Warning about password change email.

  • Luerssen
    Member
    • Aug 2007
    • 33
    • 3.6.x

    Hello.

    Today I got an email with my new password, but I didn't find the customer login, because I have ~20 vBulletin accounts with licenses. And it was trouble to find which account's password was changed.

    Best regards.
  • Comtech
    Banned
    • Nov 2004
    • 323
    • 3.6.x

    #2
    Originally posted by Luerssen
    Hello.

    Today I got an email with my new password, but I didn't find the customer login, because I have ~20 vBulletin accounts with licenses. And it was trouble to find which account's password was changed.

    Best regards.
    Every customer had their password changed.
    Thus each account you have with licenses has a new password.


    • Colin F
      Senior Member
      • May 2004
      • 17689

      #3
      Hi

      You can retrieve the customer number associated with a specific email address here: http://members.vbulletin.com/lostpw....lostcustomerid
      Best Regards
      Colin Frei

      Please don't contact me per PM.


      • ChipTz
        Senior Member
        • Jan 2005
        • 303
        • 4.0.0

        #4
        Hello,

        This topic is being discussed also in the chit chat area, but since I think this is the correct forum to do it, I have two concerns regarding this change:

        1. The password was sent in a plain text e-mail... not too secure... and I don't know where to change it either

        2. I'd like to request that the question + password hint isn't mandatory. After all, looking at the questions, I'd say that someone who knows me (and it hasn't got to be my best friend) and knows that I have a vB licence wouldn't have too much trouble in finding the correct answer to most of the questions. In fact, some of them are quite easy... like, your favorite colour... look at the rainbow and guess... your favourite ice cream flavour... choose round about 5 or 6 flavours and you'll have the flavours 90% of the people most like... the same for the other questions. At least the user should be able to not use a secret question hint for password. Have a reset code sent by mail, the same mail you used to send the new password or any other way to retrieve lost passwords but do not force us to use secret question + answer, especially if this was due to security + licence stealing concerns...


        • Wayne Luke
          vBulletin Technical Support Lead
          • Aug 2000
          • 73978

          #5
          You can request a new password to be sent to you here:


          If you use SSL/TLS to access your email, then any direct attacks on you will be circumvented.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API


          • Cool Matty
            Senior Member
            • Jul 2006
            • 101
            • 3.7.x

            #6
            Originally posted by Wayne Luke
            You can request a new password to be sent to you here:


            If you use SSL/TLS to access your email, then any direct attacks on you will be circumvented.
            Except, of course, for the numerous servers it needs to travel through to reach our email.

            Why was it deemed necessary to reset? Wouldn't just expiring the current passwords and having users change them themselves on login be a far better approach?


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73978

              #7
              The system isn't built to allow users to change passwords. This dramatically reduces the amount of issues with hijacked accounts.

              • Cool Matty
                Senior Member
                • Jul 2006
                • 101
                • 3.7.x

                #8
                Originally posted by Wayne Luke
                The system isn't built to allow users to change passwords. This dramatically reduces the amount of issues with hijacked accounts.
                So instead of using this method that supposedly involves more hijacked accounts, you send the password, insecurely, over email, one of the most insecure methods of communication on the internet.

                Not to mention you are forcing users to keep a password they can't easily remember, meaning many will do stupid things like keep it in text files, put it on a post-it note, save it in their browser, or worse.


                • ManagerJosh
                  Senior Member
                  • Jun 2002
                  • 9922

                  #9
                  Originally posted by Cool Matty
                  So instead of using this method that supposedly involves more hijacked accounts, you send the password, insecurely, over email, one of the most insecure methods of communication on the internet.

                  Not to mention you are forcing users to keep a password they can't easily remember, meaning many will do stupid things like keep it in text files, put it on a post-it note, save it in their browser, or worse.
                  I don't seem to recall a similar complaint when the passwords were first delivered to a customer.
                  ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                  Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


                  • Cool Matty
                    Senior Member
                    • Jul 2006
                    • 101
                    • 3.7.x

                    #10
                    Originally posted by ManagerJosh
                    I don't seem to recall a similar complaint when the passwords were first delivered to a customer.
                    So? The issue remains, regardless of how long it's been in effect.


                    • ManagerJosh
                      Senior Member
                      • Jun 2002
                      • 9922

                      #11
                      I think you're missing the point. Passwords were originally delivered plain-texted and I don't recall a single complaint. Passwords are now updated, and once more delivered plain-texted but there are complaints? That seems like a huge double-standard.

                      • Cool Matty
                        Senior Member
                        • Jul 2006
                        • 101
                        • 3.7.x

                        #12
                        Originally posted by ManagerJosh
                        I think you're missing the point. Passwords were originally delivered plain-texted and I don't recall a single complaint. Passwords are now updated, and once more delivered plain-texted but there are complaints? That seems like a huge double-standard.
                        Apologies for not having time to complain the first time?


                        • ChipTz
                          Senior Member
                          • Jan 2005
                          • 303
                          • 4.0.0

                          #13
                          I still don't get the need of a reset/reminder question.


                          • Wayne Luke
                            vBulletin Technical Support Lead
                            • Aug 2000
                            • 73978

                            #14
                            Originally posted by ChipTz
                            I still don't get the need of a reset/reminder question.

                            We get emails all the time that go something like this:
                            Hi, I am the owner of xyzforums.com and I forgot my customer ID and password. Please send a new one to this address.
                            Now many of these are legitimate requests and they are the owner of the site. They just have a new email address. However quite a few are people trying to steal the license. Now we used to ask for the purchase information including name, address, email, billing type and transaction ID. People complained this is too personal. So we instituted the secret question/answer thing.

                            This has been in place for 3 years now and must be answered before you download for the first time. Using this allows another level of validation on your license to protect your investment. Some people will say it's only a $160.00 piece of software and this isn't necessary, but for some customers that is a hefty investment, and even if it isn't, it is something you paid for and could cost you a lot more if your license is compromised because we were not diligent.

                            • Selrion
                              Member
                              • Nov 2007
                              • 50
                              • 3.8.x

                              #15
                              Mr. Luke, please don't talk about the vBulletin price. This price was determined by Jelsoft, not by us. I think a lot of us would pay much more for vBulletin, 'cause I cannot imagine such forum software that could be a little better than vBulletin and more expensive than $160. I mean, Jelsoft is positioning vBulletin as low-cost software. I just cannot imagine high-cost software. But this is not the case. I think that customers must have the ability to change their password to prevent their license from being stolen as fast as it is possible to do...
