All forums user should reset their password

[Crewp]

Please don't punish the users

I don't see any punishment. As already said, Firefox or a different software can remember the password for you. Therefore I don't see the deal with a short length like 12 characters.

Agreed, this is not punishment.

[Kurt3162]

I shouldn't, but I'll weigh in in that debate...

I agree that forum passwords are not important per se, but only if you do like me and have an unique mail address and password for each. I mean, what could a hacker gain by stealing an email address like "linuxmintforum@somedomain.foo" and some password? Not much, except the ability to spam this specific forum once or twice in my name. Annoying for the moderators, but hardly a security issue.

The real problem is about people who for some reasons reuse the same email and passwords for all kind of sites. That's a big no-no. In this case, gaining your Linux Mint credentials would immediately allow them to log into your bank account. That is the thing people should avoid at all costs, and that's why the Mint people suggested people change their passwords - Not just here, but at your bank account, if it uses the same email/password combo as your Linux Mint forum account.

As for remembering a host of complex and long passwords, there is a technical solution for this: Password managers... Simple ones (for unimportant stuff) are already integrated in your browser (Firefox at least), so there is really no valid excuse to reuse passwords.
I have currently over 60 passwords, some of which are important and thus long and complex (32 characters and more). On the other hand my own RAM stinks, I can't even remember my own phone number. That's where a Password Manager comes in handy: You just have to remember one single complex password, and all the others are safely stored inside the Password Manager. Just backup the database (small USB sticks are cheap) and there is little which can happen to you, even if your house and computer burns down. Put a backup stick in your car, one at the office, one at your aunt's, and you're covered.

Ideally, in this world of spam, you would also have lots of different emails. Unfortunately this is only really possible if you have your own domain and mail servers. If you do (lots of people do actually), never use the same email twice. Give one site/store/company "dF5x9@mydomain.foo", the next site "qa3svh@mydomain.foo". This way not only you don't care about any leaks, but also if some email address starts to get spammed, you just drop it. Easily. No need to notify all your friends and colleagues and change email on a hundred different stores, forums and services; You know that address is only used here, so you just have to change it here, period. Life becomes so easy... I still do see spam, almost every month. That's all.

[samriggs]

I just use a usb with a simple text file with my passwords in it, any time I need to get into one I don't remember I shove it in copy paste the password and pull it back out, that way I can keep it as long as I want and don't worry about remembering it.
Simple and it works, nothing on my computer stored or in browsers.
That way I can make it as crazy as I want and as long as I want without the hassles of remembering it.
As a backup just print out the text file keep it safe somewhere in case the usb borks for some strange reason.

Just a thought for those worrying about remembering long crazy insane passwords and a bunch of them and having nothing stored on the system or anywhere for that matter inside the system.

It's actually quicker for me this way then typing some crazy insane password.

If you want to be doubly secure just type some word ex: "blah" copy it so it overides the password in the clipboard

Sam

[Kurt3162]

Just a thought for those worrying about remembering long crazy insane passwords and a bunch of them and having nothing stored on the system or anywhere for that matter inside the system.

Well, the passwords will sooner or later go through your computer, for that's where you use them...
So there isn't any security to be gained by having them separate; If you have some spying virus on your computer, it will get your passwords, no matter if they are stored in cleartext on the hard drive or written on a piece of paper hidden in the strongbox in the basement...

Password security only makes sense as long as your computer is supposed to be safe. If your computer is compromised, it's game over, no matter what you do.

Password Managers, besides the obvious use facilities (clipboard management and sanitization) only protect your passwords in case your computer (and thus the password database) gets stolen. They protect the database as long as you're not using it, which is the same as putting it on a USB stick which you hide under your mattress, only user-friendlier.

[blabloblu]

It's a bit late to ask this question, I guess, but I will give it a go. After closer look at email warning users about the leak I tried to log in to my account, however I didn't remember the password. So I when I typed username and email address I got message saying that I am not registered on the site. I managed to create this account using same email address some time ago.

Does it mean that my old account was deleted because was not active? Or was there another reason to do it?

[killer de bug]

Some accounts were removed the database after the hack. Accounts without posts and where the last login period was too old. You were probably part of this group.

[blabloblu]

Some accounts were removed the database after the hack. Accounts without posts and where the last login period was too old. You were probably part of this group.

Thank you for clarification.

[avij]

I got a spam email titled "iPhone 6 PLUS = 99$ [LIMITED STOCK]" yesterday, with a link to some .su domain. The spam was sent to an email address that I use only on this forum. I hope this is related to the February incident. This was the first time I received spam to this email address. The email address I used back then is the same I'm using now.

If I start getting more spam to this email address I can simply redirect it to /dev/null, so that's not a problem.

edit: I got two more similar spam emails today, so I have changed my email address here on the forum and disabled the old email address on my mail server.

edit2: Looking closer at my mail logs, looks like I started receiving those on June 22nd. However, the spam emails that I received in the last few days were the first ones that weren't caught by my antispam countermeasures.

[Sector11]

I got a spam email titled "iPhone 6 PLUS = 99$ [LIMITED STOCK]" yesterday, with a link to some .su domain.

Interesting, I've been getting those same iPhone Limited Stock mails for a while now.

Then another started, 'you are on the list to receive $1,000,000, all you have to do...' mails I only use this email on 'forums' and have had it for at least 7 years.

[Kurt3162]

Add me to the list of people having got the "iPhone 6 PLUS = 99$ [LIMITED STOCK]" spam from "invitation-(random letters)@blackhack.su" on an unique mail address I only used here on this forum...

Apparently they do send the same thing, but not to everybody at once; For me it's the very first spam on that e-mail address. I'm sure because I don't route forum registration e-mail addresses through the spam filter (normally they're supposed to remain a secret between just the forum engine and me).