Attempted hacking

01-02-2015 , 07:37 PM
Another thing to keep in mind is that forum software was never built to have bank/credit card style security, and even those have been hacked. You must use your head when doing trades and get absolute confirmation that you are actually dealing with the person you believe is doing the transaction. Nothing is foolproof but a phone call is a pretty good start.
01-03-2015 , 09:03 AM
01-03-2015 , 09:35 AM
Except passwords that use only words found in a dictionary are a lot quicker/easier to crack so that comic is wrong.
01-03-2015 , 09:53 AM
Yeah, if you only use one word.
01-03-2015 , 10:12 AM
Yea, that comic shows up in every such debate and it is really quite useless given that one of the most important things for passwords is that they should be unique from place to place. Try remembering 100 passwords made with that method and then which one goes where.
01-03-2015 , 10:50 AM
Keepass ldo
01-04-2015 , 02:41 PM
Someone tried to access my account a couple weeks ago (I posted about it in the LC thread before this thread existed). The IP address trying to log in then was actually my reg IP address but I was already logged in and they got denied because my password is a pretty good one afaik.

Yesterday, I got another email about someone trying to login. It's a different IP address this time but a quick google shows that it's most likely the IP address my phone uses. None of which are in China. I don't know much at all about computers but could they be using a VPN to try to log in from my IP or is there a problem on my end?
01-04-2015 , 04:32 PM
You on pain meds?

Guess it's theoretically possible you could have a virus doing this stuff.
01-04-2015 , 05:10 PM
looks like you're hacking yourself
01-04-2015 , 05:19 PM
Quote:
Originally Posted by Anais
Guess it's theoretically possible you could have a virus doing this stuff.
Cross site scripting is possible in theory, too. But it would be a strange approach.
01-04-2015 , 06:29 PM
Now I think on it, Mat's probably just drunk and sending you fake emails with your own IP address in it.

Most likely explanation imo
01-04-2015 , 06:41 PM
mmd
01-04-2015 , 11:39 PM
Quote:
Originally Posted by jh1711
...
I think it's safe to assume 2p2 made a lot of money over the years through the forum Database with Ads revenues, affiliations, book sales and whatnot.

Congrats to the 2p2 company on its success but at the same time I expect a little bit more than a "police yourself dumb mother****er" when it comes down to the security of the same Database that brings 2p2 revenues.

So a little bit of time and a little bit of money to ensure more security for users accounts than a random forum is not too much to ask.

As for the general tone of the thread, I was referencing some posts that had been since moved elsewhere.

Quote:
Originally Posted by Professionalpoker
...
I don't ask for RSA tokens or whatever a bank would use to ensure the security of his customers online account.

Just 2 questions for a 2p2 rep:
1) Could we expect to be able, as users, to see the logs on our own account ?
If no, then an explanation would be appreciated.

2) Do you have some plans in order to strengthen the security of user accounts ?
Like a big lockout after few failed attempts as suggested in the thread.
01-05-2015 , 04:38 PM
Quote:
Originally Posted by Already.Dead
Congrats to the 2p2 company on its success but at the same time I expect a little bit more than a "police yourself dumb mother****er" when it comes down to the security of the same Database that brings 2p2 revenues.
I'm not affiliated with 2p2 and I don't know how profitable it is. But I admit I'm a little biased. Mainly because any security concern, that I brought to the attention of the administration, was addressed very quickly. One literally within seconds.
Quote:
Originally Posted by Already.Dead
So a little bit of time and a little bit of money to ensure more security for users accounts than a random forum is not too much to ask.
I don't know how much they spend already, or how much they should spend. I also don't know if they block a huge amount of IP addresses, and the hacker just uses even more. Or if they don't block many.
I'm in favor of posting constructive ideas. No clue why they should be demands.

Enforcing strong passwords would be the most effective change. But implementing it for 400k existing users would be a logistical nightmare. The forum software doesn't store the password itself, but only a hash and some other information to verify the password. The 2p2 server alone can't tell, if a password is weak.

Account reactivation after a certain number of failed log ins could be a good idea. Obviously there is the problem that legit users will be locked out of their accounts, when they don't have access to their email.

Longer lock out period could discomfort legit users, too. Showing users the IP used to access their account doesn't bring much (imo). But it doesn't have any obvious disadvantages.
Quote:
Originally Posted by Already.Dead
As for the general tone of the thread, I was referencing some posts that had been since moved elsewhere.
I didn't see those. That explains the misunderstanding.
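
An added illustration of the two technical points in the post above (it is not code from the thread or from the forum software): a server that keeps only a salt and a hash can judge password strength only at the moment the plaintext is presented, and failed logins can be throttled with a growing delay instead of an e-mail reactivation step. All names, the PBKDF2 parameters and the policy numbers are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # assumed work factor for this sketch
MAX_FAILS, BASE_DELAY = 3, 30    # assumed policy: throttle after 3 failures, 30 s base
COMMON = {"password", "123456", "qwerty", "letmein"}  # constructed sample list

def make_record(password: str) -> dict:
    """What the server keeps: a random salt and a slow hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "fails": 0,
            "locked_until": 0.0, "must_change": False}

def is_weak(password: str) -> bool:
    """Strength can only be judged while the plaintext is in hand."""
    return len(password) < 10 or password.lower() in COMMON

def login(rec: dict, password: str, now: float) -> str:
    """Return 'ok', 'change_password', 'denied' or 'throttled'."""
    if now < rec["locked_until"]:
        return "throttled"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, rec["hash"]):
        rec["fails"] += 1
        if rec["fails"] >= MAX_FAILS:
            # The delay doubles with each further failure and expires on its
            # own, so a legitimate user without e-mail access is not stranded.
            rec["locked_until"] = now + BASE_DELAY * 2 ** (rec["fails"] - MAX_FAILS)
        return "denied"
    rec["fails"] = 0
    # The stored hash says nothing about strength, so existing accounts are
    # checked here, one successful login at a time.
    rec["must_change"] = is_weak(password)
    return "change_password" if rec["must_change"] else "ok"
```

Checking at login lets a strength policy reach existing accounts gradually, without a mass reset of every user at once.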
01-05-2015 , 05:06 PM
Quote:
Originally Posted by jh1711
I'm not affiliated with 2p2 and I don't know how profitable it is. But I admit I'm a little biased. Mainly because any security concern, that I brought to the attention of the administration, was addressed very quickly. One literally within seconds.

I don't know how much they spend already, or how much they should spend. I also don't know if they block a huge amount of IP addresses, and the hacker just uses even more. Or if they don't block many.
I'm in favor of posting constructive ideas. No clue why they should be demands.

Enforcing strong passwords would be the most effective change. But implementing it for 400k existing users would be a logistical nightmare. The forum software doesn't store the password itself, but only a hash and some other information to verify the password. The 2p2 server alone can't tell, if a password is weak.

Account reactivation after a certain number of failed log ins could be a good idea. Obviously there is the problem that legit users will be locked out of their accounts, when they don't have access to their email.

Longer lock out period could discomfort legit users, too. Showing users the IP used to access their account doesn't bring much (imo). But it doesn't have any obvious disadvantages.

I didn't see those. That explains the misunderstanding.
The part in red is such a huge concern. For those of you that were around for the "Great Hacking" crusade on 2p2 - so many users didn't have access to their accounts and it took significant effort of volunteer mods to restore access to those users and many were never able to regain access to their legitimate accounts because there was no way to verify them. It isn't as if 2p2 gathers legitimate personal information when you open your account so there is really nothing there to authenticate yourself other than knowledge of username and password and some sort of access to a registered email address.
01-05-2015 , 05:28 PM
Quote:
Originally Posted by gtpitch
The part in red is such a huge concern. For those of you that were around for the "Great Hacking" crusade on 2p2 - so many users didn't have access to their accounts and it took significant effort of volunteer mods to restore access to those users and many were never able to regain access to their legitimate accounts because there was no way to verify them. It isn't as if 2p2 gathers legitimate personal information when you open your account so there is really nothing there to authenticate yourself other than knowledge of username and password and some sort of access to a registered email address.
I remember some of the posts. Definitely a sad and frustrating experience for those who couldn't regain access. And the volunteer effort could have been used in a more pleasant and more productive way.

It could also encourage criminals to bring certain accounts into the activation stage. And try social engineering on the moderators. Even if they fail, they waste a lot of volunteer time.

All in all a bad idea. Glad it was mine.
01-05-2015 , 07:54 PM


permaban? really?
01-05-2015 , 08:00 PM
What was your original account name?
01-05-2015 , 08:07 PM
doesn't matter. i'm done with this site gg
01-05-2015 , 08:17 PM
Suit yourself. I don't understand why you created a new account, but luckily I don't have to.
01-05-2015 , 08:29 PM
Quote:
Originally Posted by g3wtter
permaban? really?
I don't know any of the details about what happened here, but yeah, it's pretty standard that when an account is suspected to be compromised, it's banned, so as to ensure no one gets scammed. Do you have a better solution?

The ban reason looks pretty good - it explains why you were banned, and welcomes you to open a new account. There have been occasions when we were able to satisfy ourselves that an account could be reinstated, but those are rare. TBH, in your case with an account that was only a year and a half old and had not much more than 100 posts, I wouldn't think a new account would be a big deal.
01-19-2015 , 04:11 AM


Edit: I fail at embedding, apparently.

https://www.youtube.com/watch?v=opRMrEfAIiI (Jimmy Kimmel - What is your password?)

Last edited by Videopro; 01-19-2015 at 04:53 AM. Reason: Yea you do...you only need the video's ID between the tags.
03-10-2015 , 03:04 PM
Are we supposed to be posting IP addresses from failed log in attempts or PM'ing them to somebody or what?

I'm pretty excited about this. I am proud to know that I finally have something of value to the scumbag scammer community. I worked hard for this moment!
03-10-2015 , 03:18 PM
You can PM them to me.