The New Password Rules Are Stupid - Page 2 - LotusTalk - The Lotus Cars Community
post #21 of 47 (permalink) Old 06-25-2016, 08:20 AM
$3(uR3 u$3r
 
SCamper's Avatar
 
Join Date: Aug 2008
Location: Austin, Texas
Posts: 430
Hi.

So VS gets hacked and someone gets all the username and password info and as a result WE need to make our passwords stronger.

VS fix your system security. Do not give the false impression that a complex password for this site by us little people would have prevented your security issue. Just have us all change our passwords and keep it simple.

-Alex

2008 Elise SC - Solar Yellow
SCamper is offline  
post #22 of 47 (permalink) Old 06-25-2016, 09:14 AM
not your dad's puns
 
Turbopun's Avatar
 
Join Date: Aug 2009
Location: Big D
Posts: 1,751
Quote:
Originally Posted by srfntrf View Post
never had these worries on either my Smith-Corona or Royal.
I was always partial to Olivettis, wanted a Lettera so badly.

because racecar
Turbopun is offline  
post #23 of 47 (permalink) Old 06-25-2016, 11:51 AM
Registered User
 
XHILR8N!'s Avatar
 
Join Date: Dec 2006
Location: 2 laps down
Posts: 6,791
Garage
Went out to the garage this morning, going to use our Tundra to haul a few things, and to just enjoy the freedom of the road in a big loud orange fuel hungry beast.

And the doors were locked. Somehow it had decided we needed an extra level of security. So in a locked garage in a place where we never lock our cars outside, the thing followed the fears of some paranoid engineer somewhere and managed to lock itself.

Of course this aggravating situation reminded me of all this nutty password stuff. And then to what we'll get to experience in airport security leaving the country next week. Someone somewhere in essentially another world did something malicious and now everyone everywhere gets to suffer forever.

The worst part, what all these situations have in common, is that well meaning authorities are the ones who perpetuate the harm.

Password hassles on sites that do not need protecting, vehicles that lock themselves in totally safe places, and long lines, bare feet and other restrictions on planes no one would attack are just daily life now.

And site hacks, stolen cars, and terrorism will go on anyway.

Anyone can make something complicated. It takes genius to make it simple. Einstein.
2011 Evora S Racing Heritage Edition (#3 of 4) (Now with alexsharkeyross)
2005 Elise LRG, track prepped ,
1974 Lotus Europa Special 3841R in JPS livery
2007 Toyota Tundra (about 10 cup holders), traded for 2015 Tundra TRD PRO
2007 Audi S4 DTM (RIP) 1980 Rover SD1 (new home) 2015 Honda Civic Si
2016 370Z Nismo
2013 Bentley Continental GT Speed 2019 Lexus LC500
XHILR8N! is online now  
 
post #24 of 47 (permalink) Old 06-25-2016, 07:21 PM
Nein Kinder
 
Glen's Avatar
 
Join Date: Feb 2011
Location: Golden, Colo.
Posts: 1,568
Quote:
Originally Posted by SCamper View Post
Hi.

So VS gets hacked and someone gets all the username and password info . . .
It's a little more convoluted than that.

The hackers didn't get your password, they got a salted and hashed version of it. When you submit your plain-text password to LotusTalk, the web site salts it (adds some additional characters to it), then hashes it using an algorithm called MD5. Then the web site compares the hash it just calculated to the stored hash for your account's password. If the hashes match, you're in. This method avoids ever storing your password as plain text, a very big security risk.

Hashing is supposed to be a one-way math operation so that you can't use the result and work backwards to the original password. But the MD5 hash has been easily defeated for over ten years now. VerticalScope is probably still using MD5 because it is fast to calculate when you try to log in and they don't think there's a big security risk if your account is compromised. MD5 is like a cheap lock . . . it's only going to stop someone who doesn't want to exert any effort. There are much better hashing algorithms available, and Vertical Scope doesn't have much excuse not to be using one of them.

It won't take much time or effort for a hacker to discover the plain-text passwords for likely 70% - 90% of the MD5 hashes, so Vertical Scope might as well have just stored most users' passwords as plain text. Login and password reuse is so common that many of VerticalScope's customers will have other accounts that use the same login and password. It's not your LotusTalk account that really needs a password reset, it's your Amazon, Gmail, EBay, Twitter, Facebook or bank account that uses the same login and password. So when VerticalScope makes you change your LotusTalk account, they are really telling you that if you reuse passwords, those other accounts are exposed.

Glen
LeMadChef likes this.

2011 Lotus Elise SC
Glen is offline  
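The storage scheme Glen describes (salt plus one fast MD5 round) next to the kind of slow, salted hash a site should store instead, as an added example that is not LotusTalk's or VerticalScope's code. The record formats, the `md5$`/`pbkdf2_sha256$` prefixes and the 600,000 iteration count are assumptions made for the illustration.

```python
# Added example, not the forum's own code: legacy salted-MD5 storage as Glen
# describes it, beside a hardened PBKDF2-HMAC-SHA256 record, with a verifier that
# accepts both so old accounts can be rehashed on their next successful login.
import hashlib
import hmac
import secrets

# Assumed cost for the hardened scheme; a real site tunes this to its hardware.
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str, salt: str) -> str:
    """Legacy record: one MD5 round over password + salt.

    Each MD5 round costs microseconds, so anyone holding the stored record
    can test candidate passwords at a very high rate; the salt only stops
    precomputed tables, it does not make guessing slow."""
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return f"md5${salt}${digest}"


def pbkdf2_store(password: str, salt: bytes = b"") -> str:
    """Hardened record: random 16-byte salt and many PBKDF2 iterations.

    The iteration count is stored with the record so it can be raised
    later without invalidating existing accounts."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    scheme, *fields = record.split("$")
    if scheme == "md5":
        salt, stored = fields
        calc = hashlib.md5((password + salt).encode()).hexdigest()
    elif scheme == "pbkdf2_sha256":
        iters, salt_hex, stored = fields
        calc = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        ).hex()
    else:
        return False  # unknown scheme: never accept
    return hmac.compare_digest(calc, stored)


def needs_rehash(record: str) -> bool:
    """True if the record is still MD5 or a PBKDF2 record below the current cost."""
    scheme, *fields = record.split("$")
    return scheme != "pbkdf2_sha256" or int(fields[0]) < PBKDF2_ITERATIONS
```

After a successful `verify()`, a site checks `needs_rehash()` and, if true, writes `pbkdf2_store()` of the password it just validated, so the MD5 records disappear as users log in.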
post #25 of 47 (permalink) Old 06-25-2016, 07:46 PM
Registered User
 
CALtd's Avatar
 
Join Date: Feb 2005
Location: San Luis Obispo, CA
Posts: 1,258
I suspect, based upon the data retrieved, that the SQL port was not secured. The cracker, (not hacker) was able to go through an old exploit to extract data out of the database. This is more likely a firewall problem rather than a server issue. The server could put extra protections in but if the room is secure then why bother.
CALtd is offline  
post #26 of 47 (permalink) Old 06-25-2016, 10:09 PM
Registered User
 
Lancia's Avatar
 
Join Date: Dec 2006
Posts: 2,376
Might be safer to stop hiring black hats?

When was the last time you went through airport security that screened for glass and plastic knives?
Lancia is offline  
post #27 of 47 (permalink) Old 06-26-2016, 03:13 AM
Registered User
 
PLAY-DOH's Avatar
 
Join Date: Dec 2014
Location: Hickory, NC
Posts: 876
Garage
Wouldn't be so bad if the passwords we choose would actually work. They don't. Go ahead and try, you won't even be able to go back to the issued one. At least for me that was the case. I just want it simple. I don't have tons of money to be accessed from anywhere!
It's a forum and that's all.

To those hackers who have thumbs the size of carrots... Go outside and get some sun on your face. Better yet go build something with your hands, quit ruining people's lives by sitting in your mommas basement and trying to mess up the world.
XHILR8N! likes this.

2011 Lotus Evora N/A Quartz Silver
PLAY-DOH is offline  
post #28 of 47 (permalink) Old 06-26-2016, 05:13 AM
Registered User
 
XHILR8N!'s Avatar
 
Join Date: Dec 2006
Location: 2 laps down
Posts: 6,791
Garage
Quote:
Originally Posted by Glen View Post
Login and password reuse is so common that many of VerticalScope's customers will have other accounts that use the same login and password. It's not your LotusTalk account that really needs a password reset, it's your Amazon, Gmail, EBay, Twitter, Facebook or bank account that uses the same login and password. So when VerticalScope makes you change your LotusTalk account, they are really telling you that if you reuse passwords, those other accounts are exposed.

Glen
This is precisely what gives relevance to the title of this thread. I will continue using the same un and pw for the zillion sites that require a log in (everything nowadays) but have zero security risks, like LotusTalk. And like always, I'll use a little sophistication for sites that actually do have sensitive data.
SCamper and KCZ like this.

Anyone can make something complicated. It takes genius to make it simple. Einstein.
2011 Evora S Racing Heritage Edition (#3 of 4) (Now with alexsharkeyross)
2005 Elise LRG, track prepped ,
1974 Lotus Europa Special 3841R in JPS livery
2007 Toyota Tundra (about 10 cup holders), traded for 2015 Tundra TRD PRO
2007 Audi S4 DTM (RIP) 1980 Rover SD1 (new home) 2015 Honda Civic Si
2016 370Z Nismo
2013 Bentley Continental GT Speed 2019 Lexus LC500
XHILR8N! is online now  
post #29 of 47 (permalink) Old 06-26-2016, 09:16 AM
Registered User
 
Elise8206's Avatar
 
Join Date: May 2006
Location: L.A.
Posts: 575
Garage
These new rules do not make any sense...I keep getting password resets here?????

'05 Lotus Elise Magnetic Blue
'02 Toyota MR-2 Spyder
'17 Mazda Miata MX-5 RF
'19 Acura RDX A-Specs
'09 Mini Cooper S

Tech Library!
http://wiki.seloc.org/a/Category:S2
Elise8206 is offline  
post #30 of 47 (permalink) Old 06-26-2016, 11:12 AM
Registered User
 
Lancia's Avatar
 
Join Date: Dec 2006
Posts: 2,376


XHILR8N! and PLAY-DOH like this.
Lancia is offline  
post #31 of 47 (permalink) Old 06-26-2016, 01:28 PM
cph
Registered User
 
cph's Avatar
 
Join Date: Dec 2008
Location: Christchurch, New Zealand
Posts: 431
Garage
I use iCloud Key Chain [Apple] and no problems.
I do use separate passwords for Bank access etc ... probably don't need to but like the idea of having total control of those passwords... as against letting the machine decide.

2-11 : BOE Built Engine / Rev 400 SC / Quaife Sequential / Dry Sump / Fastworks Tune SOLD
https://www.lotustalk.com/forums/f16...roject-339234/

ELISE : K20 / TVS 1320 / EP sequential / Dry Sumped / Motec M1

https://www.lotustalk.com/forums/f16...ealand-439105/

JUNO SSE K20 NA
cph is offline  
post #32 of 47 (permalink) Old 06-27-2016, 11:59 AM
Administrator
 
Join Date: Jul 2008
Location: Toronto, Canada
Posts: 1,336
Hey Guys,

I just wanted to clarify some things for you regarding this issue;

A 3rd party plugin that we and other networks use had its developers compromised. Their DB was breached and data was scraped. I can't ID the plugin as it's under legal investigation. However I can say that it had access to user data because it functions separately from the vb software. Many plugins do this, chats, news letters, mobile apps etc. This is not an active breach, however as a precaution we did initiate security updates including password changes and new pass requirements.

Their system was compromised and they grabbed user data for us and thousands of others.
We cleared our part of the breach and went this route to further security.
This is also in place as many members on the internet use the same or similar passwords across all things they use.

Hackers who have access to these accounts, may be able to access other platforms where the same email and/or passwords are used.
Other platforms have been compromised as well, including Twitter, Linkedin etc. We are just trying to get ahead of this, and nip it in the bud as soon as possible.

We cannot go into detail at the moment as it is being dealt with on a legal level.

Though this breach happened in Feb, we were not notified until very recently. We worked hard to find a solution for this mess, and acted on it. Though it may not be ideal in some eyes, it is the best we have access to ATM.
Once the storm settles we may look into other methods for our security, but right now we ask that you be patient with us.

If there are any other questions/concerns/feedback, please feel free to post them here.

Thank you for your patience and understanding,

Richard.
Administrator is offline  
post #33 of 47 (permalink) Old 06-27-2016, 01:26 PM
Registered User
 
David Craig's Avatar
 
Join Date: Jun 2009
Location: Toronto
Posts: 2,858
Luckily my leg was not stolen, so I can continue with my leg behind the head photos.

Seriously though, changing the password was not a burden. However the screen that popped up had an X in the corner that didn't seem to work. By that, I mean clicking on it did not close the screen. I eventually was able to close it using the backspace key though.

2009 Saffron Elise
1986 Toyota Tercel - RIP Oct 20/2012
David Craig is offline  
post #34 of 47 (permalink) Old 06-27-2016, 01:26 PM
Registered User
 
Join Date: Jun 2016
Posts: 55
I think most of the complaints are really not directed at this site, but at the profusion of sites bothering with long password BS and all this

Everything will get hacked, and 500 digit passwords will eventually bow to faster computers. Only your brain cannot be hacked, so the most secure password is one you can remember.

It would be nice if the system answered emails. I have received zero emails from the site and since they don't respond to the only email address that the site says is a valid in use one, I guess my old account is gone
exigeg2 is offline  
post #35 of 47 (permalink) Old 06-27-2016, 02:48 PM Thread Starter
Asst. Helmet Tester
 
jet37ski's Avatar
 
Join Date: Dec 2012
Location: CA
Posts: 1,229
Garage
I covered my computer in foil now, so I feel like I should be pretty safe.
XHILR8N! and srfntrf like this.

"I think you should name her Pippa, because she's British and has a nice looking rear end."

An ALS Ice Bucket Challenge unlike the rest The ALS Association Golden West Chapter Presents The PanAmerica Crew IBC
The most recent big adventure in the fight against ALS SailingforALS.com
and don't forget the epic charity road trip ThePanAmerica.com
jet37ski is offline  
post #36 of 47 (permalink) Old 06-27-2016, 03:43 PM
$3(uR3 u$3r
 
SCamper's Avatar
 
Join Date: Aug 2008
Location: Austin, Texas
Posts: 430
Hi.

I would also like to point out the link for the security breach looks like a fake banner ad. Maybe change it to a sticky or something that looks like a legit notice. When I first saw this I thought it was some BS ad.

Fix it please.

-Alex

2008 Elise SC - Solar Yellow
SCamper is offline  
post #37 of 47 (permalink) Old 06-27-2016, 09:04 PM
Registered User
 
cdn_alien's Avatar
 
Join Date: Dec 2006
Location: Chandler, AZ
Posts: 784
Garage
This password thing is totally f*cked.

I can still access my account, but I have no idea what my password is. I tried my old password, my new password and the one they gave me in my email, and none of them worked. I can't change it because it wants my current password, and I don't know it. I guess when I get a new tablet or a new phone, I'll be signing off from this forum!

And all of this because someone is afraid they might hack in and find out what kind of car I drive??

'10 Solar Yellow Evora
'06 Chili Red Elise (sold)
cdn_alien is offline  
post #38 of 47 (permalink) Old 06-27-2016, 11:46 PM
Registered User
 
Lancia's Avatar
 
Join Date: Dec 2006
Posts: 2,376
When my mobile service was bought by ATT, they changed the webhouse.
They have changed my password countless times.
I have never been able to access their new site.
They had to stop charging for paying bills by all other methods.

Having to change passwords encourages using simpler passwords, not more complex.

Lancia is offline  
post #39 of 47 (permalink) Old 06-28-2016, 10:58 AM
Elise Guru
 
fzust's Avatar
 
Join Date: Oct 2003
Location: Tempe, AZ
Posts: 3,048
As long as we don't have to change the password every 90 days and can't repeat. I had that happen at a company I worked for where it had to be 9 characters, symbol, upper/lower case and changed every 90 days with the buffer of old passwords 20 deep. The IT admin said "some supercomputers can hack the old passwords in 1 year so we needed to step it up."

I said, "That's great! I'll just write this password on my desk so I won't forget it!" :P
Lancia likes this.


Multiple SCCA Solo National and Pro Solo National Championships


Blackwatch Racing - Better for the Street, Proven on the track

Lotus Performance Parts and Accessories

Winning Suspension
- Larini Exhaust - BWR Close Ratio Gearset
We build the toughest Lotus Transmissions for the Elige. From Stock to SCCA-NASA-World Challenge Winners.

6UL wheels
fzust is online now  
post #40 of 47 (permalink) Old 06-28-2016, 12:17 PM
Registered User
 
Lancia's Avatar
 
Join Date: Dec 2006
Posts: 2,376
Lancia is offline  