Security 101: Securing your online forum accounts

RainstormZA

Grumpy Old Vaper
LV
31
 
Joined
24/8/17
Posts
4,403
Awards
33
Age
44
Location
Selby, North Yorkshire, UK
Hi all

Just to clarify on something I've been pondering on for a while.

Security of forum accounts.

Just to put it out there, an account of mine on another forum was hacked and a tiny change in my personal details. I would have not noticed if I had not checked today as I regularly check in daily a few times. The reason I missed it was because it was just one tiny detail that was changed. Note, the password and email was not changed.

Webp.net-resizeimage-2-min.jpg
The biggest issue we face daily is invasion of privacy. I have actually requested to have my account deleted over there because it seems that it has been an ongoing problem, and the owner not doing anything about it, numerous of messages going unanswered. Also with me going to the UK, it's just pointless keeping that account alive.

I"m not assuming it to be the same case here. I'm just writing this to give you a few pointers on account security - how to prevent it from being hacked and how to beef up a bit more security on your personal / vendor accounts. This is a really great forum and I don't want to see it go down the drain.

A few security pointers to keep in mind, if you really want a secure account:
  • Make use of the two-step verification - either email or cellphone number. This is one of the best security measures I've ever seen in today's technology. If it doesn't work as intended, notify the administration as this is an huge security risk if something isn't working.
  • Make regular password changes - I'm guilty of this, it's hard enough trying to remember 20 different passwords for 20 different online accounts.
  • Password history - don't reuse the same password after 20 changes, it makes things so much easier for an hacker to gain access.
  • Password complexity - don't use iamabletohackaccounts. A mix of alpha-numerical and symbols make it so much harder to hack. Something along the lines of this example - !am@bl3t0h@ck - not a easy feat to remember, I agree. But not exactly like this, make it really random to make it much harder to hack.
11salszieder_web.jpg
The other thing that the administrators can only do is make regular security audits and increase their security defenses, such as using a WAF (Web application Firewall) and refuse ICMP packets from incoming (this is a source of DDOS attacks) plus banning grabbing is a real issue. If it is too much of an hassle, it does pay to have SaaS (Security-as-a-Service) cloud based security if you are using an hosting company that can do all of your security for your business or forum. HIPS (Host-based Intrusion Prevention System) and HIDS (Host-based Intrusion Detection System) also helps if one does a regular security audit to check for false negatives and false positives.

The rest is up to you to safeguard your accounts. If you get hacked, it's actually your own fault if you keep a simple password, not do regular virus and malware scanning, keeping your software updated regularly and do system checks.
 
Last edited:
Thanks for this info @RainstormZA - it is helpful and appreciate the effort.

I agree, choosing a good password and changing it every now and then is the way to go

If someone suspects their account has been "hacked" or logged into by someone else, let one of the members of the Admin & Mod Team know and we will try assist.

Stay safe
 
Thanks, just tell me something. If they hack my Ecigssa account, what are the going to do? Make sarcastic comments under my name and piss people off? I do it allready:-D
 
Thanks, just tell me something. If they hack my Ecigssa account, what are the going to do? Make sarcastic comments under my name and piss people off? I do it allready:-D

Most people as a habit tend to use the same password over different platforms. So Hackers go for the "Soft Targets" first, then when they have your details they start going onto "harder accounts like e-mails and banking etc.
 
Thanks, just tell me something. If they hack my Ecigssa account, what are the going to do? Make sarcastic comments under my name and piss people off? I do it allready:-D
Something along the line of she's dangerously stupid was put under the about me section. Obviously someone over there has a beef with me. :D

But yeah things like that.

Btw the Google Authenticator is an awesome tool. It has both barcode reader and generates random code so this makes it much harder to hack. I recommend this method.
 
Something along the line of she's dangerously stupid was put under the about me section. Obviously someone over there has a beef with me. :D

But yeah things like that.

Btw the Google Authenticator is an awesome tool. It has both barcode reader and generates random code so this makes it much harder to hack. I recommend this method.
Thats funny, wish I knew how to hack a few accounts here:-D, could pump some life into the forum
 
Ok I have an issue with Google Authenticator. It pops up adverts, even when it's closed and right in the middle of browsing on websites / forums. This really irritates me. Judging by the reviews, I don't think Google has done anything about the issues and probably has made the problems worse by adding stuff that shouldn't even be there in the first place.

I suggest you find something else, something that will work well for you.
 
Ok I've tried a few Auth apps and they all are crap. These things are full of adware - I wouldn't even touch them with a barge pole.

I see that ECIGSSA provides 2-step through email which is probably far the best option you can have over Auth apps as the email goes straight to your inbox.
 
Password managers work quite well if you get a proper one. It will cost you some money but they are relatively cheap. One pro is that you can generate passwords that look like this: P6rTsa1. It saves all the passwords for you and the only one you have to remember is your master password. If you can't remember your master password you won't be able to reset it. The only problem you can run into otherwise is if someone hacks into your password database that is why I recommend getting a good one.
 
I use LassPass and have done for more than a year... very happy with it and it's a reasonable price to protect your passwords... as you can imagine I have more than one or two passwords and it has been a real help. Works on my PC and on my iPhone and my iPad!

https://www.lastpass.com/
 
I use LassPass and have done for more than a year... very happy with it and it's a reasonable price to protect your passwords... as you can imagine I have more than one or two passwords and it has been a real help. Works on my PC and on my iPhone and my iPad!

https://www.lastpass.com/
Im still mentally young and have 6000 passwords in my head. Pity I only get 3 tries on most platforms :D
I even remember the windows 98 key I used ages ago as I typed this out so many times!
 
Yeah, @Christos, one's memory can be trained to retain a whole plethora of information.

Just a warning to you guys - when I installed the Google Authenticator, it infected my phone with adware. I've just spend 30 minutes wiping it and then restoring everything now. I've reported it to the App store as not safe. Even after I uninstalled the two offending apps, I was still getting ads in the middle of doing things. It was really driving me up the wall so hopefully the wipe will give me a clean start.

Oh and @RenaldoRheeder kept on face-palming me because of the above. :D
 
2fa in todays world is not enough. Say for example your company uses 2fa to log onto prod systems. First auth might be ldap auth and secondary an otp like Fortress mainframe. Issue is, if a hacker gains access to ldap its easy to access to fortress application. Even if the 2nd auth is an external otp application, its extremely easy to hack as otp apps uses a well known and documented algorithm.
Only solution is using a multiple auth methods, i.e. 3 to 4 auth. First auth would be a priv/pub key pair with a 15 min character password. Second auth ldap, 3rd auth otp and 4th auth some kind of logon phrase kept in a vault system that needs to be booked out by an ansible automated controlled system using same auth controls in order to book out an expiring password
I definitely agree with you there - have just learnt a lot of new stuff today with 2FA and what you said makes a helluva lot of sense.
 
Password managers work quite well if you get a proper one. It will cost you some money but they are relatively cheap. One pro is that you can generate passwords that look like this: P6rTsa1. It saves all the passwords for you and the only one you have to remember is your master password. If you can't remember your master password you won't be able to reset it. The only problem you can run into otherwise is if someone hacks into your password database that is why I recommend getting a good one.
I was just thinking of ways to store a list of sites and random passwords and hide them.

We just did a bunch of steganography puzzles. We could apply the same principle - audio files , video files, image files and so on.
 
I was just thinking of ways to store a list of sites and random passwords and hide them.

We just did a bunch of steganography puzzles. We could apply the same principle - audio files , video files, image files and so on.
hide it inside a photo.
 
Back
Top