.

As ordinary people - we also have the advantage that when the vaults do go walkabout they are buried in hundreds of thousands of others. It is so expensive to even attempt to brute force them that they are unlikely to go after the likes of you and me. So our systems remain secure. That - unfortunately for me - still doesn't give me sufficient peace of mind to leave my passwords unchanged.
 
amirm (OP)

Founder/Admin
Staff Member
CFO (Chief Fun Officer)
Joined
Feb 13, 2016
Messages
44,368
Likes
234,381
Location
Seattle Area
I would hope ASR is not storing passwords in plaintext...
Of course not. As I posted earlier, the system uses bcrypt to properly encrypt all passwords.
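Added example, not ASR's or its forum software's code: what "not stored in plaintext" looks like in practice. It uses scrypt from Python's standard library rather than bcrypt (bcrypt needs a third-party package), but the properties are the same ones that matter in a breach: a random per-user salt, a deliberately slow derivation, and verification by re-deriving and comparing rather than by decrypting anything. The work-factor values and the sample password are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed work factor for the demo (tune for real hardware).
# scrypt uses about 128 * r * n bytes of memory: 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAXMEM = 64 * 1024 * 1024
MAX_ACCEPTED_N = SCRYPT_N * 4   # refuse records that would demand absurd work


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _kdf(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Self-describing record: algorithm, parameters, random salt, derived key.
    Two hashes of the same password differ because the salt differs."""
    salt = os.urandom(16) if salt is None else salt
    key = _kdf(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in
    constant time. A malformed record (a plaintext value, a bad parameter)
    fails closed instead of raising."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt" or int(n) > MAX_ACCEPTED_N:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        actual = _kdf(password, salt, int(n), int(r), int(p))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("correct horse battery stapl", record))    # False
```

With records like these, a stolen user table gives an attacker nothing but the job of guessing each password separately, at whatever cost per guess the work factor sets; that is why the thread's advice to use a unique, strong password still matters even when the site hashes properly.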
 

testp

Senior Member
Joined
Jul 22, 2020
Messages
390
Likes
229
The biggest threat from search engines showing scammers' sites first is with banking, I think. If you use, for instance, the Google search engine to enter your bank, you could just pick the first one from the query, so instead of entering the real bank you are entering something like www.1-23_bankname.com. There's a high chance of losing your money that way (scammers are usually using instant bank transfers), so the chances of getting your money back are close to zip..

So, just a reminder (especially for older folks):
Always use your own link, type the URL, or at least check the URL before entering your bank website. If it doesn't feel right, it probably isn't; better safe than sorry..
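An added example (not from the post) of the "check the URL" habit written down as a rule a browser extension or a careful reader could apply: a URL counts as the bank only if it uses https and its hostname is exactly the bank's real domain or a subdomain of it. The allowlist domain `bankname.example` and the test URLs are constructed; the point is that a hostname merely containing the bank's name, like the `www.1-23_bankname.com` shape in the post, does not pass.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the genuine domain(s) the user banks with, copied
# from a statement or card rather than from a search result.
MY_BANK_DOMAINS = ("bankname.example",)


def bank_host(url: str) -> str:
    """The hostname alone, lower-cased, trailing dot removed. Userinfo, port
    and path are discarded, so 'bankname.example@evil.example' yields
    'evil.example', the host the browser would actually connect to."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_my_bank(url: str, allowed=MY_BANK_DOMAINS) -> bool:
    """True only for https URLs whose host IS an allowed domain or a
    subdomain of one. Substring matches are deliberately not accepted."""
    if urlsplit(url).scheme.lower() != "https":
        return False
    host = bank_host(url)
    return any(host == d or host.endswith("." + d) for d in allowed)


if __name__ == "__main__":
    for candidate in (
        "https://online.bankname.example/login",            # genuine
        "https://www.1-23_bankname.com/",                   # lookalike from the post
        "https://bankname.example.evil.example/login",      # bank name as a prefix
        "https://bankname.example@evil.example/",           # bank name in userinfo
        "http://online.bankname.example/",                  # right host, no TLS
    ):
        print(is_my_bank(candidate), candidate)
```

The last two cases are the ones people miss by eye: the real domain appears in the address, but not in the position that decides where the connection goes.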
 

antcollinet

Master Contributor
Joined
Sep 4, 2021
Messages
7,408
Likes
12,291
Location
UK/Cheshire
The biggest threat from search engines showing scammers' sites first is with banking, I think. If you use, for instance, the Google search engine to enter your bank, you could just pick the first one from the query, so instead of entering the real bank you are entering something like www.1-23_bankname.com. There's a high chance of losing your money that way (scammers are usually using instant bank transfers), so the chances of getting your money back are close to zip..

So, just a reminder (especially for older folks):
Always use your own link, type the URL, or at least check the URL before entering your bank website. If it doesn't feel right, it probably isn't; better safe than sorry..
If your bank isn't using multi-factor authorisation for web sign-on, then you should be changing your bank.

I have to get a code from an app on my phone, both to log on - and to set up a new transaction destination. So even if I'm fooled into logging onto a fake site, and the scammers are in parallel logging onto the correct site, the scammers still can't send money anywhere without my cooperation in setting up the destination. And even then - to get the code I have to enter digits from the destination account number - so it will fail if the scammers try to divert that to a different account.

The biggest risk from bank scammers is being fooled into authorising a scam transaction (we are fraud department - you need to move your money into a safe account type stuff), where the scammers have managed to convince you they are someone you can trust.
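The "digits from the destination account" step above is the interesting part, so here is an added illustration of it (constructed, not any bank's actual scheme): the one-time code the phone app produces is an HMAC over the destination account digits and the current time step, and the bank recomputes it for the destination it actually received. A code the customer generated for the real payee therefore fails if a man-in-the-middle swaps in another account. The shared secret, the account numbers and the truncation method are all assumptions made for the demo.

```python
import hashlib
import hmac
import struct
import time

CODE_DIGITS = 6
STEP_SECONDS = 30   # constructed: how long one code stays valid


def current_step(now: float = None) -> int:
    return int((time.time() if now is None else now) // STEP_SECONDS)


def payee_code(secret: bytes, destination: str, step: int) -> str:
    """Phone side. The MAC input binds the code to the destination digits the
    customer typed in, so it is a signature over 'this payee', not a generic
    login code. Truncation is a simplified HOTP-style reduction, not the
    RFC 4226 dynamic-offset method."""
    msg = destination.encode("ascii") + struct.pack(">Q", step)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def approve_new_payee(secret: bytes, submitted_destination: str, code: str,
                      step: int, window: int = 1) -> bool:
    """Bank side. Recompute for the destination that arrived in the request
    (which is what a diverting attacker controls) and compare in constant
    time, allowing +/- `window` steps of clock skew."""
    for s in range(step - window, step + window + 1):
        if hmac.compare_digest(payee_code(secret, submitted_destination, s), code):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret-enrolled-on-phone"
    step = current_step()
    real_payee, diverted_payee = "12345678", "87654321"
    code = payee_code(secret, real_payee, step)          # customer reads this off the app
    print("genuine request:", approve_new_payee(secret, real_payee, code, step))      # True
    print("diverted request:", approve_new_payee(secret, diverted_payee, code, step))  # False
```

This is the property sometimes called dynamic linking: the second factor authorises one specific transaction rather than a session. It does nothing, as the post goes on to say, against a customer who is talked into approving the scammer's account themselves, because then the digits they type and the code they generate are both genuine.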
 

testp

Senior Member
Joined
Jul 22, 2020
Messages
390
Likes
229
If your bank isn't using multi factor authorisation for web sign on, then you should be changing your bank.

I have to get a code from an app on my phone, both to log on - and to set up a new transaction destination. So even if I'm fooled into logging onto a fake site, and the scammers are in paralel logging onto the correct site, the scammers still can't send money anywhere without my cooperation in setting up the destination. And even then - to get the code I have to enter digits from the destination account number - so it will fail if the scammers try to divert that to a different account.

The biggest risk from bank scammers is being fooled into authorising a scam transaction (we are fraud department - you need to move your money into a safe account type stuff), where the scammers have managed to convince you they are someone you can trust.
If your bank offers any means of sign-in other than 2FA, the vulnerability remains; people still get confused when a web site says 2FA identification isn't possible now, please use xxxx authentication..
 

Doodski

Grand Contributor
Forum Donor
Joined
Dec 9, 2019
Messages
20,745
Likes
20,756
Location
Canada
@amirm I need to edit the ASR EQ webpage for the purpose of adding another EQ to the MAC section. The edit function has been disabled. Can you enable that for me?
 

Doodski

Grand Contributor
Forum Donor
Joined
Dec 9, 2019
Messages
20,745
Likes
20,756
Location
Canada
Once you’re a forum donor, the edit function will be back.
Oh... I forgot to add some funds...lol. Silly me... I was thinking the hackers were mucking about and ASR disabled the function. :D Thanks for the heads-up.
 

Andysu

Major Contributor
Joined
Dec 7, 2019
Messages
2,883
Likes
1,477
 

Jimster480

Major Contributor
Joined
Jan 26, 2018
Messages
2,880
Likes
2,032
Location
Tampa Bay
Oh no! This is becoming a weekly issue all around the internet.

Any chance you'll be able to use passkeys in the near future rather than passwords?
Passkeys are not secure. Once passkeys become the norm; everyone will be compromised at once.
The best thing to do is to just have people have better passwords; people being socially engineered will never change.
 