Maximum Logins Exceeded
Posted: 16 Feb 2011, 04:52
I understand that a number of users are getting this message lately. Basically, you go to log in and find a message saying that "you've exceeded the maximum number of login attempts," and then you're prompted to go through the visual verification screen.
Why is this happening?
As I saw written somewhere else, "The reason this is happening is that an automated script is being run on infected computers scanning for phpBB forums, and then attempting to log in to them by using brute force dictionary attacks. In other words, the scripts are scanning memberlists for usernames and trying to guess people's passwords by running through huge lists of common words to see which work."
(Don't be too worried about the mention of infected computers. It's more likely that the memberlist has been snatched by a spammer, entered into their auto-spamming program, and run from somewhere on the internet.)
What happens if they get in?
Once the correct username/password is figured out, the spammer might come back another time and start posting spam messages in your name. By spam messages, I mean anything from links to Viagra websites, porn, or just nonsense that seems to serve no purpose.
Should a member be concerned about his or her password?
Make sure your password is strong -- i.e., not easily guessable, and not a word you'd find in a dictionary. Imagine if I knew your username. To find your password, I could run a program that enters every word in the dictionary, starting from A, and if there were no limits to the number of times I could try, I would reach Z in fairly short order. If your password is a dictionary word, I'd be in. Make sure to mix it up a little. Even adding a number to the end of the word makes it much more difficult to guess.
What can the administrators do about it?
Not a lot, I'm afraid. The number of login attempts is set to 3. This is plenty for the average user; you have three attempts to get your password right, and after that you have to go through visual verification as well. (Maybe there's a "locked" period? I can't remember.) The thing is, I could easily set the maximum number of login attempts to 10 or 20 or 5000, but the spammer's program will still whip through that number in record time and the result would be the same, only with a much bigger load on the server. So it will remain at 3.
Is there anything that can be done to avoid the problem?
Yes -- stay logged in. You have the option (on login) to be "remembered." There's absolutely no need to log out; your profile is perfectly safe in its "logged in" state even if you don't visit the forums for a month. The ONLY thing you have to worry about is an unauthorized person using your computer. Obviously that person could post on your behalf if you're still logged in. But other than that, there's no danger -- so stay logged in. If you find that you have to log in each time you visit even though you always check the "stay logged in" or "remember me" checkbox, then maybe your browser is deleting cookies when you close it. In which case, change your browser's settings so it doesn't delete cookies.
Yesterday I tried enabling a feature that checks user IP addresses against a blacklist, thinking that maybe spammers' IP addresses would be blocked. But straight away it blocked a genuine Blytonite, just because her IP address had (innocently) been added to a blacklist somewhere. Maybe someone in her IP range is actually a spammer; unfortunately all the others in that range are blacklisted too. So I disabled this feature again.
Well, that's all for now. Spammers, eh? They should be thrown into the coal cellar!
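To make the mechanics concrete, here is an added example (not part of the post above and not phpBB's own code) of the two things the post describes: a login handler that demands visual verification once an account has had too many failures, and the spammer's dictionary script running against it. The Forum class, the hashing scheme, the user names and the word list are all stand-ins constructed for the demonstration; the candidate generator goes a little beyond the post in that it applies the suffix-mangling rules real cracking tools use by default, so a dictionary word with a digit on the end is in its list too.

```python
import hashlib
import hmac
import os

# Added example, not phpBB code. Forum is a toy stand-in for phpBB's login
# handler; passwords are stored as salted SHA-256 only to keep the example
# short (phpBB uses phpass/bcrypt style hashes).


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class Forum:
    """Login handler with a phpBB-style failed-attempt counter: once an
    account has max_login_attempts failures, every further login must also
    pass visual verification, otherwise the password is not even checked."""

    def __init__(self, max_login_attempts: int = 3) -> None:
        self.max_login_attempts = max_login_attempts
        self.users: dict[str, tuple[bytes, bytes]] = {}  # name -> (salt, hash)
        self.failures: dict[str, int] = {}                # name -> failed count

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str, captcha_solved: bool = False) -> str:
        if username not in self.users:
            return "bad_credentials"
        if self.failures.get(username, 0) >= self.max_login_attempts and not captcha_solved:
            return "captcha_required"
        salt, stored = self.users[username]
        if hmac.compare_digest(stored, hash_password(password, salt)):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "bad_credentials"


def candidates(wordlist):
    """Dictionary words plus the mangling rules cracking tools apply by
    default: capitalised, a single digit appended, '123' appended."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for digit in "0123456789":
            yield word + digit
        yield word + "123"


def dictionary_attack(forum, username, wordlist, can_solve_captcha=False):
    """Run the spammer's script against one account.
    Returns (password or None, number of login requests sent)."""
    attempts = 0
    for guess in candidates(wordlist):
        attempts += 1
        result = forum.login(username, guess, captcha_solved=can_solve_captcha)
        if result == "ok":
            return guess, attempts
        if result == "captcha_required":
            return None, attempts  # the bot has hit the wall and moves on
    return None, attempts


WORDLIST = ["apple", "banana", "rabbit", "secret", "toffee"]  # constructed sample


def demo():
    # Limit of 3: the script is stopped by the CAPTCHA after three misses.
    forum = Forum(max_login_attempts=3)
    forum.register("alice", "rabbit7")
    walled = dictionary_attack(forum, "alice", WORDLIST)

    # Same account, but the bot can solve (or outsource) the CAPTCHA:
    # the counter only added a step, the password still falls.
    captcha_bot = dictionary_attack(forum, "alice", WORDLIST, can_solve_captcha=True)

    # Limit raised to 5000: the dictionary runs to completion unhindered.
    lenient = Forum(max_login_attempts=5000)
    lenient.register("alice", "rabbit7")
    cracked = dictionary_attack(lenient, "alice", WORDLIST)

    # A password that is not a dictionary word plus a suffix survives the same run.
    lenient.register("bob", "correct-horse-battery-staple")
    safe = dictionary_attack(lenient, "bob", WORDLIST)
    return walled, captcha_bot, cracked, safe


if __name__ == "__main__":
    labels = ("limit 3", "limit 3 + captcha solver", "limit 5000", "strong password")
    for label, outcome in zip(labels, demo()):
        print(f"{label}: {outcome}")
```

The point of the four runs is that the attempt limit only decides when the CAPTCHA appears; it does not change which passwords fall. With the limit at 3 the script sends four requests and is walled off; with the limit at 5000, or with a bot that can get past visual verification, "rabbit7" is found on the 36th guess because digit suffixes are part of every standard word-mangling rule set. The password that is not built from a dictionary word is the only one the script never reaches.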
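The "stay logged in" advice rests on a persistent-login cookie, and it helps to see what that cookie actually is. The following is an added example, not code from phpBB or from the post: a minimal "remember me" store in which the browser holds a random token and the server keeps only a hash of it with an expiry, plus a toy cookie jar to model a browser that deletes cookies on close. The class names, the one-year lifetime and the user names are all assumptions made for the demonstration.

```python
import hashlib
import secrets

# Added example, not phpBB code. RememberMe is a minimal persistent-login
# store; Browser is a toy cookie jar so the "browser deletes cookies on
# close" case from the post can be shown.

DAY = 24 * 60 * 60


class RememberMe:
    def __init__(self, lifetime_seconds: int = 365 * DAY) -> None:
        self.lifetime = lifetime_seconds
        self.store: dict[str, tuple[str, int]] = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored, so a copy of the database does not yield usable cookies.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str, now: int) -> str:
        """Called on a successful login with the box ticked; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self.store[self._key(token)] = (username, now + self.lifetime)
        return token

    def resume(self, cookie_token, now: int):
        """Called on a visit with no live session. Returns the username or None."""
        if cookie_token is None:
            return None
        key = self._key(cookie_token)
        entry = self.store.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            del self.store[key]
            return None
        return username

    def revoke(self, username: str) -> None:
        """Invalidate every remembered device for a user, e.g. after a password change."""
        self.store = {k: v for k, v in self.store.items() if v[0] != username}


class Browser:
    def __init__(self, clear_on_exit: bool = False) -> None:
        self.clear_on_exit = clear_on_exit
        self.cookies: dict[str, str] = {}

    def close(self) -> None:
        if self.clear_on_exit:
            self.cookies.clear()


def demo():
    forum = RememberMe()
    keeps = Browser()
    clears = Browser(clear_on_exit=True)

    # Day 0: both users log in with "remember me" ticked, then close the browser.
    keeps.cookies["remember"] = forum.issue("alice", now=0)
    clears.cookies["remember"] = forum.issue("carol", now=0)
    keeps.close()
    clears.close()

    # Day 30: alice never sees the login form; carol's cookie is gone, so she does.
    alice = forum.resume(keeps.cookies.get("remember"), now=30 * DAY)
    carol = forum.resume(clears.cookies.get("remember"), now=30 * DAY)

    # The cookie is the credential: whoever presents alice's token is alice.
    other_person = forum.resume(keeps.cookies["remember"], now=31 * DAY)

    # Revoking on the server side is how a leaked token is cut off.
    forum.revoke("alice")
    after_revoke = forum.resume(keeps.cookies["remember"], now=32 * DAY)
    return alice, carol, other_person, after_revoke


if __name__ == "__main__":
    print(demo())
```

Two things follow from the code. A user whose browser wipes cookies on exit lands on the login form every visit, exactly the symptom the post describes. And the remembered state is only as safe as the cookie: the token is a bearer credential, which is why someone at the same computer can post as that user, and why the server needs a way to revoke outstanding tokens rather than relying on the user logging out.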