I always worry about changing my password 'right away' during these attacks, mainly because a compromise that got the forum or its hosting web server to serve up a 'change password' page could capture both new and old password.
When they were attacking Sourceforge.net, I had the same reaction. If you have a more secure kind of password that a dictionary attack won't get, and have no indication that your account has been accessed, changing the password is just putting your password out on the internet, up for grabs....
Pingnak, your password advice can be misunderstood so easily, and there are better ways of going about it.
First, if you think that a system might be compromised, and the login page might be iinsecure, first check the source code of the page, and the page address. Was the web page redirected -- are you seeing the right page address in the URL? In the source, any strange redirects on it? Is it mailto'ing a funny address in china or russia when you hit submit? Search for the "@" symbol to see what emails are contained in the source code on the pages.
If you still doubt it at all, or you don't know what to check, email the admin of the system through the standard webmaster or admin email address for that site asking about it. Until you get a reply or feel the danger is passed, don't use the site.
Also, if you used that same password on other sites or systems -- change the password on those other sites, PRONTO.
Second, when it is time to make a new password... make a new password. NEW. Never seen before. If you think it could become compromised in a future wave of phishing/spam/DB cracking, then make it a unique password that you don't share with similar systems (which is a good practice no matter what.) Also, retire the old password from all uses. Never use it again. Get it off of all systems.
When you make them, make them strong passwords. Like Madbunny suggested, make it a complicated acronym. I suggest taking a lyric from a song, using the first letter of every word, adding numbers or punctuation. Example from an old '70's tune: S!ITNOL (Stop! in the name of love), if you can't use punctuation, use numbers, S1ITN0L. Now that this particular example password is shown, don't use it, it is compromised.
If you need to, keep a piece of paper (well hidden) in your house with a hint of passwords (NOT the passwords themselves). Or keep the same thing on your phone or pda, or whatever. Secure your phone or PDA, while you're at it with a unique and secure password. It is far better to have to use a hint-cheat-sheet for rarely used passwords, than to have weak or similar passwords all left on systems.
But, generally, right now...
- It is time to make a new password
- It is time to turn off the "allow members to email me" function
in the user account settings.
- It is time to remove IM, YIL, ICQ or MSN email or contact information
from the forum profile settings. The spammers and bots are reading that stuff. For the moment, only rely on in-system PM's for member to member communications. There are many members of this forum who are allowing their information be seen too easily. You are handing out your contact info and email address to spammers and strangers.
- When you are done with a session -- LOG OUT by clicking the Log Out button.