This is being posted in regards to a recent vandalism attempt on a user. They were spotted in the User Control Panel, caught via the [url=http://phpbb.mfgg.net/viewonline.php]online user list[/url]. Thankfully there was a moderator online to stop this before any damage could be done, but the situation could have easily been worse. The troublemaker was able to easily get in because he made a valid guess at the user's password, which was a very weak one. If you value your account, you should do the following: 1. Use a strong password consisting of numbers, lowercase and capital letters, and symbols. Here is a password generator that may help. http://www.passwordcard.org/en (thanks Mason!) 2. Keep it as random as possible, and at least 8 characters. Write it down, and do not lose it. NEVER give your password out to anyone. 3. Try not to use the same password for multiple locations online. These simple steps can help you avert an attack on your user accounts. Take note that by the time a troublemaker is spotted, he could have done pretty much anything with your account. Remember that [b]you and only you[/b] are responsible for your account! That is all.

Moving this to News so more people will see it. Please read and heed this message - it's important.

Out of curiosity, who was hacked? I understand if you feel if it would violate their privacy (even though I don't necessarily agree with that choice in this particular case), but I have to wonder regardless.

^Same

The user in question wishes to remain anonymous. I see no good reason to break this wish.

Who was the hacker?

[quote="CopperMario"]Who was the hacker?[/quote] The hacker was hiding behind a Proxy, unfortunately, we actually don't know who exactly it was. the proxy was common among spam bots, and has been banned from accessing these forums to prevent future attacks from said individual. Fact of the matter is however: This happened, and precautions should be taken to prevent such from happening in the future. [quote="Rystar"]Out of curiosity, who was hacked? I understand if you feel if it would violate their privacy (even though I don't necessarily agree with that choice in this particular case), but I have to wonder regardless.[/quote] [quote="Shadow Kami"]^Same[/quote] for this, i quote what miles said.[quote="Miles"]The user in question wishes to remain anonymous. I see no good reason to break this wish.[/quote] Also, revealing their name may attract future attack attempts on their account. Im sorry. That is a security risk we simply do not need.

That's Understandable.

Just saw this and I can not believe what I'm hearing. At least it tells us to take action now to keep our respective accounts secure from any more hacking attempts (heaven forbid that we get any more hacking attempts at all).

[quote="Mason"]Here's a random password generator thingy that might be of interest: http://www.passwordcard.org/en (literally just found out about it a few days ago, thanks Xgoff) [quote="Nite Shadow"]Use a strong password consisting of numbers, lowercase and capital letters, and symbols.[/quote] 2c@nz4Lyf3[/quote] Excelent! Ive added this to the top post. Thanks mason! lol, toucans for life. [quote="Merit Celaire"]Just saw this and I can not believe what I'm hearing. At least it tells us to take action now to keep our respective accounts secure from any more hacking attempts (heaven forbid that we get any more hacking attempts at all).[/quote] Hopfully people heed this post, and take precautions.

[quote="Miles"]The user in question wishes to remain anonymous. I see no good reason to break this wish.[/quote] [quote="Nite Shadow"]Also, revealing their name may attract future attack attempts on their account. Im sorry. That is a security risk we simply do not need.[/quote] Understood. Sorry for the trouble ^^

[quote="Rystar"] Understood. Sorry for the trouble ^^[/quote] No harm done, Are their any more questions?

Just want to clarify that password guessing or informed password guessing (as in the user fell for a phishing attempt or gave their password to someone) shouldn't really be labeled hacking. If someone is able to hack into your account or computer, the password isn't going to stop them from doing so. By misusing the word hack in this situation, you're giving people false comfort that may lead them to believe other standard protections against hacking aren't necessary (such as regular virus/spyware/adware scans or not clicking links in suspicious emails). I think the specific method in which the intruder gained anonymous' password is important information and that you should include it.

[quote="Pedigree"]Just want to clarify that password guessing or informed password guessing (as in the user fell for a phishing attempt or gave their password to someone) shouldn't really be labeled hacking. If someone is able to hack into your account or computer, the password isn't going to stop them from doing so. By misusing the word hack in this situation, you're giving people false comfort that may lead them to believe other standard protections against hacking aren't necessary (such as regular virus/spyware/adware scans or not clicking links in suspicious emails). I think the specific method in which the intruder gained anonymous' password is important information and that you should include it.[/quote] you might have a point, some of the wording in the top post has been fixed. (Thanks Miles)

Has the user been notified of the attack? From a Privite Message that was send by an administrator?

[quote="mario4513"]Has the user been notified of the attack?[/quote] Yes.

I think i found a way to show password strength through UCP, Admins, use this Plugin. https://www.phpbb.com/customise/db/mod/show_password_strength/

I know this is sort of old, but I just wanted to kind of mention that if you want a strong password you should just [url=http://xkcd.com/936/]use a sentence made up of 4 or 5 random words[/url]. Also: [quote="FTON"]I think i found a way to show password strength through UCP, Admins, use this Plugin. https://www.phpbb.com/customise/db/mod/show_password_strength/[/quote] This indicator won't show you password strength. 12345qwert!"£$% will show as a very strong password, which it isn't. If you want a good password strength indicator, look at [url=https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/]Dropbox's zxcvbn[/url]. It recognises logically weak passwords (e.g. ones using keys near to each other, or common words with numbers substituted for letters). Password strength is tricky, but the XKCD comic that I linked is a good method to follow. It's easy for you to remember, but (if you really use random words, like the "correcthorsebatterystaple" example in the comic) it's almost (and effectively) impossible to crack.

I reccomend this site: http://howsecureismypassword.net/ You type in a password, and it will tell you how secure it is and how long it would take to hack.

That site says that qwert12345! is a strong password, so I wouldn't trust it. EDIT: wow, okay. It also says just running through the letters on the keyboard ("qwerty...asdfgh...") is a very secure password and would take "48 quintillion years" to crack on a desktop PC (which is a useless comparison anyway, since it won't be done on a single desktop). [url=http://dl.dropbox.com/u/209/zxcvbn/test/index.html]This is a much better password strength indicator[/url]. It's an implementation of zxcvbn that I linked just before. It shortens that 48 quintillion years estimate down to a realistic 7 hours.