Attention - Password and Security Update - MG-Rover.org Forums
post #1 of 135 (permalink) Old 14-06-2016, 15:04 Thread Starter
Administrator
 
Join Date: Jul 2012
Car: CityRover
Posts: 758
Attention - Password and Security Update

Hello all,

Over the next few days we will be implementing some changes to our forum password strength and password expiration policies. To make sure you continue having the best experience possible on the community, we regularly monitor the site and the Internet to keep everyone's account information safe. We've recently become aware of a potential risk to some accounts coming from outside of this community. Just to be safe, we are implementing the following changes to improve security even further:

1) We are asking everyone to change their passwords (and will force a one-time reset). Along with every user on the forum, new passwords will need to be more complex, and can't be simple words (sorry, you can't have "fluffy" as your password anymore!). Please use a password unique to this community. Reusing passwords can expose your account indirectly when other websites (Twitter, LinkedIn, Badoo, etc.) are compromised; and

2) Your passwords will expire on a 365 day basis. When you login on the 366th day, you will have to change it.

We'll also be sending out an email to users to let them know about the changes in the upcoming weeks.

Thanks all,

Helena

Community Management
AdminC is offline  
 
post #2 of 135 (permalink) Old 14-06-2016, 18:55
Registered User
 
Join Date: Apr 2004
Car: MGZS180,MGZR160,MGF VVC,MG Maestro T16, Rover 111
Posts: 5,740
Hi Helena

This is a big forum and a lot of people only look at certain sections, I wonder if it's worth popping this message into all the sub-sections to get the best coverage.

I only thought to look for this message as I'd seen the same on the X-power forum.

James
Talkingcars is offline  
post #3 of 135 (permalink) Old 14-06-2016, 20:34
Registered User
 
Join Date: May 2004
Location: Under a car near scunthorpe
Car: Maestros, 200, 600, ZTT
Posts: 25,350
May I also suggest that users in the database who have an expired password for, say, 365 days get pruned from the database. This will significantly reduce its size and overhead. And if a user hasn't logged in for 2 years it is pretty safe to say they aren't going to miss their account!
E_T_V is offline  
 
post #4 of 135 (permalink) Old 14-06-2016, 20:37
Diesel Tuning Dude
 
 
Join Date: Jul 2007
Location: Wakefield
Car: 75 Tourer Conn SE & 45 TDi VNT
Posts: 17,817
Crumbs, looks like I'll have to add yet another entry to my yellow-pages-thick book of unique passwords.
Dakta is offline  
post #5 of 135 (permalink) Old 14-06-2016, 20:44
Stu
Administrator
 
 
Join Date: Jul 2002
Location: Norfolk
Car: Merc E250 Convertible + Alfa Mito Turbo
Posts: 54,943
Just went to add a global announcement and saw that Chris T has already done it. So you will see it at the top of every forum section as well as here.

As for unique passwords take a look at applications such as LastPass or similar (just search on password managers and read the reviews). These allow you to have a master password and then unique passwords for every site you use.

Stu

Stu is offline  
post #6 of 135 (permalink) Old 14-06-2016, 20:49
Administrator
 
 
Join Date: Feb 2005
Location: Leicestershire
Car: MG TF 135 Platinum Silver, Skoda Roomster
Posts: 32,606
Quote:
Originally Posted by Talkingcars View Post
Hi Helena

This is a big forum and a lot of people only look at certain sections, I wonder if it's worth popping this message into all the sub-sections to get the best coverage.

James
It effectively already is, albeit above all of the sticky threads, so there is possibly no chance of it being viewed!!!

Quote:
Originally Posted by E_T_V View Post
May I also suggest that users in the database who have an expired password for, say, 365 days get pruned from the database. This will significantly reduce its size and overhead. And if a user hasn't logged in for 2 years it is pretty safe to say they aren't going to miss their account!
There are quite a number of members that do come back after 2+ years away, often after buying another MGR.
Chris T is offline  
post #7 of 135 (permalink) Old 15-06-2016, 17:10 Thread Starter
Administrator
 
 
Join Date: Jul 2012
Car: CityRover
Posts: 758
Quote:
Originally Posted by Chris T View Post
It effectively already is, albeit above all of the sticky threads, so there is possibly no chance of it being viewed!!!

There are quite a number of members that do come back after 2+ years away, often after buying another MGR.
To add to this, it also can create database holes and issues in the user tables, so we don't delete anyone.

Kyle
AdminC is offline  
post #8 of 135 (permalink) Old 16-06-2016, 03:45
Registered User
 
Join Date: Jun 2008
Location: ROCK FERRY, WIRRAL
Car: 25X, 25 1.6, 25 2.0D
Posts: 35,336
Quote:
Originally Posted by Dakta View Post
Crumbs, looks like I'll have to add yet another entry to my yellow-pages-thick book of unique passwords.

Flippin' annoying. Not too bad for something like this site that you use regularly, but it can be an issue for sites you hardly use.
ROVER-25X is offline  
post #9 of 135 (permalink) Old 16-06-2016, 08:33
Registered User
 
Join Date: May 2004
Location: Washington
Car: Other Manufacturer
Posts: 19,226
Phew,

For a moment I thought someone was trying to steal my account.
John is offline  
post #10 of 135 (permalink) Old 16-06-2016, 14:38
Registered User
 
Join Date: May 2013
Car: Other Manufacturer
Posts: 2
Just received an e-mail with my new password. A few comments:

1. E-mailing passwords in plain text is extremely bad practice. E-mail is not secure and can be intercepted.
2. The login/change password forms don't use https by default, so even if you've got the most secure password in the world it could be intercepted without you knowing.
3. Enforcing strong passwords (you have 10 char minimum, mixed case, number and symbol requirements) means users are more likely to write them down. Many users also re-use passwords because it's difficult to remember a different one for every site you visit. Enforcing strict password requirements in this way makes it more likely that people will re-use a password that would normally be strong like an e-mail account or online banking. Not everyone is aware of password managers or wants to use them.

If someone hacks my forum account because I have a weak password then I don't really care as the only information they'll be able to get is my e-mail address. I have used a weak password for many forums for 10+ years and never been hacked, probably because forums are not really a lucrative target for hackers. Most cases of forum hacking are probably targeted at mods/admins (which of course should have strong passwords) or someone that bears a grudge. In the event of a breach in either of those cases it would be pretty easy just to shut down the single account that has been breached.
ZSTom is offline  
post #11 of 135 (permalink) Old 16-06-2016, 14:39
Registered User
 
Join Date: May 2013
Location: Nottingham
Car: MG TF 160
Posts: 212
So, for security reasons, you just emailed out everyone's new passwords in plain text. Sigh.

Why passwords should be hashed (Stack Exchange Security Blog)
Dronevil is offline  
post #12 of 135 (permalink) Old 16-06-2016, 14:42
Registered User
 
Join Date: May 2013
Car: Other Manufacturer
Posts: 2
Quote:
Originally Posted by Dronevil View Post
So, for security reasons, you just emailed out everyone's new passwords in plain text. Sigh.

Why passwords should be hashed (Stack Exchange Security Blog)
Indeed! Hashing is a separate issue to e-mailing them in plain text though. If this forum is using off the shelf software (which it looks like it is) then hopefully it's hashing/salting passwords properly.

I did write a more detailed reply before this but it isn't showing up yet as it needs to be approved by a moderator.
ZSTom is offline  
post #13 of 135 (permalink) Old 16-06-2016, 16:57
Registered User
 
Join Date: Dec 2011
Car: MG GS Exclusive DCT
Posts: 279
Just received an email and had my password reset. Now I need a 10-letter password where other websites only need 8 at most. All this security just for a forum.

As another person said, with all these different password requirements for all the different websites, you will need a big book to write it all down.
R8NMG is offline  
post #14 of 135 (permalink) Old 16-06-2016, 17:01
Registered User
 
Join Date: Jun 2006
Location: East Yorkshire
Car: ZT-T remapped to 160 using map from my old car ;)
Posts: 682

Been trying to get on all day. Even tried the "forgot password" and nothing.
I could see that there were 15 members viewing and over 200 guests, so I dare say almost everyone else is the same.
There are a lot of swear words in my new password I can tell you!
Shawn is offline  
post #15 of 135 (permalink) Old 16-06-2016, 17:08
Registered User
 
Join Date: Apr 2016
Location: Manchester
Car: Rover 75
Posts: 109
LOL, same here. I have so many email addresses I'd forgotten which one I used. D'oh, note to self: WRITE THE USERNAME/PASSWORD/EMAIL ADDRESSES down because I won't remember, lol. I used my 5 attempts to log in so they'd send me an email.
skeleboy is offline  
post #16 of 135 (permalink) Old 16-06-2016, 17:37
Diesel Tuning Dude
 
 
Join Date: Jul 2007
Location: Wakefield
Car: 75 Tourer Conn SE & 45 TDi VNT
Posts: 17,817
  • ten characters MINIMUM
  • capital letter required
  • lowercase letter required
  • number required
  • special character/symbol required

This is too much, this is just too much. Nobody could get into my account before; now it looks like as much of a challenge for me.

I have a password, a simple but secure password, it's something that means something to me, no-one else and it's been secure for years.

Given that my browser keeps forgetting passwords, and I'm not going to install software just to use this site, this website has become unusable, regardless of whether I otherwise like the site. And my enthusiasm for the site itself is becoming a liability because it's becoming easier to use facebook, and I hate facebook.

There is never ever going to be genuine security with this in place.



Dakta is offline  
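The policy the thread is arguing about, written out as an added example (my own code, not the forum's or its forum software's): a small Python checker for the five complexity rules listed in the post above and the 365-day expiry from the opening post, under which a login on the 366th day forces a change. Function and constant names are mine; the sample passwords and dates are taken from the thread.

```python
import re
from datetime import date
from typing import List

# Policy as stated in the thread: at least ten characters, a capital letter,
# a lowercase letter, a number and a special character; passwords expire
# after 365 days, so a login on the 366th day forces a change.
MIN_LENGTH = 10
MAX_AGE_DAYS = 365

# The character classes are ASCII-only, matching the wording of the rules.
RULES = [
    ("capital letter", re.compile(r"[A-Z]")),
    ("lowercase letter", re.compile(r"[a-z]")),
    ("number", re.compile(r"[0-9]")),
    ("special character/symbol", re.compile(r"[^A-Za-z0-9]")),
]


def complexity_failures(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means it meets the policy."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    for name, pattern in RULES:
        if not pattern.search(password):
            failures.append(f"missing {name}")
    return failures


def password_expired(last_changed: date, today: date) -> bool:
    """True from the 366th day after the last change, i.e. once the age exceeds 365 days."""
    return (today - last_changed).days > MAX_AGE_DAYS


def login_requires_change(last_changed: date, today: date, forced_reset_pending: bool) -> bool:
    """A login goes to the change-password screen if the one-time reset is still
    pending for this account or the 365-day expiry has been reached."""
    return forced_reset_pending or password_expired(last_changed, today)


if __name__ == "__main__":
    # Constructed sample accounts; the reset date is the day the thread's emails went out,
    # "fluffy" is the opening post's banned example and the passphrase is the one an admin
    # suggests later in the thread.
    reset_day = date(2016, 6, 16)
    for candidate in ["fluffy", "Got.2.remember.this.bloody.password!"]:
        print(candidate, "->", complexity_failures(candidate) or "meets policy")
    print("day 365 expired:", password_expired(reset_day, date(2017, 6, 16)))
    print("day 366 expired:", password_expired(reset_day, date(2017, 6, 17)))
```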
post #17 of 135 (permalink) Old 16-06-2016, 18:04
Registered User
 
Join Date: May 2012
Location: Bury
Car: R75 Mk2 1.8t, Mazda6 (Gen 2) TS2- 2.2TD
Posts: 912
I too think the same as Dakta and others: the new security measures are just overkill. My bank is easier to log on to.
the chauffer is offline  
post #18 of 135 (permalink) Old 16-06-2016, 18:20
Stu
Administrator
 
 
Join Date: Jul 2002
Location: Norfolk
Car: Merc E250 Convertible + Alfa Mito Turbo
Posts: 54,943
Aaaaaahhhh!!

The way that the admins had to do this last night was that we just got hit with a reset password screen when we tried to login. We assumed that was what would happen for everyone else, and that the email would just warn that the next time you tried to login you would get the same. Clearly not; emailing a new password is not good practice, and I'm surprised a company that deals with the internet so much would do that.

As for not being SSL, it has been raised before that the site does not use SSL. If I had my way HTTP would be switched off and SSL forced by default for everything, not just passwords, but it's not my site.

Password complexity: ok, I get it's quite secure, but not that bad at all, and should be what you are all doing by default without needing to be prompted to keep yourselves secure. A good tip is to use password phrases rather than words (e.g. Got.2.remember.this.bloody.password! ).

Maybe the owners can make it 8 characters and only require one of capital, number or special character. Up to them, but don't shoot them for trying to protect you with a reasonably strong password.

Use a password manager like LastPass if your memory is that bad, or if you really want to be secure and have complex passwords which are different for every site that you don't need to remember.

Stu

Stu is offline  
post #19 of 135 (permalink) Old 16-06-2016, 18:21
Stu
Administrator
 
 
Join Date: Jul 2002
Location: Norfolk
Car: Merc E250 Convertible + Alfa Mito Turbo
Posts: 54,943
Quote:
Originally Posted by the chauffer View Post
I too think the same as Dakta and others: the new security measures are just overkill. My bank is easier to log on to.
You really had better change bank then, as if it is, it's a joke and hugely insecure.

Don't know of any bank which is simpler than the requirement the owners have laid out.

Stu

Stu is offline  
post #20 of 135 (permalink) Old 16-06-2016, 18:28
Stu
Administrator
 
 
Join Date: Jul 2002
Location: Norfolk
Car: Merc E250 Convertible + Alfa Mito Turbo
Posts: 54,943
Quote:
Originally Posted by ZSTom View Post
Just received an e-mail with my new password. A few comments:

1. E-mailing passwords in plain text is extremely bad practice. E-mail is not secure and can be intercepted.
2. The login/change password forms don't use https by default, so even if you've got the most secure password in the world it could be intercepted without you knowing.
3. Enforcing strong passwords (you have 10 char minimum, mixed case, number and symbol requirements) means users are more likely to write them down. Many users also re-use passwords because it's difficult to remember a different one for every site you visit. Enforcing strict password requirements in this way makes it more likely that people will re-use a password that would normally be strong like an e-mail account or online banking. Not everyone is aware of password managers or wants to use them.

If someone hacks my forum account because I have a weak password then I don't really care as the only information they'll be able to get is my e-mail address. I have used a weak password for many forums for 10+ years and never been hacked, probably because forums are not really a lucrative target for hackers. Most cases of forum hacking are probably targeted at mods/admins (which of course should have strong passwords) or someone that bears a grudge. In the event of a breach in either of those cases it would be pretty easy just to shut down the single account that has been breached.
Valid points, but these are your only contributions to the site in 3 years?

Whether you have used a weak password for 10+ years is not the issue. The fact you haven't been hacked is more luck than a justification. Users have had their accounts hacked over the years because they used weak passwords.

Sorry, but it's just not a defence for weak passwords.

Middle ground I'd agree with, but not allowing weak passwords.

This action was also to counteract a possible breach in the past where multiple passwords (and yes, they are hashed) may have been compromised. No proof for certain, but a prudent step to take.

And hashing of passwords does not really do much in this day and age with the technology out there. There are methods, but the site is at the mercy of the software developers of the forum to implement them. So you have what you have.

Stu

Stu is offline  