Do not Pass(word) Go

Sleuth Admin
Tale Spinner

Feb-2-2008 15:08

We had a little incident with passwords and unauthorized access that I want to share because it has some important lessons in it:

Player A, a subscriber, had used a very weak password (her detective's name). An intruder was able to guess the password and gain control of her detective. The intruder then changed her password and email address so that the rightful owner was locked out of the account.

That detective belonged to an agency that shares some of its passwords. As a result, she had a message containing the password for Player B's account in her inbox. The intruder was able to gain control of Player B and lock out the rightful owner of that account.

After a few other members of this agency became suspicious, they notified me and some of the moderators of the problem. Several hours later, we were able to unravel the whole mess, change the passwords, contact the owners and ban the IP address of the intruder.

So, some lessons here:

1) Pick an adequately secure password. It should have at least 6 characters and preferably include numbers, letters and special characters.
Do not use "password".
Do not use your detective's name.
Do not use "1234" or similar.
Do not use "qwerty".
Do not use "sleuth".

2) We strongly discourage password sharing. Our official policy is that we don't help with password related issues at all if you belong to an agency that shares passwords. If you do decide to share passwords, do not post them on your agency message board, and delete them in your PMs (delete them from both your inbox and your sent mail folder).
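The rules in lesson 1 written out as a small checker, added here as an example and not code from the post or from the Sleuth site. The detective's name is passed in as a parameter; reading "1234 or similar" as any stepping or repeated run of 4+ characters, and treating the banned words as substrings rather than exact matches, are assumptions of this example.

```python
import string

# Strings the post bans outright. Matching them as substrings is a stricter
# reading than the post's exact wording (an assumption of this example).
BANNED_WORDS = ("password", "qwerty", "sleuth")


def is_simple_sequence(pw):
    """Interpret '1234 or similar' as a run of 4+ characters that steps by
    +1 or -1, or repeats one character (12345, abcd, 4321, 1111)."""
    s = pw.lower()
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({0}, {1}, {-1})


def check_password(pw, detective_name=None):
    """Return {'ok': bool, 'problems': [...], 'advice': [...]}.

    'problems' are the post's hard rules (minimum length, banned strings,
    the detective's name, simple sequences); 'advice' is its 'preferably'
    rule about mixing character classes, which does not fail the check."""
    low = pw.lower()
    problems, advice = [], []
    if len(pw) < 6:
        problems.append("fewer than 6 characters")
    for word in BANNED_WORDS:
        if word in low:
            problems.append(f"contains banned word '{word}'")
    if detective_name and detective_name.lower() in low:
        problems.append("contains the detective's name")
    if is_simple_sequence(pw):
        problems.append("is a simple sequence like 1234")
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    if not (has_alpha and has_digit and has_special):
        advice.append("preferably mix letters, numbers and special characters")
    return {"ok": not problems, "problems": problems, "advice": advice}


if __name__ == "__main__":
    # Constructed sample passwords; "Holmes" stands in for a detective's name.
    for candidate in ("password", "Holmes", "123456", "qwerty1", "Gr3y-Fox!7"):
        print(candidate, check_password(candidate, detective_name="Holmes"))
```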

