Page 1 of 2

Maximum Logins Exceeded

Posted: 16 Feb 2011, 04:52
by Keith Robinson
I understand that a number of users are getting this message lately. Basically, you go to log in and find a message saying that "you've exceeded the maximum number of login attempts," and then you're prompted to go through the visual verification screen.

Why is this happening?

As I saw written somewhere else, "The reason this is happening is that an automated script is being run on infected computers scanning for phpBB forums, and then attempting to log in to them by using brute force dictionary attacks. In other words, the scripts are scanning memberlists for usernames and trying to guess people's passwords by running through huge lists of common words to see which work."

(Don't be too worried about the mention of infected computers. It's more likely that the memberlist has been snatched by a spammer, entered into their auto-spamming program, and run from somewhere on the internet.)

What happens if they get in?

Once the correct username/password is figured out, the spammer might come back another time and start posting spam messages in your name. By spam messages, I mean anything from links to Viagra websites, porn, or just nonsense that seems to serve no purpose.

Should a member be concerned about his or her password?

Make sure your password is strong -- i.e., not easily guessable, and not a word you'd find in a dictionary. Imagine if I knew your username. To find your password, I could run a program that enters every word in the dictionary, starting from A, and if there were no limits to the number of times I could try, I would reach Z in fairly short order. If your password is a dictionary word, I'd be in. Make sure to mix it up a little. Even adding a number to the end of the word makes it much more difficult to guess.

What can the administrators do about it?

Not a lot, I'm afraid. The number of login attempts is set to 3. This is plenty for the average user; you have three attempts to get your password right, and after that you have to go through visual verification as well. (Maybe there's a "locked" period? I can't remember.) The thing is, I could easily set the maximum number of login attempts to 10 or 20 or 5000, but the spammer's program will still whip through that number in record time and the result would be the same, only with a much bigger load on the server. So it will remain at 3.

Is there anything that can be done to avoid the problem?

Yes -- stay logged in. You have the option (on login) to be "remembered." There's absolutely no need to log out; your profile is perfectly safe in its "logged in" state even if you don't visit the forums for a month. The ONLY thing you have to worry about is an unauthorized person using your computer. Obviously that person could post on your behalf if you're still logged in. But other than that, there's no danger -- so stay logged in. If you find that you have to log in each time you visit even though you always check the "stay logged in" or "remember me" checkbox, then maybe your browser is deleting cookies when you close it. In which case, change your browser's settings so it doesn't delete cookies.

Yesterday I tried enabling a feature that checks user IP addresses against a blacklist, thinking that maybe spammers' IP addresses would be blocked. But straight away it blocked a genuine Blytonite, just because her IP address had (innocently) been added to a blacklist somewhere. Maybe someone in her IP range is actually a spammer; unfortunately all the others in that range are blacklisted too. So I disabled this feature again.

Well, that's all for now. Spammers, eh? They should be thrown into the coal cellar! :evil:
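The two mechanisms in the post above, the per-account "maximum login attempts" counter that hands the user to visual verification, and the memberlist-scanning pattern an admin would want to spot in the logs, as an added example that is not phpBB's own code. The log lines and account names are constructed; the detector's threshold of three distinct usernames per source is an assumption.

```python
# Added example, not phpBB's own code: a per-account login throttle like the
# one described above, plus a per-source detector over constructed log lines.
import re
from collections import defaultdict

MAX_LOGIN_ATTEMPTS = 3  # the forum setting discussed above


class LoginGuard:
    """Counts consecutive failures per account and demands visual
    verification (CAPTCHA) once the limit is reached."""

    def __init__(self, max_attempts=MAX_LOGIN_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def attempt(self, username, password, real_password):
        """Return 'ok', 'denied' or 'captcha' for one login attempt."""
        if self.failures[username] >= self.max_attempts:
            return "captcha"  # even a correct guess must pass it now
        if password == real_password:
            self.failures[username] = 0  # a success resets the counter
            return "ok"
        self.failures[username] += 1
        return "denied"


# Constructed log: one source sends one guess to many memberlist accounts,
# so no per-account counter trips, while a forgetful member trips nothing.
LOG = """\
2011-02-15 22:01:03 FAIL user=alice src=203.0.113.7
2011-02-15 22:01:04 FAIL user=bob src=203.0.113.7
2011-02-15 22:01:04 FAIL user=carol src=203.0.113.7
2011-02-15 22:01:05 FAIL user=dave src=203.0.113.7
2011-02-15 22:03:10 FAIL user=julie src=198.51.100.9
2011-02-15 22:03:20 FAIL user=julie src=198.51.100.9
2011-02-15 22:03:41 OK   user=julie src=198.51.100.9
"""
LINE = re.compile(r"^\S+ \S+ (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def suspicious_sources(log, min_accounts=3):
    """Sources whose failures span at least min_accounts distinct
    usernames: the shape of a scripted memberlist run, not a typo."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == "FAIL":
            seen[m.group(3)].add(m.group(2))
    return {src for src, users in seen.items() if len(users) >= min_accounts}
```

The per-account counter is what sends a member to the verification screen after three wrong tries; the per-source view is what actually distinguishes a script walking the memberlist from a member who mistyped.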

Re: Maximum Logins Exceeded

Posted: 16 Feb 2011, 07:42
by Aurélien
:) Thanks, Keith. You do lead an interesting life. :shock:

Cheers,

'Aurélien Arkadiusz' :)

Re: Maximum Logins Exceeded

Posted: 16 Feb 2011, 09:49
by Eddie Muir
Thanks for this invaluable information, Keith. :)

Re: Maximum Logins Exceeded

Posted: 16 Feb 2011, 11:34
by Lucky Star
I am permanently logged in. To the extent that I once forgot my own password when I tried to log in on another set whilst on holiday. :lol: It is indeed much handier. Thanks for all the info and for looking after us so well, Keith. :D

Re: Maximum Logins Exceeded

Posted: 16 Feb 2011, 14:04
by Keith Robinson
Aurélien wrote: :) Thanks, Keith. You do lead an interesting life. :shock:
Hehe. The thing is, in my spare time I paraglide, bungee jump, and work on an alligator farm. I just don't want to bore people with those anecdotes...

Re: Maximum Logins Exceeded

Posted: 16 Feb 2011, 14:15
by Julie2owlsdene
Thanks for the info, Keith. I also tried to stay logged on, but when I came out of the site I had to log back in again, so at least now I know what that little problem is and can alter my settings so it doesn't delete the cookies.

8)

Re: Maximum Logins Exceeded

Posted: 16 Feb 2011, 14:42
by Fiona1986
Thanks for the info, Keith! I was wondering what was up. I do stay logged on my laptop at home, and I do the same on my iPhone, though I still need to log in every few days on my phone (and have gotten that message on my phone a few times in the last week or so). Shall need to check a dictionary to see if my password would be in there now!!

Re: Maximum Logins Exceeded

Posted: 20 May 2012, 09:14
by Timmylover2
Keith Robinson wrote: ... The ONLY thing you have to worry about is an unauthorized person using your computer. Obviously that person could post on your behalf if you're still logged in.
... ... ...
Spammers, eh? They should be thrown into the coal cellar! :evil:
Well, I visit the forums ONLY on my first-generation iPad (ouch, it's HEAVY!) which goes with me everywhere I go, rather like Timothy with George.

Re: Maximum Logins Exceeded

Posted: 20 May 2012, 12:40
by lwindrush
I used to work on an IT helpdesk ("have you tried turning it off and on again?"), and the number of people who used PASSWORD as their password was unbelievable.

Re: Maximum Logins Exceeded

Posted: 20 May 2012, 13:27
by MJE
Some years ago I came across a web page which contained a list of a few hundred words, which claimed that something like 80 percent of passwords consisted of one of the words on the list. I'm pretty sure "password" was one of them.

Also, very oddly I thought, the composers Beethoven and Rachmaninov were both on the list also - which made me wonder why those composers' names were relatively popular as passwords.

I once used a composer's name as a password - a far more obscure composer than most people are likely to have heard of, but it wasn't just the surname alone - and I have abandoned it now. I don't think even anyone who knows me very well would guess the one I often use now. (It isn't a composer's name, and also uses non-letter characters - so if anyone wants to crack my account, don't bother trying a music dictionary attack on my password.)

Regards, Michael.

Re: Maximum Logins Exceeded

Posted: 20 May 2012, 14:13
by Moonraker
I never understand why people use a word as a password. It only (usually) has to be a combination of characters. For example, you could use IWILIB as a password - it is an acronym for I Wish I Lived In Bangladesh. I use this as an example; it isn't one of my passwords! You can also use other characters, for example: @unCLeqUenTIn@. It'd be difficult to crack that one!

Trouble keeping track of passwords.

Posted: 20 May 2012, 14:29
by MJE
Moonraker wrote: I never understand why people use a word as a password.

I assume it's because most people find a word easier to remember.

Moonraker wrote: It only (usually) has to be a combination of characters. For example, you could use IWILIB as a password - it is an acronym for I Wish I Lived In Bangladesh.

Yes, but you might then remember it wrongly as "I wish I could visit Bangladesh" (IWICVB) (or was it "I would like to visit Bangladesh" (IWLTVB)?), or "I wish I lived in Pakistan" (IWILIP) - and so on. And thus it might be difficult to remember accurately.

I have used the same password for different things only too often, as probably most people do, even though experts advise that not only should you use a totally different password for everything, but you should also change each one every few weeks or months. Believe me, it is difficult to keep track of them all even if you don't change them very often. Aware of this, I tried adopting a system of varying them, and it is very difficult to remember especially the ones you use less often - I can quite understand why some people get lazy about this.

Moonraker wrote: I use this as an example, it isn't one of my passwords! You can also use other characters, for example: @unCLeqUenTIn@ . It'd be difficult to crack that one!

That example follows advice often given to mix cases of letters and to introduce non-letter and non-number characters. But that makes passwords far harder and slower to type, especially for non-touch-typists. I am a touch typist, but I would find a password like that a thorough nuisance if I had to use it several times a day.

I don't know what the ideal answer is, though. A properly secure system would be quite unworkable in practice for many people.

Regards, Michael.
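The registration-time check that the last few posts argue for (reject the common words on MJE's list, and the word with digits tacked on, while letting Moonraker's mixed-character example through), as an added example that is not phpBB's own code. COMMON_WORDS is a tiny constructed stand-in for the "few hundred words" list, and the minimum length of 8 is an assumption.

```python
# Added example, not phpBB's own code: a blocklist check a forum could run
# when a password is set. COMMON_WORDS is a constructed stand-in for the
# "few hundred words" list mentioned in the thread, not a real wordlist.
import re

COMMON_WORDS = {"password", "letmein", "welcome", "beethoven", "rachmaninov"}
MIN_LENGTH = 8  # assumed policy floor


def weakness(password):
    """Return why the password would fall to a dictionary run, or None."""
    p = password.lower()  # mixing case alone does not escape a wordlist
    if p in COMMON_WORDS:
        return "common word"
    # The word with a few digits appended is the first variant a wordlist
    # run tries after the word itself, so it is rejected the same way.
    m = re.fullmatch(r"([a-z]+)(\d{1,4})", p)
    if m and m.group(1) in COMMON_WORDS:
        return "common word plus digits"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None
```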

Re: Maximum Logins Exceeded

Posted: 20 May 2012, 15:34
by Moonraker
Soon a finger print will suffice, making passwords obsolete.

Re: Maximum Logins Exceeded

Posted: 20 May 2012, 16:04
by MJE
Then we'll have crooks bailing people up and using a butcher's knife or machete to hack their hands or fingers off to use to get through fingerprint-controlled doors or computer accounts. There could be a down-side to the use of fingerprints as a password substitute.

Regards, Michael.

Re: Maximum Logins Exceeded

Posted: 20 May 2012, 16:05
by Daisy
What a cheerful thought! :roll: