Attention - Password and Security Update - Page 3 - Kia Forum
post #21 of 30 (permalink) Old 06-24-2016, 12:32 PM
ron1004 (Super Moderator)

Just as a test, I logged out, and when trying to log back in it rejected the last password that I created and saved, so I had to go through requesting that a new password be emailed.


Let's hope that they get this sorted and free themselves up to eliminate the Social Media registration and sign-in, which in my opinion is the greater security risk to the forum and members.


Quality and not quantity counts.

post #22 of 30 (permalink) Old 06-24-2016, 04:08 PM
sblake5 (Expert)

Yeah, I've had a couple of issues signing in since being 'asked' to create a new password. I do hope they get this sorted out also.

2014 RIO LX: Added cruise control, EX/SX console, Ford Taurus spoiler, 3" exhaust tip, K&N filter, dual horns, Proline 950S wheels, catch can. Retired HVAC/MVAC tech.

post #23 of 30 (permalink) Old 06-25-2016, 02:49 AM
ron1004 (Super Moderator)

@The Wizard it looks like your comments were taken on board.

post #24 of 30 (permalink) Old 06-25-2016, 12:41 PM
The Wizard (Senior Member)

I'm impressed... someone was listening.

Of course, by their own admission, the problem had nothing to do with members using insecure passwords in the first place. The problem was the much more common situation of having the site's data hacked. In this situation, forcing artificially complex passwords isn't going to help much in the long run. Preventing the hack in the first place is the more effective response.

I don't disagree with using better passwords. I just don't think that the extreme nature of the new password requirements is warranted. Ten character minimum and both numbers and symbols is uncommonly complex. Even bank sites don't require that level of complexity. Most people are used to eight character minimums with upper and lower case and either a number or a symbol. That would have been quite sufficient for an online forum.
post #25 of 30 (permalink) Old 06-26-2016, 08:17 AM
ron1004 (Super Moderator)

Quote:
Currently Active Users: 1498 (17 members and 1481 guests)
I don't recall seeing the logged on member numbers that low.
post #26 of 30 (permalink) Old 07-02-2016, 09:11 AM
mrand (Newbie)

Quote:
Originally Posted by administrator View Post
Hello all,
<...>new passwords will need to be more complex, and can't be simple words (sorry, you can't have "fluffy" as your password anymore!). Please use a password unique to this community.<...>
Why? It's pretty widely accepted in the security community that these types of restrictions don't make us safer. Here are but two quick articles on the topic:

Turns Out Your Complex Passwords Aren't That Much Safer | WIRED
Why you don't need long, complex passwords | InfoWorld
post #27 of 30 (permalink) Old 07-05-2016, 12:11 PM Thread Starter
administrator (Administrator)

Hey Guys,

I just want to post here to shed a little more light on the situation, at least as much as we can provide at the moment.

A 3rd party plugin that we and other networks use had its developers compromised. Their DB was breached and data was scraped. I can't ID the plugin as it's under legal investigation. However, I can say that it had access to user data because it functions separately from the vb software. Many plugins do this: chats, newsletters, mobile apps etc. This is not an active breach; however, as a precaution we did initiate security updates including password changes and new pass requirements.

Their system was compromised and they grabbed user data for us and thousands of others.
We cleared our part of the breach and went this route to further security.
This is also in place as many members on the internet use the same or similar passwords across all things they use.

Hackers who have access to these accounts may be able to access other platforms where the same email and/or passwords are used.
Other platforms have been compromised as well, including Twitter, LinkedIn etc. We are just trying to get ahead of this, and nip it in the bud as soon as possible.

We cannot go into detail at the moment as it is being dealt with on a legal level.

Though this breach happened in Feb, we were not notified until very recently. We worked hard to find a solution for this mess, and acted on it. Though it may not be ideal in some eyes, it is the best we have access to ATM.
Once the storm settles we may look into other methods for our security, but right now we ask that you be patient with us.

As for us not responding to members, you have to understand our community support team watches over many sites. Luckily this week and last, we have had many members from other teams offer help. With that said all emails sent to our Contact Us email will be dealt with. Granted, it may take a little time for us to get to all of them, but please be patient with us as we are working really hard to catch up and help everyone.

If there are any other questions/concerns/feedback, please feel free to post them here.

