To be sure, there's no real sensitive content on this website.
We talk about home brewing--not exactly "secret sauce" material.
The risk was that once the control of the domain name was lost, a very easy phishing attempt to steal your usernames and passwords could have easily been made.
How would this work?
- A malicious person gains control of the domain name and sets up a look-alike website at the proper web address (the domain canadianhomebrewers.com).
- A user (you?) browses to the CHB site to check the forum.
- You enter your username and password to log in, but you keep getting "incorrect username or password" errors. (The attacker now has your username, and password--double/triple checked for spelling)
- Assuming you've lost your mind, you click the "reset password link" and enter your email address. (The attacker now has your username, password, and email address)
- After a couple tries, the user fills out a "reset your password" form, and enters his email address (Now the attacker has your email address, password, and username)
Think about your current accounts. Do you re-use any passwords?
It's VERY BAD JUJU (See: https://www.cisecurity.org/reusing-pass ... ple-sites/ ) to use the same password across multiple websites, accounts, emails etc.
However, many people still do it.
With your email address (which sometimes gives a very good guess at your real name), username, and password, a would-be attacker has a great start on gaining access to your other accounts.
Consider someone who uses the same password for his e-mail address. In that situation the attacker can log into your email, and reset your passwords at other websites (and, say, drain your PayPal account).
Suddenly, we have a real issue.
In the case of CHB, there was never a compromise. But the risk was there. This is a good opportunity to reassess your password and security practices. There's lots to learn on Google