MartinB Posted June 6, 2023

I'm not sure 8 characters is still considered "good" in 2023 😟

Woodinblack Posted June 6, 2023

No, but it is still better than some of the alternatives.

asingardenof Posted June 6, 2023

It's the websites that say a password can't be more than 20 characters and can't contain any special characters that make me stabby.

wintoid Posted June 6, 2023

https://xkcd.com/936/

velvetkevorkian Posted June 6, 2023

You can check whether your email has been leaked in a previous breach on https://haveibeenpwned.com/

Spoiler: it probably has.

scrumpymike Posted June 6, 2023

Read the warning message re scammers a few hours back, so immediately changed my password. Then got a lockout message because someone from London had been trying to sign in on my account, presumably just before I changed it! Thanks for your vigilance Woodinblack 👍 Beware, the barbarians are at the gates!

Kev Posted June 6, 2023

52 minutes ago, MartinB said:
> I'm not sure 8 characters is still considered "good" in 2023 😟

Bugger, I just crafted the perfect 73 character password.

lemonstar Posted June 6, 2023

I use the free Bitwarden - to generate, store and automatically paste in passwords - it works across Windows, Android, iOS. I have changed mine just for the sheer hell of it. As @velvetkevorkian suggested - it's worth checking https://haveibeenpwned.com/ - it's very possible the same username and password have been harvested from another site that he was using.

The question that has to be asked is - has BC been hacked (unlikely as only one incident [so far]) - this is why maintaining sites (as I've found) can be a PITA - you have to keep on top of security updates and sometimes the updates don't always work out. Worse than that - depending on how extensive the site security patch is - any hand crafted changes to the code have to be redone - it's not always simple and problem free.

lemonstar Posted June 6, 2023

4 hours ago, RikiB said:
> Oh yeah we could’ve just sent him money doh. oh well it’s set up now and I’ll share it with my friends as £5 here and there will add up. if you guys could do the same.

I stuck some pennies in fwiw.

JoeEvans Posted June 6, 2023 (edited)

A ten digit password still has a crazy number of possible combinations, maybe 68 to the power of ten, depending on which special characters are allowed. Not sure that really long, complex passwords add much - the crucial thing is that they're all different.

Edit - a couple of billion billion combinations, if I've understood my calculator's shorthand correctly.

scrumpymike Posted June 6, 2023

Just donated a tenner via the group fund set up by RikiB.

pluckedout Posted June 6, 2023 (edited)

1 hour ago, JoeEvans said:
> A ten digit password still has a crazy number of possible combinations, maybe 68 to the power of ten, depending on which special characters are allowed. Not sure that really long, complex passwords add much - the crucial thing is that they're all different. Edit - a couple of billion billion combinations, if I've understood my calculator's shorthand correctly.

All conceivable 10 character passwords can still be brute forced by a basic desktop computer in less than a day. And cracking an account is even easier than that if you use a rainbow table (a dictionary file with not just the contents of all the words in a dictionary but misspellings too and prioritised based on the most common length (6-10)).

Passwords are one area where length really does matter. Combining three or four random words is a good way of doing this, or using a line from a film/song/book.

daveybass Posted June 6, 2023

Tenner in the pot from me, hope it all softens the blow and shows what a decent bunch of people we are

Woodinblack Posted June 6, 2023

3 hours ago, lemonstar said:
> The question that has to be asked is - has BC been hacked

no

3 hours ago, lemonstar said:
> - this is why maintaining sites (as I've found) can be a PITA - you have to keep on top of security updates and sometimes the updates don't always work out. Worse than that - depending on how extensive the site security patch is - any hand crafted changes to the code have to be redone - it's not always simple and problem free.

the site is updated every month, there is custom code, it is often a PITA and messes up, but it needs to be done

1 hour ago, pluckedout said:
> All conceivable 10 character passwords can still be brute forced by a basic desktop computer in less than a day.

not if there is an internet round trip time of many 100s of ms, and you get locked out after 3!

jrixn1 Posted June 6, 2023

7 minutes ago, Woodinblack said:
> not if there is an internet round trip time of many 100s of ms, and you get locked out after 3!

The scenario is that the password file has been leaked. In that case, the passwords will be cracked locally, not against the live site.

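The online-versus-offline argument in the posts above can be put into numbers. The following is an added example, not something posted in the thread: the guess rates (1e10/s for a fast unsalted hash, 1e4/s for a deliberately slow one), the 15-minute lockout, the 0.3 s round trip and the 7776-word list are all assumptions chosen for illustration.

```python
# Added example (not from the thread): rough average guessing times for the
# scenarios the posters argue about. All rates and timings are assumptions.
import math

SECONDS_PER_DAY = 86_400

def keyspace(symbols: int, length: int) -> int:
    """Number of equally likely secrets: symbols ** length."""
    return symbols ** length

def entropy_bits(space: int) -> float:
    """Entropy of a uniformly random choice from `space` possibilities."""
    return math.log2(space)

def offline_days(space: int, guesses_per_second: float) -> float:
    """Average days to hit one secret when leaked hashes are tested locally."""
    return (space / 2) / guesses_per_second / SECONDS_PER_DAY

def online_days(space: int, attempts: int, lockout_s: float, round_trip_s: float) -> float:
    """Average days against the live login form, locked out every `attempts` tries."""
    window = attempts * round_trip_s + lockout_s
    return (space / 2) / (attempts / window) / SECONDS_PER_DAY

def compare() -> dict:
    candidates = {
        "10 chars from 68 symbols": keyspace(68, 10),
        "4 random words (7776-word list)": keyspace(7776, 4),
        "6 random words (7776-word list)": keyspace(7776, 6),
    }
    rows = {}
    for name, space in candidates.items():
        rows[name] = {
            "bits": round(entropy_bits(space), 1),
            "offline_fast_hash_days": offline_days(space, 1e10),  # assumed rate
            "offline_slow_hash_days": offline_days(space, 1e4),   # assumed rate
            "online_lockout_days": online_days(space, 3, 900, 0.3),
        }
    return rows

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

These figures only hold for secrets picked uniformly at random; a human-chosen password or a well-known phrase is guessed far sooner than its length suggests.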
Stub Mandrel Posted June 6, 2023

In brief longer passwords stronger than odd characters.

PaulWarning Posted June 6, 2023

I just use google suggestions, seems to work well.

chaypup Posted June 6, 2023

4 hours ago, lemonstar said:
> I stuck some pennies in fwiw.

As have I

Napalmnun Posted June 6, 2023

8 hours ago, tauzero said:
> Which tonewood is right for metal?

Whatever Dingwall make their basses from? 😉

Jean-Luc Pickguard Posted June 6, 2023

22 minutes ago, Stub Mandrel said:
> In brief longer passwords stronger than odd characters.

I built a WordPress plugin based on that comic: https://wordpress.org/plugins/correct-horse-battery-staple/

Also I use 'correct-horse-battery-staple' as my password everywhere including basschat as it is the most secure password you can have. 😁

oldslapper Posted June 6, 2023

1 minute ago, Jean-Luc Pickguard said:
> Also I use 'correct-horse-battery-staple' as my password everywhere including basschat as it is the most secure password you can have. 😁

Aww same here. That’s lovely. 😊

Stub Mandrel Posted June 6, 2023

23 minutes ago, Jean-Luc Pickguard said:
> I built a WordPress plugin based on that comic: https://wordpress.org/plugins/correct-horse-battery-staple/ Also I use 'correct-horse-battery-staple' as my password everywhere including basschat as it is the most secure password you can have. 😁

It would be interesting to know how many people have actually done that.

Woodinblack Posted June 6, 2023

1 hour ago, jrixn1 said:
> The scenario is that the password file has been leaked. In that case, the passwords will be cracked locally, not against the live site.

But in common with a lot of sites, the passwords aren't stored, just the hashes of them and something else. If you have access to that (and I am pretty confident that no bad people do), you don't need as much time because you don't need to crack one password, you need to crack any, with passwords in different groups having different value. Or just replace the passwords entirely if you have access.

It is a lot easier to social engineer your way in though. I mean if I took the email list, made a mass email saying 'hi, my name is sophie, sorry for the un-announced email, I got your email from the internet as a bass player. My dad passed away recently at the age of 60, he played this one bass all his life, he loved it as it had the same date of birth as him. It says Fender Precision Bass at the end, and it is brown fading to black at the edges, it is in good condition in an orange lined case that says Fender on it. Now I need to clear his stuff out, and was wondering if anyone would be able to give me £1500 or around there for it - would you be interested?'. Most people would ignore it, a lot of people would reply saying don't sell it for that, but I would also have a very healthy bank account by the end of the day.

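A sketch of what storing "the hashes of them and something else" usually looks like, as an added example that is not the forum software's code: it assumes the "something else" is a per-user random salt, uses PBKDF2-HMAC-SHA256 from the Python standard library, and treats the iteration count as an assumed work factor. It shows why a salt forces separate work per account when two members share a password.

```python
# Added example (not the forum's own code): salted, slow password hashing
# compared with a bare unsalted hash. ITERATIONS is an assumed work factor.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ITERATIONS = 600_000

def unsalted_hash(password: str) -> bytes:
    """Weak storage: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn for each new account."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_password_demo(password: str = "correct-horse-battery-staple") -> dict:
    """Two constructed accounts that picked the same password."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return {
        # One lookup exposes every account using this password.
        "unsalted_digests_match": unsalted_hash(password) == unsalted_hash(password),
        # Each salted record has to be attacked on its own.
        "salted_digests_match": digest_a == digest_b,
        "login_ok": verify_password(password, salt_a, digest_a),
        "wrong_password_ok": verify_password("Tr0ub4dor&3", salt_b, digest_b),
    }

if __name__ == "__main__":
    print(shared_password_demo())
```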
Skinnyman Posted June 6, 2023

Apparently, subscribers/customers of BA, the BBC and Boots have all been targeted in the last few days. I guess they’ll be moving on to Currys and Costco next….

ambient Posted June 6, 2023

On 05/06/2023 at 23:30, daveybass said:
> I actually said I’d pay the PayPal fees and then when the scammer said no then he was told to run and jump. it’s only a few per cent extra to protect you

There are several websites you can use to calculate the fees the seller will incur. I’ll just pay whatever the extra is to ensure the seller gets what they wanted while protecting myself.