Log in every time???

[Kenn]

thats a good possibility ... someone could also collect member names from the home page. Online members are listed on the left even if your not signed in

[cyberwollf]

thats a good possibility ... someone could also collect member names from the home page. Online members are listed on the left even if your not signed in

Are we really a big enough club for someone to go through the hassel of manually collecting usernames?  I'd think someone would write a script to target SMF fourms since they'd all use the same HTTP Headers.  They could just get a list of all SMF sites and let the CPU do its work.

[ohioreef]

We aren't the only ones experiencing this:  http://www.simplemachines.org/community/index.php?topic=416928.0

[Kenn]

Are we really a big enough club for someone to go through the hassel of manually collecting usernames?  I'd think someone would write a script to target SMF fourms since they'd all use the same HTTP Headers.  They could just get a list of all SMF sites and let the CPU do its work.

I dont disagree with you but people who do this have a lot of time on thier hands and when you discount someone would do it just because YOU (not you personally ) think it is a slow and tedious way, you open yourself up to exploitation.

 

[lazylivin]

Thanks for the link Gary, it led me to a fix that is looking promising.   

Paul the list I provided was a sort by IP addresses so I could show a single IP to many account logon attempts. There were 100's of new IP addresses hitting us each hour.

[lazylivin]

We are definitely good to go. Was seeing several attempted logins per minute last night and haven't seen one since the fix. You may have had to re-login once more after the fix but that shouldn't not happen anymore. 

[ohioreef]

Seems to be fixed here!!  Good job, Brian!!

[lazylivin]

Great! Thanks

[Kenn]

Everything is working good on my end as well

Thanks for all the work Brian 

[Secondgen]

Good for me Brian. Thank you.

[micki]

I'm gone most of this weekend, but thought I would try this morning before I left and it's a GOOD TO GO!!!  Thanks so much Brian!!!

[reefkeeper]

Thanks Brian.  It's working great now!

[Telekinesis]

Good thing I have the most ridiculous password ever. Those of you who had auto-login issues might want to change your passwords, as I'm pretty sure this means your account was successfully logged into. I'm assuming providing an incorrect password for a random username from a different connection/PC wouldn't be enough to tamper with your settings. In fact, I'd make sure you weren't using the same one for bank info or anything more personal. Maybe it isn't that serious, but it's better to be safe than sorry. There are a lot of reasons people steal passwords, but posting under your account on a reef club forum is hardly one of them.

Just my two cents. Feel free to correct me if I'm wrong about the log settings.

[ohioreef]

Unless your password was ridiculously easy, ie same as log-in, I'm pretty sure no passwords were compromised. The error log showed all incorrect attempts, correct me if I'm wrong, Brian. The need to log-in each time was a security feature of the software.

[Joel]

All is back to normal for me as well, great job!

[lazylivin]

You are 100% correct Gary, it is very unlikely a password was comprised and the need to relogin was a result of the Security protection feature on Ohio Reef.  Just to add to that the log won't show a successful login, so a account could have been comprised and not know to us. With this said it is a good idea to change your passwords for your online financial banking/transactions if it was the same as what you have on Ohio Reef.

[Telekinesis]

Ahh, gotcha. Thanks for the info, all.  I've never maintained an SMF board, so it's nice to know there's a security feature like that in place. I'm glad to see it appears to be resolved. I'm far too lazy to log in and out all the time.

[lazylivin]

I just checked the configuration and it was set to trigger at three failed attempts. When breaching that it would remove the cached session in the database and require a authentication. I am not sure how that helps from a security stand point other then creating awareness that there is an issue. Maybe that is it?

[cyberwollf]

You'd be surprised at some of the password dictionaries that have been created for cracking.  #1 make sure your password is NOTHING that exists in Websters, etc.  #2 not a ASDF type keyboard pattern.  Those too are pretty well mapped and easily guessed in the first few 100,000 tries lol.  Anytime a password database is hacked, those guys pass around the results to update "common" passwords

[rayviv]

 What is === ASDF type keyboard pattern?

[Wall_Tank]

Look at your keyboard Ray.    You would be surprised how many use passwords

12345
qwerty
asdfg
zxcvb

etc.

[rayviv]

Thanks man.
 Seems the older I get the more I seem to need things spelled out for me.
Appreciate your help.

[cyberwollf]

What is === ASDF type keyboard pattern?

like just going across the middle line of the keyboard "asdfghjkl" (or top line "qwertyuiop")  same goes with vertical patterns.  You figure lots of folks have lots of passwords and a pattern is easier to remember.  BUT those are much easier to crack.  Just think, If its anything that anyone else might EVER consider, its in a password cracker database somewhere (names included).  Combinations of special charactors (@#$%) and numbers with words is best.

[cyberwollf]

Look at your keyboard Ray.    You would be surprised how many use passwords

12345
qwerty
asdfg
zxcvb

etc.

DOH, didnt refresh to see your response lol