Someone tried or has been able to guess my password ?

[ZioMario]

Hello.

What's happening ?

I've just got this message in my email address :

ZioMario,

To complete the login to your account (or to complete two-step verification setup) at The FreeBSD Forums, you must enter the following code:​

hidden​

This code is valid for 15 minutes.
The login was requested via the IP : hidden. If you did not initiate this request, you should change your password urgently.

but I didn't start the login process...

 

[mer]

Check the email headers, it probably did not come from the forums and don't click the link.

This is why I keep saying "email should be just text"

 

[ZioMario]

It seems that it came really from here :

The links provided points here. The IP showed is IPV6 and can't be converted in IPV4...

How does it work ? Someone guessed my password or not ?

 

[rafael_grether]

I don't know, but when in doubt, change your password again (always through the website, never clicking on links).
Changing your password regularly is never a bad thing.

 

[eternal_noob]

Changing your password regularly is never a bad thing.

It is. Research has shown that changing passwords too often can lead to weaker password habits, as users may resort to simpler or more predictable choices just to remember them.

 

[RetroComputingCollector]

Do you have the Android "app"? It auto logs you out after a timer, then logs you in, but it cannot automatically complete the 2FA as it is Chromium based. Visiting the Forums on a Chromium-based browser in Android prompts you to set up an app.

 

[ZioMario]

Which kind of Android app you are talking about ? I always use FreeBSD to login,sometimes Linux.

 

[RetroComputingCollector]

Which kind of Android app you are talking about ? I always use FreeBSD to login,sometimes Linux.

Oh. Nevermind. I have an android phone as I can't take Apple products (just unlock it and flash it with AOSP). The website is configured to add an "app" that is actually a Chromium instance. I use FreeBSD on my PC, but I don't think it runs on phones.

 

[ZioMario]

I have the IP number that tried to login. Which kind of informations can I obtain from it ?

 

[eternal_noob]

Which kind of informations can I obtain from it ?

Maybe this helps:

IPv6 Lookup - Locate IPv6 Address Online

IPv6 lookup tool provides you information about the owner of an IPv6 Address. Just enter any IP6 or domain to find WHOIS, ASN Details, IPv6 location, Company, Organization, Address, Country, City, Reverse IP Lookup.

dnschecker.org

 

[astyle]

It is. Research has shown that changing passwords too often can lead to weaker password habits, as users may resort to simpler or more predictable choices just to remember them.

There's plenty of places that require you to change your password on a regular basis, like once every 3 months (like a toothbrush), AND they require you to have a password that is different enough from the last 5 or 6 ones, AND the passwords do keep getting longer every year.

Might as well learn some new habits to keep your data safe. Most phones have apps available that allow you to manage passwords and keep notes on security questions, and the like. I have over 100 different places that I do need passwords for, the apps are a good way to keep track. And I prefer that over SSO.

 

[RetroComputingCollector]

Might as well learn some new habits to keep your data safe. Most phones have apps available that allow you to manage passwords and keep notes on security questions

But do you trust Apple/Google with your passwords? I wouldn't use Google auth given that it is yet another way to gather your data and show you ads: https://sites.google.com/view/privacypolicyforauthenticator/home

 

[ZioMario]

Maybe this helps:

IPv6 Lookup - Locate IPv6 Address Online

IPv6 lookup tool provides you information about the owner of an IPv6 Address. Just enter any IP6 or domain to find WHOIS, ASN Details, IPv6 location, Company, Organization, Address, Country, City, Reverse IP Lookup.

dnschecker.org

That's interesting. The IP comes from CLOUDFLARENET. I use it everyday,but I didn't try to login. I suppose that someone used the same IP that CLOUDFLARENET assigned to me to login here ?

 

[eternal_noob]

There's plenty of places

such as? I don't know any because our admins are smart. Either we have key-based authentication or the machine is not important.

 

[astyle]

But do you trust Apple/Google with your passwords? I wouldn't use Google auth given that it is yet another way to gather your data and show you ads: https://sites.google.com/view/privacypolicyforauthenticator/home

I don't trust Apple/Google signons, my app is an off-line one. There's quite a few options for offline password managers, and I make sure it's impossible to copy-paste a password. Look it up on one device, type it in by hand on another. And if Apple/Google try to offer SSO, I just say no.

 

[eternal_noob]

I suppose that someone used the same IP that CLOUDFLARENET assigned to me to login here ?

Maybe the forums are protected by Cloudflare and all inbound traffic has a Cloudflare IP.



SirDice may answer that.

 

[astyle]

such as? I don't know any because our admins are smart. Either we have key-based authentication or the machine is not important.

Key-based authentication is only useful in the workplace, in an enterprise environment. Outside of that, it's better to have clunky passwords that one changes on a regular basis (as opposed to Google/Apple SSO).

Teams is one such example, another is Amazon (to answer your question).

After all, it's Wild West Internet, I don't want trackers giving me cookies.

 

[eternal_noob]

Teams is one such example

I use Teams for 3 years now without it prompting me to change my password.

 

[astyle]

I use Teams for 3 years now without it prompting me to change my password.

Well, there are quite a few gov't services that do.

 

[eternal_noob]

It's all a matter of the password policy that the admin dreamt of.

 

[blackbird9]

You are welcome to use my little script...

snippety-snip
---------------------------------------------------------------------------------
#!/usr/bin/perl
#/home/user/bin/mkpwd
use warnings;
use strict;

sub mkpasswd {
my $len = shift;

my $pwd;
my $rexp = qr/(.)\1\1\1+/;
do { $pwd = join '', map { ('0'..'9', 'a'..'z', 'A'..'Z')[rand 62] } 1..$len; } while $pwd =~ m/$rexp/;
return $pwd;
}

my $pwd = mkpasswd $ARGV[0];
print $pwd, "\n";
----------------------------------------------------------------------------------

Install in /home/user/bin/mkpwd
Usage: just say "mkpwd <length>"
for example
$ mkpwd 20
xycg4GO8BVbrFXbFarSx
$ mkpwd 64
Z38UHxDYY58lXwQFwK7sKG226v4BWBvvJti156RKaEhnawsXSSRUUhzltgng8qAL

 

[RetroComputingCollector]

You are welcome to use my little script...

snippety-snip
---------------------------------------------------------------------------------
#!/usr/bin/perl

Wasn't perl removed from base a while ago?

 

[blackbird9]

I hope not... its on my box . What, no perl? Oh well someone can translate it to py-crap then, or rust, so it's "safe"

 

[astyle]

It's all a matter of the password policy that the admin dreamt of.

I'd say it's a matter of tradeoffs, and who has the burden of keeping passwords safe.

Teams admins probably put in a lot of effort into ironing out 2FA and monitoring which device you're using to log into Teams. Tradeoff from that - they know the model of your phone. The reward - less effort for user to maintain the password.

Gov't agency - the priority is serving the public and prevention of identity theft. That's why they organize authentication differently than private commercial shops, and place the burden on the user to protect the password and authenticate.

 

[RetroComputingCollector]

I hope not... its on my box

I don't think it is installed by default anymore. However github still shows that 1.2% of the base system code is written in perl, so I don't really know what the hell is going on.