Important Security Guidelines

The_Doc_Man

Dear members:

As a moderator it is part of my job to watch out for spammers and hacked accounts. AWF has its share of both. The spammers frequently want to just plant ads. I'm catching 3 or 4 per day myself and the other moderators have also noted an uptick in approval requests from suspicious sources. This is not a problem for the members. However, hackers have breached account passwords and have been planting ads under an established member's name. Some of you have reported such posts - and thank you for calling them to our attention.

I want to discuss hacked accounts. First and foremost, we cannot see your passwords. (Nor do we want to.) But if your account gets hacked, then at least one other person besides yourself now has your password. That bad actor could use your account to post inappropriate messages that could get Jon and this site in trouble considering recent British legislation called the "Online Safety Act." This link below will let you find out what is in this act on your own time. The main concern is that with a hacked account, a hacker could easily make trouble for Jon and AWF. I'm sure you agree that we should protect against being hacked.


What I want to do is suggest (not mandate) that if you have been using a relatively weak password, you might wish to change it. I cannot tell you what standards exist elsewhere, but in the US military sites, a secure password for an "ordinary" user contains not less than 1 uppercase, 1 lowercase, 1 numeric, and 1 special character out of a total of at least 10 characters. According to some security articles, each character you add to a password multiplies its effectiveness by about 100. (That is rounded off.) Note that if you were a systems or database administrator for the government, the password standard would have been 2 each of upper, lower, digit, and special with a minimum length of 15 characters.

If you have a long enough and complex enough password, you should be OK. However, if you have any doubts about the security of your password, change it.

Thanks,

- Richard
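The two composition tiers named in the post above (at least 1 of each character class in 10+ characters for an ordinary user, 2 of each in 15+ for an administrator) and the "each added character multiplies effectiveness by about 100" rule of thumb can both be made concrete in a few lines. The following checker is an added example, not code from the post, AWF or any military standard; the policy thresholds are copied from the post, the function names, the use of Python's `string.punctuation` as the "special" class, and the sample passwords are this example's own assumptions.

```python
import math
import string

# Composition tiers exactly as stated in the post: (minimum length, minimum
# count of each character class). The dict layout is this example's own.
POLICIES = {
    "ordinary": {"min_len": 10, "each_class": 1},
    "admin": {"min_len": 15, "each_class": 2},
}

# Assumption: "special" means the ASCII punctuation set (32 characters).
CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}


def check_policy(password: str, tier: str = "ordinary") -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    rule = POLICIES[tier]
    problems = []
    if len(password) < rule["min_len"]:
        problems.append(f"length {len(password)} < {rule['min_len']}")
    for name, chars in CLASSES.items():
        count = sum(1 for c in password if c in chars)
        if count < rule["each_class"]:
            problems.append(f"needs {rule['each_class']} {name}, has {count}")
    return problems


def alphabet_size(password: str) -> int:
    """Size of the smallest class union an attacker must search, given which
    classes the password actually uses (the per-character multiplier)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """Brute-force keyspace of alphabet^length, expressed in bits.
    This is an upper bound: it assumes every position is chosen uniformly,
    which dictionary words and patterns do not satisfy."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def added_char_multiplier(password: str) -> int:
    """How much the keyspace grows for each extra character of the same mix.
    With all four classes in use this is 94, i.e. the post's 'about 100'."""
    return alphabet_size(password)


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    for pw in ("password", "Passw0rd!x", "Tr0ub4dor&3-Horse!!"):
        for tier in POLICIES:
            verdict = check_policy(pw, tier) or ["ok"]
            print(f"{pw!r:24} {tier:9} {verdict}")
        print(f"{'':24} alphabet={alphabet_size(pw)} "
              f"keyspace={keyspace_bits(pw):.1f} bits "
              f"x{added_char_multiplier(pw)} per added char")
```

Running it shows why length matters more than any single rule: a 10-character password drawing on all four classes sits at roughly 65.5 bits (94^10), and every extra character of the same mix multiplies the search space by 94, close to the post's rounded figure of 100. A password that uses only lowercase letters gains only a factor of 26 per character, which is the practical argument for the mixed-class requirement.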
 
However, if you have any doubts about the security of your password, change it.
I strongly second this recommendation!
If someone figured out the username/email/password combination you used *anywhere* (incl. AWF), they will try the very same combination on a long list of sites (Paypal, Amazon, Microsoft, Ebay, you name it). If it matches anywhere they will use it to their own gain and your loss. - I know this from the bad experiences of several friends and colleagues.

If your account on AWF has been hacked and you used the same password elsewhere also, act immediately to change this password everywhere you used it.
 
A small addition on my part:

And it is best to use a different password for each site/service.
A password manager is ideal for managing passwords.
 
A small addition on my part:

And it is best to use a different password for each site/service.
A password manager is ideal for managing passwords.

With one minor addendum. If you are going to use a password manager of any kind, be sure that the system running that manager has a really good password on it.
 
they will try the very same combination on a long list of sites (Paypal, Amazon, Microsoft, Ebay, you name it)
Though I understand and accept your and others’ concern, these days no one can log in to these (and almost all other) sites even if they know the correct combination of username and password. These sites, and any other shopping/financial site, need dual authentication, which means they send you an SMS to confirm that it’s actually you.
(I don’t have an eBay account and am not sure about them, but my money is on them having moved to dual authentication too.)

Some sites like Google, send you a Yes/No SMS, and the login process freezes until you tap Yes.
Some send you a password on every login attempt.
My credit card site uses a triple authentication method.

Again, I accept having different and secure combination of login/password for each site is a good practice.
 
At the moment, 1-factor (password) authentication is all AWF has, so we have to make the best of it. @KitaYama, web chat sites tend to not require multi-factor authentication but instead even allow you to stay logged in even if you close the browser. Sometimes that is a BROWSER function, not a SITE function. It is a balancing act on the best of days. Like it or not, we DO have to be careful here. And even though we shoot for technical content, we are a web chat site when you boil it down to what we do.
 
these days no one can login to these (and almost all other) sites even if they know the correct combination of username and password.
Authentication is only one part of the puzzle, or challenge, depending on who you ask. Security strategies are changing every day, and it's best not to trust too much. Nothing happens, people say, until something happens.

For reference, this website lets you check whether your email has been compromised at some point. To their knowledge, of course. A bunch of the data breaches originated from places where XFA was in place, so, it's good to know. Even then, your credentials could be out there anyway, it's just not public yet.
 
At the moment, 1-factor (password) authentication is all AWF has, so ...
I don't know if we have a discrepancy between US and UK or just different individual usage, but by my understanding AWF is 2-factor (userid and password).

Not that this very minor question has any relevance to the thread's emphasis on security, which I totally endorse.
 
I don't know if we have a discrepancy between US and UK or just different individual usage, but by my understanding AWF is 2-factor (userid and password).

Not that this very minor question has any relevance to the thread's emphasis on security, which I totally endorse.
By second factor they mean a second alert such as an email or text message
 
As for three factor authentication just don't lose your mobile phone! Like the 400 a day in London!
Yeah, even 2FA will come back to bite you HARD when you lose your phone, and not all apps/services/websites are very good about automatically recognizing a new device and sending notifications to that device instead. Something to consider when considering 2/3FA.
 
Authentication is only one part of the puzzle, or challenge, depending on who you ask. Security strategies are changing every day, and it's best not to trust too much. Nothing happens, people say, until something happens.

For reference, this website lets you check whether your email has been compromised at some point. To their knowledge, of course. A bunch of the data breaches originated from places where XFA was in place, so, it's good to know. Even then, your credentials could be out there anyway, it's just not public yet.

Google password manager, for all its possible flaws, is very good about telling you immediately when any of your passwords are 'out there'.

Of course most of ours already are, that's the sad thing.

Every time I hear about the most recent data breach, and it says something like "affects 120 million people", over and over, and I'm thinking, there are only about 300 MM in the US! We might as well accept that ALL of our information is out there, not just some of us.

The most important thing, therefore, becomes to monitor your credit and put 'locks' on your CREDIT.
Your information is already gone and for sale on the dark web, protecting it is very close to futile. What you can protect next is the actual door to your house, which is people taking your identity to get credit.

Ironically, everyone has an awareness of password safety but few monitor their credit diligently.
 
I don't know if we have a discrepancy between US and UK or just different individual usage, but by my understanding AWF is 2-factor (userid and password).

Not that this very minor question has any relevance to the thread's emphasis on security, which I totally endorse.
User name or ID is authenticated by a password, thus 1 factor authentication for said username/ID. Means I can't just enter "DickyP" as my user, I need to authenticate it.
 
User name or ID is authenticated by a password, thus 1 factor authentication for said username/ID. Means I can't just enter "DickyP" as my user, I need to authenticate it.
Sorry, but this is not the accepted meaning in security services - and incidentally why they are called factors. ID is the first factor, password the second. That's why the term three-factor was invented in the 1970s. I agree it has suffered drift since - see Wikipedia for instance, which can't make up its mind - but this is how it was taught to me at University and in the Army.

Then the third factor was usually a dongle or an authentication diskette.
 
@DickyP -

For the U.S. Navy, UserID and Password in combination was 1-factor. A smart-card that plugged into the computer was 2nd factor, OR a code sent via text to a known phone would be 2nd factor. Or a code sent to a known e-mail address would be 2nd factor. UserID + Password + the public half of a security certificate would be a 2nd factor. UserID/Password + SmartCard + Transmitted Code would have been 3rd factor. That's the way it was listed for my CompTIA Security+ certificate. The guy who came out to "train the trainers" (for the time when I used to teach this stuff to new Navy admins) made it clear. An isolated userID isn't 1-factor anything.

USA and UK understanding of these definitions may differ, but I'm certain that for Security+, userID by itself is merely identification; entering the password matching that userID made it 1-factor authentication.
 
At the moment, 1-factor (password) authentication is all AWF has
As you can see, I was explicitly replying to sonic8 about shopping (Amazon, eBay, ...) and financial (PayPal, ...) sites. To prevent any confusion I quoted the part I was replying to. I didn't mean AWF or any other online forum.

To prevent further confusion, again I understand, respect and second your suggestion to change to a stronger password.
 
As I said in my first post the importance of terminology to the thread of better security is low! I suggest we cease the dialog and agree to differ, as it is just niceties and if and when we need to use the terms we explain what we mean. I certainly don't wish the dialog to deteriorate as some have.
 