So how does this happen

alund

Well-known member
https://www.rig-talk.com/forum/thre...password-fractal-fm3-v1-non-headphone.272791/
Rarely my wife’s Facebook account gets hacked and now over the past few days we have had discussions of a few members here on RT getting hacked. How? How does the hacker enter enough passwords to get in without even knowing anything but a user name? Are they that smart or are we that stupid? The passwords can’t be that easy unless “0000”. Or “1234”? Is there a back door like “Joshua” - for those that remember WarGames? Or what? Mods? Any way to know that a PW has recently changed and this raises a flag on the classified market here? I’d be mortified if/when I’m hacked and someone scams folks. At least on fb is just pictures of dix and tangs. And someone from Kenya? Wtf. Is not that the place that a previous president called a shithole? Do they even have a stable grid let alone high speed internet?
 
Best way to combat it is by enabling the "two factor" authentication for your forum account. It sends a code to your phone when you try to log in, and also kicks you out every 30 days and makes you log back in. So, even if the hacker figures out your password and tries to log in as you, they can't get into your account because they don't have the code sent to the phone.
 
The site was hacked ages ago and passwords were compromised. If you haven’t changed them in a while then people have access to your account.
 
I can say this much:

Apparently the member in the example link used the same password at TGP, the Fractal forum and here. 3 forums, same password.

Not a good idea.
Yeah but having a separate password for every thing you need to have a password for is nuts. I use password manager but still have issues.

If they wouldn't put restrictions on the password it would be way easier. eg - some say you must use a special character and some say you can't use a special character (these are all hints for the bad guys to guess your password anyway). So many times I have 'had' to change my password only to not be able to access it later because I didn't write it down and password manager has no record of the change.

You know who has NEVER asked me to change my password? My banks. My retirement accounts. My credit card accounts. Things that NEED to be secure never ask me to change my password. If any entity says to change your password every 6 months or whatever you know right there that they aren't secure and have no clue wtf they are doing.

Someone hacked my FB account (that I haven't accessed in over 10 years) and I was like: Good riddance. You can have it. No idea what that password was.
 
Yeah but having a separate password for every thing you need to have a password for is nuts. I use password manager but still have issues.
I've only ever used the built-in (automatic) auto-fill feature in Safari (I'm on Mac).

It has never let me down, not once.

If it did 'though, I have that covered:

So many times I have 'had' to change my password only to not be able to access it later because I didn't write it down and password manager has no record of the change.
I always type it into a text file before I even enter it for the first time.

With only 1 exception IIRC all sites have accepted my preferred format of:

xXx-XxX-xXn-XnX

Where x and X are letters and n a number. Numbers are used sparingly-and-randomly. Sparingly 'cause letters are 1-in-52 odds and numbers only 1-in-10.

If any entity says to change your password every 6 months or whatever you know right there that they aren't secure and have no clue wtf they are doing.
Agreed. Thankfully we've only done it once since I joined back in 2016 (or was it just before I joined?). I think that's the only time in 20 years.

OTOH, we've no idea what we're doing, so there's that. :confused: :LOL:

Someone hacked my FB account (that I haven't accessed in over 10 years) and I was like: Good riddance. You can have it. No idea what that password was.
Indeed, good riddance Brother M! :LOL:
 
https://www.rig-talk.com/forum/thre...password-fractal-fm3-v1-non-headphone.272791/
Rarely my wife’s Facebook account gets hacked and now over the past few days we have had discussions of a few members here on RT getting hacked. How? How does the hacker enter enough passwords to get in without even knowing anything but a user name? Are they that smart or are we that stupid? The passwords can’t be that easy unless “0000”. Or “1234”? Is there a back door like “Joshua” - for those that remember WarGames? Or what? Mods? Any way to know that a PW has recently changed and this raises a flag on the classified market here? I’d be mortified if/when I’m hacked and someone scams folks. At least on fb is just pictures of dix and tangs. And someone from Kenya? Wtf. Is not that the place that a previous president called a shithole? Do they even have a stable grid let alone high speed internet?

There are a number of ways. The two most common are:

Username/Password exposed in a site compromise. This is made even riskier if you use the same username/password on multiple sites.

Phishing is another common way. You get an email that appears to be from a site you use instructing you that you must take some action. A link is provided. When you click the link you go to a site that looks like the real site but is not. When you attempt to log in they get your username and password. The text of the link typically looks right, but if you hover to view the actual link it will be some bogus address like “rigtalk.imastealyoshit.com”. Don’t follow links in emails, type the address in on your own. There is also a phone and text/sms based version of this attack.

Then there is interception, this is much more difficult to pull off. If an attacker can redirect traffic through their own proxy or monitor traffic on an IP address they can log all the traffic. Even if it is secured with TLS/SSL/other encryption, it is fairly trivial for a serious hacker to decrypt encrypted packets. Especially if they captured and logged the key exchange.

Then there is compromise of a user's computer. If a remote keystroke logger, trojan host, or remote viewer can be installed on a person's computer the hacker can capture everything you do and even use your computer as if they were sitting behind the keyboard.

How do you get compromised like this? Unused or outdated antivirus/anti-malware protection. Going to porn sites. Cruising the dark web. Going to shady, backwater websites. Going to seemingly legitimate websites. Piss off the government.

Some people's login for their personal computer has administrative privileges. They do it to make their life easier. It also means that all the software they run including their web browser is probably running with full administrative privilege. They visit a site, are prompted to approve something, and unwittingly give permission for software to be installed. Since they are an “administrator” the system happily allows it. That software could be benign or it could be malware.

2 factor auth helps a lot... unless the hijacker has also secured access to your email account and you are using email as your 2-factor notification method.

So in short, yes it does generally involve the hacker being smarter than the mark. Such attacks rely on people's stupidity, lack of technical skill, and/or trust.
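The "hover to view the actual link" check from the phishing paragraph above, automated as an added example that is not part of the post: it pulls every link out of an HTML e-mail body and reports the ones whose real target is outside a list of trusted domains. The trusted list and the sample message are constructed for illustration; the bogus hostname is the one quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the reader actually has accounts on.
TRUSTED = {"rig-talk.com"}

# Constructed sample e-mail body (not a real message).
SAMPLE = """
<p>Action required: <a href="http://rigtalk.imastealyoshit.com/login">
https://www.rig-talk.com/login</a></p>
<p>Forum home: <a href="https://www.rig-talk.com/forum/">Rig-Talk</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.site.com/x' text is accepted too."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host):
    # Exact match or a true subdomain; 'rig-talk.com.evil.example' fails.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def suspicious_links(html):
    """Return (shown text, real host) for links leaving the trusted domains."""
    parser = LinkCollector()
    parser.feed(html)
    pairs = [(text, host_of(href)) for text, href in parser.links]
    return [(text, host) for text, host in pairs
            if host and not is_trusted(host)]
```

The suffix match is a simplification: a production filter would compare registrable domains using the Public Suffix List.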
 