Warning about password change email.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Warning about password change email.

    Hello.

    Today I got an email with my new password, but I didn't find the customer login, because I have ~20 vBulletin accounts with licenses. And it was trouble to find out which account's password had changed.

    Best regards.

  • #2
    Originally posted by Luerssen
    Hello.

    Today I got an email with my new password, but I didn't find the customer login, because I have ~20 vBulletin accounts with licenses. And it was trouble to find out which account's password had changed.

    Best regards.
    Every customer had their password changed.
    Thus each account you have with licenses has a new password.


    • #3
      Hi

      You can retrieve the customer number associated with a specific email address here: http://members.vbulletin.com/lostpw....lostcustomerid
      Best Regards
      Colin Frei

      Please don't contact me per PM.


      • #4
        Hello,

        This topic is being discussed also in the chit chat area, but since I think this is the correct forum to do it, I have two concerns regarding this change:

        1. The password was sent in a plain-text e-mail... not too secure... and I also don't know where to change it.

        2. I'd like to request that the question + password hint isn't mandatory. After all, looking at the questions, I'd say that someone who knows me (and it hasn't got to be my best friend) and knows that I have a vB licence wouldn't have too much trouble finding the correct answer to most of the questions. In fact, some of them are quite easy... like, your favorite colour... look at the rainbow and guess... your favourite ice cream flavour... choose round about 5 or 6 flavours and you'll have the flavours 90% of the people most like... the same for the other questions. At least the user should be able to not use a secret question hint for password. Have a reset code sent by mail, the same mail you used to send the new password, or any other way to retrieve lost passwords, but do not force us to use secret question + answer, especially if this was due to security + licence stealing concerns...


        • #5
          You can request a new password to be sent to you here:
          http://members.vbulletin.com/lostpw.php

          If you use SSL/TLS to access your email, then any direct attacks on you will be circumvented.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API - Full / Mobile
          Vote for your favorite feature requests and the bugs you want to see fixed.


          • #6
            Originally posted by Wayne Luke
            You can request a new password to be sent to you here:
            http://members.vbulletin.com/lostpw.php

            If you use SSL/TLS to access your email, then any direct attacks on you will be circumvented.
            Except, of course, for the numerous servers it needs to travel through to reach our email.

            Why was it deemed necessary to reset? Wouldn't just expiring the current passwords and having users change them themselves on login be a far better approach?


            • #7
              The system isn't built to allow users to change passwords. This dramatically reduces the amount of issues with hijacked accounts.

              Wayne Luke


              • #8
                Originally posted by Wayne Luke
                The system isn't built to allow users to change passwords. This dramatically reduces the amount of issues with hijacked accounts.
                So instead of using this method that supposedly involves more hijacked accounts, you send the password, insecurely, over email, one of the most insecure methods of communication on the internet.

                Not to mention you are forcing users to keep a password they can't easily remember, meaning many will do stupid things like keep it in text files, put it on a post-it note, save it in their browser, or worse.


                • #9
                  Originally posted by Cool Matty
                  So instead of using this method that supposedly involves more hijacked accounts, you send the password, insecurely, over email, one of the most insecure methods of communication on the internet.

                  Not to mention you are forcing users to keep a password they can't easily remember, meaning many will do stupid things like keep it in text files, put it on a post-it note, save it in their browser, or worse.
                  I don't seem to recall a similar complaint when the passwords were first delivered to a customer.
                  ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                  Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


                  • #10
                    Originally posted by ManagerJosh
                    I don't seem to recall a similar complaint when the passwords were first delivered to a customer.
                    So? The issue remains, regardless of how long it's been in effect.


                    • #11
                      I think you're missing the point. Passwords were originally delivered plain-texted and I don't recall a single complaint. Passwords are now updated, and once more delivered plain-texted but there are complaints? That seems like a huge double-standard.
                      ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License


                      • #12
                        Originally posted by ManagerJosh
                        I think you're missing the point. Passwords were originally delivered plain-texted and I don't recall a single complaint. Passwords are now updated, and once more delivered plain-texted but there are complaints? That seems like a huge double-standard.
                        Apologies for not having time to complain the first time?


                        • #13
                          I still don't get the need of a reset/reminder question.


                          • #14
                            Originally posted by ChipTz
                            I still don't get the need of a reset/reminder question.

                            We get emails all the time that go something like this:
                            Hi, I am the owner of xyzforums.com and I forgot my customer ID and password. Please send a new one to this address.
                            Now many of these are legitimate requests and they are the owner of the site. They just have a new email address. However quite a few are people trying to steal the license. Now we used to ask for the purchase information including name, address, email, billing type and transaction ID. People complained this is too personal. So we instituted the secret question/answer thing.

                            This has been in place for 3 years now and must be answered before you download for the first time. Using this allows another level of validation on your license to protect your investment. Some people will say it's only a $160.00 piece of software and this isn't necessary, but for some customers that is a hefty investment, and even if it isn't, it is something you paid for and could cost you a lot more if your license is compromised because we were not diligent.

                            Wayne Luke


                            • #15
                              Mr. Luke, please don't talk about the vBulletin price. This price was determined by Jelsoft, not by us. I think a lot of us would pay much more for vBulletin, because I cannot imagine forum software that could be a little better than vBulletin and more expensive than $160. I mean, Jelsoft is positioning vBulletin as low-cost software. I just cannot imagine high-cost software. But this is not the point. I think that customers must have the ability to change their password, to prevent their license from being stolen, as fast as possible...
