It doesn't have to be mandatory, but users could be strongly encouraged to use it. It also doesn't have to be that annoying, only necessary when logging in on a new device etc.
Shame Vanilla doesn't support it.
I have the file which this particular scammer is using - of the forum members I've found in there (there's a lot to go through - roughly 230 million email addresses), all of them have single-word passwords that would take seconds with a dictionary search and a hash.
Coincidentally, those are precisely the people who look at MFA and say "Nope, that's too much like hard work". Ergo, it has to be mandatory, or it's pointless for this purpose.
Mine wasn't a single word, and was about 15 characters, but I've still changed just in case.
I wasn't only looking through the prism of this attack. MFA is generally considered a Good Thing to verify that users are who they claim to be, and a useful part of an overall security posture. No need to bat it away because it doesn't work when it's switched off.
If there isn't an option, I don't think users can be blamed for not taking it and perhaps more than you think would; as I said earlier it's becoming part of the mainstream. Even my mum deals with it (she's 86, bless).
Not sure if there's a way to only target users with relatively insecure passwords as I assume they aren't stored in the database in cleartext and the hashing is hard to break.
Maybe emailing users who haven't been active for a long time e.g. over a year on the (possibly mistaken) basis that these accounts are more vulnerable than accounts of frequent users.
I'm thinking that users become more aware over time so it's more likely that User X had "password" as their password years ago but now is more enlightened.
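One way a site can act on the point above without ever being able to read stored hashes, as an added example that is not the forum's own code: screen the password at login, the one moment the plaintext is briefly in hand, and force a reset (or prompt MFA enrolment) rather than silently letting a single-word password through. The breach set, the mini dictionary and the minimum length are constructed stand-ins for whatever the site would actually use.

```python
"""Login-time weak-password screen (added example, not the forum's own code).

Stored hashes cannot be inspected, so the practical moment to catch a
single-word password is at login, when the plaintext is briefly in hand.
Assumptions: the site can flag an account for a forced reset, and the
breach set below is a constructed stand-in for a real breached-password
corpus kept as SHA-1 digests rather than plaintext.
"""
import hashlib
import re

MIN_LENGTH = 12
LEET = str.maketrans("0134@$", "oieaas")

# Constructed stand-in for a breached-password corpus (SHA-1 digests only).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "guitar1", "fender123", "letmein", "qwerty")
}
# Constructed mini dictionary of the single words the thread is worried about.
DICTIONARY = {"password", "guitar", "fender", "gibson", "letmein", "telecaster"}


def root_word(candidate: str) -> str:
    """Reduce 'Guitar1!' or 'F3nder99' to the dictionary word underneath."""
    stripped = re.sub(r"[^a-z]+$", "", candidate.lower())
    return stripped.translate(LEET)


def assess(candidate: str) -> list[str]:
    """Return the reasons a password should be rejected (empty = acceptable)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if root_word(candidate) in DICTIONARY:
        reasons.append("single_dictionary_word")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("in_breach_set")
    return reasons


def post_login_action(candidate: str, mfa_enrolled: bool) -> str:
    """Decide what to do after the stored hash has already verified.

    Weak password -> force a reset before a session is issued.
    No MFA        -> let the user in but prompt enrolment, as suggested above.
    """
    if assess(candidate):
        return "force_reset"
    return "allow" if mfa_enrolled else "allow_prompt_mfa"
```

The check runs only on the password the user just typed, so the site never needs the plaintext of anyone who has not logged in, which is exactly why dormant accounts stay unchecked until they do.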
With that said, that's all strategic thinking; right now, I'm staying well away from that because of the immediate concerns...which are strictly in the realms of "How much can we sacrifice to prevent further accounts being compromised under this attack (or similar)?".
Apologies in advance for the following word vomit. I'm sure I'll be called out for mistakes in the following, but some observations as a potential scam victim:
These 3 sale threads (2 sellers) have all been closed/banned by yourselves for potential scams. But the thread title still says 'sold', which is false if anyone was searching the forum. Can the title be appended with 'potential scam investigation' or something to make it obvious?
And/or can the first post in the sale thread have some verbiage _added_ so that if anyone opens it, the first thing they see is a message that this sale is being investigated, or has been confirmed a scam. This just helps with awareness in the future.
This is also the most effective way to deal with it, because it guarantees that the message goes to the whole modmin team; sending a PM to one of us relies on that person being available.
However, if it's a non-urgent issue or something you think needs a bit of discussion, a PM will do fine.
I was blinded by a guitar I always wanted. The seller had been a member for 10 years, had lots of points and badges etc., answered all my questions about the guitar and asked for PPFF. I obviously thought the whole thing was genuine and, not wanting to miss out, I agreed.
Yes, I am still numb from the experience and hope no one else has to go through anything similar.
the vendor gets precisely what they requested, I pay the few % extra for peace of mind.
If handled tactfully, no one seems to mind, and if anyone does object, there’s your red flag.
I appreciate this is shutting the stable door after this particular horse has bolted, but just a spot of well-meant future advice for my Brothers and Sisters in GAS \m/