I know you can do this in about five minutes.
We've got a couple of motherfuckers farming the hundreds of existing, unused accounts to use them as aliases. Suspending the alias doesn't stop them.
First, assign more robust default passwords to new accounts. This will limit the growth of the pool.
Second, design some kind of definition of susceptible unused accounts—hasn't logged in for at least three months and has fewer than 100 posts, maybe—and forcibly change the passwords using the new password generation algorithm I just called for. If any of the real users ever feel the need to log in legitimately, they can use the password recovery feature.
This shit's got to stop.
[Edited on July 7, 2005 at 12:58 PM. Reason : ...]
7/7/2005 12:57:51 PM
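Added example, not part of the original thread and not the site's own code: a sketch of the cleanup proposed in the post above, selecting accounts that match the "three months idle, fewer than 100 posts" rule and overwriting their passwords with random values that are never disclosed, so the real owner must use password recovery. The `users` table, its column names and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta

IDLE_DAYS = 90   # "hasn't logged in for at least three months"
MAX_POSTS = 100  # "fewer than 100 posts"

def make_demo_db():
    """Constructed sample data; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "last_login TEXT, post_count INTEGER, pw_salt BLOB, pw_hash BLOB)")
    rows = [(1, "active_regular", "2005-07-01", 4200),
            (2, "idle_lurker", "2004-11-02", 3),
            (3, "idle_veteran", "2004-01-15", 950),
            (4, "recent_newbie", "2005-06-20", 12),
            (5, "never_logged_in", None, 0)]
    conn.executemany(
        "INSERT INTO users (id, name, last_login, post_count) VALUES (?,?,?,?)", rows)
    return conn

def find_susceptible(conn, now):
    """Ids of accounts idle for IDLE_DAYS or more (or never used) with few posts."""
    cutoff = (now - timedelta(days=IDLE_DAYS)).strftime("%Y-%m-%d")
    cur = conn.execute(
        "SELECT id FROM users WHERE post_count < ? "
        "AND (last_login IS NULL OR last_login <= ?) ORDER BY id",
        (MAX_POSTS, cutoff))
    return [row[0] for row in cur]

def force_reset(conn, user_ids):
    """Overwrite each password with a random one that is never disclosed."""
    for uid in user_ids:
        password = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        conn.execute("UPDATE users SET pw_salt = ?, pw_hash = ? WHERE id = ?",
                     (salt, digest, uid))
    conn.commit()
    return len(user_ids)

if __name__ == "__main__":
    db = make_demo_db()
    stale = find_susceptible(db, datetime(2005, 7, 7))
    print("reset", force_reset(db, stale), "accounts:", stale)
```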
That's a damned good suggestion. If you haven't already, you should send it to them as a pm, too, because this thread is going to get buried under a pile of suspend/unsuspend threads in no time.
7/7/2005 1:15:33 PM
another great suggestion that will go in the "inbox" never to be looked at again
7/7/2005 1:23:06 PM
4th
7/7/2005 1:41:41 PM
i think they'd notice if someone made a password cracker... i don't think it's that
7/7/2005 3:09:15 PM
you don't really need a sophisticated cracker to figure one out, just a brute force approach and time, since they're so short and simple i mean
[Edited on July 7, 2005 at 3:25 PM. Reason : sdfgd]
7/7/2005 3:25:14 PM
yeah and i'm sure they'd notice the tens of thousands of invalid logins
7/7/2005 4:51:33 PM
what
you mean like they notice every-goddamn-thing else on this site
EXCEPT WHEN IT'S TIME FOR ME TO PAY MY PREMIUM
fuckin' bullshit
7/7/2005 4:54:37 PM
each account would take 8788 failed logins, on average
the login page is 4056 bytes, each login returns you to the login page so that's 4056 bytes total per attempt
at 4 accounts an hour, that'd be 35152 logins per hour, 9.8 per second, times 4056 = 39748.8 bytes per second, or 99.151gb/month -- probably around 100-200$ a month, depending on their plan
I think they'd notice that pretty quickly
7/8/2005 12:22:22 AM
what is the 9.8?
is that last figure only for 4 attempts?
if it's for more then your analysis may be right for brute force, but what about someone systematically narrowing down the possibilities, by looking at joined dates compared with those for accounts of known passwords for instance...
if that figure is for only 4 attempts then they would prob notice regardless, like you said
[Edited on July 8, 2005 at 8:29 AM. Reason : dsaf]
7/8/2005 8:27:40 AM
i guarantee one thing - any person who'd ever be capable or pathetic enough to want to take over unused accounts so they can use them as an alias, has already posted a comment in this very thread. besides me
or frosh
7/8/2005 11:27:26 AM
add me to that list, i was just backing up frosh
7/8/2005 11:40:20 AM
k
7/8/2005 11:42:21 AM
no seriously dude, DO IT
7/8/2005 1:14:52 PM
plz do.
7/8/2005 7:17:30 PM
[concur]
7/9/2005 12:35:57 PM
shut the fuck up emily
no one likes you
then again, you think everyone is joshnloaded, jackleg, or scrumples. I think the drugs have made you paranoid.
7/9/2005 7:26:01 PM
SELECT RIGHT(NEWID(), 6)
7/9/2005 8:52:11 PM
this would help a lot
7/9/2005 8:53:05 PM
eat a dick jason - you're the one that ever came to morphine uninvited & not one person will miss you b/c you think you know it all so bad that you fuck up too much. the aliases i've said were those faggots are 100% true & i wouldn't have said so w/o having proof. if no one likes me - i guess i have a good # of friends that fake it. oh wait, that makes no sense. tww isn't where most of my friends exist.
7/9/2005 8:55:40 PM
The system locks an address out after 10 failed attempts
7/11/2005 4:19:44 PM
Then that must not be the hole. But there is a hole, and it needs plugging.
7/11/2005 4:21:02 PM
i doubt it permanently locks anyone out after 10 failed logins. weak passwords may be the key. it's a moot point after-the-fact ( unless A LOT of unused accounts are disabled ) but it may help if new users are required to have a stronger password w/ a symbol or # in the mix. i'm not sure how hard that is to set-up.
& i just noticed that you are allowed to change your password to one as low as 3 characters in length!! maybe there could be a minimum length of 8 characters required?
7/11/2005 7:50:21 PM
if you really want to find the hole... think about it a little longer
7/11/2005 8:07:32 PM
That won't do much good. Hacking and all that is beyond me, I wouldn't know where to start.
7/11/2005 8:21:01 PM
the hole is: it's just a message board - crazyj & jake do not post enough to ever be annoyed by aliases. therefore, the security of user accounts isn't a pressing issue for them, seeing as it's ultimately the responsibility of the person who registered for the account to use a smart password. it's not like they are running a system full of personal or confidential records of individuals on it - it's just a stupid ass message board.
7/11/2005 8:21:16 PM
you sure take it seriously
dyke!
7/11/2005 11:08:56 PM
proxies like whoa
7/12/2005 12:07:45 AM