Password reset

Status
Not open for further replies.

Red5

Webmaster, UsingEnglish.com
As part of a periodic review of security on the UsingEnglish.com site we have forced a password reset for all of our users. We have also configured the site to request that passwords are changed every 180 days (every 6 months).

We realise that this causes a minor inconvenience to our users but hope that you appreciate the steps we are taking to ensure the safety and security of your accounts and data.

Sorry for any inconvenience caused.

Regards,

Red5
 
Mine was only 805 days old!
 
You beat me - mine was 414 days old.
 
We realise that this causes a minor inconvenience to our users ...

Minor indeed. I'm simply glad that the "seniors' moment" I experienced before reading your announcement was not of my own creation. Whew! :cool:
 
Mine was 1506 days old! I thought that was an odd limit to set for everyone!

Quick question - does it recognise passwords you have used before or, in six months, will I be able to change it back to the one I was using until yesterday?
 
Quick question - does it recognise passwords you have used before or, in six months, will I be able to change it back to the one I was using until yesterday?
It doesn't have any rules like that set up yet, so you can alternate if you wish to - it just requires a change every six months. Just be aware that it is not ideal to keep using the same passwords.

Here are some 'interesting' reads for you all along these lines:



And as a bonus tip, here's a password manager that I highly recommend:



;-)
 
My reaction to "Sign In Failure" ...:shock:...:-o...:-(...:?: but it is OK now. :)
 
I was also a victim of the new policy of password which was adopted without informing the members. I tried all my best but in vain. Ultimately I had to use the forgot password option and this password I had used for last 5 years and no untoward thing had happened. When I set this new password this morning and posted a couple of posts. When I opened my eMail folder there was this message - "your password is vulnerable and it has been changed by the administrators". We are giving you a new password. I kept wondering what was wrong with the new password I had generated (with great difficulty) this very morning and how it was found to be vulnerable? I tried this new password given by the authorities but failed three times, and then I used the password I had generated this very morning and it worked. It means that the software department is not working properly and sending eMails even without checking things. The members were never taken into confidence and not even a simple intimation or hint was given. It puzzled me more in the morning and by evening the whole thing turned out to be a mockery.

SUDHKAMP (I believe this name is not vulnerable or they would change it too!)
 
Last victim here! Only I didn't think of checking my email account :oops:, or else I would've known better! Hope I remember this in six months!
 
Last victim here! Only I didn't think of checking my email account :oops:, or else I would've known better! Hope I remember this in six months!
Charliedeut, I became a victim after changing my password and after it had been set, the UsingEnglish.com authorities sent me an Email about vulnerability. But I think it is their system which is vulnerable which is not able to discern what to communicate. A software decision gone haywire. Hope the administrators would take note.
 
There appear to have been a few hiccups today.

However, we have a site to which many dozens of posts are submitted every day. In the language forums, thousands of people have received help that they have been unable to find elsewhere. In the members' area, many people enjoy showing off their poetry and playing games in English. As I write this, 1,395 people are visiting the site.

It's no mean achievement to keep this going - especially as, like many popular sites, UE is targeted by spammers and trolls who love causing havoc.

That our webmaster manages to keep this running smoothly 99.9% of the time is an achievement that most of us take for granted. Let's not get too annoyed if a blip occurs from time to time.
 
We cannot see passwords, so the email is not about the quality of individual passwords. Yesterday, we had to upgrade the forum software to a newer version. There was a potential exploit, and the best thing is to get everyone to change passwords. However, asking people is an ineffective way, so the most effective way is to change them en masse. It's not a subtle solution, but it works, though it causes inconvenience.

There probably was nothing wrong with your individual password, but if there's a security risk at a certain point in time, then changing is important - it removes the risk. We've updated the software and everyone has a bright shiny new password, so we're all safer. Some will have been inconvenienced when accessing the forum, but when these things happen, time is of the essence.

We're sorry for the inconvenience and are dealing with the access issues people are having. In your case, you changed the password, so that overwrote the one that you had been sent in the email. If you had seen the email first, that password would have worked (for 24 hours). The system will recognise the latest password saved.
 
As for me, it was not so bad. If I had checked my emails, I would have known what happened and what I should have done.
 
We're sorry for the inconvenience and are dealing with the access issues people are having. In your case, you changed the password, so that overwrote the one that you had been sent in the email. If you had seen the email first, that password would have worked (for 24 hours). The system will recognise the latest password saved.

