darkhavens (darkhavens) wrote in bloodclaim,

Security PSA - PLEASE READ (edited at 18:45 and 19:26)

Here is some important lj security advice:
If you enable a security question, then anyone attempting to get your password sent to an email address will have to answer a security question first. This includes you, so REMEMBER THE ANSWER. (You can make up your own question so there's no excuse for forgetting!)

Edited to correct false info (thanks, uniquewonders):

You have to answer the security question only if you've lost access to all of the e-mail addresses associated to your account. The security question was precisely implemented "as an alternate method of restoring access to your account in case you have forgotten your password and cannot access any of the email addresses associated with your LiveJournal account."

"If you don't have access to your mailbox, and you have recorded a secret question and answer for use with your account, you will be able to change your password in 5 days. This waiting period is due to security reasons. You must return to the Lost Information page after (five days), enter your username, and press "Continue" in order to reset your password using this method. If you successfully log in at any time during the 5 day waiting-period, this request will be canceled."

So, all in all, not as good a security feature as I'd thought.

ETA2: it has just been pointed out to me (thanks ciaran_h) that having a security question may actually reduce the security of your lj, especially if you do not log in every day (ref: the 5 day waiting period mentioned above):

Normally, you can only reset your password in LJ if you have access to the current email address on your account or any previously validated address. Before the security question was set up, there was no way for anybody who was not logged in as you to reset your password if they did not have access to one of those email addresses.

However, with a security question set up, the password can be reset using *any* email address merely by knowing the answer to the secret question - and chances are, many people will pick a question that can probably be answered by looking at their journal posts. It can be significantly easier for a hacker to know the answer to a secret question than it normally is for the same person to have access to one of your email addresses.

Also, if the person has access to your email address, they don't have to go through the secret question - the question is only there for the benefit of anybody who loses access to their validated email address, because there's no other way to regain an account.

There's more info on this at this FAQ: http://www.livejournal.com/support/faqbrowse.bml?faqid=287 .

To remove old addresses, you will need to have a validated email addy that is at least 6 months old. This prevents someone from reregistering an old Hotmail address (for example) you deleted years ago and which Hotmail has since purged. It can happen. It has happened.

Anyone who has a flist of 500+ or moderates a comm of 500+ should READ THIS POST IMMEDIATELY.

Wondering why I'm so worried? It's because posts like this have started popping up in various comms again, and that's not good. If you follow a link in a post like that, you should run your antivirus programs immediately, as the linked pages can contain viruses and keyloggers, and if they gain control of your journal, they will systematically delete every single post there, and then they will attack any comms you moderate.

It sucks, but them's the facts. For a much better look at the problem, read acari's post how not to become the next hacker victim.

Comments disabled as I cannot provide any more help/advice than is contained in the posts linked here.
Tags: !modpost
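
A small model of the two reset paths described in the post, added here as an illustration; it is not LiveJournal's code. The class and function names, the case-insensitive answer comparison and the sample accounts are assumptions; only the 5-day wait and the cancel-on-login rule come from the FAQ text quoted above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

WAIT = timedelta(days=5)  # waiting period from the FAQ text quoted in the post

@dataclass
class Account:
    validated_emails: Set[str]
    secret_answer: Optional[str] = None   # None means no secret question is set
    logins: List[datetime] = field(default_factory=list)  # successful owner logins

def reset_by_email(acct: Account, mailbox: str) -> bool:
    """Email path: only someone who controls a validated address can reset."""
    return mailbox.lower() in {e.lower() for e in acct.validated_emails}

def reset_by_question(acct: Account, answer: str,
                      requested: datetime, returned: datetime) -> str:
    """Secret-question path: correct answer, 5-day wait, no login during the wait."""
    if acct.secret_answer is None:
        return "unavailable"
    # Assumption: answers are compared case-insensitively; the post does not say.
    if answer.strip().lower() != acct.secret_answer.strip().lower():
        return "wrong-answer"
    if returned < requested + WAIT:
        return "too-early"
    if any(requested <= t < requested + WAIT for t in acct.logins):
        return "cancelled-by-login"
    return "reset-allowed"

def question_path_exposed(acct: Account) -> bool:
    """True if the login history has a gap longer than the waiting period, so a
    request filed right after a login would not have been cancelled."""
    if acct.secret_answer is None:
        return False
    times = sorted(acct.logins)
    return any(b - a > WAIT for a, b in zip(times, times[1:]))

# Constructed sample data (not from the post).
DAY = datetime(2024, 1, 1)
daily = Account({"owner@example.com"}, "rex", [DAY + timedelta(days=d) for d in range(10)])
weekly = Account({"owner@example.com"}, "rex", [DAY + timedelta(days=d) for d in (0, 7, 14)])

if __name__ == "__main__":
    print("daily exposed: ", question_path_exposed(daily))    # False
    print("weekly exposed:", question_path_exposed(weekly))   # True
```

With no secret question set, `reset_by_question` always returns "unavailable", which leaves the validated email addresses as the only way in.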
