fullsize 06-14-2016 10:58 AM

Attention - Password and Security Update
 
Hello all,

Over the next few days we will be implementing some changes to our forum password strength and password expiration policies. To make sure you continue having the best experience possible on the community, we regularly monitor the site and the Internet to keep everyone's account information safe. We've recently become aware of a potential risk to some accounts coming from outside of this community. Just to be safe, we are implementing the following changes to improve security even further:

1) We are asking everyone to change their passwords (and will force a one-time reset). Along with every user on the forum, new passwords will need to be more complex, and can't be simple words (sorry, you can't have "fluffy" as your password anymore!). Please use a password unique to this community. Reusing passwords can expose your account indirectly when other websites (Twitter, LinkedIn, Badoo, etc.) are compromised; and

2) Your passwords will expire on a 365-day basis. When you log in on the 366th day, you will have to change it.

We'll also be sending out an email to users to let them know about the changes, in upcoming weeks.

Thanks all,

Helena

Community Management

Gacknar 06-14-2016 12:10 PM

Do you have the guidelines for the new passwords ready?
Minimum number of characters, numerals, upper/lower case?

fullsize 06-14-2016 04:48 PM

A good password/required would include 1 Upper case character, 1 lower case, 1 number and 1 special character. At least 10 characters long.

Lee

SRWillis 06-14-2016 05:05 PM

Just saw this exact same message on the only other forum I regularly visit. Hmmm...

schwim 06-14-2016 05:44 PM

Quote:

Originally Posted by SRWillis (Post 6055041)
Just saw this exact same message on the only other forum I regularly visit. Hmmm...

There's usually a bandwagon mentality in the site management community that does this type of thing after an exploit is found in the software they're using.

The fallacy of forcing password changes and complexity notwithstanding, my suggestion is always this:

To protect yourself from these "making you more secure" types of interruptions in your web browsing, come up with a password that matches the most common requirements:

letters and numbers
caps and lower case
one special character
around 12 characters

That's about all site owners can force on you, so "USMC0341yut!" is a password that will get accepted almost anywhere.

When you're forced to change a password and you'd rather not, change your password and then immediately change it back to what you'd like. Almost no canned and premade web scripts are written to store old passwords to make sure you're not reusing them. Us scripters and programmers seem to be pretty lazy :)

For safety's sake, ignore everything I've said above, change your passwords every 7 hours and use a different password everywhere so you have to write them down somewhere to remember them. Only then will you be completely secure.

BikerPepe` 06-22-2016 12:16 AM

1 Attachment(s)
Just an FYI... in case you didn't get/see it for yourself.
http://www.fullsizebronco.com/forum/...1&d=1466568959

Gacknar 06-23-2016 11:37 AM

No, I didn't see it, not until after they changed my password.
So when I went to get on today I had been logged out, which is unusual, and it would not let me log back in.

Checked email and there's a reset notice.

So what's the plan for the Many, Many members who didn't see this announcement and have their FSB account tied to a defunct email account?

BikerPepe` 06-23-2016 01:06 PM

Those guys are likely screwed. They'll probably have to make another log in identity to get back on FSB.

==============================================================================


ATTENTION: If you are one of those members and still had your old account connected to a bad email account, so you were forced to make a new login profile to get back on FSB, PLEASE NOTIFY A SITE ADMINISTRATOR. No bullshit though... we will be cross-referencing IP addresses to verify your claims.
We will merge your new account with your old account, so you will be properly tied to all your past postings and can avoid any of our Post Limit settings. Thank you all and our apologies for the inconvenience.

pollux 06-23-2016 01:15 PM

What a huge waste of time for everyone. Like I'm worried about people stealing my account on a forum about trucks.

Congrats, your password requirement is more ridiculous than my financial institution's.

BikerPepe` 06-23-2016 01:28 PM

always a ray of sunshine, eh pollux? :rolleyes:

Many users are guilty of using the same passwords for many different sites, so having your profile info and the password could lead to other accounts you have being hacked.
If your financial institution's password requirements are less than those here at FSB, your financial institution sucks!

Thanks for your input and Have a nice Day.

schwim 06-23-2016 01:28 PM

Quote:

Originally Posted by pollux (Post 6071417)
What a huge waste of time for everyone. Like I'm worried about people stealing my account on a forum about trucks.

Congrats, your password requirement is more ridiculous than my financial institution's.

Not only that but their breach was caused by their lack of security and had nothing to do with the strength of our passwords. Using special characters in my PW isn't going to help them secure their code.

WTB: some logic, paying handsomely.

BikerPepe` 06-23-2016 01:32 PM

oh jeez... seriously? you too schwim?

so... would you rather they did nothing at all? we don't know what kind of other changes were made on the back end.
fwiw, my bank just did a similar update to the password requirements about 6 months ago, so I pretty much expected this to happen all over the place... sooner or later.

As hackers get better, as p-word breaking code and computing speed improve, we all have to upgrade to keep our shit safe.




oh well. whatever. Haters gonna hate. :shrug

pollux 06-23-2016 01:38 PM

You still aren't acknowledging what schwim is saying. It does not matter what our passwords are if the databases with the passwords in it are stolen which is what's been happening all over the web. This is not our problem, this is site management's problem and they're obfuscating responsibility to those who don't understand how this all functions.

My password could be DoD level and it wouldn't matter because they will have it when they take the entire poorly protected datasets. Throwing the responsibility on the end user to make up a ridiculous 10 character length password with special characters and numbers and upper and lower case doesn't help anyone besides hugely increase the odds that this forum's generally older population will keep having to reset their accounts.

schwim 06-23-2016 01:48 PM

Quote:

Originally Posted by BikerPepe` (Post 6071465)
oh jeez... seriously? you too schwim?

so... would you rather they did nothing at all? we don't know what kind of other changes were made on the back end.
fwiw, my bank just did a similar update to the password requirements about 6 months ago, so I pretty much expected this to happen all over the place... sooner or later.

As hackers get better, as p-word breaking code and computing speed improve, we all have to upgrade to keep our shit safe.




oh well. whatever. Haters gonna hate. :shrug

No hate at all good sir. Some of us just understand that our passwords had absolutely nothing at all to do with their loss of stored information. What happened to them is like someone taking your wallet out of your back pocket and handing it to a bad guy, then telling you that it wouldn't have happened if you had owned a nicer wallet.

Speaking of wallets, can anyone name the movie this was in without Googling? I got it for Christmas a few years ago.

https://c3.staticflickr.com/8/7135/2...ae7d30df3f.jpg

Personally, it's no bother to me. I store all my passwords in my browser and it automatically updates the info when it detects a new one.

I promise not to derail the topic any further. I've changed my password and am now more secure for it.

BikerPepe` 06-23-2016 01:56 PM

Quote:

Originally Posted by pollux (Post 6071489)
You still aren't acknowledging what schwim is saying.

Really? Pretty sure I did.

Quote:

Originally Posted by BikerPepe` (Post 6071465)
we don't know what kind of other changes were made on the back end.

I would assume... the same as my own bank did, they upgraded the back end and the new updates to secure the database on the server from getting hacked would also require a new, tougher password scheme. This is just a PART of the security upgrades put into place after they got hacked.

I would expect that schwim should know this already. :shrug


Your local staff (moderators and administrators) don't work for Auto Guide/Vertical Scope or anyone else for that matter. We just volunteer our time to help out the members of our site... because we love the place and want to contribute to keeping it as good as we can.
We are not privy to the deeper goings on of Auto Guide/Vertical Scope and can't answer questions about the technology that drives the forums. We can only assist members with the more basic and rudimentary functions of the site.
So... I don't really know any more than you guys but applying a little common sense and not having a flat out pissed off and negative view of the company who has run and owns this forum leads me to believe that this change is just a part of the larger picture.

Do they screw up now and then? Absolutely.
Are they perfect? Not only no... but hell no.
Did they piss off about 80% of the members when they upgraded the forum to a new format... obviously.

Do they do as good a job as they can considering they own, probably 75% of all the successful automotive related forums on the internet... I don't know, but I'd like to think so.


Nobody blamed our passwords for them getting hacked. Our passwords obviously would NOT have given them that kind of access.
I don't know why you guys are taking this so personally... other than you're pissed off at being a little inconvenienced this morning, despite everyone being notified in 3 different threads for the last week.
Obviously... it wasn't that big of a deal or we wouldn't be logged in here bitching about it. :shrug

schwim 06-23-2016 02:06 PM

Hi there Pepe,

I just wanted to explain the flaw in thinking that you need a password that's unbreakable by machines.

The days of a script looping through 10,000 dictionary words to try to log into your account are long gone. Even when it doesn't work, it's a huge drain on server resources. Here's one example of how this should be protected against:

Allow up to 10 consecutive attempts to log in. Provide visual warnings to the visitor that they are nearing lockout. Once locked out, the IP addresses used in the attempts are blacklisted to save on wasted server responses and the forum sends an email to the address on record letting them know of the lockout with a link to reactivate their account. Only the holder of the account should have access to the email address, so this would be considered sufficient in regards to security to regain access to the account and would not involve a mod or admin to help.

This method also doesn't have to worry about spoofing IP addresses and UA strings. The forum wouldn't care about the location of the login attempt. 10 tries and you're done. You can reset the attempts field at 24 hours to keep the database table clean.

With 10 attempts, you could have a 4 character unrestricted password and would likely never see a compromised account.

More important than a complex pattern is to not use the most common passwords as that is what scripts are designed to use to try to log in.
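
The lockout scheme described in the post above, sketched as an added example (not code from the thread, from vBulletin or from the forum's operator). The class name, the warning threshold of 7 failures, the in-memory storage and the `outbox` list standing in for e-mail are assumptions.

```python
import secrets
import time

MAX_ATTEMPTS = 10           # consecutive failures before lockout (from the post)
RESET_SECONDS = 24 * 3600   # failure counter is cleared after 24 hours (from the post)
WARN_AT = 7                 # assumption: first failure count that shows a warning


class LoginThrottle:
    """In-memory sketch; a real forum would keep this state in its database."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}        # username -> {"fails", "first", "ips", "token"}
        self.blocked_ips = set()  # addresses used in attempts that ended in a lockout
        self.outbox = []          # (username, token) pairs standing in for e-mail

    def attempt(self, user, ip, password_ok):
        now = self.clock()
        if ip in self.blocked_ips:
            return "ip_blocked"   # refused before any password work is done
        st = self.accounts.setdefault(
            user, {"fails": 0, "first": now, "ips": set(), "token": None})
        if st["token"] is not None:
            return "locked"       # even the right password waits for the e-mail link
        if st["fails"] and now - st["first"] >= RESET_SECONDS:
            st.update(fails=0, ips=set())
        if password_ok:
            st.update(fails=0, ips=set())
            return "ok"
        if st["fails"] == 0:
            st["first"] = now     # start of the current 24-hour window
        st["fails"] += 1
        st["ips"].add(ip)         # counter is per account, whatever the source IP
        if st["fails"] >= MAX_ATTEMPTS:
            st["token"] = secrets.token_urlsafe(32)
            self.blocked_ips |= st["ips"]
            self.outbox.append((user, st["token"]))
            return "locked"
        if st["fails"] >= WARN_AT:
            return f"warn:{MAX_ATTEMPTS - st['fails']}"
        return "fail"

    def reactivate(self, user, token):
        st = self.accounts.get(user)
        if st and st["token"] and secrets.compare_digest(st["token"], token):
            st.update(fails=0, ips=set(), token=None)
            return True
        return False
```

Because the counter is keyed by account name, a lockout can be triggered by someone other than the owner, which is why recovery here goes through a single-use token mailed to the address on record.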

BikerPepe` 06-23-2016 02:23 PM

ok schwim. first off... you are definitely more up to date with technology than I am. I got out of the tech field many years back.
that said... I've worked for internet access supply companies, I've worked tech support for Microsoft and I managed an office for another database management company out of 'Frisco for a few years. I'm not totally ignorant when it comes to online security.

I have no direct information from AutoGuide about this recent problem or the security upgrades they had to make after getting their database hacked.
But what I do know is that it wouldn't be out of standard procedures for updates on the back end to include updates to the front. Again... I have to assume that the upgraded passwords being forced on us are just a part of the overall upgrades done to the back end to protect the servers and the databases stored on them.
I would expect that as an IT Professional, you might see this and agree.

I'm not saying the passwords are an integral part of this and I'm not saying that it's necessary... but what I am saying is that when you upgrade deeper functions related to server security, the entire system gets upgraded and any and all potential security weak points get upgraded along with the rest. It's not that uncommon in my experience.
I also noted that my own financial institution just forced a similar upgraded security scheme within the past 6 months, so I would also have to assume that this is standard for recent updated security models.


oh well. I'm not going to argue to defend a company that won't defend itself.
I am one of you guys, I just volunteer to help out here as much as I can. I'm done.

schwim 06-23-2016 02:33 PM

Quote:

Originally Posted by BikerPepe` (Post 6071593)
stuff.

http://sd.keepcalm-o-matic.co.uk/i/l...hug-it-out.png

offroadkarter 06-23-2016 02:43 PM

Hey, I want to jump on the angry IT bandwagon!

Can we pool our money and buy FSB back from autoguide? Corporate forums blow hard... This whole ordeal is just one example why, this password list theft affects me on more than one forum...

TJSmoot 06-23-2016 04:13 PM

Pulp Fiction.


All times are GMT -4.