BNA - Australian Cycling Forums

[AUbicycles]

As reported in the Forum Feedback > Login Oddity post, there are a lot of errors occuring where members are getting an error 'maximum login attempts exceeded' and a requirement to login with the captcha.

This problem is a recognised problem on phpbb forums and elsewhere it is being suggested that there are infected computers worldwide that are launching brute force attacks on phpbb forums to attempt to gain access of user accounts.


IMPORTANT: Please make sure your password is not easy to crack
You can change your password in your profile

Here's some tips borrowed from here for your account passwords and what you should choose:
* Avoid single word passwords that use a word found in the dictionary.
These are extremely easy to crack by these automated attempts
* Avoid using common names, phrases or cycling related words.
Because they are easy for people visiting or some unscrupulous friend to guess!
* Do use a number, or even better, a number and a symbol in your password - e.g. bett#69
* Try and alter the cAsE of your PaSswOrd to make it harder to guess - e.g. Dur@c3LL
* Change your password regularly if you share or use multiple computers to sign in

--

Unfortunately there will still be the "maximum login attempts" problem which we can't stop.
Action has been taken to try and minimise the damage of the attacks however as a member - you need to help and if your password is too simple, change your password

I will take action of deactivating member accounts which have not been active for some time and include a post here. Feel free to post reports of the "maximum login attempts" error here: Login Oddity.

If you are using tapatalk and receive the error - use your web browser to login in (entering the captcha) and then from tapatalk you should be able to log in again

[Aushiker]

Hi

I would add one more hint ... use a different password for each site/place of login. Not that hard actually and I do it. If someone got my password here it cannot be used anywhere else.

Andrew

[AUbicycles]

Before the speculation starts, members inactive here for over 2 months have had their accounts deactivated. Sorry I had to do this however it will protect these accounts if the owners are not around to ensure their passwords are strong.
Have a look at the forum stats on the homepage, 10.000+ members 2 days ago, 8.000 yesterday and 2.600 today.

For the purpose of clarity, please help keep this thread on topic, for comments 'just to chat' and that are not on topic - lets use the login oddity thread. This will help other members get the facts and useful tips (like Aushikers comment).

[ozzymac]

Hi,
I was reading a tip the other day for making passwords that are a bit more difficult than the normal ones.

There suggestion was when making a password decide on a combination lets say " SNOWPATROL2010"

Now when you go to use it on a site instead of typing snow etc....

You use the key next to the letter you want to use, thus " SNOWPATROL2010" would become " DMPE[SYTPM@)!)" for numbers you can use shift to get extra characters.

It makes it easy to have harder passwords without really having to remember them.

I hope thats right anyway.

cheers

[WarrenH]

For anyone who cant log-on using Firefox, perhaps this change might work.

I followed Admin's advice to the tee and I still couldn't log-on. I must have tried at least 50x over the past two weeks, to log-on using Firefox. I cleared the cookies, to start again ... but no cigar.

I changed to Google Chrome this morning and logged-on first go. I went back and tried Firefox and failed to log-on again. I'm back here on Chrome.

Warren.

[daniel.s]

Hi,
I was reading a tip the other day for making passwords that are a bit more difficult than the normal ones.

There suggestion was when making a password decide on a combination lets say " SNOWPATROL2010"

I use another variant on this theme for my day to day passwords. Going with the "Snow Patrol 2010" example, the password would end up being "Sno@)!)roL". You just do the following:
1. First 3 letters of the first word, uppercase first letter
2. Type the number while holding shift
3. Last 3 letters of the second word, uppercase last letter.

This works well, except for when you go overseas and they keyboard layouts have different characters on the shift keys. The good thing is that it's easy to remember, and you can always use longer numbers or change the words periodically.

Otherwise, use a password manager such as KeePass. I do this, and have unique, long random passwords for every different site.

[CommuRider]

I changed to Google Chrome this morning and logged-on first go. I went back and tried Firefox and failed to log-on again. I'm back here on Chrome.

Using Firefox 3.6.13 no problems logging in for the last 48 hours or so.

[Spiza]

Hi Christopher,
Just an idea... if the attacks continue, your programmer might be able to change/customise the login screen or process to fool the automated attacks.
Take a look at the Westpac login screen https://businessonline.westpac.com.au/esis/Login/SrvPage

[eeksll]

I'd suggest use a password manager like https://lastpass.com/ you'll never have to remember another password or make one up as you can get it to auto-generate a random password. It will require a master password .... and has browser integration.

I personally use a combination of keepass http://keepass.info/ and lastpass.

