Atlas Quest: May 2007

Thursday, May 31, 2007

Time for Some Hostility?

Okay, I have to confess, I'm not feeling especially hostile at the moment. I'm only posting because of Mark & Sue Pepe's blog, title Time for Some Civility?, which was posted earlier today, and I thought it would be hilarious to get a contrary headline next to it in Letterboxing News. =)

Just so this post isn't a total waste of your time, though, check out these Posting Guidelines I wrote a few years back. There's a Civility version, and a Hostility version to choose from. =)

Thursday, May 24, 2007

Hacking Accounts, Part III

What a firestorm of suggestions I've gotten since my second post about hacking accounts, many of them very good. The months of the year, hobbies, religious themes, and I even tried a couple of very UN-religious words to hack into accounts, and they're all working. Three people even use 'geocache' as their password!

Growing tired of trying all of these excellent suggestions myself, I've now automated the process. Want to play Guess that Password? Now you can.

So far, we've been able to "hack" into about 10% of the accounts on Atlas Quest. Have you chosen a poor password? Change it now. Really. Chances are, nobody is trying to break into your account, but it only takes one person to make your life miserable. Choose good passwords. It's worth the extra thought.

Hacking Accounts, Part II

So I've updated Atlas Quest to reject the most common and easily guessed passwords. New members and those who try to change their password will be expected to think up some better passwords in the future. While it's unlikely nefarious people will try to hack into an Atlas Quest account, at least let's not make it too easy for them! So not only are the most common passwords no longer allowed, but neither are many variations of them.

This morning, thinking about easy-to-guess passwords, I thought of something that wasn't on the top 10 most common passwords from yesterday's post. The word letterboxing or some variant of it. Makes sense, don't you think? It was just my gut instinct, but I had a hunch I'd find more than a couple of accounts with that password. I was right.

letterboxing: 24
letterbox: 47
letterboxer: 1
letterboxes: 0
boxes: 1
boxing: 3

Running with this theme, what if someone thought about being even more specific? What if they used atlasquest as their password?

atlasquest: 9

What if someone wanted to get very clever and use ryancarpenter as a password?

Alas, nobody loves me that much. No passwords match ryancarpenter. ;o)

Still, I managed to crack open another 85 accounts today. So to add to my growing list of "too easy to guess" passwords, anything with the terms letterboxing or atlasquest or a variant of them will no longer be allowed. For those of you who already use it, you won't be forced to change, but it's highly recommended.

For kicks, I've started typing in random words that come to mind, just to see how easy it is to guess passwords. I've tried snake, yahoo, hotmail, facebook, geocities, google, firefox, intel, microsoft, takeahike, search, inkpad, logbook, keyboard, mouse, monitor, speaker, phone, cellphone, cordless, computer, laptop, camera, digital, stereo, turtle, flies, puppy, kitten, goldfish, finch, chick, and chicken.

There complete guesses on my part, but I'm thinking if people want to think of a password, you'll use an object they might see around them as their password (thus, all of the computer related terms I tried or the websites they might have used before going to AQ), or they might use an animal (for some reason, I suspect a lot of people might use animals as passwords). I was right on both counts and among all those words was able to crack open another twenty or so accounts. Not all of the words had success. Two of the words cracked three passwords each. I'm not going to ban all of those words, though--it's not a complete list of computer accessories or animals and there are probably others I haven't tried.

But animals and computer accessories or websites probably won't be very secure passwords.

Just some more food for thought. =)

Wednesday, May 23, 2007

Has Your Account Been Hacked?!

I was reading PC Magazine this afternoon, and they had a list of the 10 most common passwords people use. I've seen lists like these before, and they always amuse me. Who would USE such OBVIOUS passwords? The potential for hacking such accounts are enormous!

And I wondered--how accurate are these lists? There are nearly 10,000 accounts here on Atlas Quest, and I wondered how many of them would use such obvious passwords?

