People are trying to brute force my account

[b6gm6n]

Quote:

Originally Posted by cellarius

Sorry, that's pretty much nonsense and backed up by nothing, just silly speculation. You don't need a database to do such a brute force attempt, you just harvest usernames either from the userlist or the posts and throw those usernames at the login form.

"Sorry, that's pretty much nonsense and backed up by nothing"

be well.

[cellarius]

You are the one claiming vb.org was hacked at some time in the past and the database stolen. You back that up by nothing, and you can't explain why the much simpler method everyone else in this thread assumes won't work. So...

[Simon Lloyd]

The fact that they are doing it in alphabetical order proves that they are scanning the members list as the database, if it was stolen, is not automatically in alphabetical order but in order of userid.

It's as simple as that, pretty soon they'll be through the entire list and all this will be forgotten, if you want advice, change your password to something strong and they wont get anywhere with their 5 attempts per ip.

[mykkal]

Quote:

Originally Posted by Simon Lloyd

The fact that they are doing it in alphabetical order proves that they are scanning the members list as the database, if it was stolen, is not automatically in alphabetical order but in order of userid.

It's as simple as that, pretty soon they'll be through the entire list and all this will be forgotten, if you want advice, change your password to something strong and they wont get anywhere with their 5 attempts per ip.

That actually depends on 'preferences', sort options, and how the data is exported. It could be a custom script. So even if it downloads in alphabetical order by username they could still resort by USERID.

Just my opinion but your accusation could have a lot of simpler truths. I don't think thats evidence of stealing.

Whenever I export data I almost always have to manipulate it. It's never in the form I need it to be at export.

[kh99]

Well, as cellarius pointed out, if someone had stolen the database the thing to do would be to use the hashed passwords and salt values to try to crack the passwords on a local computer. Using a stolen database just to get the usernames for a brute force attack over the net would be pretty stupid (but, well, I suppose there are people like that around).

Edit: but of course the point is that there's no reason to think they have access to the database, since it can easily be done with the member list.

[mykkal]

Cosign...

Quote:

Originally Posted by kh99

Well, as cellarius pointed out, if someone had stolen the database the thing to do would be to use the hashed passwords and salt values to try to crack the passwords on a local computer. Using a stolen database just to get the usernames for a brute force attack would be pretty stupid (but, well, I suppose there are people like that around).

--------------- Added [DATE]1360163835[/DATE] at [TIME]1360163835[/TIME] ---------------

brute force is an attempt to login...Not the aftermath of data stolen. If someone had the data they could just clone the site, login, and do whatever without fear of being caught.

I don't think brute force should be by username but by IP because the intruder is foreign and blocking by username would lock out the legitimate user. Just create a strong password and that is enough. Mixed with symbols, numbers, and letters a strong password would take until infinity to crack. That's totally safe.

[Paul M]

No one has stolen any data. Thats enough of such nonsense, any more such ridiculous posts will be removed. Stick to the topic and facts, not wild imagination.

[Simon Lloyd]

@Paul M, do you not think this thread has run its course now?

[mykkal]

it should be closed.

[ForceHSS]

Agree close this, it should of been closed a long time ago