Passwords and botnets

Image by rob _pym on Flickr

It appears that a large botnet of about 90,000 home computers is trying to break into WordPress sites (hat-tip to @TheMacFixer) using a brute force attack. This news instantly made me log in to WordPress and review my password security. My existing password was 12 characters, non-dictionary, numbers and letters and symbols, uppercase and lowercase. So yes, quite secure.

Selecting the new password function I found that a 50 character password generated by 1Password is acceptable to WordPress. So I saved that.

This isn’t it of course, but it looks like rhe6sham0sara3jypi1rhu2purt9thop3xupe2duki6li2rhim

Do your worst, botnets.

Getting your Facebook a little more private in these open “Graph” days to come

No doubt you’ve heard of how Facebook privacy settings can prove the undoing of your privacy when potential employers see your embarrassing posts and photos. Well, the new “Graph” search function that’s soon to be implemented will open up these possibilities even more – unless you know how to adjust your settings to protect not only you, but your friends as well.

Dear M&S why oh why do you need so much PII to log me in?

I needed to phone my credit card provider today. The telephone login procedure to their overseas call centre raised alarm bells for me. Too much PII. So I’ve emailed them as follows:-

I just had to call CS as the website was not allowing logins. I am concerned about the amount of PII that I had to give your operator to log in.
I was asked for:-
My CCN (obviously needed)
First line of my address
My postcode
and my password.

This, IMO, is excessive. You *do not* need all this information to identify me when I call you. All your operator needs is my CCN and my password. Otherwise, why set a password?!?
I would be more than happy to discuss this at length with your IT / security / infosec department. Please get them to call me, Peter, on 077** *** ***. Many thanks for your help. I look forward to hearing from you. <email ends>

How much Personally Identifying Information do you give away when you call your bank or credit card company? Too much? The right amount?

Dear Mr, You have inherited $17.7 million USD. Just phone or email.

I’m used to getting spam emails, but this was a letter. Plain envelope, no return address, correctly addressed to me at my company address.

I’ve scanned a copy for reference. Note the not-quite-vertical format, suggesting it’s a scan. A scan of a scam ….. badumtish.

Contact details are

[for the sake of stating the bleeding obvious, please do not send an email to this address]

Tel +852-8197-4465

I think I might give him (or her?) a call about 04:30 local time. All excited.

The fact that these letters keep coming means that people are still getting sucked in. Which in turn means we need to put the details out there so that if anyone googles that email address or phone number they get this post. Part of our civic duty, as @TroyHunt would say.