Attention - Password and Security Update - Page 2 - MR2 Owners Club Message Board
post #21 of 29 (permalink) Old June 22nd, 2016, 14:38
Administrator
 
Join Date: Dec 2015
Location: Chicago
Posts: 71
OldTrader Rating: (0)
Garage
Quote:
Originally Posted by edmcguirk View Post
I think you are missing the real issue here. Yes it's a PITA to change our passwords but that's just what we have to do when your server gets hacked. All we can do is ask that you improve your security so that your server does not get hacked again.

My problem is your new requirement for very strong passwords that expire every year. Yes, that is one way of ensuring that we, as users, do not reuse passwords between different sites but it really does not address the problem of bad server security. If your servers get hacked again, the strength of our passwords is unimportant. We will have to change our passwords again because you can't assume passwords are good enough after a hack, you just have to change them. Our strong passwords will not prevent us from having to change passwords. Our strong passwords will not prevent your servers from getting hacked.

All strong passwords will achieve is that we will be inconvenienced by having to remember the new password. Strong passwords will also prevent us from reusing passwords. That's a nice goal but you are not my mother. I don't need you to tell me what passwords I can or cannot reuse. I have a simple method of creating and remembering simple passwords for all my low priority sites. Your new rules prevent me from using that method, and even if it did not, it will expire in a year. I have a different method of remembering all my high priority passwords and this site does not merit being included with all my high priority sites.

Essentially you have just demanded that I treat MR2OC as if it was as important as BankOfAmerica. It is just not that important and your new rules are an annoyance I do not want.

The new rules are just a show intended to distract us from the real issue of whether your server security is strong or not.
I see your point but I think it is being blown out of proportion.

This whole issue has nothing to do with our server security. A third party plugin got hacked and got limited access to some info for our sites and thousands of others. We got stuck cleaning up the mess and have legal and authorities on it.

The time you have spent posting all this is more than the time you will spend for the next few years updating a password with a few extra characters once a year.

Using (Passw0rd1234#!) versus using (Password1234) should not be that big of a deal, use Google Chrome password manager and you will be fine, I have 700+ passwords in it.

https://support.google.com/chrome/answer/95606?hl=en

Jeff M
AG Jeff is offline  
post #22 of 29 (permalink) Old June 22nd, 2016, 20:25
Registered User
 
Join Date: Mar 2004
Location: northern nj
Age: 60
Posts: 763
OldTrader Rating: (1)
Quote:
Originally Posted by AG Jeff View Post
I see your point but I think it is being blown out of proportion.

This whole issue has nothing to do with our server security. A third party plugin got hacked and got limited access to some info for our sites and thousands of others. We got stuck cleaning up the mess and have legal and authorities on it.

The time you have spent posting all this is more than the time you will spend for the next few years updating a password with a few extra characters once a year.

Using (Passw0rd1234#!) versus using (Password1234) should not be that big of a deal, use Google Chrome password manager and you will be fine, I have 700+ passwords in it.

https://support.google.com/chrome/answer/95606?hl=en

Jeff M
I think you should rephrase that from:

"A third party plugin got hacked and got limited access to some info for our sites and thousands of others."

To:

"A third party plugin got hacked and exposed a security weakness we were unaware of."

Also, please don't tell me that my inconvenience is one I should be able to live with. Clearly I am going to live with it if I am going to continue using this site. However this inconvenience is among a list of items I will consider as I decide which MR2 site I will make my next post on.

My point still stands. Strong password enforcement would have made no difference in this recent hack and will make no difference in any future hack. The benefit of forcing good password hygiene on me does not balance the annoyance for a non-critical non-monetary site.

The only true benefit of strong password enforcement is for those very very few people who insist on both using weak passwords and also reusing those same weak passwords on financially important sites.

Clearly I have already wasted more of my time ranting about this than the actual strong password enforcement. It's just one of my hot buttons when someone does something just so they can be seen as doing something especially if it has no relation to the actual problem.
edmcguirk is offline  
post #23 of 29 (permalink) Old June 22nd, 2016, 20:30
Registered User
 
Join Date: Mar 2004
Location: northern nj
Age: 60
Posts: 763
OldTrader Rating: (1)
Or perhaps I should just blame the lawyers because I am sure that somewhere along the line they said, "Just to minimize liability, set all security options to maximum."
edmcguirk is offline  
post #24 of 29 (permalink) Old June 22nd, 2016, 21:49
Administrator
 
Join Date: Dec 2015
Location: Chicago
Posts: 71
OldTrader Rating: (0)
Garage
Quote:
Originally Posted by edmcguirk View Post
I think you should rephrase that from:

"A third party plugin got hacked and got limited access to some info for our sites and thousands of others."

To:

"A third party plugin got hacked and exposed a security weakness we were unaware of."

Also, please don't tell me that my inconvenience is one I should be able to live with. Clearly I am going to live with it if I am going to continue using this site. However this inconvenience is among a list of items I will consider as I decide which MR2 site I will make my next post on.