Had you informed me to open my Email first and then visit the website then I would certainly do so. I am saying that not a simple hint or information was there anywhere on the website and I had to struggle for 25 minutes to straighten up the things. Your Email arrived an hour later and how could I read it before it was sent. The changes were made first and then you have sent the Emails. I have got proof for the same. Would you like to see the timings Tdol and 5jj?
 
I've written and then cancelled at least two draft messages now. I think I need to reduce my message to point form to avoid losing track. The points are in no particular order, and they are not necessarily related, or even relevant.

  • I think the admins do a heck of a job
  • Hiccups happen when software changes
  • I haven't seen a post from Stan(islaw Masny) in nearly 20 hours, which is unusual
  • Is traffic down? Are failed login attempts up? Are these things easily quantifiable?
  • Is it possible that some members would benefit from an additional email to clarify the password situation?

I've sent Stan an email message through his user profile. (It's too soon to expect a reply.) I don't want to read too much into Stan's temporary absence, but if he hasn't managed to log in successfully, could others be in the same boat?

Probably this is an overreaction on my part, but I'll accept the risk of appearing foolish if some good might come out of speaking up.


Thank you
Ian
 
  • I haven't seen a post from Stan(islaw Masny) in nearly 20 hours, which is unusual

He hasn't logged in, so he could be having trouble. Please let me know when he replies to you. If he has any problems, please let me know.



  • Is traffic down? Are failed login attempts up? Are these things easily quantifiable?

It's hard to say - traffic's actually considerably up in terms of logins, as many people who have not visited the forum in a long time have logged in after getting the email.



  • Is it possible that some members would benefit from an additional email to clarify the password situation?

Possibly, but it would be hard to target them.
 
Had you informed me to open my Email first and then visit the website then I would certainly do so. I am saying that not a simple hint or information was there anywhere on the website and I had to struggle for 25 minutes to straighten up the things. Your Email arrived an hour later and how could I read it before it was sent. The changes were made first and then you have sent the Emails. I have got proof for the same. Would you like to see the timings Tdol and 5jj?
I take full responsibility for this. I'm afraid I had to take the decision very quickly to reset everyone's passwords due to the discovery of serious security issues as described in Tdol's post above. It is obviously never our intention to inconvenience our members, but in this case I had to make a personal judgement what was best for everyone and the site as a whole.

Due to limitations of both the software and of time, I first had to reset everyone's password which then allowed me to be able to email everyone their new passwords. It is unfortunate, but it takes time to email over 440,000 members - a LOT of time, and sadly some people seem not to have received the email before trying to log in - which is what has caused some confusion. This is why I also placed this post in the announcements area to let everyone know as soon as they entered the forum. You asked why we hadn't contacted you to tell you about this happening before you logged on... well, I hope this shows you that I tried to let you know as soon as possible.

The vast majority of members have not had issues with this process and have been able to log in and continue to use the site perfectly well. I would much rather some people had a few temporary issues logging in, than to find out that there had been a security breach which had exposed our members' personal data and put you at risk. It is our highest priority to make sure that you and others can use this site safely and securely, and it always will be. If this means that I need to take difficult decisions like I did when I reset everyone's passwords then I'm afraid that's what I must do. Our members trust us with their data and expect it to remain safe.
 
Dear Red5 and the rest of the administrative team,

You'll have to take my word for this, but my slow connection just ate my reply to Tdol's post in which I recognised that these things take time and effort on the part of our admins. Frankly, it was a great letter -- much better than this one. ;-)

Now the supper hour is upon me and I don't have the time or inclination to try to recreate that other message.
As far as I know, our admins are all unpaid volunteers. I appreciate your efforts, and if there is an occasional burp or hiccup along the way, I can live with that. There are paid membership sites that don't offer nearly as much value as this free site, imo.

I would ask everyone to bear in mind that we're getting a hell of a deal here, and to try to maintain a sense of perspective when problems occur. You're not dealing with your electrical utility or your ISP here. Please keep it friendly. Show some respect and appreciation.
 
Charliedeut, I became a victim after changing my password and after it had been set, the UsingEnglish.com authorities sent me an Email about vulnerability. But I think it is their system which is vulnerable which is not able to discern what to communicate. A software decision gone haywire. Hope the administrators would take note.

Ask for your money back!! ;)
 
  • I haven't seen a post from Stan(islaw Masny) in nearly 20 hours, which is unusual

He hasn't logged in, so he could be having trouble. Please let me know when he replies to you. If he has any problems, please let me know.

I got a reply from Stan. He is having difficulty logging in. He has asked his grandson to stop by and guide him through the password reset process.

I was very pleased to find that UE's software includes an option to send messages to a user's email address. Stan is happy to know he was missed, and I am glad that he will soon be back with us.
 