Thank you for your patience and understanding,

Richard.

post #28 of 30 (permalink) Old 07-23-2016, 12:26 AM
engineered (Full Member)

Quote:
Originally Posted by PLP View Post
the new password is a killer... or I should say overkill.
Quote:
Originally Posted by The Wizard View Post
Sorry, I can't agree. I've been in the IT business for over 30 years and have seen many attempts to "improve security" that have ended up being abject failures. Forcing passwords of minimum 10 characters including upper and lower case AND numbers AND symbols is just going to create problems for most users. As has already been mentioned, the only security risk for users of an online forum applies to those users who are dumb enough to use the same password on other (more sensitive) sites. I tend to use differing user names and simple variations of a short password for all the online forums I belong to or moderate. Basically I don't care if someone discovers it - what are they going to do, post a nasty message as me?

Adding complexity to password requirements is not the answer. Doing so actually encourages the very action you want to avoid - people reuse the password on other sites because it's too complex to remember for just one forum. Hackers seldom attack online forums with brute force password guessing. They get passwords by hacking into the site and downloading them (or from lists that have already been discovered). That means that users with artificially complex passwords that then get reused are at much greater risk (because they also tend to use the same user names as well).

And if I may, your handling of the change was less than stellar. As mentioned, nobody bothers to look in this section during their normal browsing. I didn't even know this section existed until today. Posting in each of the major sections really wouldn't have been as much of a problem as you suggest. Or using the announcement capability of the forum software would have reached more members. But really, the issue I have is that the passwords were changed rather than just changing the setting to force users to change their own password at next login. I get my email on my phone but browse on my desktop so trying to type in the cryptic new password became a minor issue.

Obviously my lone opinion will have absolutely zero effect on your processes but I figured I'd voice it anyway.
Quote:
Originally Posted by The Wizard View Post
I'm impressed... someone was listening.

Of course, by their own admission, the problem had nothing to do with members using insecure passwords in the first place. The problem was the much more common situation of having the site's data hacked. In this situation, forcing artificially complex passwords isn't going to help much in the long run. Preventing the hack in the first place is the more effective response.

I don't disagree with using better passwords. I just don't think that the extreme nature of the new password requirements is warranted. Ten character minimum and both numbers and symbols is uncommonly complex. Even bank sites don't require that level of complexity. Most people are used to eight character minimums with upper and lower case and either a number or a symbol. That would have been quite sufficient for an online forum.
Quote:
Originally Posted by mrand View Post
Why? It's pretty widely accepted in the security community that these types of restrictions don't make us safer. Here are but two quick articles on the topic:

Turns Out Your Complex Passwords Aren't That Much Safer | WIRED
Why you don't need long, complex passwords | InfoWorld
I have to agree with the others here. This needlessly complex password is actually less safe. Most users will have to write it down somewhere to remember it, defeating the purpose of a password. Or, like me, have to reset it every time I need to log in because it's ridiculous to remember.
post #29 of 30 (permalink) Old 07-23-2016, 02:36 PM Thread Starter
administrator (Administrator)

Quote:
Originally Posted by engineered View Post
I have to agree with the others here. This needlessly complex password is actually less safe. Most users will have to write it down somewhere to remember it, defeating the purpose of a password. Or like me, have reset it every time I need to log in because it's ridiculous to remember.
The problem with those two articles is that they are referring to plain text password storage, which we don't do and in the time I've been with the company have never done. We always encrypted them per industry standards. The ask for numbers and symbols is to prevent someone from decrypting it with what's called a dictionary script. If you're having to reset it every time, then please go into your browser's settings and delete the saved password(s) you have for this site, as most browsers will try to autofill even if you manually input.

Thanks

Kyle

post #30 of 30 (permalink) Old 07-25-2016, 11:04 AM
The Wizard (Senior Member)

A "dictionary attack" does not mean trying to guess passwords using an actual English dictionary... it refers to using a "dictionary" of commonly used passwords as a source to try getting passwords by brute force. Those dictionaries already include numbers and symbols such as "123456" and common substitutions such as "p@55w0rd". Requiring numbers and symbols generally does not make a password more secure unless it is randomly generated.

Besides, when the attack vector is a hack of your credential storage, brute force password guessing isn't the issue. Even with encryption of the data, the hackers have plenty of time to work on the stolen data and once they find the hash, the entire database becomes accessible.