My point still stands. Strong password enforcement would have made no difference in this recent hack and will make no difference in any future hack. The benefit of forcing good password hygiene on me does not balance the annoyance for a non-critical non-monetary site.

The only true benefit of strong password enforcement is for those very very few people who insist on both using weak passwords and also reusing those same weak passwords on financially important sites.

Clearly I have already wasted more of my time ranting about this than the actual strong password enforcement. It's just one of my hot buttons when someone does something just so they can be seen as doing something especially if it has no relation to the actual problem.
Quote:
Originally Posted by edmcguirk View Post
Or perhaps I should just blame the lawyers because I am sure that somewhere along the line they said, "Just to minimize liability, set all security options to maximum."
Understood, not to dismiss your points but I did not just want to give you a canned corporate response.

I totally get it, however this is what the powers that be have laid out and I have marching orders.

Community health and members' security is my main priority but feel free to send in a message to the contact us page.

MR2 Owners Club Message Board - Contact Us

Onward and upward - hope you stick around and enjoy the community.

Jeff M
AG Jeff is offline  
post #25 of 29 (permalink) Old June 23rd, 2016, 00:21
Registered User
 
Join Date: Jan 2016
Posts: 4
OldTrader Rating: (0)
Great way to piss members off and not bother coming back.
I see some are already having issues. Hello!
Would be my call. Can you hear the DEATH KNELL ringing???????
I have only been lurking and have not had much to say being from another country.
But doubt I will be back.
I have never come across such stupidity getting logged in to just a form.
I think others have made some very valid points that you need to consider if you want this forum to survive.
clawnz is offline  
post #26 of 29 (permalink) Old June 23rd, 2016, 09:22
Administrator
 
Join Date: Dec 2015
Location: Chicago
Posts: 71
OldTrader Rating: (0)
Garage
Quote:
Originally Posted by clawnz View Post
Great way to piss members off and not bother coming back.
I see some are already having issues. Hello!
Would be my call. Can you hear the DEATH KNELL ringing???????
I have only been lurking and have not had much to say being from another country.
But doubt I will be back.
I have never come across such stupidity getting logged in to just a form.
I think others have made some very valid points that you need to consider if you want this forum to survive.
I will share feedback - also have any members with log in issues fill out this contact us section for a reset.

MR2 Owners Club Message Board - Contact Us

Jeff M
AG Jeff is offline  
post #27 of 29 (permalink) Old June 23rd, 2016, 17:12
Registered User
 
Join Date: Dec 2015
Posts: 28
OldTrader Rating: (0)
Hi Jeff,

I understand that you have increased password complexity (for security), but could you please provide a brief overview of what other changes are occurring in the management of the forum and in digital security going forward? (Excluding passwords being reset)

From my understanding, many of the articles state that a very minimal amount of passwords were actually encrypted. If this is the case and nothing is done, then we are setting up very long and complex passwords, and resetting them once a year, for absolutely no benefit.

Thanks,

-Eric
Eric manderson is offline  
post #28 of 29 (permalink) Old June 24th, 2016, 05:48
Lifetime Gold
 
Join Date: Mar 2004
Location: Vancouver Island
Age: 49
Posts: 4,395
OldTrader Rating: (6)
Pop-up Sign-In request from mr2 ownersclubDOTcom

I was already logged in here, and I just got a pop-up sign-in request from "mr2 ownersclubDOTcom"
I had already completed the (forced) password reset last week or so, I was immediately suspicious... I saw that it had the "oc" part written out.

I was able to re-create the popup by typing in the website above (no spaces). I never entered any password anywhere.

The site goes nowhere. Do not type passwords into that request popup. As if things aren't hard enough during this time, the actual password reset process is targeted too.

Last edited by Gandalf; June 24th, 2016 at 06:16.
Gandalf is offline  
post #29 of 29 (permalink) Old June 27th, 2016, 10:02
Administrator
 
Join Date: Dec 2015
Location: Chicago
Posts: 71
OldTrader Rating: (0)
Garage
Quote:
Originally Posted by Eric manderson View Post
Hi Jeff,

I understand that you have increased password complexity (for security), but could you please provide a brief overview of what other changes are occurring in the management of the forum and in digital security going forward? (Excluding passwords being reset)

From my understanding, many of the articles state that a very minimal amount of passwords were actually encrypted. If this is the case and nothing is done, then we are setting up very long and complex passwords, and resetting them once a year, for absolutely no benefit.

Thanks,

-Eric
Here is a posting about the issue:
VerticalScope.com


Quote:
Originally Posted by Gandalf View Post
I was already logged in here, and I just got a pop-up sign-in request from "mr2 ownersclubDOTcom"
I had already completed the (forced) password reset last week or so, I was immediately suspicious... I saw that it had the "oc" part written out.

I was able to re-create the popup by typing in the website above (no spaces). I never entered any password anywhere.

The site goes nowhere. Do not type passwords into that request popup. As if things aren't hard enough during this time, the actual password reset process is targeted too.
I would ignore anything that is not going directly to this URL.

Jeff M
AG Jeff is offline  