September 16, 2002

  • PASSWORDS


    I’m noticing that a good percentage of abuse complaints I get are entitled “hacking”.


    When it first started happening I thought: woah, maybe Xanga’s password security has somehow been breached?!  After all, many of the hacked accounts are totally compromised: their look and feels are changed, fake blogs posted, and even old posts deleted.


    But by now I’ve looked into dozens of cases, and it’s pretty clear what’s going on: people are guessing other people’s passwords!


    There are some things I can do:



    • limit password guessing to three tries every XXXX minutes
    • force passwords to have a number or two
    • force passwords to be at least YYY characters long
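The three measures above, sketched as working code: a per-account attempt throttle plus a password policy check. This is an added example, not Xanga's code; the window and minimum length are assumed values since the post leaves them as "XXXX" and "YYY", and `verify` stands in for the real credential check.

```python
import re, time
from collections import defaultdict, deque

# Assumed placeholders: the post leaves "XXXX minutes" and "YYY characters" unspecified.
MAX_ATTEMPTS = 3
WINDOW_SECONDS = 15 * 60
MIN_LENGTH = 8

class LoginThrottle:
    """Per-account sliding window: after MAX_ATTEMPTS failures inside WINDOW_SECONDS,
    further attempts are refused until the oldest failure ages out (keyed on the account,
    not the client IP, so reconnecting for a fresh address does not reset it)."""
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(deque)  # username -> failure timestamps

    def _recent(self, username):
        q, cutoff = self.failures[username], self.now() - WINDOW_SECONDS
        while q and q[0] <= cutoff:         # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, username):
        return len(self._recent(username)) < MAX_ATTEMPTS

    def record_failure(self, username):
        self._recent(username).append(self.now())

    def record_success(self, username):
        self.failures.pop(username, None)

def check_password_policy(username, password):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("contains no digit")
    if password.lower() in {"password", username.lower()}:
        problems.append("is 'password' or the username itself")
    return problems

def attempt_login(throttle, username, password, verify):
    """verify(username, password) -> bool stands in for the real credential check."""
    if not throttle.allowed(username):
        return "locked"  # refuse before even looking at the password
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad"
```

Note that once the lockout is in effect even the correct password is refused until the window expires, which is what stops a guesser from simply continuing.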

    But help me out guys: y’all’s passwords are soooo easy to guess.


    I would guess that hundreds of you have set your password to “password”.  Several hundred more of you have your password set to your username, your first name, or your last name.  Or maybe your password is your kid’s name or your favorite number (which you may blog about on occasion).


    C’mon people!!  I could guess half the passwords in my Sites I Read in my sleep!


    Well, password hacking wouldn’t be a problem if it weren’t for bored/evil people, so I’m going to take strong action against them first.  As part of that effort, I’m going to identify serial offenders and shut down all of their accounts, even the accounts they’re not hacking from.  Here’s how I can do that: if you hack someone else’s account, I can see your IP address in our server logs.  Monsur programmed a nice shutdown feature for me, so I can easily find and shut down your other accounts…


    In the meantime, please protect yourself and make sure your password is something super tricky.  Ask yourself: would my spouse/parents/siblings be surprised by my password? 


    If not, please consider changing it!

Comments (17)

  • we had the same problem on http://www.uberladder.com. what we did was limit 3 wrong guesses per day, and if someone tried to “guess” or activate the “i forgot password” for an admin, we’d immediately block their specific IP. it was great.

    as for password tips, yours are great. my university email forced us to have alpha and numeric characters in our pws. it’s a good safety measure to put in place. cheers, and i hope people do change their passwords!

  • Sounds like a plan to me, but you also have people who log into accounts to change people’s skins, or fix their html. How will that affect them?

  • lyssa – you mean, like when people give their passwords out to friends to tweak their sites for them?

  • I did that with a friend to make sure her skin was working and debug it once it was up…

    I also changed my password because I realized i was one of the people out there who are lucky they haven’t been hacked yet.

  • I’m with Jeanie – my uni made me have an alpha-numeric password with a certain number of characters that wasn’t my name or my student number and I’ll be buggered if anyone could guess it. It’s a good system but it’s not foolproof. I guess it’s about being vigilant and keeping yourself safe.

    Nyz xo

  • A couple times a week, total strangers email me their Xanga passwords so I can fix their broken sites or whatever. Don’t do that, people!

  • Your advice is great. I think the more ridiculous they can make a password the harder it will be to hack.

  • John - thank you for looking into this.  I had an account hacked – but I’ve since figured out how it was done, and it had nothing to do with Xanga security.  I had given my sister my password so she could do the site look for me and a psycho “friend” of hers hacked her email.  She read the email that contained that Xanga password and voilà – instant mischief.  It was still an ugly thing, but there’s nothing Xanga could have done to prevent it.  Thank you for your hard work making Xanga the cool place it is.

  • I haven’t ever gotten a site hacked. Perhaps I’m not that interesting to hack? *shrug* Either way, good luck. Nice work! Keep it up.

  • I have no problem with your first suggestion but I hate it when people make me put letters and numbers in a password.  That just makes it harder for me to remember, and then I get stuck trying more than 3 combinations myself.

    ANYONE can choose to use letters and numbers.  Let them choose based on their level of paranoia/perceived risk/reward comfort level. 

    I’ve never been hacked (and that isn’t a challenge people). 

    Oh, and I assume that you only shut down sites in response to a hacking complaint.  If someone lets you in their site and there’s no complaint – how would you know the owner isn’t just doing it from another computer anyway, right?

  • I’ve done some HTML work for people and what I have them do is change their password to something simple and unrelated to their real password. Then I email them as soon as I’m done and have them change back to their original code. This allows me access only when they’re willing to grant it.

  • I have done the same as zangazine.. If a friend wants me to go in and help fix their page, I tell them to change their PW and when I am done I let them know to change it back.. I think that people just really need to think about making a PW that is not so easy to guess… that, really, should be a no-brainer… cool of you to look into it though

  • You know this reminds me of the time my ex-bf’s computer got virused while he was overseas.  Mine was on the same LAN and nothing happened.

    Why?  I had antivirus and he didn’t.

    What makes this funny is that he was (is, as far as I know) an IT security specialist and his job was to protect government computers from viruses and hackers.

    snicker

    But yeah, you have an excellent point.  The majority of password hacking is done by simple guessing. 

    Cheers

  • I have password that is so sophisticated, even I can’t get into my site half the time, she laughed dweebishly.

  • Did you know that “password” is the most common password used? As a whole, the name of a loved one is the most common used password. There is only one site I have on here that I think the password would be easy enough to guess. All of the others are relatively random… Only one of them mixes letters and numbers. I know it is safer, but I haven’t had any problems yet.

    As for the IP address issue, I think that is still only half-a-solution. I am on dial-up so if I disconnect and reconnect, I will have a new IP.

    I think the best answer might be two-fold. Keep educating people to use tough to guess passwords (maybe work it into the initial set-up of a Xanga site?) and shut down the hackers.

  • How To Choose A Good Password

    All of the advice from the above link is good.

  • 1. make people change their passwords once or more a month.

    2. make people have passwords more than 6 letters

    3. don’t use their personal names, pet’s name, etc. or have a common word like music, movies, etc or sex, love, god, etc hacker famous words

    cheers

    ~michelle
