Attention - Password and Security Update - Page 6 - Jeep Wrangler Forum
Old 09-22-2016, 10:16 AM
Thread Starter
  #151
Administrator

WF Supporting Member
::WF Administrator::
 
HelenaAG's Avatar
 
Join Date: Apr 2008
Location: Toronto, Canada
Posts: 2,818
Send a message via MSN to HelenaAG
Quote:
Originally Posted by HardRockRubi View Post
Thanks for the lecture, but I deal with this stuff every single day at work.

Yes, I know intrusions are hard, but not impossible, to detect. You're fixating on but a small part of my overall message.

The larger, and much more important point I have hammered on is the lack of appropriate (and frankly, basic) security measures.

The points that I have constantly reiterated, the lack of HTTPS, the lack of strong data encryption, and the lack of proper data segregation, are all things that are easily remediated and would have reduced the scope of the breach, and perhaps even neutralized the method of attack by which the breach was carried out. I'm not saying these things would have eliminated the threat or successfully defended their system from intrusion, as nothing is impenetrable. But, given what we have learned from the breach, it's clear that they were not taking proper precautions to protect their user data.

If they had even just implemented proper data segregation perhaps the scope of the breach might have been 4.5 million records instead of 45 million? Maybe 450,000. Maybe 4,500. Maybe it would have still been 45 million, but at least we wouldn't be able to fault them for not trying to protect our data.

Yes, I get it - they're not a bank or other financial services institution, however as an Internet-based company, they should be taking proper care to ensure their users' data is reasonably protected from attackers, and at this, they have failed. What's worse is they've failed for lack of trying. Negligence.
HTTPS wouldn't have prevented how the data was taken as this wasn't a "Man in the Middle attack" and data was and still is encrypted based on industry best practices.
Quote:
Originally Posted by crofford View Post
Am I getting O'Reilly spam because of the hack or because Wrangler Forum gave away/sold my email address?
The site hasn't sold your email; however, have you used it on any of the following sites that have also been revealed to be hacked recently? Dropbox in 2012, LinkedIn 2012? I only ask because you do have a unique address.
Quote:
Originally Posted by Wranglertampa View Post
Yep, this sucks. I used to be thegreyman.. now wranglertampa. Starting all over again.
Please PM me; I'll try and get you back on your old account.

Kyle

HelenaAG is offline   Quote
Old 09-23-2016, 05:46 AM   #152
Jeeper
 
Join Date: Jan 2016
Location: Bel Air, Maryland
Posts: 459
Quote:
Originally Posted by JimmyW View Post
Remember that nothing is fail safe........
Quote:
Originally Posted by JimmyW View Post
As a fellow computer scientist, I'll suggest again that folks experiment with a password tool like LastPass.
If it is on a computer and that computer is hooked up online ...... it is vulnerable.

I have made the painful decision to go old school...and protect all of my passwords myself.

It's a bit of a pain, but I have the assurance of knowing my passwords cannot be taken electronically.

I thought about using LastPass or KeePass or something similar but I realize that nothing is failsafe.

We have five safes here each with their own combination ..... but I only have to remember one combination.

Now all of my passwords are stored under that one combination .... yeah it's a book, and passwords are written there.

It's a pain ..... but probably the best protection one can have.

Oh and even that book has security measures ..... just in case someone gets the book ..... LOL

__________________
1995 Wrangler 2.5L Automatic Trans. Daystar )' Lift Tow Shackles, New Springs, New Shocks
harcosparky is offline   Quote
Old 09-23-2016, 02:10 PM
Thread Starter
  #153
Administrator

WF Supporting Member
::WF Administrator::
 
HelenaAG's Avatar
 
Join Date: Apr 2008
Location: Toronto, Canada
Posts: 2,818
Send a message via MSN to HelenaAG
Quote:
Originally Posted by harcosparky View Post
If it is on a computer and that computer is hooked up online ...... it is vulnerable.

I have made the painful decision to go old school...and protect all of my passwords myself.

It's a bit of a pain, but I have the assurance of knowing my passwords cannot be taken electronically.

I thought about using LastPass or KeePass or something similar but I realize that nothing is failsafe.

We have five safes here each with their own combination ..... but I only have to remember one combination.

Now all of my passwords are stored under that one combination .... yeah it's a book, and passwords are written there.

It's a pain ..... but probably the best protection one can have.

Oh and even that book has security measures ..... just in case someone gets the book ..... LOL
I've heard arguments for both sides. Using password programs, and going old school.

I used to take it to another old school level, where I would choose a part number on one of my computer's items (video card, processor). If I forgot I would have a boo inside the desktop and pull it from there.

Food for thought. Clearly the more secure your password, the better it is, but I have heard good things about LastPass and 'the book' styles of password security.

- JB
HelenaAG is offline   Quote
Old 09-24-2016, 02:33 AM   #154
Supporting Member

WF Supporting Member
 
m998dna's Avatar
 
Join Date: Jan 2012
Posts: 9,242
Quote:
Originally Posted by rgreen65 View Post
The prudent thing is to use different passwords on different accounts. I have an encrypted spreadsheet file with all my passwords, and it is always off line. I have way too many to remember. On forums and inquiry sites I generally let the site remember so I don't have to put the PW in all the time. But that PW is not used anywhere else. Unfortunately too many people are like a friend of mine who uses the same PW for everything. It will bite him one day.
^^ This is exactly what I've done... I have up to 50 combinations of personal and work related passwords, upper/lower case.. alphanumeric, with a special character.

I also store them offline on an encrypted spreadsheet..

Social forums get a different syntax than the websites I use for banking, eCommerce and work.

Ironic, I just learned that 500 million Yahoo accounts got hacked.. user IDs, passwords, and extra security layer.. mobile phone numbers. I'm glad I never give up my mobile number for the extra layer of security.

.
m998dna is online now   Quote
Old 10-05-2016, 06:19 PM   #155
Rube Goldberg

5-Year WF Supporting Member
 
OVRLND's Avatar
 
Join Date: Sep 2015
Location: Denver, CO
Posts: 2,347
Quote:
Originally Posted by HelenaAG View Post
HTTPS wouldn't have prevented how the data was taken as this wasn't a "Man in the Middle attack"
Maybe not in this particular instance, but being that HTTPS is easy and relatively inexpensive to implement, you see how perhaps, just maybe, Vertical Scope is leaving the door open for the types of attacks that HTTPS can prevent? It's security 101 these days, and I'm sure Vertical Scope has the dollars (from ad revenue, sponsoring vendors, and paid supporting members - like myself) to implement HTTPS and increase security of its domains (you know, to protect those vendors and users that pay to support these domains, and those users that drive ad revenue by using the site).

Quote:
Originally Posted by HelenaAG View Post
and data was and still is encrypted based on industry best practices.
Really? Industry best practices... from 2001?

From LeakedSource (which broke the news of the hack):
"Passwords were stored in various encryption methods but less than 10% of the domains which account for a very small amount of leaked records used difficult to break encryption (less than a couple million). Most of the records (over 40 million) were just MD5 with salting and this is insufficient."

In summary:
  • Less than 10% of the domains which account for a very small amount of leaked records used difficult to break encryption (less than a couple million) [out of 45 million]
  • Most of the records (over 40 million) [over 89%] were just MD5 with salting (insufficient)

So, excuse me if I don't believe your bit about encryption.
__________________
2015 Baja Yellow JKURHR 6MT | Build Thread: "The Rube Goldberg Machine" | Rubicon Goldberg on Instagram
MetalCloak 3.5" Game-Changer RockSport Edition | 17" AEV Pintlers | 35" BFGoodrich KO2 | WARN 9.5CTI-S | AEV Tire Carrier & Fuel Caddy | Magnaflow Y-Pipe | JWM4x4 Grille Insert | Rhino-Rack Backbone Pioneer Platform | Vector Off-road JKE-Dock | Tepui Ruggedized Autana 3 RTT
OVRLND is offline   Quote
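Added example, not part of any post in this thread and not the site's code: a sketch of why the LeakedSource quote above calls salted MD5 insufficient, comparing the cost of one offline guess under a single salted MD5 pass with a deliberately slow KDF. The function names, the PBKDF2 iteration count and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this example; tune it to your own hardware budget.
PBKDF2_ITERATIONS = 600_000


def salted_md5(password: str, salt: bytes) -> str:
    """Fast scheme of the kind the quote calls insufficient: one MD5 pass."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_kdf(password: str, salt: bytes) -> str:
    """Deliberately slow scheme: PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    ).hex()


def verify(scheme, password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scheme(password, salt), stored)


def seconds_per_hash(scheme, rounds: int) -> float:
    """Average wall-clock cost of one hash, i.e. of one offline guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        scheme(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more work one guess costs under the slow scheme."""
    return seconds_per_hash(slow_kdf, 2) / seconds_per_hash(salted_md5, 20_000)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample record, not data from the breach
    record = slow_kdf("correct horse battery staple", salt)
    print("verifies:", verify(slow_kdf, "correct horse battery staple", salt, record))
    print(f"one slow-KDF guess costs about {cost_ratio():,.0f}x one salted-MD5 guess")
```

The salt makes identical passwords hash differently, so precomputed tables do not apply, but it does nothing to raise the cost of guessing against one leaked record; only the work factor does that.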
Old 02-06-2017, 02:15 PM   #156
Jeeper
 
Lusus_Naturae's Avatar
 
Join Date: Oct 2012
Location: OKC, missing WI
Posts: 3,884
Not sure if this is new or if I just haven't noticed it, but I logged in today for the first time in ages since my computer usually has everything saved. I had a warning pop up that the site is unsecured and passwords could be stolen; of course, to get here to post, I had to log in. Is this a new issue I'm seeing or how it's been?
Attached image: odd.jpg
__________________
2013 JKU Sport, billet, auto, 3.73, LSD, 315/75/16 Duratracs on MB 72, 2" Mopar lift, Bushwacker flatties

Sold - 2005 TJ, red, auto, 3.73, 33" Duratracs, 4" lift
Ice storm casualty in 2007 - 2003 TJ, green, auto, 3.73, 33" Duratracs, 4" lift
Lusus_Naturae is offline   Quote
Old 02-06-2017, 08:46 PM   #157
I am JD & It's my dream

WF Supporting Member
::WF Administrator::
 
JDsDream's Avatar
 
Join Date: Jan 2009
Location: The Peach State
Posts: 30,756
I haven't seen that one before. Which browser are you using?
__________________
The kind of woman that when my feet hit the floor each morning the devil says "Oh Crap, She's up!"

To All Of Our Forum Veterans and Active Service Members.
Our Debt To You Is Greater Than We Could Ever Repay.
Thank You

__________________ThinBlueLine_________________


JDsDream is offline   Quote
Old 02-07-2017, 12:44 PM
Thread Starter
  #158
Administrator

WF Supporting Member
::WF Administrator::
 
HelenaAG's Avatar
 
Join Date: Apr 2008
Location: Toronto, Canada
Posts: 2,818
Send a message via MSN to HelenaAG
I've seen it before, though it's a recent development. The answer is a little technical, but here's the gist.

First off, your password is safe. That's for those who don't want to read the whole thing.

Most browsers use a rating system for how secure a site is that they get from Google, and recently that rating has been changed in regards to what is considered "secure" or not. They are now pointing out what sites are vulnerable to a MIM attack, or "Man in the Middle", someone who is intercepting your key strokes as you enter them. Since everything you type is being put on a public forum, it's never made sense for us to protect against one. Passwords are encrypted, so they aren't affected, and passwords protect your email.

So as long as you aren't posting passwords or banking information in plain text in the threads, you are fine.

All that said, to keep the site in good standing with Google's ranking system, the protection is going to be added in key areas, though I don't know when yet.

Kevin
HelenaAG is offline   Quote
Old 09-23-2017, 07:34 PM   #159
Jeeper
 
wjfawb0's Avatar
 
Join Date: May 2008
Location: Tennersee
Posts: 782
I just got locked out of my account again for 15 minutes. All of these complexity requirements for unimportant sites are getting old. I could just bite the bullet and reset my password every time I come to this site, but that's too much work for just occasional browsing. I'm sure you all are losing a decent amount of traffic due to all of this. You've been removed from my Chrome start up pages.
wjfawb0 is online now   Quote
Old 09-25-2017, 11:24 AM
Thread Starter
  #160
Administrator

WF Supporting Member
::WF Administrator::
 
HelenaAG's Avatar
 
Join Date: Apr 2008
Location: Toronto, Canada
Posts: 2,818
Send a message via MSN to HelenaAG
Quote:
Originally Posted by wjfawb0 View Post
I just got locked out of my account again for 15 minutes. All of these complexity requirements for unimportant sites are getting old. I could just bite the bullet and reset my password every time I come to this site, but that's too much work for just occasional browsing. I'm sure you all are losing a decent amount of traffic due to all of this. You've been removed from my Chrome start up pages.
If you save your password using Chrome password manager you'll need to make sure that Chrome isn't saving multiple passwords. https://support.google.com/chrome/an...DDesktop&hl=en

Lee
HelenaAG is offline   Quote
Old 09-27-2017, 08:32 PM   #161
Jeeper
 
wjfawb0's Avatar
 
Join Date: May 2008
Location: Tennersee
Posts: 782
I never let any browser remember passwords.
wjfawb0 is online now   Quote
Old 09-28-2017, 09:40 AM
Thread Starter
  #162
Administrator

WF Supporting Member
::WF Administrator::
 
HelenaAG's Avatar
 
Join Date: Apr 2008
Location: Toronto, Canada
Posts: 2,818
Send a message via MSN to HelenaAG
The password requirements come from higher up and are unfortunately out of our hands. They're in place to provide maximum security for the user as most users use the same password for multiple sites. So it might not seem like a big deal if someone gets your password for this site, but the same password might work for your banking, email etc. This is what we're trying to avoid.

Niall

HelenaAG is offline   Quote
All times are GMT -5.