Clewby wrote: I don't think there is anything that can be done, as a site administrator has no way of knowing if your email or forum posting is actually an attempt to gain unauthorised access to an account. I suspect the best thing you can do is set up a new account as soon as possible, inform everyone of the change in your email address, and make sure you use a password that is not easy to guess, and make sure that you record it somewhere safe in case you forget it. You can check if a password you wish to use has been used elsewhere by using https://haveibeenpwned.com/, which despite the odd address is a legitimate website. Do check that what I am saying is true with an independent source of information. Don't just take my word for it.
You guys need to be using better, unguessable passwords.
Also, DO NOT USE THE SAME PASSWORD HERE AS YOUR SPAMGOURMET ACCOUNT - THIS FORUM ALLOWS PASSWORDS OF UP TO ONE HUNDRED CHARACTERS - USE THAT TO YOUR ADVANTAGE. Because of the likelihood that this version of phpBB is so old it's being exploited by hackers, it's likely that if so many people are getting their account hacked, there has been a breach at SpamGourmet and we ALL should change our password ASAP! I recommend using a 25 to 30 character password like one Roboform can create.
Roboform is an all-in-one password manager. It does cost money, but I've been using it for over 20 years and Roboform is the ONLY password manager company I am aware of that has not been hacked. This is because not only do they custom write the code to their password manager, but they wrote the code for their own web server and database out of fully custom code, so there's risk of it being exploited by zero-day hacks on Apache, nginx, or MySQL. They've been in business since 1999.
So, what they've done that's really cool recently is made it so it will have an extension in your browser and when you hover over your login/password information it will prompt to fill and submit it for you.
When you sign up for a new site it will prompt you to fill in a new password, then create a completely random password via a PRNG (pseudo random number generator), which I assume is proprietary. I would set it as I have in the picture, with as many characters as possible, with A-Z, a-z, 0-9, !@#$%^&*, and exclude similar characters.
What this will do is keep your password out of any dictionary files, which brute force hackers use to break into an account. So, if your password is found in a dictionary in any language, expect to get hacked. They will also use tools like HashCat and Cain & Abel to do some serious searching that will look for numbers and letters appended to words in the dictionary or simple substitutions like "democracy" becomes "d3mocracy".
What else is cool is Roboform will do the exact same thing on your phone now (At least Android) and when it sees you come up to a screen in a website or app it will pop up with the buttons for automatically logging into the website.
And the absolutely GREAT thing about Roboform is all your passwords are stored in the cloud in AES encryption that not only Roboform knows, but you only have to remember ONE password and that is your master password. I would make this extensively hard but memorable to you. For example, if your favorite movie is The Avengers, you could make your password Th34v3ng3rs. I realize that is simple substitution, but you can do some neat tricks to extend the length of that password. For example, you could add 13 periods in front of the password so it would become ".............Th34v3ng3rs" and I GUARANTEE you that's not going to show up in any dictionary file or be guessed. You could put a bar in between each letter so it becomes T|h|3|4|v|3|n|g|3|r|s. That's another one that's not going to show up in any dictionary files. You want to make your Master Password as impenetrable as possible. There are countless other variations you could make based on what's easiest for you to remember. Because if you lose this password, there's no getting back into your account. Also make sure to take advantage of the 2FA feature in the app for maximum security.
You can set it to log you out under various circumstances, such as any time the screen saver comes on (which is a bit overkill, IMO, unless you're in public places a lot), after a certain period of time, or if you put your PC to sleep. If you use this on a smartphone, you will also need a simple 4 digit PIN to access the account while you're still logged in to the account. I wish it allowed for 6 digits, but it only allows 4.
So, Roboform costs a little bit of money (there is a free version you can download, but it's severely limited in what it can do).
Right now, at the time of writing, there is a 30% discount on the software so you can buy 1 year for $16. (12/28/21)
If you use the link I posted, you get 6 months of usage for free. I'm not 100% clear if you can apply the holiday discount or not, but pick what works for you. If you buy Roboform Everywhere, you can put it on your PC, your phone, and then access it via other computers. You can do this by using the Chrome Extension (which also works for Chromium based browsers using Blink such as MS Edge, Brave & Opera). There is also an extension for Firefox if that is your browser of choice. Both extensions are written by the mfg of the product, not some 3rd party or random user.
So, what I do when I sign up for a brand new website is I choose an email based on my SG parameters. For example, I decided to use watch words to avoid getting spam bombed by someone who didn't know this. Since you don't know what my username is on my account (no, it's not the same as my username here, I'm not that dumb).
So, in order for someone to email me and get through, they have to include one of those colors in my email. So, they would have to email something like color-nameofwebsite.myusername@spamgourmet.com. This is a bit of a paranoid feature. AFAIK, I've never seen anyone try to email without the color in the email, but there's only a log of the last 3 eaten emails, so who knows.
As of right now I have the following stats on my SG account:
"Your message stats: 11,452 forwarded, 100,236 eaten. You have 507 spamgourmet address(es)."
So, I am keeping the Spam Gourmet pretty full. But, I will use one of these email addresses; sometimes if it's a sketchy site I might mark it red-websitename.3.username@spamgourmet.com so I'll only get 3 emails from that account before it stops forwarding the email. If I know the emails are legit, I'll add them to my trusted sender list. Then, I either let Roboform generate a password for me to login to the website (some sites disallow characters like !@#$%^&*, so you'll have to manually generate a password without those, which is extremely simple. Just keep it as long as possible).
Also, if you come to one of those websites that won't allow you to paste in your browser's username and password, try the extension Don't F*ck With Paste for Chromium/Blink browsers or the Firefox version, which will allow you to bypass these stupid anti-pasting measures.
Anyway, using this method has helped me evade SO many database breaches because they have a bogus email and a super secure password that wouldn't even help them if they cracked it, because I use a new email for every site I sign up for.
So there you have it ladies and gents. The BEST way to evade getting hacked: store your passwords on an AES encrypted cloud service with access anywhere you go, and use a Spamgourmet email to hide your identity from the site you're trying to sign up on.
I HIGHLY recommend this method for signing up for new websites. It's extremely effective and keeps you off https://haveibeenpwned.com/.
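The post describes how cracking tools extend a dictionary with appended numbers and substitutions like "d3mocracy", and later builds a master password the same way. The checker below, an added example rather than anything from the post or from Roboform, undoes those transformations before looking a candidate up in a word list, which is how a defender would screen passwords against that attack; the word list and substitution table are constructed for the example.

```python
import re
import string
from typing import Optional

# Constructed mini word list standing in for the dictionary files the post
# mentions; a real checker would load a large multi-language list.
WORDLIST = {"democracy", "avengers", "password", "spamgourmet", "welcome"}

# Substitutions a rule-based cracker tries, so a checker must undo them
# ("d3mocracy" -> "democracy"). The table is an assumption, not a standard.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normal_forms(password: str) -> set:
    """Plain-word forms a cracker's rules would reduce the password to."""
    # padding such as "............." at either end is stripped first
    base = password.lower().strip(string.punctuation + string.whitespace)
    forms = {base, base.translate(LEET)}
    # appended numbers/years ("democracy2021") are removed both before and
    # after the leet undo, since a trailing digit may itself be a letter ("fr33")
    forms |= {re.sub(r"\d+$", "", f) for f in list(forms)}
    forms.add(re.sub(r"\d+$", "", base).translate(LEET))
    return {f for f in forms if f}


def dictionary_hit(password: str, wordlist: set = WORDLIST) -> Optional[str]:
    """Longest word-list entry found inside any normal form, or None."""
    forms = normal_forms(password)
    for word in sorted(wordlist, key=len, reverse=True):
        if any(word in form for form in forms):
            return word
    return None


def assess(password: str, min_len: int = 16) -> dict:
    """Verdict a sign-up form or password manager could show before accepting."""
    hit = dictionary_hit(password)
    return {"length_ok": len(password) >= min_len,
            "dictionary_word": hit,
            "acceptable": len(password) >= min_len and hit is None}


if __name__ == "__main__":
    for pw in ["d3mocracy", "democracy2021!", "Th34v3ng3rs", "Xk7#Qp9!mW2z$Lr4vB"]:
        print(pw, assess(pw))
```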
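The post's disposable addresses follow the shape color-nameofwebsite.myusername@spamgourmet.com, optionally with a number such as in red-websitename.3.username@spamgourmet.com that caps how many messages are forwarded. The model below is an added example, not spamgourmet's own code: it parses that shape and makes the forward/eat decision with the watchword requirement, the per-address count and a trusted-sender list; the default count of 3 for addresses without a number, the colors used as watchwords, and trusted senders bypassing the count are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Shape the post uses: [watchword-]sitetag[.count].username@spamgourmet.com
ADDRESS_RE = re.compile(
    r"^(?P<tag>[a-z0-9-]+?)(?:\.(?P<count>\d+))?\.(?P<user>[a-z0-9]+)@spamgourmet\.com$",
    re.I)
DEFAULT_COUNT = 3  # assumption for addresses that carry no number


@dataclass
class Disposable:
    tag: str
    count: int
    user: str


def parse_address(addr: str) -> Optional[Disposable]:
    """Split a recipient address into site tag, forward count and owner."""
    m = ADDRESS_RE.match(addr.strip())
    if not m:
        return None
    return Disposable(m["tag"].lower(), int(m["count"] or DEFAULT_COUNT),
                      m["user"].lower())


@dataclass
class Forwarder:
    """Minimal model of the forward/eat decision described in the post."""
    user: str
    watchwords: Set[str]  # the post's colors; a new address must carry one
    trusted: Set[str] = field(default_factory=set)  # senders allowed past the count
    seen: Dict[str, int] = field(default_factory=dict)  # forwarded messages per tag

    def decide(self, to_addr: str, sender: str) -> Tuple[str, str]:
        d = parse_address(to_addr)
        if d is None or d.user != self.user:
            return "eat", "not one of this user's addresses"
        if d.tag not in self.seen:  # first message would create the address
            if not self.watchwords & set(d.tag.split("-")):
                return "eat", "no watchword in new address"
            self.seen[d.tag] = 0
        if sender.lower() in self.trusted:
            return "forward", "trusted sender"  # assumed to bypass the count
        if self.seen[d.tag] >= d.count:
            return "eat", "count %d exhausted" % d.count
        self.seen[d.tag] += 1
        return "forward", "%d/%d" % (self.seen[d.tag], d.count)
```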