Passwords, I'm happy to report, here at AQ headquarters are always encrypted using a one-way encryption algorithm. Encryption is a fascinating topic in it's own right, but the interesting thing about this one is that it cannot be unencrypted. You might wonder what use is something that's encrypted if it can't be unencrypted. How can Atlas Quest possibly verify the password you type in is correct if it can't lookup your actual password? It doesn't. Not exactly, at least. It takes the password you type in, then encrypts it using the same algorithm that generated your encrypted password. If the two encryptions match, the same password was used. If they don't, the passwords don't match. At no point does Atlas Quest actually have to store your password in an unencrypted format.

Even if a hacker could get into Atlas Quest, they would never be able to see your real passwords. It's all very slick, and I think it's ludicrously stupid for companies to store passwords in anything but an encrypted format using a one-way only encryption algorithm. After all, what good does it do to encrypt a password if a hacker can just unencrypt it later? I always have my doubts about the security of any website that is able to re-send you your original password. It's either not encrypted at all in their databases, or they use an encryption algorithm that can be undone. There's never a good reason to allow this.

Anyhow, a good, encryption algorithm does nothing if people pick a terrible password to begin with. Atlas Quest doesn't really check for bad passwords. It expects a password to be at least five letters or numbers long, but that's about the only constraint. Out of exactly 9,887 account on Atlas Quest at this moment, let's see how many passwords I can "crack."

Here's the list of the ten most common passwords, and how many accounts I could crack using them:

1. password - 48
2. 123456 - 14
3. qwerty - 4
4. abc123 - 4
5. letmein - 3
6. monkey - 14 (say what?!)
7. myspace1 - 0
8. password1 - 1
9. blink182 - 0 (okay, I know this has to have some meaning, but I have no idea what. If you do, please let me know!)
10. (your first name)

I'm leaving that last one blank for now--there's some commentary I want to do with that which I'll get to in a bit. The nine most common passwords, though, could get you into 88 different accounts here on AQ. Are you one of them? I'd suggest you change your password so it's not so easy to guess.

I once read that "god" and "money" were two common passwords. "god" won't work since it's not at least five characters long, but "money" does so I tried that one as well and could break into one more account with that password.

Now back to that #10 on the most of most common passwords. It asked for first names, but I also wondered about last names and trail names, so I tried all three. Additionally, I figured most people type in their passwords in all lower case, but some people might not. Passwords are case-sensitive, so I tried both versions--with the name as all lowercase and exactly as the member spelled it on their account.

Holy jumpin' junipers, people!

First names: 99!
Last names: 62!
Trail names: 118!

Grand total, I was able to "break into" 368 accounts on Atlas Quest. That's nearly 4% of all the accounts on this site.

For kicks, I tried variations of the most common passwords. What about adding "123" to the word passwords? Like "qwerty123" instead of just "qwerty". Bang! Got into another account. What about "first name" + 123? Figured out another person's password. The last name plus 123 got me into two more. And the username plus 123 cracked another member's account.

The lesson to be learned here, if you really want your accounts to be safe, stay away from those passwords you see on this top ten list. I imagine I could break into many more accounts if I had additional personal information I could compare such as birthdays, pet names, children's names, etc.

The best passwords I've heard of people using do not use real words, include upper and lowercase characters, and include numbers. (Not numbers that's just a 1 at the end of the password, or 123 for that matter!)

For instance, think of your favorite song, then turn the first letter of each word of it's name into your password. For instance, I Love a Rainy Night, could be turned into Ilarn. It's by Eddie Rabbit, so I'll add his initials to the end as well and get IlarnER.

Nobody is going to guess that password, but it's still very easy to remember. It doesn't have to be song titles. Any easy to remember phrase can work. "A penny saved is a penny earned" could turn into "ApsiapeBF". Throw in a couple of numbers for good measure. "ApsiapeBF1776" perhaps.

