Mike
Well-Known Member
We had an issue crop up on the forums in the last couple days and I want to remind everyone that we want to remain security-minded at all times.
I spend a lot of time trying to make this site easy for the search engine spiders and bots to crawl, but there are also some malicious bots out there. I have some of them IP blocked at the root level of the site with an .htaccess file. I also do some directing, some blocking and some throttling with a robots.txt file at the root level. I try to keep the malicious bots out and the good bots focused on forum content with these files.
Unfortunately, none of these bots wear a sign around their necks, identifying them as good guys or bad guys. And some of the bad guys don't like to obey the directives in our robots.txt file. So I spend a bit of time looking around, trying to keep a handle on the malicious bots so I can block them.
It seems we had an e-mail scraper run through here. A member had his e-mail in his signature and it was scraped. It resulted in him getting an e-mail from a spammer.
So let's talk about security for a bit.
Since Day One, I have had the option to display ANY e-mail addresses shut off. That way none of our e-mail addresses are available on the front end of the forum. So I recommend that none of you display them in your signatures, either. A scraper looks for text containing - text@text - and it copies it. And before you think textATtext is safe, I've seen scrapers that will scrape that bit too. If you need to convey an e-mail address, do it via Private Messages.
Do not post your street address or phone number to the open forum. Never, ever, never. Think about it - I don't know a single one of you personally, but I know that the majority of you have an above average amount of disposable income. You can afford a T-Bucket. And chances are you built it, which means your garage has likely got a lot of tools in it. And look, you've even posted a picture of your T sitting in the driveway of your $350,000 home. And now, you want to divulge your address or phone number to the world?!?
I've been going through a recent spate of members forgetting their passwords. Please hover your mouse over the attached image, below. When I log into the Admin Control Panel, this is a portion of the information associated with your accounts that I can see.
Notice how that Password field is blank? I can change them, but I don't get to see them. I can't even sift through the database to find them, as they are encoded. When you enter your password at registration, it passes through an MD5 hash generator, where it becomes a 32 bit hexadecimal string.
Here is an example of an MD5 hash - My name (Mike) looks like this - 1b83d5da74032b6a750ef12210642eea
For those that are thinking this hash could be easy to break, we're not finished here. This hash then gets salted with my vBulletin customer account number, which adds another 13 characters to the hash.
We're still not finished, because this 45 character string passes back to the MD5 generator again, to generate another hexadecimal string.
Your passwords are as secure as we can make them. But nothing is foolproof. For this reason, I cannot stress how important it is for you to reset your passwords on a regular basis. Once every other week, once a month, once every six weeks, whatever you feel comfortable with. Just keep the password changing, all the time. And do NOT, under any circumstances, use the same password on multiple sites. If someone has it in for you, there's no sense in making life easy for them as they set about making life miserable for you.
A good password will be a string of at least 8 random characters. An example of a good password might be something like LrF9qZ3p. And if you simply cannot remember a string like that, then write it down somewhere. With a couple of caveats - don't write down what the string really is and don't hide the note under your keyboard, mousepad or desk drawer.
Of course your note can say T-Bucket Forums Password - LrF9qZ3p and you can tape it to your monitor, where everyone can find it. If you are that forgetful, please be sure to mow your lawn with an electric mower, so you can find your way back to the house when you finish.
If you forget your password, you can request the forum software send you a temporary (use it right away, tomorrow will be too late) password, that will let you get logged back in and get the password reset to something you will remember.
I've had a handful of members that are apparently still drinking Mama's milk whining about how difficult the forum-generated passwords are to use. :doh: Guys, guys, guys, your passwords are not meant to be easy. For that reason, the forum doesn't generate simple passwords. But it is a very simple matter to make that 'difficult' password work. When the e-mail arrives with your temporary password, highlight the password with your mouse, copy the password to your operating system clipboard, point your browser to the forum, enter your username and then click in the password field. From there, it is as simple as pasting the new password into that field. Once you are logged in (see how simple that was?), visit your User Control Panel to edit your password to something you can remember.
If you do not understand how to copy-n-paste with your computer's operating system, shut your computer off, immediately. Find a local computer club that will teach you the basics of your operating system and attend their classes until you have a handle on how to operate your computer system. Do not drive any motor vehicles or operate any equipment more complex than a crayon, as these devices will also be far too technical for you to use.
If all else fails, use the Contact Us link, located at the bottom of every forum page. Send me a message WITH YOUR USERNAME INCLUDED (just in case I've left my crystal ball at home that particular day) and I will manually change the password for you. (Note - I will change your password at my earliest possible convenience, so be patient. It might not even happen today, but I will get it changed for you. If you feel the overwhelming desire to contact me a second time to give me a cussin' for not getting to it straight away, I assure you it will never be changed.) Once you get logged into the forums, please visit your User Control Panel to change the password to something only you will know.
Following these steps will help to keep your user information secure.
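The hashing steps described in the post, sketched in Python as an added example (not part of the original post and not vBulletin's own code), next to a per-user-salted PBKDF2 hash from the standard library for comparison. `SITE_SALT` is a constructed 13-character placeholder and the function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SITE_SALT = "X" * 13          # constructed placeholder for the 13-character salt
PBKDF2_ROUNDS = 600_000       # assumed work factor for the comparison scheme


def forum_style_hash(password: str, salt: str = SITE_SALT) -> str:
    """Scheme as the post describes it: md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()  # 32 hex chars
    combined = inner + salt                                     # 45 characters
    return hashlib.md5(combined.encode("utf-8")).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Comparison scheme: random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def kdf_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = kdf_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def same_password_collides() -> Tuple[bool, bool]:
    """Do two accounts with the same password get the same stored value?"""
    pw = "LrF9qZ3p"  # sample password quoted in the post
    shared_salt = forum_style_hash(pw) == forum_style_hash(pw)
    per_user_salt = kdf_hash(pw)[1] == kdf_hash(pw)[1]
    return shared_salt, per_user_salt


if __name__ == "__main__":
    shared, per_user = same_password_collides()
    print("one shared salt, identical stored hashes:", shared)
    print("per-user salt, identical stored hashes:", per_user)
```

With one salt shared by every account, two members who pick the same password end up with the same stored hash; a random salt per account removes that link, and the iteration count makes each guess against a stolen table slower.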