
The recent password unpleasantness

#1 ·
Is anyone having issues to the extent that you've had to create a new account just to log in? If so, let me know via PM and I'll fix it for you.

Let me know what your original screen name is and if you have a new email address, include that as well.

Alternatively, you can reach me at digmenow@aol.com.

I'd also ask that you provide some nugget of proof of who you are, such as your old email that you forgot to update so that I know that you are who you say you are.
 
#7 ·
I was wondering myself whether this was more widespread, possibly a weakness with the forum infrastructure, as I've seen at least one other forum of similar design structure go through the same password resetting within 24 hrs. So when I received the resetting notification by email I thought some preventative measures were being taken as a result of some potential hack. It was just a guess on my part.
 
#9 ·
Just when I get "my system" to remember all 47 passwords I have....... I get one that has a requirement my system has no provision for. Here is my rant.....DGOEGPRJGPOERGPFKBGIERJkdnmvgdoihvdopjvglken'oejvbglkdijgriegjbvlkdjnvoeirgiogirfkjhgqwertyuiolkjhgfzsdgfhjkm,l.,mnbvcxzcfghjkl;kjuhgfrjhkl;kjhgfdghjkil;p'kjhgfxcdvbghj.mkl,/;.lkiujyfcgjvhk;l'ppkojgfdghykiolp';koijuyhtrsedfgyhjik;lp'/l.k,jmnghbfvcdxcfvgbhnj;./lkijyrtfdfxfctresfdzgrtdgfcvhyhvbjknliub,m klolm.,;p'okl,lkjnl,;oiujyhgfvbnmkjhgfrdscxvb nm,./;lokijuyhgtfdcx vbnm,;,lkjuhgfbv n,lkijuhgfbv n?bfv nm,kjhgbvnm,./:lokiujytredsxdcvb nm, ./l;kjhnb m,./lk,jmhnbg vmn,jkhgfdxcvghytgfdcvbnmjkl/;.,mjghfvc bnm,.;/,ghnbf cvnm,k,ljmn b


I feel better and much safer now.
 
#12 ·
Here's an interesting post from the 107 forum. While quite lengthy, it does offer a solution to the problem of remembering one's passwords. By the instructions below, your password could be something like...

WhyamIloggingintoBenzworld@2AM?

Hello everyone. Let me chime in on the whole password security thing. I'm currently studying computer science at one of the top universities in Canada, but since this is primarily a car forum, I will try to keep my explanations simple.

One constant mistake I see I.T. people making is to ask for strong passwords by means of complexity (having a whole bunch of nonsensical special characters and randomly generated garbage that is impossible to remember) rather than asking for a strong password by means of entropy (having a long password, but one that is easy to remember for humans). Let me explain why complexity is irrelevant, and why entropy is what actually makes a strong password. For that, we need to understand the 2 methods of finding a user's correct password in order to log into his account.

The first method is called a rainbow table attack, and all you need to know about this method is that it doesn't work.

The second method is just good old bruteforcing: try combinations of letters (and numbers and special characters) until you find one that works. So why is complexity irrelevant? Because in bruteforce attacks, special characters are also tried, and while for humans it may seem impossible to guess a password with a special character, for a computer trying to bruteforce its way into an account, special characters and numbers aren't what's going to save it. To understand why, you only need to know very basic math, but it's all about them exponential numbers!

So, the alphabet has 26 lowercase characters, if we include the uppercase characters, we have 52 possible characters that can make up one character in your password. Now let's add the 9 digits, so we are at 61, and let's round that number up to a generous 70, to include the typically allowed special characters. Like @#$ or whatever. I'll use rather small numbers from now, just to demonstrate my point. Suppose you ask your user to have a random password of 6 characters total, that gives a total possible amount of combinations of 70 * 70 * 70 * 70 * 70 * 70, or simply 70^6 which is equal to 117649000000 combinations, and suppose the attacker could manage to try 1000 attempts per second (this seems like a large number, but given no other security measures, it could be much higher), it would take 3.73 years to guess that password. Now that seems satisfactory, but like I said, it could take much less time. Now let's see what happens when you just make yourself a long but simple password, that is easy to remember. Let's say your password is: MercedesAreBetterThanBMWs which has 25 characters. The possible amount of combinations for a 25 character long, only alphabetical password, is 52^25, which is about 7.945 * 10^42 (if you haven't seen this notation before, it's called scientific notation). To bruteforce that at our previous rate of 1000 attempts per second, it would take 2.52 * 10 ^ 32 years. In other words, it will not happen. Just to give you an idea of how long that is, 1 * 10 ^ 9 is a billion years.

Simply put, stop this complexity nonsense. If a forum requires you to use a special character and a number, just put it in some really simple combination, like 3#. Make your passwords long, but easy to remember. I could name at least 5 other ways an attacker could break into an account, some of which require the user to take special care, others require that the I.T. crew running the servers take special care. And in none of these cases does a complex password help, but in at least one of these, a long but simple password would.
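
The keyspace arithmetic from the quoted post, as an added example that is not part of the thread: it reproduces the post's two figures and then goes beyond them with two labelled assumptions, an offline guess rate of 1e10 per second and a word-level model in which the 25-letter phrase is counted as 5 words drawn at random from a 7776-word list (the size of the Diceware list). The character-level figure only holds for a guesser working letter by letter, so the word-level row is the more conservative estimate for a passphrase built from dictionary words.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, matches the post's 3.73 figure

def keyspace(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is one of `symbols` choices."""
    return symbols ** length

def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the keyspace: the entropy of a uniformly random choice."""
    return length * math.log2(symbols)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR

# (label, choices per position, positions); the last row is an assumption
MODELS = [
    ("6 random characters, 70 symbols (post)", 70, 6),
    ("25 letters, 52 symbols (post)", 52, 25),
    ("5 words, 7776-word list (assumed)", 7776, 5),
]
# The 1000/s rate is the post's; the offline rate is an assumed figure
RATES = {"online, 1000/s (post)": 1e3, "offline, 1e10/s (assumed)": 1e10}

def report():
    """Return (label, entropy in bits, {rate name: years to exhaust}) per model."""
    rows = []
    for label, symbols, length in MODELS:
        space = keyspace(symbols, length)
        years = {name: years_to_exhaust(space, r) for name, r in RATES.items()}
        rows.append((label, entropy_bits(symbols, length), years))
    return rows

if __name__ == "__main__":
    for label, bits, years in report():
        print(f"{label}: {bits:.1f} bits")
        for name, y in years.items():
            print(f"    {name}: {y:.3g} years")
```

At the assumed offline rate the 6-character space is exhausted in under 12 seconds, which is why the storage side (slow, salted password hashing) matters as much as the password itself.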
 
#13 ·
Yeah, the NYT or WP ran an article to this effect a year or two ago. The upshot was that the ridiculous password 'complexity' nowadays required by everyone from your gardener to your car forum is totally pointless, for exactly the reasons given above.

BTW, I just received one of my password emails from this site a couple of hours ago. Another one never arrived...
 
#23 ·
I think this is their spam that does that. I have that all the time I click on some illegal downloads and I am getting a lot of warnings, or porno sites.
Coming to "sleep tight": in the past, spring boxes did not exist, but beds had a wood frame and ropes stretched into the holes.
Natural ropes did like to stretch and required tightening, sometimes every night, for comfort.
Therefore "sleep tight".
 
#28 · (Edited)
I did not read all the responses, hopefully this is not a repeat.

Maybe I am missing something here. A notice was sent out to all regarding this issue, some or most of us would have received a new password by now and the process is simple. With all due respect to forum member Digmenow, I don't know who you are and don't understand why you would request my account info - this is the exact thing we are trying to prevent. In the midst of published intrusion, why would anyone allow you access to their account? Isn't this what the Admin should do? Actually, I'm surprised Admin "LIKED" this idea. The credentials on your sig look good and I'd like to trust you, but I don't think that you can just ask folks to hand over their accounts to you for a fix without telling them who you are, your affiliation to the forum and who gave you the authority to make such a request. I'm not trying to be a PITA but I think that you understand where I'm coming from.

UPDATE
During my site browsing, I have found out that Digmenow is actually part of the forum admin - moderator. I still think that an intro in the Original Post would have been more welcoming to keep folks like me at ease.
 
#30 ·
Fair point, well taken. Up until the recent unpleasantness, there was little reason to make a big thing of my position within the forum and the ability to change the title was a coveted moderator's prerogative. As Raymond correctly notes, you'll find my screen name in the moderator box at the bottom of the forum. Probably a bit more esoteric is the color ranking system of screen names.

Blue = Regular Member
Green = Moderator
Purple = Super Moderator
Red = Administrator

Regardless, I have adjusted my profile to show my forum credentials to be more easily identifiable to members.

This has been a learning experience for us. I've placed myself in the unenviable position of knowing people's passwords (temporarily) in order to alleviate the frustration of members who have been unable to navigate this mandatory password change. In each case, I have advised the member, once signed in, to immediately change their password, sign out and back in to test it and then notify me of their success so that I can merge or delete the new account that they created to get back onto Benzworld. It's been clumsily inelegant but effective.

BTW, it is a good idea for everyone to periodically check what email address you have provided in your user profile in the event that you have changed email providers. This has been the leading cause of frustration for many members. In many cases, once members have found a way to contact us, we have corrected the email addresses which allows the process to work for those who were completely locked out.

Thanks for the feedback.
 
#29 · (Edited)
Digmenow is on the up n up. He outranks me and has more super powers in resetting your profile. Since his profile isn't clear that he is a member of the forum host/team, your confusion is understandable. Note (the oh so fine print) that his sobriquet is shown at the bottom of the 210 forums front page as being one of the moderators. r-
 