Yesterday's brute force attempts at password hacking

[Lynne]

Yesterday afternoon, it seems there was somebody (or a group of somebodies) who decided to try to brute force their way to hacking vbulletin.org user accounts. Several of you got emails about being locked out of your accounts after the five attempts were made. Unfortunately, there is no one IP, or even an IP range, that we can block to stop this as the IPs came from all over.

I would strongly suggest that users change their passwords. You should pick a password that is at least fourteen characters long and utilize both lower and upper case letters as well as numbers and other keyboard characters

There is a password generator here that you may use to create a random, strong, password - http://strongpasswordgenerator.com/

[wraggster]

ahh i wondered why i got the message, my site had been hacked recently and we have introduced a heck of a lot of new security measures and ive made my passwords 30 chars long.

Thank god it wasnt just me

[gamerzhut]

But what happened to me was different, even after entering the right password it said incorrect. After 15mins i got the account locked email . .But i manually entered my password for all the 5times.

[AdrianH]

Quote:

Originally Posted by gamerzhut

But what happened to me was different, even after entering the right password it said incorrect. After 15mins i got the account locked email . .But i manually entered my password for all the 5times.

Then you should PM an admin for help.

[Alfa1]

Quote:

Originally Posted by Lynne

Unfortunately, there is no one IP, or even an IP range, that we can block to stop this as the IPs came from all over.

You can block the useragent and other aspects with vB Bad Behavior.

[Adem GEN?]

I got the email

Quote:

The person trying to log into your account had the following IP address: 196.1.70.202

Now I changed my password, vbulletin.org & vbulletin.com
Now my passwords 33 characters

[Lumina]

Quote:

Originally Posted by Lynne

I would strongly suggest that users change their passwords. You should pick a password that is at least fourteen characters long and utilize both lower and upper case letters as well as numbers and other keyboard characters

There is a password generator here that you may use to create a random, strong, password - http://strongpasswordgenerator.com/

Dear administrator,

1) vbulletin.org Lost Password Recovery Form generates base 10 only passwords (0-9), 8 characters long. PHP suggests the following characters for higher bases:
*base 16: (0-9, a-f)
*base 32: (0-9, a-v)
*base 64: (0-9, a-z, A-Z, "-", ",")
You should adopt the base 64 for generated passwords and make it 16 chars long.

2) Wysisyg mode on Google Chrome will prevent you from replying to this thread and your message will be lost. I had to write it again.

[Lynne]

Quote:

Originally Posted by Lumina

Dear administrator,

1) vbulletin.org Lost Password Recovery Form generates base 10 only passwords (0-9), 8 characters long. PHP suggests the following characters for higher bases:
*base 16: (0-9, a-f)
*base 32: (0-9, a-v)
*base 64: (0-9, a-z, A-Z, "-", ",")
You should adopt the base 64 for generated passwords and make it 16 chars long.

You should not be keeping the generated password. You should only use it to login and then you should be setting it yourself.

[DragonByte Tech]

82.145.242.38
201.22.130.226
120.136.20.91

Those are the IPs I got for my old "Revan" account, in case you wanted to ban them or write them down or whatever


Fillip

[qryztufre]

The person trying to log into your account had the following IP address: 200.181.109.18

add this IP to the list...