
Site Security Update, PLEASE READ!

#1 ·
Hello Everyone,

Per the latest announcements we will be resetting everyone's passwords. Shortly you should be receiving an email directing you how to change your password. It will look like this:

Subject: Your new password for *site name*
Dear *username*,
Your password has been reset by an administrator. Your new details are as follows:
Username: *username*
Password: *Randomly generated temp password*
To change your password, please visit this page: *link to password reset edit page from USERCP*
If you suspect this email is a scam, you can confirm the legitimacy of this email by manually navigating to the forum URL yourself and using your new password to log in.
All the best,
Site Name
As you can see, it will give you a randomly generated temporary password, as well as telling you where you need to go to update it accordingly.
If you do not receive this email, please go to the contact us page, select Other, and type in Security Password Update Issues.
We're sorry for the inconvenience.

-Admin Team
 
#2 ·
I'm assuming we should choose a new password, because your password vault was breached and someone got all the passwords? Which means if we use algorithms for our password, we are now at risk anywhere we used the same algorithm?
 
#4 ·
Your passwords in plain text were not compromised, but if you have a simple password it can be cracked. If you used the same password on LinkedIn, Twitter, eBay, etc., there is a good chance someone has your password already, since they have all been part of multiple data breaches.

Why strong passwords, per unique website, are important:

In the event of any data breach, be it malware sniffing encrypted passwords over the wire, or a database grab of encrypted data, hackers focus their efforts on decrypting what they found. Forums generally use a double md5-hash + unique user salt. This means that, to get your password, they would try one of two ways:

1) Set up their own staging area and try and brute force crack your password with a dictionary file (using software like John the Ripper). This method means they try variations of words, names, numbers and upper/lower case letters. If your password is Helena22, you will be an easy target. If your password is 5v23dWWdg,L!2 the dictionary won't match it. Or,

2) They look at other data sources where they stole info from and already cracked (Twitter, Ashley Madison, Badoo, LinkedIn, etc) and match your email address up. If you re-use your password anywhere else, they try the password they have on file first.

The more complex (and unique!) your passwords are for each of the various web services you use, including this forum, the lower the odds they will crack it, and you make option #2 less probable.

-Philip
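
The dictionary check described in method 1 above, as an added example that is not part of the original thread or the forum software's code. It assumes the legacy scheme is md5(md5(password) + salt) (the post only says "double md5-hash + unique user salt"), uses a constructed four-word list and salt, and shows a deliberately slow PBKDF2 hash as the storage alternative; all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample wordlist; a real audit list is far larger.
WORDLIST = ["password", "helena", "volvo", "summer"]


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def candidates(words):
    """Dictionary words with the mangling the post describes:
    lower, capitalised and upper case, plus an optional 0-99 suffix."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n}"


def audit(stored_hash: str, salt: str, words=WORDLIST):
    """Return the guess matching a stored legacy hash, or None.

    The per-user salt is stored next to the hash, so it only blocks
    precomputed tables; it does not slow down a per-account guess loop.
    """
    for guess in candidates(words):
        if hmac.compare_digest(legacy_hash(guess, salt), stored_hash):
            return guess
    return None


def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Storage alternative: PBKDF2-HMAC-SHA256, where every guess costs
    `iterations` hash computations instead of two MD5 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
```

With the constructed list, `audit` recovers Helena22 after at most a few hundred guesses per word, while the random-looking password from the post is never generated as a candidate.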
 
#3 ·
Yeah, what's the deal? Password requirements don't seem to have changed.
 
#5 · (Edited)
The joys of using LastPass and not having a single password used anywhere else. One of the places I use gets hacked, no one else is at risk. Especially when the passwords are like oEi,w*)ePQ8l32L@ haha.

For those interested in a password manager, LastPass and Keeper Security are my favorites as an IT Engineer. Below is a great article on them: http://www.pcmag.com/article2/0,2817,2407168,00.asp
 
#8 ·
so in other words your breach included everything needed to crack just about any password regardless of complexity.

You fully dropped the ball on this and have denied that it was even a problem, blaming users with terrible passwords was your scapegoat. It took three days for you to even start notifying users. It's been a week before this notice even showed up. Way to go VS.

Signed,
Pirate 4x4 user, where we grabbed pitchforks and torches.
http://www.pirate4x4.com/forum/gene...rate-passwords-vertical-scope-got-hacked.html
Don't click that link if cursing offends you.
 
#9 ·
Encrypted password hashes are not easy to solve for complex passwords. I doubt anyone will go to that much effort.
 
#10 ·
lol.

it's likely that this information was compromised in february, so there's already been months of cracking.

read the pirate thread, it took less than 24 hours to start cracking passwords, and no one there has access to a botnet.
then they sent me a new password in plain text email, but don't force a password change for a year. So you're letting users use plain text passwords for the next year? Awesome.

inept.
Thanks VS for ruining message boards across the internet. you bought them all and then you proceeded to suck.
 
#17 ·
So for those non-computer-code folks, how does one keep track of passwords? Is there a good program to use? I'm getting so many password reset notifications it's getting hard not to have a hard copy with them all.
 
#21 ·
It used to be that reusing passwords was dumb. "Reusing" is the standard word used for using the same password for multiple accounts. But today, with almost every site wanting to get into data mining, you are asked for a user/pass even if it costs nothing (at least upfront). Having password management applications is great, and I recommend you do it even on your "very" secure home computer, as storing passwords in text files, emails, etc. is not wise. But those solutions are not very portable, and you will find yourself in a place where you will need the password that you do not remember w/o access to your vault. That's why password reuse is now an acceptable practice.

The industry issue is not with the reuse but with the password itself. Most people have easy to guess passwords even if they are "complex". You only need access to a few pieces of the publicly available info about that person in order to guess it. And that does not count the many people that have passwords like 12345.

So, until the use of passwords is obsolete and replaced with newer id schemas just have a strong hard to guess password and be careful where you type it.
 