darkhavens (darkhavens) wrote,

Thank you letters and another PSA

First of all, thank you to everyone who sent birthday wishes, by email, ecard, PM, comment and journal post. (If anyone sent one by skywriter... I missed it. Sorry. :D ) It was a wonderful day full of the bestest food and the bestest booze and the bestest boys doing the bestest things to each other. ;)

Secondly, to anyone who has a flist of 500+ or moderates a comm of 500+, you need to READ THIS POST IMMEDIATELY.

Thirdly, and this applies to everyone, here is a little security advice for your lj:
If you enable a security question, then anyone attempting to get your password sent to an email address will have to answer a security question first. This includes you, so REMEMBER THE ANSWER. (You can make up your own question so there's no excuse for forgetting!)

Edited to correct false info (thanks, uniquewonders):

You have to answer the security question only if you've lost access to all of the e-mail addresses associated with your account. The security question was precisely implemented "as an alternate method of restoring access to your account in case you have forgotten your password and cannot access any of the email addresses associated with your LiveJournal account."

"If you don't have access to your mailbox, and you have recorded a secret question and answer for use with your account, you will be able to change your password in 5 days. This waiting period is due to security reasons. You must return to the Lost Information page after (five days), enter your username, and press "Continue" in order to reset your password using this method. If you successfully log in at any time during the 5 day waiting-period, this request will be canceled."

So, all in all, not as good a security feature as I'd thought.

ETA2: it has just been pointed out to me (thanks ciaran_h) that having a security question may actually reduce the security of your lj, especially if you do not log in every day (ref: the 5 day waiting period mentioned above):

Normally, you can only reset your password in LJ if you have access to the current email address on your account or any previously validated address. Before the security question was set up, there was no way for anybody who was not logged in as you to reset your password if they did not have access to one of those email addresses.

However, with a security question set up, the password can be reset using *any* email address merely by knowing the answer to the secret question - and chances are, many people will pick a question that can probably be answered by looking at their journal posts. It can be significantly easier for a hacker to know the answer to a secret question than it normally is for the same person to have access to one of your email addresses.

Also, if the person has access to your email address, they don't have to go through the secret question - the question is only there for the benefit of anybody who loses access to their validated email address, because there's no other way to regain an account.

There's more info on this at this FAQ: http://www.livejournal.com/support/faqbrowse.bml?faqid=287 .
To remove old addresses, you will need to have a validated email addy that is at least 6 months old. This prevents someone from reregistering an old Hotmail address (for example) you deleted years ago and which Hotmail has since purged. It can happen. It has happened.
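To make the two reset paths concrete, here is an added toy model (my own illustration for this post, not LiveJournal's code) of the recovery rules quoted above: a validated address resets immediately, the secret-question path needs no validated address but waits 5 days, and a successful owner login cancels the pending request. The addresses and the answer "rover" are made-up sample values.

```python
from dataclasses import dataclass
from typing import Optional

WAIT_DAYS = 5  # waiting period quoted from the LJ FAQ excerpt above


@dataclass
class Account:
    validated_emails: set
    secret_answer: Optional[str] = None       # None = no security question set
    pending_reset_day: Optional[int] = None   # day a question-based reset was requested


def request_reset(acct: Account, from_email: str, answer: str, today: int) -> str:
    """Model of the two reset paths described in the post (assumption, not LJ's real logic)."""
    if from_email in acct.validated_emails:
        return "reset-now"        # classic path: proof of access to a validated mailbox
    if acct.secret_answer is None:
        return "denied"           # no question set: an unvalidated address gets nothing
    if answer == acct.secret_answer:
        acct.pending_reset_day = today
        return "pending"          # must wait WAIT_DAYS; cancelled if the owner logs in
    return "denied"


def owner_logs_in(acct: Account) -> None:
    acct.pending_reset_day = None  # a successful login during the wait cancels the request


def finalize_reset(acct: Account, today: int) -> str:
    """Second visit to the Lost Information page after the waiting period."""
    if acct.pending_reset_day is None:
        return "no-request"
    if today - acct.pending_reset_day < WAIT_DAYS:
        return "too-early"
    acct.pending_reset_day = None
    return "reset-now"


def scenario(has_question: bool, owner_login_day: Optional[int]) -> str:
    """Outcome for a requester who knows the answer but controls no validated address."""
    acct = Account({"owner@example.org"}, "rover" if has_question else None)
    first = request_reset(acct, "outsider@example.net", "rover", today=0)
    if first != "pending":
        return first
    if owner_login_day is not None and owner_login_day < WAIT_DAYS:
        owner_logs_in(acct)       # the owner noticed in time (logged in within 5 days)
    return finalize_reset(acct, today=WAIT_DAYS)
```

Without a question the outsider is denied; with a guessable answer and an owner who does not log in for five days, the reset goes through.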

Wondering why I'm so worried? It's because posts like this [screenshot of such a post not reproduced here] have started popping up in various comms again, and that's not good. If you follow a link in a post like this, you should run your antivirus programs immediately, as the linked pages can contain viruses and keyloggers, and if they gain control of your journal, they will systematically delete every single post there, and then they will attack any comms you moderate.

It sucks, but them's the facts. For a much better look at the problem, read acari's post "how not to become the next hacker victim".

(Please don't ask for technical details or help because all I've done is read the posts that are floating around and thought "I gotta warn everyone!". If you read the linked posts, you have as much info as I do.)
Tags: me, psa
