
Eraserhead

macrumors G4
Nov 3, 2005
10,434
12,250
UK
I would very much like to have obvious-password-checking as a MacRumors feature.

I agree, that seems to be useful.

Maybe you could create a messaging rule system that will curtail private messaging per hour privileges in relation to the user's forum activity level. So if a user account hasn't made one forum post in the past year then they can't send private messages; if they made under 5 forum posts in the past year then they can send 2 private messages; 1 post per month allows 5 private messages, etc.

There is already a limit of only one PM/30 seconds.
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
I figured it was some type of attack on MR with the way things were (still are) so slow. It's sad that something like weak passwords caused compromises. Not sure if vBulletin allows you to get at this, but I have some regular expressions for testing password strength.

A decent MR password strength: start with a letter, contain at least 2 letters, at least 2 numbers, not contain a list of characters, and be between 6 and 20 characters long:
Code:
^(?=[a-zA-Z])(?=(?:.*[a-zA-Z]){2})(?=(?:.*\d){2})(?!.*[$^\*\(\)\+\=\"\.\\\/\|\{\}\[\] \`\~\@]).{6,20}$

If you want to go really strong: at least 2 lowercase, at least 2 uppercase, at least 2 numbers, at least 2 special characters and be between 9 and 32 characters:
Code:
^(?=[a-zA-Z])(?=(?:.*[a-z]){2})(?=(?:.*[A-Z]){2})(?=(?:.*\d){2})(?=(?:.*[!&\?#\<\>']){2})(?!.*[$^\*\(\)\+\=\"\.\\\/\|\{\}\[\] \`\~\@]).{9,32}$
The special characters allowed or disallowed can be tweaked as needed. If anyone at MR would like further details on this to implement on the site I'd be more than happy to help.
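The two policies above, written out as an added example (Python, not the poster's code and not anything from vBulletin). Every rule is a lookahead evaluated at the start of the string, so the length quantifier counts the whole password rather than everything after the first character, and "at least N" is expressed as `(?:.*X){N}`, which backtracks far less than `(.*X.*){N,}` on long non-matching input. It also adds the obvious-password check asked for earlier in the thread: a composition rule happily accepts `Password12`, so a blocklist lookup that first undoes common leet substitutions is run as a second step. The blocklist, the leet table and the forbidden-character set are assumptions constructed for the example.

```python
import re

# Added example, not code from the forum post or from vBulletin.

# Characters the post disallows outright (set copied from the post; adjust to taste).
FORBIDDEN = r'[$^*()+="./\\|{}\[\] `~@]'


def at_least(n: int, char_class: str) -> str:
    # Lookahead requiring n occurrences of char_class anywhere in the string.
    return r'(?=(?:.*%s){%d})' % (char_class, n)


def policy(min_len: int, max_len: int, *rules: str) -> re.Pattern:
    """Anchor all rules at the start so .{min,max} counts the whole password."""
    return re.compile('^' + ''.join(rules) + r'.{%d,%d}$' % (min_len, max_len))


STARTS_WITH_LETTER = r'(?=[a-zA-Z])'
NO_FORBIDDEN = r'(?!.*%s)' % FORBIDDEN

# "decent": start with a letter, >=2 letters, >=2 digits, 6..20 chars
DECENT = policy(6, 20, STARTS_WITH_LETTER, at_least(2, r'[a-zA-Z]'),
                at_least(2, r'\d'), NO_FORBIDDEN)

# "really strong": >=2 lower, >=2 upper, >=2 digits, >=2 specials, 9..32 chars
STRONG = policy(9, 32, STARTS_WITH_LETTER, at_least(2, r'[a-z]'),
                at_least(2, r'[A-Z]'), at_least(2, r'\d'),
                at_least(2, r"[!&?#<>']"), NO_FORBIDDEN)

# Constructed, deliberately tiny blocklist; a real deployment would load a
# list of leaked/common passwords instead.
COMMON = {'password', 'qwerty', 'letmein', 'macrumors', 'welcome', 'abc123'}

# Undo the usual leet substitutions before the lookup so P4ssw0rd is seen as "password".
UNLEET = str.maketrans({'0': 'o', '1': 'l', '3': 'e', '4': 'a',
                        '5': 's', '7': 't', '@': 'a', '$': 's'})


def meets(pattern: re.Pattern, password: str) -> bool:
    return pattern.fullmatch(password) is not None


def _normal_forms(password: str):
    # Try the password as typed, with trailing digits removed, and with leet undone.
    stripped = password.rstrip('0123456789')
    for form in (password, stripped):
        yield form.lower()
        yield form.translate(UNLEET).lower()


def is_obvious(password: str, username: str = '') -> bool:
    """True if the password is a common word (even in leet or with trailing
    digits), contains the username, or is one character repeated."""
    if any(form in COMMON for form in _normal_forms(password)):
        return True
    if username and username.lower() in password.lower():
        return True
    return len(set(password)) == 1


def acceptable(password: str, username: str = '') -> bool:
    """What a registration form would call: policy first, then blocklist."""
    return meets(DECENT, password) and not is_obvious(password, username)
```

The ordering matters: run the cheap regex first, then the blocklist, and reject on either. The regex alone is a composition rule, not a strength measure; `Password12` satisfies DECENT and is the first thing any attacker tries.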
 

rosalindavenue

macrumors 6502a
Dec 13, 2003
855
282
Virginia, USA
This is a nutty week for spammers. My Exchange server for my 11-user business has been attacked three times this week, from overseas, causing my Linux firewall to crash each time. I wonder what's going on?
 

SilentPanda

Moderator emeritus
Oct 8, 2002
9,992
31
The Bamboo Forest
There are many solutions for longer and better passwords. I use 1Password which came in one of the Mac Bundles a while back. By default it creates 14 character passwords with 2 numbers and mixed case. Often times at a site I will have it generate the maximum allowable by the site. It also syncs all my passwords to my iPhone and works very well integrated into the browser. All you have to remember is your master password. They are currently running a beta of their online password storage too although that's a little more than I care for. Granted they could just as much e-mail my passwords to them from their program as they could mooch them from the online storage. But it's not them I worry about...

I'm sure other solutions are out there and some are probably free. This is just the one I use and it works fairly well.
 

mkrishnan

Moderator emeritus
Jan 9, 2004
29,776
15
Grand Rapids, MI, USA
But in case you don't want to get too carried away, you probably don't need 14 characters that are completely randomized. Using the common tricks -- making sure that it contains numbers and both lower/uppercase letters, making sure it does not contain any properly spelled words or names, etc, works reasonably well. You can use 1337-speak or better yet, idiosyncratic misspellings if you want to use real words.

Also don't pick anything that people obviously relate to you. If you pick the last name of some character in a novel you read twenty years ago and never talk about, no one is going to guess it. If you pick the name of a character on Lost, it probably won't work so well. :D
 

~Shard~

macrumors P6
Jun 4, 2003
18,377
48
1123.6536.5321
Further Explanation for Those Interested...

Glad to see MacRumors back online. :cool:

One of my good friends and fellow MacRumors members sent me an e-mail explaining his experience with regards to this incident.

Basically, it started with a message from MacRumors stating that he had received a private message. After logging in, it was indicated that the member had turned off private messaging; however, there was a text link in the notification e-mail.

The link redirected him to a site called "clipwizards", claiming to be a porn site.

It then, via javascript, forced the download of an "Active X component" by looping until he pressed OK.

After clicking OK, a file called 1023.dmg was downloaded to his desktop.

Curious, since there's no such thing as ActiveX for the Mac. ;)

A Google search for "1023.dmg" leads to this page, which pretty much explains everything. It appears to be a massive organized Eastern European crime ring that has access to nearly every machine hosted by the ISP "iPowerWeb". They don't do MR's hosting though, do they? :p ;) :D

As for the 1023.dmg file, it contains the app that made the news a couple months ago - the Mac trojan that asks a user to enter their username and password, and which then modifies the Mac's DNS servers, etc. etc.

Anyway, there ya go... :cool:
 

SilentPanda

Moderator emeritus
Oct 8, 2002
9,992
31
The Bamboo Forest
But in case you don't want to get too carried away, you probably don't need 14 characters that are completely randomized.

That's a good point. I don't actually even *know* my passwords since they are so convoluted. This isn't a big deal for me since they are stored on my iPhone and I can get to them but admittedly it can be a pain on occasion. The pain can be good sometimes though as I sign into Facebook a lot less. ;)

Doing things like taking the lyrics of a song and using the 1st, 2nd, or last letter of every word is a good start. You can then "leet speak" the password and/or do something like make all vowels uppercase, every 3rd letter uppercase, every letter A-M uppercase, add a number behind every vowel, or whatever to "up it".

I just use the naEyuRF2MnwpZ8 passwords because they work for my situation.

Note... that may or may not be a password to one of my many accounts across the interwebs... I honestly couldn't tell you... highly doubtful though... :)
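The two approaches discussed in the last few posts (a mnemonic built from a phrase and then "upped" with simple transforms, versus a fully random password with a minimum number of digits and mixed case), as an added example in Python. It is not the posters' code and not anything from 1Password; the digit appended after each vowel is the vowel's rank in "aeiou", which is an assumption since the post does not say which number to use.

```python
import math
import secrets
import string

# Added example, not code from the forum posts or from 1Password.

VOWELS = 'aeiouAEIOU'
LEET = str.maketrans({'a': '4', 'e': '3', 'i': '1', 'o': '0', 's': '5'})


def mnemonic(phrase: str, position: int = 0) -> str:
    """Take the letter at `position` (0 = first, 1 = second, -1 = last) from
    every word of the phrase; words too short for that position are skipped."""
    out = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        idx = position if position >= 0 else len(word) + position
        if 0 <= idx < len(word):
            out.append(word[idx])
    return ''.join(out)


def upper_vowels(s: str) -> str:
    return ''.join(c.upper() if c in VOWELS else c for c in s)


def every_nth_upper(s: str, n: int = 3) -> str:
    """Uppercase every n-th character (1-based)."""
    return ''.join(c.upper() if (i + 1) % n == 0 else c for i, c in enumerate(s))


def digit_after_vowels(s: str) -> str:
    """Append a digit after each vowel: its rank in 'aeiou' (assumption)."""
    out = []
    for c in s:
        out.append(c)
        if c in VOWELS:
            out.append(str('aeiou'.index(c.lower()) + 1))
    return ''.join(out)


ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 14, min_digits: int = 2) -> str:
    """Random [A-Za-z0-9] password with at least `min_digits` digits and both
    cases present, drawn from the OS CSPRNG. Rejection sampling keeps the
    result uniform over the passwords that satisfy the constraints."""
    if length < min_digits + 2:
        raise ValueError('length too short for the constraints')
    while True:
        candidate = ''.join(secrets.choice(ALPHABET) for _ in range(length))
        if (sum(c.isdigit() for c in candidate) >= min_digits
                and any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == '__main__':
    phrase = 'Twinkle twinkle little star, how I wonder what you are'
    base = mnemonic(phrase)
    print(base, base.translate(LEET), upper_vowels(base), digit_after_vowels(base))
    print(random_password(), round(entropy_bits(14), 1))
```

The entropy figure only applies to the random generator: 14 characters drawn uniformly from 62 symbols is about 83 bits. A mnemonic is worth at most the unpredictability of the phrase it came from, and the leet and capitalisation transforms are deterministic, so they add nothing an attacker who tries the same transforms cannot reproduce; they mainly defeat a plain dictionary run.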
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
It then, via javascript, forced the download of an "Active X component" by looping until he pressed OK.

That's exactly why I like the Firefox add-on called NoScript. I have JavaScript disabled by default for all domains and can turn them on individually as I go, making a white list. It is funny about the ActiveX thing though, maybe they're hoping to affect Parallels-type users who have Windows on their machines as well.

I had also gotten a PM, which was obviously spam and I immediately reported it to the administrator, then a couple minutes later PM-capabilities disappeared, then a couple more minutes went by and the forums went down for maintenance. I didn't try accessing the site that the PM sent because well I'm smarter than that :D I'm glad that the site seems to be running smoothly now though.
 

RedTomato

macrumors 601
Mar 4, 2005
4,155
442
.. London ..
I've never understood how people can choose easy/short passwords.

Because for many people MR is a low risk website, i.e. they don't do much with their accounts or don't check the website very often. So they pick a very simple password, e.g. 123, and if it gets compromised, they've lost nothing important.

I know I have several user accounts on various websites / online games that have extremely simple passwords as it's not worth the effort of giving them a harder password / memorising it / or putting it into a password storage system. I'd rather reserve my hard passwords for accounts where I stand to lose more if they're compromised.

That reminds me - I must beef up some of these passwords :mad:
 

~Shard~

macrumors P6
Jun 4, 2003
18,377
48
1123.6536.5321
I didn't try accessing the site that the PM sent because well I'm smarter than that :D

Yeah, smart move. My friend is no dummy either, but I'm glad he did follow through with things just for interest's sake (since he knows what he is doing as well), as it really revealed some interesting info he or I would not have otherwise known, both about the linked site's content and the fact that the file was the Mac trojan from recent times. An interesting attack! Glad MacRumors (and presumably its members) weren't too adversely affected by it. :)
 

BlakTornado

Guest
Apr 24, 2007
944
0
Washington, OH
After clicking OK, a file called 1023.dmg was downloaded to his desktop.

Awww as I was reading your post, I was hoping to be amused by the hackers making Mac users download a Windows virus :(

Sadly, I am not amused... :(

Because for many people MR is a low risk website, i.e. they don't do much with their accounts or don't check the website very often. So they pick a very simple password, e.g. 123, and if it gets compromised, they've lost nothing important.

I know I have several user accounts on various websites / online games that have extremely simple passwords as it's not worth the effort of giving them a harder password / memorising it / or putting it into a password storage system. I'd rather reserve my hard passwords for accounts where I stand to lose more if they're compromised.

That reminds me - I must beef up some of these passwords :mad:

Too true. I'm the same way.

In some ways, as well, it's a trust thing for me, too. I don't know who is going to get hold of my password on these sites, and if I don't intend to really hang around there much, I may as well not use my proper passwords because it gives me a higher chance of being phished (I'm sure there are probably websites that get you to sign up to them, and then take your username details, email address and password and try using them on a multitude of sites to hack in and cause mischief... and if there aren't, why not? It's a genius idea.)

But yeah... I'm sorry to hear this caused problems on here. In the future, I too, will not pick weak passwords, just to stop other sites having the same problem.
 

Eidorian

macrumors Penryn
Mar 23, 2005
29,190
386
Indianapolis
On some of my other forum accounts on the interwebs I got e-mails saying someone was trying to brute force my cheapo weak passwords.

I just went around changing my passwords to much harder ones. Ones that even I have trouble putting in sometimes. :rolleyes:

That 1023.dmg has been around for some time.
 