I'll update the site to reject these easily guessed passwords soon, but I won't force those of you with poor passwords to change. But it's highly recommended, though. You can change your password at any time from the Account Info page.

Be safe. Choose your passwords wisely.

*** This public service has been brought to you by Ryan. No accounts were harmed in the making of this announcement.

Saturday, May 19, 2007

Plant-a-Letterbox Day is around the corner!

Yes, the 2nd annual International Plant-a-Letterbox day is just around the corner. Next Thursday, May 24th, to be exact. Last year, was thrown together at the last minute, all in a feeble attempt to crash Atlas Quest. ;o)

This year is a bit more organized, even including an event listing for your planting pleasures. Additionally, for those who want to follow minute by minute with the number of boxes being planted and how many people are planting, I've created the official Plant-a-Letterbox Day page on Atlas Quest. The countdown has started. Just 390,530 more seconds before the event begins, at least at the time I write this.

Some of the eagle-eyed readers out there may notice that the numbers won't necessarily match the What's New? list. The What's new list is based on the most recently listed letterboxes, while the Plant-a-Letterbox page is only counting the boxes as being planted on May 24th. So technically, even if you plant your letterbox on the 24th but don't have a chance to list it until the 25th, it would still count towards Plant-a-Box day.

For those of you wondering about the discrepancies between last year's counts that I announced last year and the counts listed on the Plant-a-Box page, I've counted only boxes that were planted on May 24th of last year to be consistent with how the numbers are counted this year. Last year, I added both the boxes that were listed on May 24th and those that were planted on May 24th, and those were the numbers I announced. To simply the counting this year, I'm only counting boxes based on the plant date and not the listing date.

Did that make sense? The listing date is the date a box is listed on Atlas Quest while the plant date is specified by the person who listed the box and is supposed to be the actual day the box was put into place. Two dates, same box, but this year, it's the plant date that counts. If you're planting a box for Plant-a-Box day, be sure the plant date is May 24th.

Now.... I need to get cracking myself. I haven't carved any stamps or found any hiding places for my contributions this year, and OH MY GOSH! I'm down to 389,578 seconds before the 2nd annual International Plant-a-Letterbox Day is here!

Friday, May 18, 2007

Tired of my posts?

If so, have I got news for you. =) You can now opt out of them! In fact, you can opt out of any blogs you don't want to read anymore, and opt into a slew of new blogs now available. You can now customize Letterboxing News to suit your own needs instead of the one-size-fits-all that used to be the norm.

For the quick-eyed folks out there, you might have noticed a new option under the People menu option called Read Blogs. This is where all the magic happens. You can add your own blogs that other members may subscribe to, or browse through other people's blogs and subscribe (or unsubscribe) to the ones that seem most interesting to you.

Posts to your subscribed blogs will show up automatically as Letterboxing News on My Page.

By default, everyone is subscribed to the blogs you've always seen and enjoyed. If you'd rather not read some of these defaults, don't! Unsubscribe to them. Premium members, who've had a sneak peek of this feature, have already added several of their own blogs that you can now subscribe to as well. I'm a big fan of the Dorks Anonymous blog myself. Hilarious stuff there, even if it's not usually about letterboxing. =)

And if you don't want to see posts like this one in your Letterboxing News? Unsubscribe from the Letterboxing is Fun blog. There's often good information in it about updates to Atlas Quest--such as this one--however, so of all the blogs, it's probably the most useful to know what's going on on this site. You can unsubscribe, but I wouldn't recommend it! ;o) I have three other blogs I've listed, though, two of which you are not subscribed to automatically since they aren't about letterboxing. The last blog of mine, Ryan's Great Adventures, isn't usually about letterboxing, but a lot of people seem to enjoy that so it's still a default. If you don't want to hear about my travel adventures, however, feel free to unsubscribe.

This feature has been brought to you by Ryan. No bloggers were harmed in the making of this feature.

