Okay, so, as many AO3 authors have noticed, there's been a spate of bot comments making the rounds lately.
This batch seems kinda hateful and keeps talking about how horrible our fics are and how we're gonna be fired, arrested, and alone on Christmas.
[Roll eyes, mark as spam, hope this nonsense ends soon. Stubbornly refuse to turn off guest commenting 'cause I LOVE MY GENUINE GUEST COMMENTERS.]
This one, however, caught my attention.
I have indeed been getting Reddit password reset emails -- seven in less than a week. (Prior to Sunday I'd only ever received one.) I did not request any of them.
They do appear to be genuinely from Reddit, which leads me to believe someone/something has targeted my Reddit profile for some reason...?
Has this been happening to others?
Is there some kind of coordination between the AO3 bots and the Reddit password emails or is it just a coincidence?
You should always be able to make assessments based on risk.
The issue is that calculating the risk of being hacked isn't what you think it is (probably).
Most people look at the risk like this:
Why would a hacker target me? I'm nobody, I'm unimportant. This is just my fanfic account, if they want my smut, they can have it. If they want my spam mails from Amazon, they can have my email.
But that's not the actual risk.
So let's look at that together.
Let me start by asking you about your password.
How did you create it?
Do you use it anywhere else?
If it's generated by a password manager, is that password manager the one built into your browser?
How long is it?
When you added complexity to it, did you just add a 1 to the end? Your birth year? Maybe an underscore between words?
All of these things should be factoring into your risk calculation.
You can see my password advice and how easy it is to crack a password here.
So why the hell does this matter to the odds?
Let's say you use the browser-native password manager to create that password - what else could they potentially have access to, if they have that password? Your Google account? Do you have a banking app on your phone? Do you store your banking password in your browser-native password manager? What else is in there?
Risk isn't just inherent to the one thing that someone may have access to, it's lateral.
If someone gains access to one thing, what else can they gain access to?
Crowdstrike has a good summary of lateral movement here.
Effectively, any attacker, once they have access, may try to access other things - the higher the value, the higher the odds.
Do you value your banking information? Of course you do! So how can someone get from accessing your Gmail to your banking? Is the app installed on your Android phone? Is the password the same? Is the password stored in your Google password manager? All things you have to consider for risk.
I know what you're thinking: that's all well and good, but what are the actual odds someone's going to target me?
You specifically? Some random unknown person on the internet? A direct target on you yourself? Probably not that high, to be honest.
But that's not where the conversation ends.
Because you don't have to be the specific target to get hacked, you just have to be the easiest.
Let's look at an example: call centre scammers.
They have no idea who's calling them.
They didn't specifically put that fake virus message on your computer, they just put it out in the wild and let it go nuts. Whoever calls, calls.
It's the same for your online accounts and information.
A bad actor can obtain your login information from any given data breach on the dark web. (You can check haveibeenpwned to see if your email's been in a breach - if it has, change your password right away anywhere you use that password/email combination, and check your account activity/logins.)
Which means that in a majority of cases, they already have your login information.
And not because you necessarily were the target, but because you were easy.
Also, you have to consider the version of something you're using.
I know we all hate updating our software.
Upgrading from Windows 10 to 11.
Installing that next update that gives the app a new look you just don't like, so you avoid it to keep the old look.
But hidden behind those updates are security patches, things that make your system more secure against attacks.
And if you're avoiding those updates and your computer is on the internet, someone can easily find you.
There's a whole-ass tool online out there that people can use to look for out of date systems.
Again, they're not targeting you, they're targeting the weakness that you're broadcasting to the world.
All it takes is one quick search and a random click on a red dot that happens to be your computer.
Update your computer, get a different operating system if you have to.
If you're not using your system for anything too heavy or Steam games, try something like Linux Mint or ZorinOS, which are designed to have a similar feel to more classic Windows experiences.
Get a password manager.
PC Mag has a list of free password managers for 2026 here, if you can't afford a paid version.
When considering risk, if you're considering the odds that you specifically are the target, stop right there. Instead, consider whether you are an easy target.
And FFS get MFA set up. If you don't want to use Google or Microsoft, Proton has one you can use.
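The haveibeenpwned check mentioned above has a companion service for passwords, the Pwned Passwords range endpoint, which lets you find out whether a password appears in known breach dumps without ever sending the password itself: you send only the first five hex characters of its SHA-1 hash and match the rest locally. The following is an added example written for this page, not code from the poster or from haveibeenpwned. It assumes the documented `range/{prefix}` response format of `HASHSUFFIX:COUNT` lines; the sample response and its counts are constructed so the check runs offline, and the live fetch function is provided but not called.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response: one
# "HASH_SUFFIX:COUNT" line per leaked hash that shares the queried 5-char
# prefix. The first suffix is the real SHA-1 tail of the password "password"
# (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the counts and the
# other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def hash_prefix_and_suffix(password: str):
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, response_text: str) -> int:
    """Return how many times our suffix appears in a range response (0 if absent)."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response text. Only the hash prefix leaves the machine;
    the full password and full hash are never transmitted."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (needs network; not called here)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo: the stub ignores the prefix and always returns the sample.
    for pw in ("password", "C0rrectH0rseBatteryStaple?Amazon"):
        n = breach_count(pw, lambda prefix: SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: seen {n} times in the sample range")
```

Swap the stub for `fetch_range_live` to query the real service; a non-zero count means that exact password is already in circulation and should be retired everywhere it is used, which is the same advice the post gives for a breached email.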
Someone just asked me about password systems that work without password managers (for those who simply don't trust them). My advice is based on this XKCD comic, but modified because now most password systems require a capital letter, a number, and a special character in addition to at least 12 characters overall. Here's how I do it.
You still want the phrase with the common words. At least one of those letters has to be a capital, and I tend to capitalize the first letter of the word; maybe that can be easily figured out by a computer, but I think the higher number of entropy points takes care of that. So, with the words from the comic, you'd have:
CorrectHorseBatteryStaple
Then you decide which one of those letters is a number. Every time you use the phrase it should be the same one so it's easy for you to remember. Example, you could say: the first o is always a zero/0. Or, with this particular phrase you could even say that all the o's are zeros since there are only two. Now we have:
C0rrectH0rseBatteryStaple
I always put the special character needed at the end of the phrase.
C0rrectH0rseBatteryStaple?
You want all passwords to be unique, which is hard, but this system still works for that because now you add one final thing to the end: the name of the thing being logged into. Examples:
C0rrectH0rseBatteryStaple?Amazon
C0rrectH0rseBatteryStaple?Gmail
C0rrectH0rseBatteryStaple?Spotify
Using a 4-word passphrase can get long! And if you're adding the name of the service to the end, that still creates many points of entropy, meaning your core passphrase can be shorter. So:
C0rrectBatteryStaple?Amazon
C0rrectBatteryStaple?Gmail
C0rrectBatteryStaple?Spotify
Remember to decide if service names will have a capital letter in front or not. I like doing that as it adds another capital. But choosing all lowercase is fine, too.
For systems that force you to change passwords and to create a new one each time you change, I suggest changing the special character. And keep a list of the special characters and the order you use them in. Like so:
?
!
@
&
and on and on. Having that saved somewhere won't tip off password stealing jerks cuz it's just a list of punctuation.
Another thing I like about this system is that it means you can keep a digital or paper list of passwords and still not worry if it falls into the wrong hands because you don't put the full password on there, you put:
?Amazon
?Spotify
!Gmail
Because you can likely remember the passphrase easily, whereas you might have trouble with the less easy to remember service names (like ones you log into maybe once a year or something).
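To put numbers on the passphrase scheme described above, here is an added example (not the poster's code) that assembles passwords the way the post describes, checks them against the site rules the post names (12+ characters, a capital, a number, a special character), and estimates guessing entropy two ways: once assuming the attacker knows the scheme and only has to guess the words, and once as the optimistic brute-force-every-character bound. The 2048-word list and the 1000 guesses/second rate are the assumptions from the XKCD comic the post adapts, not figures from the post.

```python
import math
import string

# Assumption carried over from the XKCD comic: words come from a list of
# about 2048 common words, i.e. 11 bits of choice per word.
WORDLIST_SIZE = 2048


def build_password(words, service="", special="?", zero_for_o=True, capitalize_service=True):
    """Assemble a password per the post's scheme: capitalise each word,
    turn every 'o' into '0', append one special character, then the service name."""
    core = "".join(w.capitalize() for w in words)
    if zero_for_o:
        core = core.replace("o", "0")
    tail = service.capitalize() if capitalize_service else service.lower()
    return f"{core}{special}{tail}"


def meets_site_rules(pw, min_len=12):
    """The common site policy the post mentions: length, upper, digit, special."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def scheme_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Guessing entropy when the attacker knows the scheme: only the word choices
    are secret. Fixed capitalisation, o->0, the special character and the
    service-name suffix are predictable and add nothing under this model."""
    return num_words * math.log2(wordlist_size)


def charset_entropy_bits(pw):
    """Optimistic upper bound: attacker knows only which character classes
    appear and must brute-force every position."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool)


def years_to_exhaust(bits, guesses_per_second=1000):
    """Years to try every possibility at the comic's assumed 1000 guesses/sec."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    four = ["correct", "horse", "battery", "staple"]
    three = ["correct", "battery", "staple"]
    for words in (four, three):
        pw = build_password(words, "Amazon")
        print(f"{pw}: rules ok={meets_site_rules(pw)}, "
              f"known-scheme={scheme_entropy_bits(len(words)):.0f} bits "
              f"(~{years_to_exhaust(scheme_entropy_bits(len(words))):.0f} years), "
              f"brute-force bound={charset_entropy_bits(pw):.0f} bits")
```

The gap between the two estimates is the point: the long, mixed-character string looks like 170+ bits to a blind brute-forcer, but an attacker who already holds one password from the set (say, from a breach of one of the services) sees the core and the pattern, and under that model only the word choices count, so dropping from four words to three costs 11 bits, roughly a 2000x shorter search. That is the lateral-risk idea from earlier in the thread applied to passwords.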
Passwords may not contain employee identifying information. The password 'wesker4william' is invalid. Please choose a new password to access the lab system.
Hackers have encryption keys for some of the stolen GoTo data.
The LastPass hack in November was much worse than we were initially led to believe. Catastrophically worse. And it came after an earlier breach last August. The entire situation has been a disaster of opacity, sparse information sharing and the company making efforts to retain business at the expense of user security, which was the only thing we were paying them for.
I’ve just migrated over to 1Password, which was fortunately a very easy process, because now I begin the painstaking and time-eating process of updating every password that I haven’t changed since that November breach. Nothing can be assumed safe.
If you stuck with LastPass, you should really change that today. And if you’re an iOS/MacOS premium account holder, demand a refund; if Apple is processing refunds to third-party Twitter app users for something that those companies didn’t do (Twitter shut off their access) then they should certainly do likewise here when the company is wholly at fault.
Look at that copy, blunt as f#$%. Works best given that it's in a country that doesn't have English as a first language and isn't problematically conservative - anywhere else (like US or Aus) and it would cause some serious shit.