GM Volt Forum banner

1 - 10 of 10 Posts

·
Administrator
Joined
·
618 Posts
Discussion Starter #1
Hello all,

Over the next few days we will be implementing some changes to our forum password strength and password expiration policies. To make sure you continue having the best experience possible on the community, we regularly monitor the site and the Internet to keep everyone's account information safe. We've recently become aware of a potential risk to some accounts coming from outside of this community. Just to be safe, we are implementing the following changes to improve security even further:

1) We are asking everyone to change their passwords (and will force a one-time reset). Along with every user on the forum, new passwords will need to be more complex, and can't be simple words (sorry, you can't have "fluffy" as your password anymore!). Please use a password unique to this community. Reusing passwords can expose your account indirectly when other websites (Twitter, LinkedIn, Badoo, etc.) are compromised; and

2) Your passwords will expire on a 365-day basis. When you log in on the 366th day, you will have to change it.

We'll also be sending out an email to users to let them know about the changes, in upcoming weeks.

Thanks all,

Helena

Community Management
 

·
Registered
Joined
·
1,623 Posts
It would be nice if the headline alert no longer appears after I change my password. Alternatively, if the alert cannot be dismissed on a user-by-user basis, it should include a date so that any new alert would be immediately apparent without having to click through.

Thank you.

KNS
 

·
Registered
Joined
·
89 Posts
I'm not sure that making it difficult to access a low-risk site is wise.

I have 3 levels of passwords:

1) No Risk accounts. These are passwords for devices that cannot cause financial harm. These have short passwords that are nonsensical.
2) Limited risk passwords. These are passwords that have the potential for financial harm, but cannot directly access money. These have long and tight passwords.
3) High Risk. These have both a unique username, unique long/tight password that is changed often.

This site isn't even a #1. Exactly how much damage can it do when it uses a junkmail address, unique username, and nonsense 8 char password?

I will not remember this username or password, and it's sort of stupid to write a password down unless you carry paperwork with you everywhere.

I'm not using my old username or email here. (Remember, you published that on the web once already?)
 

·
Registered
Joined
·
147 Posts
10-character minimum length??? Completely ridiculous. Not even banks or credit card companies have a requirement like that.
 

·
Registered
Joined
·
3,770 Posts
Around the time of the hack I started getting lots of emails from 'businesses' with a similar look and feel to the email.
The sender has no relation to the 'business' and the 'unsubscribe' link is an even weirder address, so I never click to unsubscribe.
They are not filtered as junk.
I report each as a phishing scam. This is from my low priority email address (hotmail), but still, how do you make this stop?
 

·
Registered
Joined
·
414 Posts
> Around the time of the hack I started getting lots of emails from 'businesses' with a similar look and feel to the email.
> The sender has no relation to the 'business' and the 'unsubscribe' link is an even weirder address, so I never click to unsubscribe.
> They are not filtered as junk.
> I report each as a phishing scam. This is from my low priority email address (hotmail), but still, how do you make this stop?

Once your email address is out, there is not much you can do. I use "disposable" email addresses for this type of thing. If too much spam starts getting through, then just close the address and open another one. If you use Outlook, make sure all the updates are applied so you have the current spam filters.
 

·
Administrator
Joined
·
618 Posts
Discussion Starter #7
> It would be nice if the headline alert no longer appears after I change my password. Alternatively, if the alert cannot be dismissed on a user-by-user basis, it should include a date so that any new alert would be immediately apparent without having to click through.
>
> Thank you.
>
> KNS

This is there for those who have not seen it or need to be directed properly. As for advanced changes to something that will in fact be brief, those would take longer for the programmers to create. Since the situation had to be addressed immediately, this was the quickest and most effective way at the time. Once the dust settles, it will be removed.

> I'm not sure that making it difficult to access a low-risk site is wise.
>
> I have 3 levels of passwords:
>
> 1) No Risk accounts. These are passwords for devices that cannot cause financial harm. These have short passwords that are nonsensical.
> 2) Limited risk passwords. These are passwords that have the potential for financial harm, but cannot directly access money. These have long and tight passwords.
> 3) High Risk. These have both a unique username, unique long/tight password that is changed often.
>
> This site isn't even a #1. Exactly how much damage can it do when it uses a junkmail address, unique username, and nonsense 8 char password?
>
> I will not remember this username or password, and it's sort of stupid to write a password down unless you carry paperwork with you everywhere.
>
> I'm not using my old username or email here. (Remember, you published that on the web once already?)

For more information on the breach and situation, please read the following: http://www.verticalscope.com/about-us/notice-of-data-breach.html

Also, we did not publish your information on the web. The brute force attack on the database was a breach from a third-party plugin.

As for damage control, this is not about just your account. Some users use the same password across all sites. This could include online banking, shopping online, even PayPal accounts. We are also doing this as a "just in case". We have patched and improved security on our end, but we are covering all areas now.

> 10-character minimum length??? Completely ridiculous. Not even banks or credit card companies have a requirement like that.

Of course they don't. They have a 128-256 bit encryption which shifts salts and hashes quite frequently to make it almost impossible to breach. It can be, though.

But you are not speaking about the very servers protecting your account; you are speaking of 4-6 digit PINs for machines.
Let me ask you this. If I acquired your PIN number for your account, how strong and foolproof is a 256-bit encryption when I know your password or PIN? Online banking requires the account number and whatever password you put on there.

Some people use the same password for email, where they have direct links and account info visible for online banking as well. A quick search in a Google inbox can reveal sensitive information.

The point I'm trying to make is not to induce fear or worry. All your pay information or PayPal stuff, if you did use it on the sites, is not kept on any databases (see link above I posted). But that password could be linked to other sensitive information that is out there on the net. We are issuing mandatory password changes here by law regardless, but even with all this, you should be taking extra steps and changing your passwords elsewhere.

> Around the time of the hack I started getting lots of emails from 'businesses' with a similar look and feel to the email.
> The sender has no relation to the 'business' and the 'unsubscribe' link is an even weirder address, so I never click to unsubscribe.
> They are not filtered as junk.
> I report each as a phishing scam. This is from my low priority email address (hotmail), but still, how do you make this stop?

Hotmail has a very poor spam filter on it. Upon seeing these accounts, I would flag them and mark them as spam. Hotmail has also had breaches in the past. It's not a very sought-after email any longer due to its security flaws of the past. Be cautious anywhere when clicking things.

If you are worried and need clarification of these emails, you may post them here and I'll take a look for you.

Any further questions, please let us know and I will answer them as best as I can. I'm here to help with any issues you have with password resets as well. Thanks all.

~Shane
 

·
Registered
Joined
·
1,024 Posts
How come I can't log in from my second computer that's at my other house? And yes, I know my user name and password (the new changed one).
 

·
Registered
Joined
·
677 Posts
Ironically, research has shown that this leads to less secure passwords as users are more inclined to use simpler passwords and reuse them so that they can remember them.

> 2) Your passwords will expire on a 365-day basis. When you log in on the 366th day, you will have to change it.
 

·
Administrator
Joined
·
618 Posts
Discussion Starter #10
> How come I can't log in from my second computer that's at my other house? And yes, I know my user name and password (the new changed one).

What message are you receiving when you attempt to log in?
Are you typing the password in manually, or allowing it to auto-fill?

Try clearing your cache and cookies from your browser, and see if that helps out.

Richard.
 