PASSWORD CHANGES

**Duncan Glenday** · 04-26-2017

We've had discussions with our ISP, and we believe we have the hacking situation resolved. Specifically:

1). They have migrated the site to a slightly different version of the software. You shouldn't see any difference. (If you saw a notice sayinbg "Alert: The forums are currently turned off!" - no need for concern. That was done during the upgrade.)

2). It is HIGHLY recommended that EVERYONE change their passwords.

I have set a parameter that will force everyone to change their password (at least once) in the next 24 hours ... and I'll turn the parameter off again soon. Sorry about the major PITA. In addition we've set a parameter tat will force all users to change passwords every 6 months.

3). If you use more than one email address, it would be advisable for you to change the email in your PE profile to one of your alternates. This is NOT a critically necessary step ... it's simply recommended as a caution.

4). Another non-essential step, but suggested in the interest of caution: If you have used the same password on PE as you use on your email system, it would be prudent to change that email system's password as well.

Again - DON'T PANIC

- but please follow these recommendations.

These steps reflect the best practices used in all responsible sites, and they have been recommended to help secure your data.

**smcfee** · 04-26-2017

I'm a bit surprised the password reset form here doesn't use HTTPS.

So if you change your password here, absolutely do not change it to a password you use anywhere else (a good practice in general, but especially important in the case of insecure transmission).

**Duncan Glenday** · 04-26-2017

I'm busy purchasing an SSL certificate, and the whole site will be "https" when that is done.

Meantime, if you're concerned, feel free to install "HTTPS Everywhere" : https://www.eff.org/https-everywhere - it will enable you to have HTTPS / SSL security.

**battema** · 04-26-2017

Duncan - apologies for the slight pushback...could you wait to force the password reset until the site is secure? I don't want to have to install HTTPS everywhere on my work machine just so I can safely reset my PE password. At this point I'm more inclined to delete my account and re-create it once things are sorted out.

Again, apologies...but Sean's right. I'm not really OK with a password change that isn't secure.

**Gruno** · 04-26-2017

A mass email message would have been good alerting us of this password change. With the recent hacking taking place, once I got to PE and the first message was to force me to change my password, I was leery of doing so. Since PE was down last night, it also raised my suspicion.

**Duncan Glenday** · 04-26-2017

'K

**Duncan Glenday** · 04-26-2017

The parameter has been reset ... but watch this space.

**Supersonic Scientist** · 04-26-2017

OK, all updated.

**Garyhead** · 04-26-2017

Originally Posted by Gruno

A mass email message would have been good alerting us of this password change. With the recent hacking taking place, once I got to PE and the first message was to force me to change my password, I was leery of doing so. Since PE was down last night, it also raised my suspicion.

Yup.....me too.....advanced warning would have been good

**battema** · 04-26-2017

I tried installing HTTPS Everywhere as an extension in Chrome, and while it seems to work for other sites, it goes inactive when I try to use it with Prog Ears. Is it just my ignorance of the tool? Anyone able to make that work?

**interbellum** · 04-26-2017

Originally Posted by Gruno

A mass email message would have been good alerting us of this password change. With the recent hacking taking place, once I got to PE and the first message was to force me to change my password, I was leery of doing so. Since PE was down last night, it also raised my suspicion.

That would indeed have been better, especially because we did get such a mail about the hacking.
To be shure it was a message from PE I locked out first, then locked in and got the same message, so I wasn't worried anymore.

**progmatist** · 04-26-2017

Now I have to remember something other than "password123."

**MissKittysMom** · 04-26-2017

A mass email would have missed me, since the email address for my account here no longer exists. Also, the forced password change let me re-use my old password, which is fine for me since it's useless without a meaningful email, but really not so good security-wise.

**helicase** · 04-26-2017

Originally Posted by Duncan Glenday

I'm busy purchasing an SSL certificate, and the whole site will be "https" when that is done.

Wouldn't a free Let's Encrypt certificate work?

**proggosaurus** · 04-26-2017

Originally Posted by battema

I tried installing HTTPS Everywhere as an extension in Chrome, and while it seems to work for other sites, it goes inactive when I try to use it with Prog Ears. Is it just my ignorance of the tool? Anyone able to make that work?

have you tried Tor? it's a better option than a redirect

**zravkapt** · 04-26-2017

I already changed my password because of the hack....I have to change it again?

**Duncan Glenday** · 04-26-2017

Originally Posted by MissKittysMom

A mass email would have missed me, since the email address for my account here no longer exists. Also, the forced password change let me re-use my old password, which is fine for me since it's useless without a meaningful email, but really not so good security-wise.

We've already changed that. Going forward, you won't be able to re-use a password you've used for [xxx] days. But the count from fay 1 to day [xxx] only starts now.

Originally Posted by proggosaurus

have you tried Tor? it's a better option than a redirect

Originally Posted by zravkapt

I already changed my password because of the hack....I have to change it again?

No!

**battema** · 04-27-2017

Duncan - just for saying: thanks for chasing down this stuff. Can't be fun, but it is really appreciated

**GuitarGeek** · 04-27-2017

Originally Posted by Gruno

A mass email message would have been good alerting us of this password change. With the recent hacking taking place, once I got to PE and the first message was to force me to change my password, I was leery of doing so. Since PE was down last night, it also raised my suspicion.

Same here, I asked on Facebook about it, but I wasn't sure if this was part of the hacking thing or not.

**aith01** · 04-27-2017

Originally Posted by battema

Duncan - just for saying: thanks for chasing down this stuff. Can't be fun, but it is really appreciated

Seconded!

**Gruno** · 04-27-2017

+1

**Dave (in MA)** · 04-27-2017

Thanks. I just changed my password to 4321 instead of 1234.

**Garyhead** · 04-27-2017

So can we blame all these Yes Threads on hacked passwords?

**Progbear** · 04-27-2017

Originally Posted by Dave (in MA)

Thanks. I just changed my password to 4321 instead of 1234.

$WørDʄ1șн

**Kavus Torabi** · 04-28-2017

Thanks for this Duncan.
Hey, here's a thing. Since the password change, the default on my telephone (iPhone 5) for PE is now a kinda 'computer website' version of the forum, which requires me making everything bigger and doesn't fit nicely on the screen.
Has anyone else experienced this? Is there a thing where I can change the parameters back?
Sorry if I'm acting like a total Luddite, it's because I largely am one...

Thread: PASSWORD CHANGES

Thread Tools

Search Thread

Display

PASSWORD CHANGES

Bookmarks

Bookmarks

Posting Permissions