Maximum Logins Exceeded
- Keith Robinson
- Site Administrator
- Posts: 723
- Joined: 05 Apr 2005, 22:06
- Location: Georgia, USA
- Contact:
Maximum Logins Exceeded
I understand that a number of users are getting this message lately. Basically, you go to log in and find a message saying that "you've exceeded the maximum number of login attempts," and then you're prompted to go through the visual verification screen.
Why is this happening?
As I saw written somewhere else, "The reason this is happening is that an automated script is being run on infected computers scanning for phpBB forums, and then attempting to log in to them by using brute force dictionary attacks. In other words, the scripts are scanning memberlists for usernames and trying to guess people's passwords by running through huge lists of common words to see which work."
(Don't be too worried about the mention of infected computers. It's more likely that the memberlist has been snatched by a spammer, entered into their auto-spamming program, and run from somewhere on the internet.)
What happens if they get in?
Once the correct username/password is figured out, the spammer might come back another time and start posting spam messages in your name. By spam messages, I mean anything from links to Viagra websites, porn, or just nonsense that seems to serve no purpose.
Should a member be concerned about his or her password?
Make sure your password is strong -- i.e., not easily guessable, and not a word you'd find in a dictionary. Imagine if I knew your username. To find your password, I could run a program that enters every word in the dictionary, starting from A, and if there were no limits to the number of times I could try, I would reach Z in fairly short order. If your password is a dictionary word, I'd be in. Make sure to mix it up a little. Even adding a number to the end of the word makes it much more difficult to guess.
What can the administrators do about it?
Not a lot, I'm afraid. The number of login attempts is set to 3. This is plenty for the average user; you have three attempts to get your password right, and after that you have to go through visual verification as well. (Maybe there's a "locked" period? I can't remember.) The thing is, I could easily set the maximum number of login attempts to 10 or 20 or 5000, but the spammer's program will still whip through that number in record time and the result would be the same, only with a much bigger load on the server. So it will remain at 3.
Is there anything that can be done to avoid the problem?
Yes -- stay logged in. You have the option (on login) to be "remembered." There's absolutely no need to log out; your profile is perfectly safe in its "logged in" state even if you don't visit the forums for a month. The ONLY thing you have to worry about is an unauthorized person using your computer. Obviously that person could post on your behalf if you're still logged in. But other than that, there's no danger -- so stay logged in. If you find that you have to log in each time you visit even though you always check the "stay logged in" or "remember me" checkbox, then maybe your browser is deleting cookies when you close it. In which case, change your browser's settings so it doesn't delete cookies.
Yesterday I tried enabling a feature that checks user IP addresses against a blacklist, thinking that maybe spammers' IP addresses would be blocked. But straight away it blocked a genuine Blytonite, just because her IP address had (innocently) been added to a blacklist somewhere. Maybe someone in her IP range is actually a spammer; unfortunately all the others in that range are blacklisted too. So I disabled this feature again.
Well, that's all for now. Spammers, eh? They should be thrown into the coal cellar!
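A small model of the behaviour described in the post above, added here as an example (it is not phpBB's code or anything the administrator posted): failed attempts are counted per account, so a script's wrong guesses are what send the real member to the visual verification screen. The class and function names, the sample account and the word list are all constructed for illustration.

```python
# Added illustration, not phpBB code. All names and sample data are constructed.
from collections import defaultdict

MAX_ATTEMPTS = 3  # the limit the post says this forum uses
SAMPLE_WORDS = ["password", "dragon", "monkey", "letmein", "sunflower", "qwerty"]


class LoginGate:
    def __init__(self, passwords, max_attempts=MAX_ATTEMPTS):
        # username -> password; plaintext only to keep the sample short,
        # a real board stores and compares password hashes.
        self.passwords = passwords
        self.max_attempts = max_attempts
        # Failures are counted per account, whoever made them.
        self.failures = defaultdict(int)

    def captcha_required(self, user):
        return self.failures[user] >= self.max_attempts

    def login(self, user, password, captcha_solved=False):
        """Return 'ok', 'bad-password' or 'captcha-required'."""
        if self.captcha_required(user) and not captcha_solved:
            return "captcha-required"  # the password is not checked at all
        if self.passwords.get(user) == password:
            self.failures[user] = 0  # a successful login clears the counter
            return "ok"
        self.failures[user] += 1
        return "bad-password"


def simulate(wordlist, max_attempts=MAX_ATTEMPTS):
    """An automated client that cannot pass the CAPTCHA tries each word on
    one account; afterwards the real member logs in with the right password."""
    gate = LoginGate({"member": "sunflower"}, max_attempts)
    results = [gate.login("member", word) for word in wordlist]
    checked = sum(r != "captcha-required" for r in results)
    guessed = "ok" in results
    owner_plain = gate.login("member", "sunflower")
    owner_captcha = gate.login("member", "sunflower", captcha_solved=True)
    return checked, guessed, owner_plain, owner_captcha


if __name__ == "__main__":
    print(simulate(SAMPLE_WORDS))        # limit of 3
    print(simulate(SAMPLE_WORDS, 5000))  # a much higher limit
```

With the limit at 3, only three of the six words are ever compared against the password and the member has to pass verification to get back in; with a limit of 5000 every word in the list is checked.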
- Aurélien
- Posts: 3205
- Joined: 21 Oct 2008, 22:10
- Favourite book/series: Book: The Boy Next Door / Series: Famous Five
- Favourite character: Noddy
- Location: Auckland, New Zealand
Re: Maximum Logins Exceeded
Thanks, Keith. You do lead an interesting life.
Cheers,
'Aurélien Arkadiusz'
- Eddie Muir
- Posts: 14566
- Joined: 13 Oct 2007, 22:28
- Favourite book/series: Five Find-Outers and Dog
- Favourite character: Fatty
- Location: Brighton
Re: Maximum Logins Exceeded
Thanks for this invaluable information, Keith.
'Go down to the side-shows by the river this afternoon. I'll meet you somewhere in disguise. Bet you won't know me!' wrote Fatty.
Society Member
- Lucky Star
- Posts: 11495
- Joined: 28 May 2006, 12:59
- Favourite book/series: The Valley of Adventure
- Favourite character: Mr Goon
- Location: Surrey, UK
Re: Maximum Logins Exceeded
I am permanently logged in. To the extent that I once forgot my own password when I tried to log in on another set whilst on holiday. It is indeed much handier. Thanks for all the info and for looking after us so well Keith.
"What a lot of trouble one avoids if one refuses to have anything to do with the common herd. To have no job, to devote one's life to literature, is the most wonderful thing in the world." - Cicero
Society Member
- Keith Robinson
- Site Administrator
- Posts: 723
- Joined: 05 Apr 2005, 22:06
- Location: Georgia, USA
- Contact:
Re: Maximum Logins Exceeded
Aurélien wrote: Thanks, Keith. You do lead an interesting life.
Hehe. The thing is, in my spare time I paraglide, bungee jump, and work on an alligator farm. I just don't want to bore people with those anecdotes...
- Julie2owlsdene
- Posts: 15244
- Joined: 24 Jul 2007, 20:15
- Favourite book/series: F.F. and Mystery Series - Five get into Trouble
- Favourite character: Dick
- Location: Cornwall
Re: Maximum Logins Exceeded
Thanks for the info Keith. I also tried to stay logged on but when I came out of the site I had to log back in again, so at least now I know what that little problem is and can alter my settings so it doesn't delete the cookies.
Julian gave an exclamation and nudged George.
"See that? It's the black Bentley again. KMF 102!"
Society Member
- Fiona1986
- Posts: 10540
- Joined: 01 Dec 2007, 15:35
- Favourite book/series: Five Go to Smuggler's Top
- Favourite character: Julian Kirrin
- Location: Dundee, Scotland
- Contact:
Re: Maximum Logins Exceeded
Thanks for the info Keith! I was wondering what was up. I do stay logged on my laptop at home, and I do the same on my iPhone though still need to log in every few days on my phone (and have gotten that message on my phone a few times in the last week or so). Shall need to check a dictionary to see if my password would be in there now!!
"It's the ash! It's falling!" yelled Julian, almost startling Dick out of his wits...
"Listen to its terrible groans and creaks!" yelled Julian, almost beside himself with impatience.
World of Blyton Blog
Society Member
- Timmylover2
- Posts: 70
- Joined: 23 Feb 2012, 08:13
- Favourite book/series: Five on Billycock hill, The secret Island, Fami
- Favourite character: Julian, Peggy, Jack, Bets
Re: Maximum Logins Exceeded
Keith Robinson wrote: ... The ONLY thing you have to worry about is an unauthorized person using your computer. Obviously that person could post on your behalf if you're still logged in.
... ... ...
Spammers, eh? They should be thrown into the coal cellar!
Well, I visit the forums ONLY on my first-generation iPad (ouch, it's HEAVY!) which goes with me everywhere I go, rather like Timothy with George.
has posted this.
-
- Posts: 191
- Joined: 14 May 2012, 23:45
- Favourite book/series: Famous five of course!
- Favourite character: Dick, he is so me
- Location: Teesside
Re: Maximum Logins Exceeded
I used to work on an IT helpdesk "have you tried turning it off and on again?"
and the number of people who used PASSWORD as their password was unbelievable.
- MJE
- Posts: 2534
- Joined: 15 Nov 2006, 12:24
- Favourite book/series: Famous Five series
- Favourite character: George; Julian; Barney
- Location: Victoria, Australia
- Contact:
Re: Maximum Logins Exceeded
Some years ago I came across a web page which contained a list of a few hundred words, which claimed that something like 80 percent of passwords consisted of one of the words on the list. I'm pretty sure "password" was one of them.
Also, very oddly I thought, the composers Beethoven and Rachmaninov were both on the list also - which made me wonder why those composers' names were relatively popular as passwords.
I once used a composer's name as a password - a far more obscure composer than most people are likely to have heard of, but it wasn't just the surname alone - and I have abandoned it now. I don't think even anyone who knows me very well would guess the one I often use now. (It isn't a composer's name, and also uses non-letter characters - so if anyone wants to crack my account, don't bother trying a music dictionary attack on my password.)
Regards, Michael.
Society Member
Re: Maximum Logins Exceeded
I never understand why people use a word as a password. It only (usually) has to be a combination of characters. For example, you could use IWILIB as a password - it is an acronym for I Wish I Lived In Bangladesh. I use this as an example, it isn't one of my passwords! You can also use other characters, for example: @unCLeqUenTIn@ . It'd be difficult to crack that one!
Society Member
- MJE
- Posts: 2534
- Joined: 15 Nov 2006, 12:24
- Favourite book/series: Famous Five series
- Favourite character: George; Julian; Barney
- Location: Victoria, Australia
- Contact:
Trouble keeping track of passwords.
Moonraker wrote: I never understand why people use a word as a password.
I assume it's because most people find a word easier to remember.
Moonraker wrote: It only (usually) has to be a combination of characters. For example, you could use IWILIB as a password - it is an acronym for I Wish I Lived In Bangladesh.
Yes, but you might then remember it wrongly as "I wish I could visit Bangladesh" (IWICVB) (or was it "I would like to visit Bangladesh" (IWLTVB)?), or "I wish I lived in Pakistan" (IWILIP) - and so on. And thus it might be difficult to remember accurately.
I have used the same password for different things only too often, as probably most people do, even though experts advise that not only should you use a totally different password for everything, but you should also change each one every few weeks or months. Believe me, it is difficult to keep track of them all even if you don't change them very often. Aware of this, I tried adopting a system of varying them, and it is very difficult to remember especially the ones you use less often - I can quite understand why some people get lazy about this.
Moonraker wrote: I use this as an example, it isn't one of my passwords! You can also use other characters, for example: @unCLeqUenTIn@ . It'd be difficult to crack that one!
That example follows advice often given to mix cases of letters and to introduce non-letter and non-number characters. But that makes passwords far harder and slower to type, especially for non-touch-typists. I am a touch typist, but I would find a password like that a thorough nuisance if I had to use it several times a day.
I don't know what the ideal answer is, though. A properly secure system would be quite unworkable in practice for many people.
Regards, Michael.
Society Member
Re: Maximum Logins Exceeded
Soon a finger print will suffice, making passwords obsolete.
Society Member
- MJE
- Posts: 2534
- Joined: 15 Nov 2006, 12:24
- Favourite book/series: Famous Five series
- Favourite character: George; Julian; Barney
- Location: Victoria, Australia
- Contact:
Re: Maximum Logins Exceeded
Then we'll have crooks bailing people up and using a butcher's knife or machete to hack their hands or fingers off to use to get through fingerprint-controlled doors or computer accounts. There could be a down-side to the use of fingerprints as a password substitute.
Regards, Michael.
Society Member
- Daisy
- Posts: 16632
- Joined: 28 Oct 2006, 22:49
- Favourite book/series: Find-Outers, Adventure series.
- Location: Stoke-On-Trent, England
Re: Maximum Logins Exceeded
What a cheerful thought!
'Tis loving and giving that makes life worth living.
Society Member