Monday, May 14, 2007

Help Wanted

There's a major problem with Atlas Quest. Most of the time you guys don't notice it, but whenever I'm out of Internet access for any length of time, a serious problem could occur and I won't be around to handle it. That's a problem. I am the sole webmaster on Atlas Quest.

There are a couple of admins who can edit inappropriate messages or investigate "personality clashes." I sometimes use them to bounce ideas off of as well. =)

But Atlas Quest needs another webmaster. Not someone to develop the website--I'm more than happy to do that myself--or even maintain the day-to-day aspects of the site. But rather, I need someone with a technical background who can repair the database if it becomes corrupted while I'm off backpacking deep in the forests without an Internet connection. Someone who can hop into action when the server locks up and needs to be reboot.

So I'm looking for an honest-to-goodness webmaster who I can depend on to handle the emergencies of the website when I'm not available to do so. Preferably a couple of them.

That's basically the main task. There's a message board for webmasters to chat here, but it's a lonely board since I'm the sole person who can read it. I use it to jot notes to myself at times, but it's not a very interesting board. Might be fun to have another webmaster or two to chat with about the technical details of the site.

The type of skills a person would need include:

* Database experience (MySQL preferred)

* Good understanding of object-oriented designs

* PHP experience preferred (though not required--you can learn as you go, and I don't expect you'd be handling that part of the website much)

* Apache experience preferred (again, not required, but someone who knows a lot more about it than I do would be greatly appreciated!)

* Experience wading around the Unix-flavored operating systems (again, you can learn as you go, but someone with a lot more knowledge than me would be greatly appreciated!)

* Someone who uses Atlas Quest, is familiar with how the site works, it's capabilities, and the other members who use it.

* Someone who'd be willing to help as a webmaster for a long, long time. =) I really don't want to have to retrain someone every couple of months!

* Someone who'd enjoy the job "for the glory." I can barely cover my own expenses much less start paying someone else to help. =) Perhaps free premium membership and my eternal thanks as a perk, but that's about it.

Ideally, it should be a pretty easy job with absolutely nothing to do most of the time. If someone is really interested in helping to develop a feature or improvement and taking a more active roll in the job, I'm sure we can work something out. It's certainly not a requirement, though, since I still intend to do all development myself.

Think you're qualified? Want to become one of the most powerful people on Atlas Quest? Top of the food chain that makes even the admins quake in the their boots? ;o) Send me an AQ mail and let me know. Be sure to include what sort of technical skills you have or may be short of. And it is okay to be short of some needed technical skills as long as you're willing to learn. When I started Atlas Quest, I wouldn't have even qualified for most of the skills I mentioned!

If you're interested, let me know!

Tuesday, May 08, 2007

Happy Cranmere Day!

Today, as only you folks with AQ calendars probably realize, is Cranmere Day. And even those people are probably looking at the calendar wondering.... What the heck is Cranmere Day? Wonder no more!

Cranmere Day was first held on May 8, 1937, to dedicate the new structure for the Cranmere Pool letterbox. It was a grand event where the letterboxing celebrities of the day waded out to the world's first letterbox.

I first learned about Cranmere Day last year while trekking around Dartmoor, but it wasn't until I created last year's Atlas Quest calendar when I started thinking about what sort of letterboxing holidays we had and I decided to revive this particular one. Mostly because I enjoyed the story behind Cranmere Day than the fact it has any real significance.

I posted an excerpt about that first Cranmere Day back in 1937. Seventy years would pass before Cranmere Day was celebrated again, so in honor of the second Cranmere Day, go find a letterbox. Sprinkle some leaves and dirt over it, and remember those pioneers that started letterboxing.

Additionally, for TODAY only, everyone can record all their finds, including finds on unlisted letterboxes. Just record a find like you normally would, but scroll past the list of listed letterboxes to the list of unlisted boxes and add your own today.

Happy Cranmere Day!