Geekzone: technology news, blogs, forums
freitasm

BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #774686 4-Mar-2013 23:52

That'd be handy too...





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 




Aaroona
3204 posts

Uber Geek
+1 received by user: 169


  #774687 5-Mar-2013 00:03

Let's call it "security awareness day" instead of "oops, I flicked the wrong switch!" :p Everyone should change their passwords sometime!

EagleKiwi
2 posts

Wannabe Geek


  #774697 5-Mar-2013 01:49

No problem, Maurice.
These things happen, and seems to me you've dealt with it extremely well. :-)

I must say that I too had some confusion with the entering of username OR email address, but eventually figured out something that worked.
Oh, but when asked to enter my "new" PW twice I was really perplexed: I could see only ONE box! Well, I entered a PW there then "Send", hoping it might then ask me for the 2nd version, but no. SOOOO, I entered my PW plus a blank plus my PW again. No joy.
Well, gently seething, I tried simply my PW twice back to back - STILL zilch. :(

THAT was about when I noticed the "second" box, away over to the right - not beneath as almost every other site I've seen, AND box outlines quite faint to see on my laptop here.

So, all's well that ends well. :) :)





eviagra
3 posts

Wannabe Geek


#774700 5-Mar-2013 03:34
Send private message

I had no problems and used my username

farcus
1626 posts

Uber Geek
+1 received by user: 437


  #774705 5-Mar-2013 06:01

jtbthatsme: Well, I just reset my password; however, I might want to point out that it asks for one's username or email address, and if you enter the username it came up saying not recognised, or words to that effect. I just changed it to my email address and did it that way instead.


I got this as well.
Username not recognised, or some similar error message.
Tried multiple times ensuring I was entering my username correctly
Entered my email address instead and it worked first time.

Pinkfish
49 posts

Geek
+1 received by user: 1


  #774709 5-Mar-2013 06:41

No problems Mauricio.

It happens occasionally, and there was less damage done than when I stuffed up an SQL update and set the price to $0.00 on everything my (then) employer sold... It was a fun hour, or two, restoring from pricing history tables.
timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #774715 5-Mar-2013 06:55

One of the security principles in the OWASP top ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now, if someone leaves their profile logged in, someone else could change their password easily. Though I guess it doesn't really matter, it's not like Geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.

muppet
2643 posts

Uber Geek
+1 received by user: 1660

Trusted

  #774717 5-Mar-2013 06:59

I'm curious - from a technical point of view, what did you do to the database to reset everyone's password?

I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.

sqlpro
516 posts

Ultimate Geek
+1 received by user: 2


  #774722 5-Mar-2013 07:12

Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter username or email, you don't get any message!

I had to try in IE and it worked!

freitasm

BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #774724 5-Mar-2013 07:16

timmmay: I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


Yes, this would be higher security than we need, although it could be done anyway.

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 


Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...

muppet: I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.


You're logged in because your browser has a token. The password has been changed, so when you logout you will need to reset it - just go to your profile page now and change it.

sqlpro: Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter username or email, you don't get any message!

I had to try in IE and it worked!


I use Chrome as my default browser all the time and used it to reset my own password. You have to make sure you don't have a password add-on such as LastPass filling the password fields for you.





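The accident freitasm describes above (an UPDATE executed before the WHERE clause was typed) is easy to reproduce and easy to guard against. What follows is an added example, not Geekzone's code or schema: a constructed SQLite users table, the unguarded statement as typed, and a wrapper that runs a statement inside the transaction sqlite3 opens for it and rolls it back unless it changed exactly the number of rows you expected. The table and column names are assumptions.

```python
import sqlite3

# Constructed sample data for this example; not Geekzone's schema. The
# password_hash column stands in for wherever the real site keeps its hashes.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def null_hash_count(conn):
    """How many accounts currently have no password hash at all."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE password_hash IS NULL").fetchone()[0]


def unguarded_reset(conn):
    """The mistake from the thread: the WHERE clause was never typed, so the
    statement matches every row, and the GUI's execute button commits it."""
    cur = conn.execute("UPDATE users SET password_hash = NULL")
    conn.commit()
    return cur.rowcount


def guarded_update(conn, sql, params=(), expected_rows=1):
    """Run one UPDATE/DELETE and keep it only if it touched exactly expected_rows.

    sqlite3 begins a transaction implicitly before DML, so the rowcount is
    inspected before anything reaches disk; a mismatch is rolled back.
    Returns (rows_matched, committed)."""
    cur = conn.execute(sql, params)
    if cur.rowcount != expected_rows:
        conn.rollback()
        return cur.rowcount, False
    conn.commit()
    return cur.rowcount, True


if __name__ == "__main__":
    conn = make_db()
    # The accident, caught: 3 rows matched, nothing committed.
    print(guarded_update(conn, "UPDATE users SET password_hash = NULL"))
    # The intended single-account reset goes through.
    print(guarded_update(conn, "UPDATE users SET password_hash = NULL WHERE username = ?", ("alice",)))
    print("accounts with NULL hash:", null_hash_count(conn))
```

Most database GUIs commit as soon as you press execute, so the rollback habit has to live in how you type the statement, not in the tool: write the WHERE clause first, or wrap the whole thing in an explicit transaction and check the affected-row count before committing. In MySQL, `SET sql_safe_updates = 1` additionally refuses any UPDATE or DELETE whose WHERE clause does not use a key column.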


sqlpro
516 posts

Ultimate Geek
+1 received by user: 2


  #774725 5-Mar-2013 07:16

timmmay: One of the security principles in the OWASP top ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now if someone leaves their profile logged in someone else could change their password easily. Though I guess it doesn't really matter, it's not like geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


At least in this case, if all passwords are reset, how is it going to re-authenticate before allowing a new password?
Batman
Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted
Lifetime subscriber

  #774726 5-Mar-2013 07:16

If my password still works, do I still need to reset it?

freitasm

BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #774728 5-Mar-2013 07:20

joker97: If my password still works, do I still need to reset it?


Your password was changed. If you are logged in with the option to stay logged on, your browser has a token. You will need to set a new password when you log out.







kenkeniff
628 posts

Ultimate Geek
+1 received by user: 88


  #774730 5-Mar-2013 07:27

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking: did you

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?

freitasm

BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #774732 5-Mar-2013 07:42

kenkeniff:
muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking: did you

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?


a) NULL password

As for c), if I had stored a plain-text string then no one would be able to log in either, since the password is hashed and the likelihood of an English word matching a hash is pretty low...






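timmmay's point about re-authenticating before a password change, sqlpro's follow-up about how that can work once every password has been reset, and the NULL-versus-hash-versus-plaintext exchange between kenkeniff and freitasm all meet in one handler. What follows is an added example, not Geekzone's code: an in-memory user store with salted PBKDF2 hashes (the storage format, the names and the session and reset-token tables are this example's assumptions) in which an authenticated change requires the current password, a NULL or plaintext stored value never verifies, an account with no usable password goes through a single-use reset token instead, and a change or reset revokes existing sessions, including the persistent "stay logged in" token freitasm mentions. It generalises the thread's one incident to the three cases kenkeniff listed.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; raise it for production hardware


def hash_password(password, salt=None):
    """Return 'pbkdf2$<salt hex>$<dk hex>'. The format is this example's own."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Fail closed. A NULL/empty column (the state the thread's accident left
    every account in) and a plaintext string stored where the hash belongs
    (kenkeniff's case c: no 'pbkdf2$' prefix) both return False."""
    if not stored:
        return False
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False
    try:
        salt = bytes.fromhex(parts[1])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(dk.hex(), parts[2])


class UserStore:
    """In-memory stand-in for the users, sessions and reset-token tables."""

    def __init__(self):
        self.users = {}      # username -> {"hash": str or None, "reset": sha256 hex or None}
        self.sessions = {}   # session id -> username

    def add(self, username, password):
        self.users[username] = {"hash": hash_password(password), "reset": None}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not verify_password(user["hash"], password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def _revoke_sessions(self, username, keep=None):
        # A password change or reset invalidates every other session,
        # persistent "stay logged in" tokens included.
        for sid in [s for s, u in self.sessions.items() if u == username and s != keep]:
            del self.sessions[sid]

    def change_password(self, sid, current, new):
        """Authenticated change: re-verify the current password first, so a
        session left open in a browser cannot be used to set a new one.
        With a NULL stored hash this path is closed, which is sqlpro's point."""
        username = self.sessions.get(sid)
        if username is None:
            return False
        user = self.users[username]
        if not verify_password(user["hash"], current):
            return False
        user["hash"] = hash_password(new)
        self._revoke_sessions(username, keep=sid)
        return True

    def issue_reset_token(self, username):
        """Out-of-band path for an account with no usable password. The token
        would be emailed; only its hash is stored, so a leaked table cannot replay it."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.users[username]["reset"] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def reset_with_token(self, username, token, new):
        user = self.users.get(username)
        if user is None or user["reset"] is None:
            return False
        if not hmac.compare_digest(user["reset"], hashlib.sha256(token.encode()).hexdigest()):
            return False
        user["reset"] = None               # single use
        user["hash"] = hash_password(new)
        self._revoke_sessions(username)    # the old browser token stops working
        return True
```

Two details answer the thread's open questions. A reset token is the re-authentication for an account whose hash is NULL: possession of the mailbox replaces knowledge of the password, which is why the username-or-email form is the only way back in. And setting a plaintext string in the hash column would not let anyone in either, as freitasm says, but for a stronger reason than luck: the verifier refuses anything that is not in the expected hash format, so a stored plaintext value can never match.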

