
21 - 40 of 61 Posts

Man of endless projects · 8,917 Posts
I don't mind a more complex password but seems a bit overboard, especially with a special character. That makes my password more complex for a free forum than I use for my own bank account. Not that I will forget it but still. Most people wouldn't use the same password for a forum as they would something more important mainly because the important password would require the extra complexity. But now that we have our passwords needing to be stronger, people may use the same password for both which would be worse off if either server was hacked.

So far this is the second place I received the same email. Guess I may as well use the same password for both.
 

Registered · 374 Posts
Thanks for watching over this PeePee; you are not in an enviable position.

I admit, it is rather irritating. There was a music forum that I belonged to that got bought out by Musicians Friend (who Guitar Center bought a few years later). They destroyed the website. In the transition, they did a massive sweep like this though and I had a VERY old email address that Hotmail gangstered from me that they used to send the password reset links when the whole site updated. It sucks losing 10 years (now, 15) of history because of an administrative oversight.
 

Registered · 2 Posts
...

The days of a script looping through 10,000 dictionary words to try to log into your account are long gone. Even when it doesn't work, it's a huge drain on server resources. Here's one example of how this should be protected against:

...

With 10 attempts, you could have a 4 character unrestricted password and would likely never see a compromised account.

...
To be fair, though, schwim, your argument is only valid if the passwords are successfully protected in the first place. Passwords are stored in an encrypted manner (and if they are not, then whatever system they are tied to should not exist) not to prevent brute force login attempts but to protect the passwords in the case that the database is compromised. If the database is protected, then it does not matter if the passwords are encrypted. An administrator with direct access to the database could view the passwords stored in plain text, but this would not be visible to any end users.

However, if the database of passwords was compromised, this is where encryption and password security comes into play. As long as an attacker knows the encryption scheme that was used, (and there are some other little details that can also make this more difficult) then the attacker does not need to burden the login server with failed password attempts. Furthermore, any lockout mechanisms would have no effect if the attacker was trying to crack the password database by brute force on their own machine (with their own copy of the compromised database). They would have unlimited retries, and never be "locked out".

Therefore, if the site's security is breached, and encrypted passwords are leaked, then password complexity is still important.
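
The distinction drawn in the post above (a login lockout caps online guesses, while a copied password table can be tested offline with no lockout at all), as an added Python example that is not part of the original thread. The iteration count, the guess rate, the sample account and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed PBKDF2 work factor for this sketch; tune to your hardware
MAX_ATTEMPTS = 10      # lockout threshold, matching the "10 attempts" quoted in the thread


def hash_password(password, salt=None):
    """Return (salt, digest): salted PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class LoginService:
    """Online path: every guess passes through the server's lockout counter."""

    def __init__(self):
        self.users = {}      # name -> (salt, digest)
        self.failures = {}   # name -> consecutive failed attempts

    def register(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password):
        if self.failures.get(name, 0) >= MAX_ATTEMPTS:
            return "locked"                      # refused before any hashing is done
        salt, stored = self.users[name]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            self.failures[name] = 0
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        return "denied"


def offline_worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Offline path: with a copied table there is no lockout, so the only bound is
    search space divided by guess rate (which the hash's work factor drives down)."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    svc = LoginService()
    svc.register("demo", "ab1!")                  # constructed 4-character password
    print([svc.login("demo", "guess") for _ in range(11)][-2:])   # ['denied', 'locked']
    for n in (4, 8, 12):                          # 95 printable ASCII, assumed 1000 guesses/s
        print(n, "chars:", offline_worst_case_seconds(95, n, 1000) / 86400, "days")
```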
 

Registered · 822 Posts
To be fair, though, schwim, your argument is only valid if the passwords are successfully protected in the first place. Passwords are stored in an encrypted manner (and if they are not, then whatever system they are tied to should not exist) not to prevent brute force login attempts but to protect the passwords in the case that the database is compromised. If the database is protected, then it does not matter if the passwords are encrypted. An administrator with direct access to the database could view the passwords stored in plain text, but this would not be visible to any end users.

However, if the database of passwords was compromised, this is where encryption and password security comes into play. As long as an attacker knows the encryption scheme that was used, (and there are some other little details that can also make this more difficult) then the attacker does not need to burden the login server with failed password attempts. Furthermore, any lockout mechanisms would have no effect if the attacker was trying to crack the password database by brute force on their own machine (with their own copy of the compromised database). They would have unlimited retries, and never be "locked out".

Therefore, if the site's security is breached, and encrypted passwords are leaked, then password complexity is still important.
You posted an entire explanation of why this password complexity requirement is pointless and then added a final sentence of "ignore that it's actually important".

If they have the database they have unlimited attempts to crack whatever protection it has whether it be Salted or what. So you made your password more complex, doesn't change the end result.

This approach of "password complexity" smacks of some decision maker stuck in an early 00s technology battle. Password complexity is dead. It does nothing and helps no one in 2016. Password complexity only protects against Dictionary Attacks that have long since been thrown to the wayside as a waste of the criminals' time. That's why financial institutions and major corporate websites have moved on to Two Step Verification for security.

If FSB had moved to a Two Step Verification system that would have made sense. This does not.
 

House of Windsor 4ever! · 10,479 Posts
Interesting you bring up two-step verification; the XenForo "bulletin board" program has two-step verification built in but IIRC, it can be selected to not work, work on a voluntary basis or be required.
 

Premium Member · '95 XLT: 5.8/MAF/E4OD/6" lift/4.56's/33x12.5x15 · 35,245 Posts
ATTENTION: If you are one of those members and still had your old account connected to a bad email account, so you were forced to make a new login profile to get back on FSB, PLEASE NOTIFY A SITE ADMINISTRATOR. No bullshit though... we will be cross-referencing IP addresses to verify your claims.
We will merge your new account with your old account, so you will be properly tied to all your past postings and can avoid any of our Post Limit settings. Thank you all and our apologies for the inconvenience.
I'll be back on tomorrow... probably around 9 am, PST.
If you need help, just let me know and I'll do whatever I can.
Regular Moderators don't have the access to deal with your profiles directly, Redwagon is kinda hit-or-miss and jopes is "out fishing"... so I'm trying to do the best I can for everyone but I've got a life to deal with outside of FSB as well, so please be patient.

G'night.
 

The Anti Yam! · 22,681 Posts
ATTENTION: If you are one of those members and still had your old account connected to a bad email account, so you were forced to make a new login profile to get back on FSB, PLEASE NOTIFY A SITE ADMINISTRATOR. No bullshit though... we will be cross-referencing IP addresses to verify your claims.
We will merge your new account with your old account, so you will be properly tied to all your past postings and can avoid any of our Post Limit settings. Thank you all and our apologies for the inconvenience.
This needs to be worded slightly differently and placed at the top of the main forum page.

It should also be a message automatically displayed each time a log in attempt fails and should include a contact to get in touch with to work through the problem.

I can word smith it if you like.
 

Premium Member · '95 XLT: 5.8/MAF/E4OD/6" lift/4.56's/33x12.5x15 · 35,245 Posts
feel free Gack. I was fumbling about yesterday, trying to keep up with a lot of assistance requests and some of this debacle.
You know that any pop-up and failed log-in msg. creation is going to be on AutoGuide, afaik. :shrug
 
Guest · 0 Posts
Those guys are likely screwed. They'll probably have to make another log in identity to get back on FSB.

==============================================================================


ATTENTION: If you are one of those members and still had your old account connected to a bad email account, so you were forced to make a new login profile to get back on FSB, PLEASE NOTIFY A SITE ADMINISTRATOR. No bullshit though... we will be cross-referencing IP addresses to verify your claims.
We will merge your new account with your old account, so you will be properly tied to all your past postings and can avoid any of our Post Limit settings. Thank you all and our apologies for the inconvenience.
Not sure what makes a bad email account, but i got locked out. Tried to reset password and got nothing. Tried "contact us" and nothing, granted that was only this morning.
 

Premium Member · 4,004 Posts
check yer PM's bud. help is on the way! :thumbup
...And we're back. No power in the verse can stop you. Thanks for the assist. The horrors I've seen as a new forum member, the ads, oh so many ads. :toothless
 

Premium Member · '95 XLT: 5.8/MAF/E4OD/6" lift/4.56's/33x12.5x15 · 35,245 Posts
man... if I got paid for this shit, I'd be asking for a raise! :toothless

glad we're getting folks all straightened out though. Sorry for the hassles everyone, not that we (your local member staff) had any control or say in it... but we're trying like hell to get everybody back in and on and taken care of. :thumbup
 

Kitteh Commandaar! · 4,198 Posts
Working in technology field related to what is going on right now, this amuses me and frustrates me greatly when people make decisions like this :rolleyes:. At any rate :thumbup to the forum admins - this problem has been forced upon you and I've been in that position for a big system...it sucks :banghead:


BTW - Brute Force Attacks for the win, all you need is time and you can crack anything :rofl:

KC
 

Premium Member · '95 XLT: 5.8/MAF/E4OD/6" lift/4.56's/33x12.5x15 · 35,245 Posts
for anyone having issues... I'll keep checking back in throughout the day.
luckily for everyone having problems... the weather is crap today, otherwise I'd be out painting bike parts and you'd all be burnt! :goodfinge
ok... not really, but you know me. gotta be a smart-ass if/when possible. :toothless


seriously though... shoot me a PM or leave a note here and I'll keep checking back in and get you taken care of.
 

Registered · 822 Posts
Proud to see the corporate ownership of the site is really breaking the trend of listening to users. They're not at all like the usual people who are given facts of why their decision is moronic and counter-intuitive but press ahead anyway and create more work for themselves.

Can't wait to hear when your database is stolen again in 8 months guys.
 

Administrator · 1,139 Posts · Discussion Starter #38
Hey there,

We have posted to the sites letting users know how to go about changing their passwords. There are a few things that may have happened:
1) the email address wasn’t the current one you use
2) the email is getting blocked by spam or ending up in your junk folder.

If you have not received the password reset email, go to the site and use the password reset tool in the log in window. If this still is not working for you, please go to the contact us page at the bottom right hand corner of the screen and select the “other” field and insert the subject “password reset issue”.

Sorry for the trouble. We are sorting out all the issues as they come in. Thanks all!

~Shane
 

Registered · 636 Posts
What about the banner on the home page that says this
"Notice
SECURITY AND DATA BREACH NOTIFICATION CLICK HERE"

Is that a scam or virus link, I have not clicked on it for that reason, it seems out of place being purple...
 

Premium Member · '95 XLT: 5.8/MAF/E4OD/6" lift/4.56's/33x12.5x15 · 35,245 Posts
It was Vertical Scope's official notice and was likely very generic to share across a multitude of forums owned by AutoGuide / Vertical Scope.
I verified it for myself when it first was put on. That said... I'm not seeing it at all today. :shrug
 