TTAC parent company VerticalScope is implementing some security changes related to forum password strength and password expiration policies. These are in response to increased Internet awareness of security-related incidents on outside major social media websites with which we share many common users. In addition, we recently became aware of potential risks to community accounts (username, userid, encrypted password and email address) on many Forum online communities, including the forum associated with this site.
Our internal security team is investigating information we have received about potential risks to communities and collecting and recording the findings for Law Enforcement agencies. Unfortunately, password-sharing between sites is also compounding the issue as various social-media sites have reported breaches in recent months. We take our users and data very seriously, and are always working to provide both a safe (and fun!) environment for our users.
If you are a user of one of our forum communities, you will receive an email shortly to change your password.
We also encourage you to proactively update your password on this site. (Either through the WordPress blog comments section or through the forum).
As with every online service, we strongly recommend that you always use a unique, strong password (10+ characters, at least one uppercase letter, one number and one special character) to better protect your online security.
Damn hackers ruin everything
I’m slightly annoyed that I had to find out about this from Jalopnik several hours before being notified here.
I also didn’t realize that I was on so many car forums owned by Vertical Scope.
It’s worth checking here to see if you are affected elsewhere:
http://www.verticalscope.com/automotive/site-list.html
It was a LeakedSource article yesterday. I read it this morning. The disturbing thing to me is that it happened in February. That’s a lot of water under the bridge without users being notified.
I read it on /. yesterday.
Holy Crap. VerticalScope owns the whole damn internet.
Looks like I might need to confess soon… *sigh*
I hacked BTSR’s account and have been posting repetitive and meaningless comments for awhile. For my penance, I will buy a CR-Z and daily drive it.
SON PUT A HELLCAT ENGINE IN THE CRZ AND YOU WILL BE FORGIVEN, AND HAVE A COLD BEER TONIGHT FOR MAKING ME LAUGH.
Mine was the original gibberish password I got back in 2007 or whenever. I changed it anyway.
I updated mine before this post. Will I need to again??
Sure.
Password managers, people. I moved to Lastpass a long time ago. Even if they do have the password I use here, it’s worthless since it’s used nowhere else. Even *I* couldn’t tell you what it is without looking.
Maybe so. But if a hacker got the info, they got your email. Welcome to spamworld.
You might also consider this, Jim. Lastpass got hacked last summer.
This: http://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#101639e5a666
And this: http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
I knew about the Lastpass one when it happened. However, it didn’t really bother me; one because my master pw is ridiculously complex and it’s unlikely they’ll be able to get it, and two because I use 2 factor authentication; even if they had my login and password they couldn’t get in without a token.
Smart.
If you’re going to use a service like that you want one that requires two keys. One they hold and one you hold. A hacker can’t bust theirs without busting yours first.
Sites, like TTAC, where the worst that could happen in getting my password is posting inflammatory comments, get my standard easy-to-remember pw. Places concerning money or my real identity get unique stronger passwords. And the number of consequential sites in my case is pretty small.
What email address will it come from? TTAC? WordPress?
It’s an internet forum. If someone breaks into my account, there’s not much they can do. TTAC has what info about me? My email address? That’s something I send all over the internet anyway.
Yep, I’d be annoyed if I had to create a new account, but that’s about it.
There’s no TLS for the login here (ie. no https page) so there’s no serious security here anyway. If you moved to https for the whole site you may have issues with third-party advertising, but at least the login page should be secured.
The biggest issue here is password re-use – one site gets hacked and your email address and password combination is leaked, and hackers will be trying to connect to other sites with the same combination. It is therefore important to have a totally unique password for every site – which is only manageable with a password manager which can also generate the passwords.
There are Lastpass fans here, I like KeePass (in spite of its questionably insecure upgrade options), which is a locally-installed program (the encrypted keyfile can be stored in the cloud).
For TTAC I have a 64-character random password generated by KeePass, unique to this site, and I have a separate email address for forum logins which is not my main email address.
A question for the TTAC admins – what is the maximum in terms of complexity I can use? You mention special characters, can I use a password like this? (Not my password!):
Tfe%>DRr}ar~1]nBd+78zqS"yGVg0,d)ZR6Fs@0k,zkI:c:4HBt;i)vy08Pt`1w
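The site notice states a minimum policy (10+ characters, an uppercase letter, a digit, a special character) and the comment above argues that the only workable answer is a unique, generated password per site. The following is an added example, not code from TTAC, VerticalScope or any commenter: it checks a candidate against that stated policy, generates a per-site password from the OS CSPRNG the way a password manager does, and reports how much entropy a uniformly random password of a given length carries. The alphabet is an assumption (printable ASCII without space); real managers make it configurable.

```python
import math
import secrets
import string

# Policy quoted in the site notice: at least 10 characters, with at least one
# uppercase letter, one digit and one special (non-alphanumeric) character.
POLICY_MIN_LEN = 10

# Assumed generator alphabet: letters, digits and ASCII punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_policy(password: str) -> list:
    """Return the list of policy rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < POLICY_MIN_LEN:
        failures.append(f"shorter than {POLICY_MIN_LEN} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(not c.isalnum() for c in password):
        failures.append("no special character")
    return failures


def generate_password(length: int = 64, alphabet: str = ALPHABET) -> str:
    """Draw a password uniformly from the alphabet using the OS CSPRNG.

    secrets.choice is backed by os.urandom; random.choice is a PRNG seeded
    from little entropy and must not be used for credentials. The loop simply
    redraws the rare candidate that misses a policy rule.
    """
    if length < POLICY_MIN_LEN:
        raise ValueError("length below the site's minimum")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed inputs: the commenter's sample string and two weak choices.
    for pw in ['Tfe%>DRr}ar~1]nBd+78zqS"yGVg0,d)ZR6Fs@0k,zkI:c:4HBt;i)vy08Pt`1w',
               "password", "Hunter2xxxx"]:
        print(repr(pw), "->", check_policy(pw) or "passes policy")
    site_pw = generate_password(64)
    print("generated:", site_pw, f"({entropy_bits(64):.0f} bits)")
    print(f"a 10-character random password: {entropy_bits(10):.0f} bits")
```

The policy check passes the commenter's 64-character sample; the difference between that and a 10-character minimum is roughly 420 bits versus 66 bits of entropy, which is why a manager-generated password per site makes the reuse problem moot even when the site itself is breached.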
My password has alway been “password”. Is that a porbelm?
Just don’t tape it to your monitor and you should be OK.
What a relief... mine’s under the mouse pad!
We’ll know the hackers have taken over the comments when they become filled with replies touting the benefits of leasing, 84 month loans and rolling over negative equity into a new car.
Oh wait…!
Having expiration dates on passwords does nothing but push a lot of users to have numbered passwords like Hunter2, Hunter3, etc. You effectively remove at least one character from the password (the number), and your rule requiring at least one numeric character is thus also useless.
See the last story on technologyreview regarding password strength for more information.
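The comment above describes the usual failure mode of forced expiration: the "new" password is the old one with the trailing number bumped. A site that insists on rotation can at least refuse such replacements at change time. The following is an added example, not code from TTAC, VerticalScope or any commenter: it reduces both passwords to the memorable core that rotation tends to preserve (case, leading/trailing digits and symbols, and a few common letter-to-symbol substitutions are discarded), rejects the change when the cores match, and otherwise requires a minimum edit distance between old and new. The substitution table and the minimum of four differing characters are assumptions, chosen in the spirit of pam_pwquality's difok setting.

```python
import re
from typing import Optional

# Assumed leetspeak map: symbols users swap in to satisfy digit/special rules
# while keeping the same word (p@ssw0rd -> password).
_LEET = str.maketrans("@$01345!", "asoleasi")


def normalize(password: str) -> str:
    """Strip case, end-of-word digits/symbols and leetspeak: Hunter3 -> hunter."""
    core = password.lower()
    # Leading and trailing non-letters are treated as decoration, not leetspeak,
    # so "Hunter2", "Hunter!3" and "!!HUNTER2016" all reduce to "hunter".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions and substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def rotation_problem(old: str, new: str, min_diff: int = 4) -> Optional[str]:
    """Return why the replacement should be rejected, or None if it is acceptable."""
    old_core, new_core = normalize(old), normalize(new)
    # All-digit or all-symbol passwords normalize to ""; fall through to the
    # edit-distance rule for those rather than treating them as identical.
    if old_core and old_core == new_core:
        return "new password is the old one with a different number, symbol or case"
    if edit_distance(old.lower(), new.lower()) < min_diff:
        return f"fewer than {min_diff} characters differ from the old password"
    return None


if __name__ == "__main__":
    # Constructed old/new pairs illustrating the Hunter2 -> Hunter3 pattern.
    pairs = [("Hunter2", "Hunter3"), ("Summer2016", "Summer2017!"),
             ("P@ssw0rd1", "Password2"), ("Hunter2", "Hunte2"),
             ("12345678", "12345679"),
             ("Hunter2", 'Tfe%>DRr}ar~1]nBd+78zqS"yGVg0,d)ZR6Fs@0k,zkI:c:4HBt;i)vy08Pt`1w')]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {rotation_problem(old, new) or 'accepted'}")
```

The check only limits the damage; it does not make expiration worthwhile. It also needs the old password in cleartext, which is available exactly once, at the moment the user types it into the change form, so it has to run there and not against the stored hash.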