MetaChat

01 July 2006

Some Bunnies Totally Suck: A Cautionary IRC Tale

Sooo...we know that ChatZilla has been annoying lately. As part of managing the login process, many of us have realized it would be good to register nicknames with nickserv. However, a lot of us have not grown up suckling at the teat of IRC and are not all that familiar with the command systems and how it works. As a result, there have been several recent accidental password revelations.

Last week that happened to me. Someone in the channel at the time -- I can't remember who -- said "I hope you don't use that password for anything else." As it happens, I used the same one for my hotmail account, which is my sorta 'throwaway' account for signups and for Meta*.

I didn't respond to this person. I remember thinking "That comment tells me a lot about you." The fact that this person's mind immediately leapt to password hacking was revealing. I decided to wait and see if anything happened.

Sure enough, I sign in today to discover 53 new emails in my inbox. This person had:

* Signed me up for a newsletter from Iceberg magazine;
* a newsletter called The Source for Music Professionals;
* Submitted some sort of order for printing at STS designs;
* Sent some music submission to a movie soundtrack called "Pressure",

And a bunch of other dumb shit. The dweeb who has done this may be sitting there with a preteen hard-on to see what his effect on the world has been, and I'm sure he's very proud.

I share this story not because I'm surprised -- as I said, I didn't really care what happened with this account, and I actually sort of considered it an experiment; but because I'm not the only one who accidentally let a password slip, and because it's another illustration that we don't really all know one another in this huggable little world here. Some folks hanging out in IRC aren't to be trusted.
posted by Miko 01 July | 08:31
I can't figure out why they would need to use your account to do these things.

I also can't figure out why your password would be necessary to do these things.
posted by Jimbob 01 July | 08:53
They would need the password because any proper mailing list that is not run by incompetent fools requires "closed-loop opt-in" where you can't just enter someone's email address in a form to sign them up, they have to respond to a probe email to assure that they are in control of that account.

Now, actually taking someone's password and doing Bad Things (tm) with it is one thing. But pointing out that you've accidentally revealed your password is beneficial. If you did it by accident wouldn't you want to know that you'd made the mistake so that you can change it? I would be upset if someone /didn't/ tell me if I accidentally did that.

On a sidenote: Chatzilla?!?!? Are you kidding me?? Why in the world aren't you using a real chat client like mirc?
posted by Rhomboid 01 July | 09:27
> I remember thinking "That comment tells me a lot about you." The fact that this person's mind immediately leapt to password hacking was revealing.

Well, it tells me that they possibly do IT work professionally. If a cop sees your open window and warns you to beware of burglars, it doesn't mean that he is one.

That sucks though. At the risk of sounding (apparently) suspicious, I hope that you don't use that password for other, important stuff. I imagine that you've changed all the passwords anyway though.

> On a sidenote: Chatzilla?!?!? Are you kidding me?? Why in the world aren't you using a real chat client like mirc?

Not everyone is equally experienced with IRC

posted by atrazine 01 July | 09:28
Well that's kind of my point -- using a less capable client just makes your life harder. For example in mirc you can just type "/query nickserv" and now you've got a nice little window where you can type all of your nickserv commands directly without having to prefix them with "/nickserv" or "/msg nickserv" -- everything you type there goes to nickserv so there's no chance of accidentally typing something in public.

And then after you've registered you can add your "/msg nickserv identify" to the "Perform on Connect" action in mirc and it will happen automatically from there on, so you never have to even think about nickserv again.
posted by Rhomboid 01 July | 09:40
It's really not fair to blame this sort of thing on the use of ChatZilla. Like many people at this site, I am not much interested in computery stuff; I'm here for the conversation and I want to know just enough about computers to communicate and no more. I need the rest of my brain space for other things. I didn't know IRC chat even existed until I joined MeCha, and it's amazing I figured out how to use any client in the first place. This is and will remain the only chat I ever do and I don't want to get into studying the relative merits of chat clients. I'm not sure it's fair to say that anyone who uses Chatzilla and has this happen to them is somehow 'asking' for it.

As I said, it's not a big deal and I wouldn't cry if I just had to totally kill that email account. But it's worth being aware of.

Sure, someone may have been just trying to be helpful and maybe I'm reading it all wrong. But it's a funny coincidence, if so. I agree with the cop analogy to a point; but if I don't close the window, and the cop climbs inside and robs my house, he's no longer being helpful, you know? And regardless of whether I should have closed the window or not, he's still committed a crime.

This perp didn't do any real harm, but if they just were trying to make a point, what a juvenile way of doing it.
posted by Miko 01 July | 09:51
1. mIRC isn't free.
2. Chatzilla is really simple, free, and seems to be the default client. Do you know of any better clients that are just as easy and free?
3. I would probably have said "I hope you don't use that password for anything else."


How many people were in the channel? It could have been any one of them.
posted by agropyron 01 July | 09:53
I can't remember who it was, and there were only about 8 people there at the time.

I'm less interested in who it was than in sharing the cautionary tale aspect. I'm saddened that anyone here would do this, is all.
posted by Miko 01 July | 09:55
It certainly is lame. Thanks for sharing the cautionary tale.
posted by agropyron 01 July | 10:07
With no offense intended, and speaking as someone who's also using Chatzilla, and doesn't know much about IRC:

How would one accidentally reveal a password? How can I prevent myself from doing so? And should I ditch Chatzilla?
posted by box 01 July | 10:07
Well, it is true that mirc is shareware and not freeware, but it is still free to try and it never stops working, you just have a small messagebox at startup, then you press "OK" to dismiss it and that's that. I dare say that millions of people use mirc for years without ever registering.

posted by Rhomboid 01 July | 10:09
box - In order to make use of the NickServ service you have to type a command that identifies you with a password. This is optional, but it's a good idea to do it anyway. The command typically looks something like "/msg nickserv identify mypasswordhere" and if you were in a channel at the time and accidentally omitted the leading "/" you would end up saying that to the channel, revealing your password to be 'mypasswordhere'.

Like I said though, with a good client you don't have to do any of this by hand after the first time, and so if you set it up this way you never have to worry about accidentally typing the command incorrectly.
posted by Rhomboid 01 July | 10:12
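
The slip described in the comment above (a missing leading "/" turns the NickServ command into channel text) can be caught on the client before the line is sent. This is an added example, not part of the thread and not ChatZilla or mIRC code; the function names, service aliases and verb list are assumptions.

```javascript
// Added illustration: hold back channel text that looks like a NickServ
// command typed without its leading "/". Not ChatZilla or mIRC code.
// Assumed lists: service aliases, password-carrying verbs, addressing commands.
const SERVICES = new Set(["nickserv", "ns"]);
const SECRET_VERBS = new Set(["identify", "register", "ghost"]);
const MSG_WORDS = new Set(["msg", "privmsg", "query", "quote"]);

// Index of the password-carrying verb if the text looks like a service
// command with at least one argument after the verb; otherwise -1.
function secretVerbIndex(tokens) {
  const t = tokens.map((w) => w.toLowerCase());
  // A missed slash often leaves a neighbouring key instead: "\msg", ".msg".
  t[0] = t[0].replace(/^[^a-z]+/, "");
  let i = 0;
  if (MSG_WORDS.has(t[i])) i++;
  if (SERVICES.has(t[i])) i++;
  else if (i > 0) return -1; // "msg bob ..." is an ordinary message
  // Reaching here with i === 0 means a bare "identify <password>".
  return SECRET_VERBS.has(t[i]) && t.length > i + 1 ? i : -1;
}

// Decide what to do with one line of user input before it leaves the client.
function checkInput(line) {
  // Only a line whose very first character is "/" counts as a command;
  // a leading space is treated as text, the conservative choice.
  if (line.startsWith("/")) return { send: true, kind: "command" };
  const tokens = line.trim().split(/\s+/);
  const v = secretVerbIndex(tokens);
  if (v === -1) return { send: true, kind: "text" };
  // Never echo the argument: show the user only what was recognised.
  const shown = tokens.slice(0, v + 1).join(" ") + " ***";
  return { send: false, kind: "held", shown };
}

// Constructed sample input (the password string is the one quoted in the thread).
const SAMPLES = [
  "/msg nickserv identify mypasswordhere",
  "msg nickserv identify mypasswordhere",
  " /msg NickServ IDENTIFY mypasswordhere",
  "identify mypasswordhere",
  "pw",
  "hello bunnies",
];
for (const s of SAMPLES) {
  const r = checkInput(s);
  console.log(r.send ? `send (${r.kind})` : `HELD: ${r.shown}`);
}
```

Held lines should be offered back for confirmation rather than discarded, since an ordinary sentence that starts with "register" or "identify" also matches.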
Miko, I'm sorry that happened, and I agree it's got nothing to do with Chatzilla. It was a lame thing for someone to do.
posted by occhiblu 01 July | 10:27
It was me, and I was hoping you would take my advice to change any accounts that share that password, one friend to another. None of this sounds like anything you'd need a password for; sounds like someone either plugged your e-mail address into a whole bunch of stuff, or a spider/bot got ahold of it and submitted it to a bunch of stuff.

I'm not familiar with ChatZilla, but if anyone has any mIRC questions, I will be more than happy to answer them. Please, speak up.

Anything that is being Frequently Asked about IRC, btw, should be posted to the MetaChat Wiki in the IRC FAQ section.

A couple of things:
1. Automate your password/login. This prevents it from going into the main window, and prevents you from losing your nick if you have to look away/open IRC in the background and don't get to it right away.
2. Do not type your password in the main window. If you insist on doing it manually, use the console window, or a query window as Rhomboid suggested. If you're doing it because you don't know how to automate it, ask for help!
3. If you broadcast your password to the channel accidentally, please change that password wherever you use it.

Registering your nick is good! It opens up memoserv, so we can send you quick little notes if we haven't seen you online in awhile.
posted by Eideteker 01 July | 10:28
> It was me...

erm, Eideteker, you mean that you were the one to warn Miko about revealing her password, right?

Surely if no bizarre animated gifs have been posted with your account on metafilter, then it's unlikely that it was someone from IRC.

posted by atrazine 01 July | 10:35
> They would need the password because any proper mailing list that is not run by incompetent fools requires "closed-loop opt-in" where you can't just enter someone's email address in a form to sign them up, they have to respond to a probe email to assure that they are in control of that account.

> None of this sounds like anything you'd need a password for; sounds like someone either plugged your e-mail address into a whole bunch of stuff, or a spider/bot got ahold of it and submitted it to a bunch of stuff.


Again, with no offense intended, and seeing as how this kind of stuff isn't my strong suit: is this a difference of opinion, or is one statement accurate and the other not?

Also, as I'm reading it, the advantage to registering your nickname is that people can send you little notes, and the disadvantage is that you might inadvertently reveal your IRC password? Or are there additional aspects I'm not seeing?
posted by box 01 July | 10:37
Registering means you own the name. If someone else signs on to IRC, they can use the name "box" unless you specifically register it, and put a password on it. You know if you see someone in #bunnies with my nick acting a fool, it's me (well, if they keep the nick for more than a minute, which is how long NickServ gives you to enter your password before it changes you to Guest141215).

If you take proper precautions, you won't even chance broadcasting your password to the channel. For times when I do want to manually log on, I have an alias in mIRC (basically, a shortcut) that does it for me. It'll be something like /pw, which messages nickserv my password. So the worst I could ever do is type "pw" to the channel accidentally if I forget the slash. Like Miko said, not everyone is an IRC savant, but we are out there, and are more than willing to help. I would actually really appreciate it if someone would add Chatzilla's automation sequence to the FAQ; I'll try to add mIRC's later today/tomorrow.

> Again, with no offense intended, and seeing as how this kind of stuff isn't my strong suit: is this a difference of opinion, or is one statement accurate and the other not?

One of us is assuming competent list owners, the other is assuming scummy spamlords (who care not for protocol) or simple submission sites that don't verify. I grew up in the age of "Enter your e-mail address" to sign up and then forget about ever unsubscribing, so you can guess which way I lean.
posted by Eideteker 01 July | 10:56
My IT perspective is that the password wasn't necessary, and this may be an insanely bad coinkydink thing. In Hotmail, is there evidence of mail sent that you would not have? That's the key to showing a break-in. (Yes, they could have then deleted that stuff, but most vandals wouldn't bother.)

Also, stop the mirc/chatzilla pissing match, people. I have my password automated in chatzilla, which is a sufficient client for people who don't do a lot of IRC. Step by step:

* Chatzilla menu. Preferences.
* Pick irc.slashnet.org (or the network you need to log into)
* Pick the Lists tab.
* In Auto-perform, click Add.
* Type /msg nickserv IDENTIFY password
(where password is your password)

That's all.
posted by stilicho 01 July | 10:57
Thanks for the tutorial, stilicho! That's very helpful.
posted by matildaben 01 July | 11:25
> is there evidence of mail sent that you would not have?


Yes, there is. It looks like someone is sending stuff to a lot of people from this address.
posted by Miko 01 July | 11:32
I'm gonna have to kill the account, aren't I?

Oh well. It just means switching over my stored history. Oy vey.

Thanks for the info, stili.
posted by Miko 01 July | 11:34
And Eideteker, if it was you who said that, sorry I maligned you in my thoughts. But I really don't actually think it was, unless you were using under another name at the time. Because it was a name I didn't really recognize, which is why I can't remember it.

Anyway, all quite weird. And this in the same month when I managed to delete my own treasured old GMail accidentally. My internets batting average is quite low.
posted by Miko 01 July | 11:44
I've updated the IRC FAQ and created a new commands page. I added a more in-depth questions section to the FAQ, as well. All parts welcome contributions, but the bare outline is there. Thanks for the Chatzilla help, Dan; I added it to the FAQ already. And if I haven't made myself clear, PLEASE, IF YOU HAVE QUESTIONS, ASK ME! I will answer them as best I can, and I will add them to the FAQ so that others don't have to wonder. I can't answer Chatzilla-specific questions, but I'll try and find someone who does (or you could just FPP it).

I was indeed using a different name, Miko. I was under "NothingToSeeHere" because I originally signed on just to DCC send one user a file but I got sucked into chatting. At first I was upset that you would presume malice but then I 1. realized how much I hate junk mail and so could understand and 2. remembered I was using a different nick so you wouldn't have known it was me. Don't worry about it. I just want everybunny to be SAFE.
posted by Eideteker 01 July | 11:54
Ok, thanks, and sorry again, you know I loves ya. Let's hope the oddness ends here.
posted by Miko 01 July | 11:57
Miko, all you need to do is change the email's password. No need to kill it, unless you think there's going to be fall-out from the emails the Eid sent.

posted by me3dia 01 July | 15:00
best. irc. client. EVER.

and totally free!

screenshot:
posted by Wedge 01 July | 17:43
Miko, that's something I would have said too - and not out of malice, but out of a desire to help, for the reasons above. In fact, when I read this, I thought, "Hmm, did I say that?" I think maybe it was me. I certainly meant you no ill by it.

People can sign you up for junk without knowing your email password; and someone other than who commented can use the password on IRC.

Password security is very, very important. Not only that, every password must be different; if the admin at amazon.com isn't trustworthy, you don't want your chase.com bank account to be compromised, just to use one example.

Hotmail sells your email address to others for the purpose of marketing to you; also, many recipient sites, including hotmail, sell the email addresses of people who SENT email there, because those addresses are known to be "live ones."

The quickest way I've found to receive some state-of-the-art, filter-evading spam is to send an email to a hotmail account, and I wish all my friends would quit using them.

Anyway, sorry for your difficulties.
posted by ikkyu2 02 July | 00:46
I have a personal scheme for coming up with a different password for all my accounts. It's not absolutely perfect, but it does allow me to access any site that lets me make up my own password, without having to look up anything, store anything, write down anything, and is different for each one. I can use it instantly at any computer anywhere, and I don't have to memorize anything (except the scheme itself, obviously). So. I won't tell you mine, of course, but here are some examples of the kinds of things you can come up with.

for site Metachat:

First and last letters of site name: mt, plus how many letters in site name: 8; plus phonetic pronunciation of first and last letters: emtee, gives you

mt8emtee

First three letters of site name, backwards: tem; plus how many letters in site name x2: 16; plus last three letters, backwards: hat, gives you

tem16hat

Second and third letters of site name, transposed to the next letter in the alphabet (e=f, t=u): fu; plus the second and third letters as they actually appear: et; plus these four letters backwards: teuf; plus the alphabet position number of the first letter of the password, twice ("f" is sixth in the alphabet): 66, gives you

fuetteuf66

How many letters in the site name (8) times three: 24; plus first and last letters of 8 if written out: et; plus last four letters of site name, backwards: tach (if site name is only three letters, do twice), gives you

24ettach

Those are sort of complicated (and, obviously, since I've put them here, you shouldn't use any of these, just use them as ideas for a way to do it), but if it's too easy, it's easy to crack by seeing only one example. If you can only memorize the scheme (write it down and put it somewhere nonobvious, just in case) it makes it easy to deal with your passwords on the fly.

I know that experts won't like it, because you should change your passwords often, yaddayadda, but I just want to be able to access my accounts without depending on anything outside my haid. If it were a bank account or something, I'd probably go with something safer.
posted by taz 02 July | 04:47
Thanks for the commiserations, tips, and tricks, folks. I made some mistaken conclusions about the internet-security comment, and I'm sorry if any innocent party felt personally accused. I have a pretty good sense that most people here are trustworthy. But just to be completely clear, someone definitely did go into the account - it wasn't just signing up my address for a listserv; there were multiple messages sent from the account. I've had this hotmail for five years and nothing of the sort had ever happened before. So if a bunny wasn't getting cute, then it's just a very oddly timed coincidence.

Anyway, the whole thing has given me a good reason to ditch hotmail. It's not very good anyway, and I didn't know about the things ikkyu2 had to say about it.
posted by Miko 02 July | 17:52
If you need a gmail invite, miko, let me know.
posted by Eideteker 02 July | 18:20