Keepass for my bank accounts and stuff like that which i want more secure or is not browser type passwords. And stuff which I dont want auto-login (in case someone steals my computer/gets access)

and i use lastpass for most of my browser stuff which I dont mind auto login for.

[jules21]

a combination of word and nos. is pretty safe, as long as the word is not too common - e.g. "john" or something obvious. it would take a brute force attack a long time to crack that.

[twowheels]

I got the login oddity message. Just wondering if the admin can change the captcha colour format. The first one was too difficult to read & i guessed the second one (WRT is that an 8 or a B sort of thing). I'm not colour blind, but I'm guessing it would be too difficult if one were, ie orange on green letters. The font & brightness/contrast of letters to background made it real hard. i'm guessing many returning members may not be able to read the captcha.

[rustguard]

2 months is not long. I'd say its a fair bet that people who have just had a hard time, holiday, or other responsibilities (or a cycle tour) might of just lost their account. you should keep the records so you can re-activate an account if the owner messages the admin.

[casual_cyclist]

Hi

I would add one more hint ... use a different password for each site/place of login. Not that hard actually and I do it. If someone got my password here it cannot be used anywhere else.

Andrew

I do that too.

[AUbicycles]

As a reminder, no accounts have been lost or deleted.

The deactivation is an account put on hold and can either be reactivated by the user (via send a reactivation email) or in the case of problems, email me and I will reactivate manually. I would have preferred not to have had to deactivate such a large volume of accounts however have created notes when these members try to log-in so that they easily understand the process and know that it is not their error and reactivation is (usually) easy. The deactivation is now protecting these members from having their accounts compromised.

--

I am working on the sessions - essentially, for users who never log out, there are no problems - however in the last while most users need to log in every day... my current task is to make it as comfortable as possible, at least for most.

[trailgumby]

Looks like my account got hit a second time. Had to enter a Captcha password. Fortunately my password is reasonably strong and unlikely to be cracked by a brute force attack.

[Joeblake]

Got hit this morning. The first captcha was almost impossible to read (Colours).

One suggestion for keeping a password list at hand but still reasonably secure is to keep a text file of all your passwords, but saved under a name which is unlikely to be associated with passwords. Using the word processor on your computer, create a macro which will find the file then open it. Keep the name of macro on a piece of paper somewhere as an aid memoir if necessary.

Depending on which wordprocessor you use, it should be possible to put a secure password on the text document itself and either have THAT password on a post-it note or even built into the macro.

Joe

[CommuRider]

Looks like my account got hit a second time. Had to enter a Captcha password. Fortunately my password is reasonably strong and unlikely to be cracked by a brute force attack.

I'm just trying to get my head around this...so if I see the Captcha password it's because some people have been trying to access my account on here? Don't they have better things to do?

[AUbicycles]

Joeblake, pratically that is a good suggestion (who doesn't do it) though most security experts would not recommend it.

CommuRider - it is an automated attack sent via infected computers world-wide with the likely aim of breaking into user accounts and then spamming forums.


I have made a change to the Captcha which will make it easier to enter as the hidden letters is really tough. If you have better suggestions for the security questions (so that a human can answer but a bot can't easily do the same) email me.

[CommuRider]

If you have better suggestions for the security questions (so that a human can answer but a bot can easily do the same) email me.

Can or can't?

Being a bike forum, surely the security questions should be bike oriented? Name a bike maker starting with G, 5 letters etc?

[Joeblake]

Which is better? Carbon or Steel?

Joe

[Chanboy]

CAPTCHA is probably the best way to effectively differentiate a human login to a computer/bot login.

Security questions are a bit problematic, in that you need to have quite a lot of them - and a dedicated bot programmer would simply go through all the questions and program answers to them.

[CommuRider]

Which is better? Carbon or Steel?

Joe

Now Joe, it's supposed to be an easy, objective response that anyone can answer. If I write "neither" I probably won't be allowed in

[Joeblake]

The idea is that this question will immediately provoke a debate, proving that the attempted logger is human.

Joe

[Baalzamon]

Looks like my account got hit a second time. Had to enter a Captcha password. Fortunately my password is reasonably strong and unlikely to be cracked by a brute force attack.

That has happened to me twice. Yesterday morning and after work when I got home had to use it. I've also been logged out a few times. But my password is quite strong and brute force attack would need to be trying over 1 year to crack it lol.

[verbs and nouns]

My account has been deactivated. I can't get a reactivation email and I need to see a PM regarding a frame. I had to start this "new" account just to post this.

This sucks.

Any help?

Old username was "Verbs & Nouns".