IMPORTANT: Account security


Gagi
TranceFix Crew
Jun 27, 2020
Hello everyone,

There are some indications that one of our users (@definitelynotadj) has been hacked. His avatar was changed, his posts were meddled with, and his password and email were changed as well. Because we don't know what weakness led to the hacking, we can't trust his email address and IP anymore, and therefore he probably won't be able to access his profile at all, even with our intervention. The profile and IP have been banned as well, and since we don't know him personally, we can't securely verify that it's him. That may happen to some of you as well.

I want to talk to you about account security, what could've been his mistake, and what you can do to improve your account security.

1. Password

Upon inspection, I could see that he had a 6-character password. Admins can't see your passwords at all, so there's nothing to worry about, but we can see how long they are. Generally, the longer your password, the harder it becomes to break with brute-force algorithms. But that is not all. Password-breaking algorithms also check for commonly used passwords such as "password", "123456" etc.

Advice: Use strong, long (and randomly generated) passwords.

There are some apps for this (password managers). Some of them are Firefox Lockwise (comes with Mozilla Firefox, free to use), LastPass, Dashlane etc. I'll give you a list below. Some are free, some are paid. You can also use random generators, but then you have to store your passwords safely and securely, and type them in manually each time. There are also apps/websites that will test the strength of your passwords, but I'm not sure how reliable or secure they are.

I personally use Firefox Lockwise, because it is integrated into Mozilla Firefox browser, has an Android app, and is completely free and easy to use. It randomly generates your passwords and keeps them synced between devices. Hassle-free, really.

If you do not want to use them (though I still encourage it), here are some tips for stronger passwords:
- Don't use names.
- Don't use dates.
- Don't use obvious and commonly used passwords.
- Don't reuse your passwords.
- Make your passwords long.
- Make your passwords as random as possible.
- Use letters (uppercase AND lowercase), numbers, spaces and symbols.
- Change them from time to time.
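As an added illustration (not part of the original post), the checker below turns the tips above into code: it estimates the brute-force search space of a password from its length and character classes, and flags the patterns the post warns against. The word lists and the assumed guessing rate are constructed for the demo.

```python
import math
import re

# Constructed sample lists for the demo; a real checker uses large
# breach-derived word lists (hundreds of thousands of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "trance"}
COMMON_NAMES = {"john", "maria", "david", "anna"}
DATE_PATTERN = re.compile(r"(19|20)\d\d|\b\d{1,2}[./-]\d{1,2}\b")
# Assumed offline cracking rate for a fast hash; adjust to your threat model.
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must enumerate, by character class used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols, space included
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on search-space entropy: length * log2(alphabet size).
    It overstates the strength of passwords built from words, names or dates."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def brute_force_years(pw: str) -> float:
    """Years needed to exhaust the whole search space at GUESSES_PER_SECOND."""
    return 2 ** entropy_bits(pw) / GUESSES_PER_SECOND / (365 * 24 * 3600)


def check_password(pw: str) -> list:
    """Return the tips from the post that the password violates (empty = none)."""
    low = pw.lower()
    problems = []
    if low in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if any(name in low for name in COMMON_NAMES):
        problems.append("contains a name")
    if DATE_PATTERN.search(pw):
        problems.append("contains a date")
    if len(pw) < 12:
        problems.append("too short (use 12+ characters)")
    if charset_size(pw) < 62:
        problems.append("missing character classes (mix upper, lower, digits, symbols)")
    return problems
```

A 6-character lowercase-plus-digits password falls in well under a second at the assumed rate, while a 16-character random password using all four classes takes longer than the age of the universe; note that a dictionary attack on "Summer2020!" ignores this estimate entirely, which is why the pattern checks matter.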

Some additional resources:
- Best Password Managers of 2020
- Choosing a Bulletproof Password
- How Navy SEALs Create a Bomb Proof Password
- Google - Create a strong password & a more secure account
- Avast - How to create a strong password
- 8 tips to make your password as strong as possible

2. Two-Step Verification

I could also see that he wasn't using two-step verification. Now, what is that really? Well, it is a security addition to the existing login model.

It works by generating a code on a device that you possess, which is usually your phone. So, you log in with your email and password, and then you have to open the Google Authenticator app on your phone and enter the code from the app. You can also set it up to remember your device, so you don't have to enter the code on it again.

Why does it work? Well, let's say someone has your email and password and they want to log in. They would then also need access to your phone in order to log in, which they obviously don't have. It's really simple, but it's more secure than just using an email and password. If he had used it, his account would have been protected.

Enable it here: https://www.trancefix.nl/index.php?account/two-step/

It is preferable to use the Authenticator app instead of email codes (since, of course, emails could be hacked).

Resources:
- Google Authenticator setup
- Multi-Factor Authentication

3. Phishing

Phishing is giving your info to hackers without knowing that you did it. You may be presented with an identical-looking copy of a website (but on a different domain), where you log in and actually hand your info to the hackers. You may receive an email where you are asked for your details in one shape or another.

Without delving too much into theory (I will post links below, as usual), here are some quick tips about how to prevent that:

- Do not click on links or buttons in emails you aren't sure came from a trusted email address. For our forum, these are admin@trancefix.nl and trancefixforum@gmail.com. The second one is for contact purposes only, so you will never receive links or buttons from it. From the first one, you may receive password reset emails if you request them. If we ever do a wide-scale reset, we will do our best to notify you. But generally, trust only these two, and even then always be a bit wary.
- Use HTTPS instead of HTTP. There are browser extensions that enforce this (such as HTTPS Everywhere). What that basically guarantees is that the site's certificate for that domain was issued by a third-party certificate authority and that your connection to it is encrypted. There should be a closed lock next to the address (on our site, images loaded over plain HTTP sometimes break that lock). Our certificate is issued by Let's Encrypt, so that is what you should expect to see if you ever check it.
- Use anti-virus software and security browser extensions. If you're using Mozilla Firefox, they have recommended extensions which meet their standards and are assumed safe to use. I use AdGuard, Disconnect, Privacy Badger, Privacy Possum and HTTPS Everywhere, and they, in combination, block potentially malicious content, block trackers and ads, warn about phishing, force HTTPS etc.
- Do not give your login info to anything or anyone but TranceFix - Electronic Music Forum.
- Track data breaches and see if your emails were part of one. Some of the websites where you can check whether an account with your email address has appeared in a data breach are Firefox Monitor and Have I Been Pwned. If you did appear in one, it is recommended to change your passwords (especially if you use the same or similar passwords on several websites). You should generally change the password of your email, of the account that appeared in the breach, and of all the other accounts where you use the same or similar passwords. It is also advisable to change the password of every account which holds sensitive data (Google/Microsoft/Apple, as well as banking etc). Regardless, change them regularly, following the guide above for best results.

Resources:
- 10 Ways to Avoid Phishing Scams

4. Common Sense

Apart from the more technical stuff, there's also some common sense involved here. Store your password safely. Use different passwords everywhere. Don't make them obvious. Don't let anyone know your password or see you while you're entering it. Don't send your passwords anywhere on the web, even if it is just sending one to yourself via Facebook Messenger or whatever (it can still be exposed). Use safe (and trusted) networks. If possible, don't send sensitive data or log in anywhere if you're using the WiFi in a cafe, airport, mall etc. Lock your devices with PIN codes, passwords, fingerprints etc. If possible, prevent other people from accessing your device. Always be a little bit wary about everything regarding your data. Don't be lazy. None of these is perfect, but each adds just another layer of security.

5. Note to Admins and Moderators

We have an even greater responsibility to protect ourselves from these things, because a potential breach of our data has greater consequences for this forum.

Here are some tips on how to keep our forum better protected:

- Always check for users with weird usernames and email addresses, and either delete/ban them instantly or bring them up in the group chat for further discussion.
- Never allow anyone through our spam filter without being sure that the username and email address are valid.
- Keep your account(s) secure using the guide outlined above.
- Permanently (!!!) delete any post with what looks like code in it, or at least report it to me.

6. Ending Notes

I hope everyone understood the importance of security, and that they will keep their accounts secure as a result of reading this, even outside of TranceFix. If a couple more users get hacked, we may have to require everyone to reset their passwords and secure their accounts even further.

If anything was left unsaid, or if you have anything to add or anything to ask, I will leave this thread unlocked, so post away.

Thanks for reading.

On behalf of TranceFix Admin Panel,

Gagi