Could you all do a password update, just to make sure you’re secure. Hate to ask it, but some very bad people are trying bad nuisanceful things, and you can at least give them a poke in the eye for their trouble.
Because there is a botnet action out there…Lynn's suggesting a password change…
by CJ | Apr 13, 2013 | Journal | 38 comments
38 Comments
Done.
Done.
Done.
I use http://grc.com/passwords/ to generate my passwords. If they can brute force that, then changing the password won’t help much.
Goodness, I haven’t been to WordPress in ages. It had a VERY old email address for me. And the new password is complex enough I had to write it down. OH DEAR – my avatar changed. THAT was not intentional.
Eri-ji, your Gravatar is still linked to said old email; you have to go to gravatar.com (login name there presumably equals the deprecated email address, which, if you’ve forgotten the password for it and can no longer access the old email, could be a problem).
In gravatar, add the new email & remove the old one. Note you still have your pictures saved there, even if not in active use. Also, while one email serves as the gravatar ID, you can have multiple addresses — each with separate defined pictures! — tied in.
I was under the impression that the wordpress attack was concentrated on brute-forcing “admin” and known default/system accounts. In essence, if the wordpress-aiji account is still named “admin”, that needs to be changed, posthaste, to some synonym (create new admin (e.g. BigBossMan), login as BigBossMan (or whatever), delete “admin”). My example is deliberately one that will not be used here (and probably shouldn’t be used anywhere now, because hackers can read these posts, too).
Unless Lynn is talking about a different attack than the one I’ve seen described elsewhere?
xheralt, I’m pretty sure the attack Lynn’s worried about is the same one you are describing, and that I was talking about earlier. Getting rid of the admin user is an excellent security measure, as you point out.
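As an added illustration (not part of this thread), here is how a site owner could spot the brute-force pattern described above in their own web server access log: repeated POSTs to wp-login.php from one address. The log lines are constructed samples; it assumes the standard WordPress behaviour of answering a failed login POST with the form again (HTTP 200) and a successful one with a redirect (302).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1450
203.0.113.5 - - [13/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1450
203.0.113.5 - - [13/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1450
203.0.113.5 - - [13/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1450
203.0.113.5 - - [13/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1450
198.51.100.7 - - [13/Apr/2013:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1450
198.51.100.7 - - [13/Apr/2013:10:02:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [13/Apr/2013:10:02:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))

def login_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: total failed attempts} for every IP that made at least `threshold`
    failed login POSTs within any `window_seconds` span.

    A 200 on POST /wp-login.php means WordPress re-rendered the form (login failed);
    a 302 is the redirect issued after a successful login, so it is not counted.
    """
    attempts = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text.splitlines()):
        if method == "POST" and path.startswith("/wp-login.php") and status == 200:
            attempts[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0                       # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Feeding a real access log through login_bursts gives the list of addresses worth rate-limiting or blocking at the web server.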
Some of those who don’t play with software either as a hobby or to make a living seem to be a bit confused about one aspect of this. The site, Wave Without a Shore, is not on wordpress.com, rather it is on its own hosting account somewhere and it runs wordpress software. What’s the difference? WordPress.com blogs are like those on Blogspot or Livejournal, even a little bit like Facebook. They are part of somebody else’s huge site and you have to play by their rules.
WordPress software is basically a program you run on your own hosting. (Hosting is a whole separate topic and I’m not going to talk about that right now, but for most of us, it’s another area where we play on somebody else’s computers, so maybe we just imagine we are more independent than people on wordpress.com 😉 .)
WordPress software is to a website as the Windows operating system is to you; it’s the program that makes it possible for you to do all those cool things that are the reason you have a computer, or a website in this case.
I hope this made sense and maybe helped somebody understand the situation.
BTW I echo CJ’s suggestions on lastpass. Without keeping track of your passwords with something like that, you are likely to use the same pw at many sites just because you can remember it. You are likely to use something that a hacker might be able to guess fairly easily. And so you will be vulnerable, and depending on your level of access you may introduce an attack vector for somebody to get into the sites you belong to. Lastpass is great, and it’s what I use. Just be sure that the access to Lastpass itself is even more secure than anything else…otherwise you create a whole new way for the hackers to get into not just this site but everything you have access to, including but not limited to bank sites if you store those passwords there too.
This security stuff is irritating and complicated but it’s very important. Just think about the lengths Ari had to go to in Regenesis when she was protecting herself from attack. We have it easy; in most cases these intrusions we face aren’t really directed at us! These are just opportunists, trying the doors and windows of houses to see if they can get in.
Took me forever to remember my old password. Let’s see how long I can remember the new one!
As far as passwords go – just wafting this thought out there…I keep seeing the same old advice, of “use letters and numbers and crazy symbols yeah!”
I gotta say, the guy that does XKCD had what appears to be much wiser advice. I mean – granted that’s a webcomic; and granted that his advice wouldn’t protect you from, say, a keylogger…He says to use two to four common words (his example uses 28 characters over four words). Length alone seems to make that pretty good, plus it’s easier for a human brain to remember.
But since we’re on the subject, *is* that advice actually decent? I’ve been using it for a year and haven’t had any trouble remembering passwords or with having “short” passwords. Then again, I also use various ad blockers and am careful about what sites I visit.
Mix and match like that, Mad Libs style, is one I’ve seen recommended before. It lets the human remember it more easily.
As long as you do upper and lower case and numbers, symbols if the password will take them, but usually only a letter allowed for the first character, you should have a strong password and a memorable one.
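An added worked example (not from anyone in this thread) to put numbers on the passphrase question above: the strength of a word-based passphrase comes from how many equally likely words each slot could have been, not from its character count, and only holds if the words are picked at random rather than by a person. The word list here is a constructed stand-in; real Diceware-style lists have thousands of entries.

```python
import math
import secrets

# Constructed stand-in word list; a real list would be far larger (e.g. 2048 or 7776 words).
WORDS = ["correct", "horse", "battery", "staple", "salad", "daylily", "orbit", "pepper"]

def bits_for_choice(pool_size, picks):
    """Entropy in bits of `picks` independent, uniformly random selections from `pool_size` options."""
    return picks * math.log2(pool_size)

def passphrase_bits(list_size, words):
    """Entropy of a passphrase of `words` words drawn at random from a list of `list_size` words."""
    return bits_for_choice(list_size, words)

def password_bits(length, alphabet_size):
    """Entropy of a password of `length` characters drawn at random from `alphabet_size` symbols."""
    return bits_for_choice(alphabet_size, length)

def make_passphrase(words=4, wordlist=WORDS):
    """Pick words with the `secrets` CSPRNG so the entropy estimate actually applies."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

def compare():
    """Three ways to read the '28 characters over four words' example."""
    return {
        "4 random words from a 2048-word list": passphrase_bits(2048, 4),
        "8 random chars, letters+digits+symbols (94)": password_bits(8, 94),
        "28 chars IF every char were random lowercase": password_bits(28, 26),
    }
```

The third line of compare() is the trap: 28 letters look like 131 bits, but when the letters come from four dictionary words the attacker guesses words, and the real figure is the 44 bits on the first line.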
The guy who does XKCD is a physics or math major, grad student now, IIRC. He’s never been a slouch, and he’s nearly always funny, clever, oddball, or “awww” (or sometimes a little bawdy, but not in a bad way) in his webcomic. … Gosh, I haven’t checked in there lately. Shame on me!
He has scifi references regularly, and I’ve seen at least Cherokee and one other language referenced. I think that’s general interest, rather than specific, but not sure. Anyway, plenty to recommend XKCD.com webcomics.
Done… better late than never.
X, I did as you said, logging in the defunct email address and reselecting my daylily picture. Posting to see if it works now.
Well, phooey.
Heh heh heh figured it out. Thanks X, my salad! 😀