
·
Registered
Joined
·
1,616 Posts
Discussion Starter #1
Why? I have been here for many years and have promoted the Insight and contributed a huge amount of information to the forum. But one of my strengths is SECURITY. I spent 17 years of my life in TOP SECRET and SECRET government work. We learn in that field what is good and what is bad security.

One bad security practice is to write your password down. It should ALWAYS be something that you remember, not something you have to write down. An old girlfriend's name, an old address.

Another security faux pas is to announce to the "code breakers" what your password parameters are. Like telling the ISIS when you will attack. A password should be unrestricted, otherwise the people trying to break it know that the passwords they don't have to try are the ones not allowed by Big Brother. This simplifies their search. A minimum length is the ONLY parameter that should be used.

My security is very important to me. I will not let it be subverted by a robot program that isn't as smart as a human. And wants me to generate a password that I will have to write down to remember where it can be discovered, and a password that is more easily broken than one that has NO PARAMETERS.

After all these years I am leaving this list because my original password (that has never been broken) is no longer acceptable to the administration of this list. I am not sure how they would know it's not acceptable unless the program is reading it... another security breach... Who else is reading that password?

I still have two 1st gen Insights, one is a daily driver, but I think I can keep it alive without this list. I hope no one needs my help that will not be able to get it in the future.

If you would like to keep in touch with me, try [email protected] or 1-361-238-0711

I am GONE.
 

·
Premium Member
Joined
·
613 Posts
A bit early for April Fool's
 

·
Registered
Joined
·
1,622 Posts
Your posts and knowledge will be missed. I never had the chance to meet you, but do enjoy reading some of your posts. Good luck in future endeavors.
 

·
Super Moderator
Joined
·
5,175 Posts
I HAVE met Jim, and he's a great guy. I'll miss you, Jim. I'll email you my personal information.

Sam
 

·
Registered
Joined
·
1,834 Posts
My security is very important to me. I will not let it be subverted by a robot program that isn't as smart as a human. And wants me to generate a password that I will have to write down to remember where it can be discovered, and a password that is more easily broken than one that has NO PARAMETERS.

If you would like to keep in touch with me, try [email protected] or 1-361-238-0711

I am GONE.
Jim, after you use their fancy temp p/w just change it to whatever you want.
 

·
Registered
Joined
·
3,295 Posts
Jim, after you use their fancy temp p/w just change it to whatever you want.
No,

Must be at least 10 characters
Must contain lower-case characters
Must contain upper-case characters
Must contain numbers
Must contain symbols

Total BS. I've had the same PW with just a few slight easy-to-remember variations for the almost 20 years I've been on the internet on probably 500 different forums with not one issue in that time.
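An added example, not part of any post in this thread: it counts how many 10-character passwords satisfy the five rules listed above, compared with a length-only rule, using inclusion-exclusion. The character-class sizes (26 lower, 26 upper, 10 digits, 32 symbols) are an assumption, since the thread does not say which symbols the forum accepts.

```python
from itertools import combinations
from math import log2

# Assumed classes: printable ASCII without the space character (94 total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def total_strings(length, classes=CLASSES):
    """All strings of this length over the full alphabet (length-only rule)."""
    return sum(classes.values()) ** length


def compliant_strings(length, classes=CLASSES):
    """Strings containing at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on.
    """
    alphabet = sum(classes.values())
    sizes = list(classes.values())
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (alphabet - sum(excluded)) ** length
    return count


def policy_report(length=10):
    """Compare search-space sizes (in bits) for the thread's 10-character rule."""
    total = total_strings(length)
    allowed = compliant_strings(length)
    return {
        "length_only_bits": log2(total),
        "all_classes_bits": log2(allowed),
        "fraction_allowed": allowed / total,
        # What a user choosing only lowercase letters would get under length-only.
        "lowercase_only_bits": log2(CLASSES["lower"] ** length),
    }


if __name__ == "__main__":
    for name, value in policy_report().items():
        print(f"{name}: {value:.3f}")
```

Under these assumptions roughly 60% of all 10-character strings satisfy the five rules, so the rules remove less than one bit from a search space of about 65.5 bits. A 10-character password drawn only from lowercase letters, which a length-only rule would accept, has about 47 bits.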
 

·
Premium Member
Joined
·
1,051 Posts
Wow, talk about an over-reaction. Odds are, many of your online passwords have been compromised without your knowledge. Insight Central has been proactive by resetting everyone's passwords, which should have already been unique to this forum. If you're using the same password all over the internet, you're going to have a bad time. Reset your password, use a decent password manager (LastPass comes to mind), and update your passwords frequently.
 

·
Registered
Joined
·
3,295 Posts
wow, talk about an over-reaction.
Over-reaction by the forum administrators. I remember the last time some internet-based entity had a breach of security they only RECOMMENDED everybody change their password. They never forced everyone to. And certainly not to the level currently required here now. They say to have a password you can remember and not have to write down. Must be at least 10 characters, contain lower-case characters, upper-case characters, numbers and symbols. Gimme a break. Nobody can remember that for one forum let alone for dozens or hundreds of them when you're supposed to have a different one for each.
 

·
Premium Member
Joined
·
1,051 Posts
Must be at least 10 characters, contain lower-case characters, upper-case characters, numbers and symbols. Gimme a break. Nobody can remember that for one forum let alone for dozens or hundreds of them when you're supposed to have a different one for each.
Yes, the days of easy to remember passwords are over. Use a password manager.
 

·
Registered
Joined
·
3,295 Posts
Not familiar with pw managers. Don't you need to create a name and password to get into one? Kinda defeats the purpose. And for what used to take 5 seconds to type in a password to log into a forum, I would have to take a minute to log into the PW manager, find the correct PW for the forum I want, then cut and paste that into the forum PW box?
 

·
Premium Member
Joined
·
613 Posts
Smdh

As someone studying for computer/network security certifications and a 20+ year holder of various levels of government clearance, I can offer some perspective. This sort of action suggests there was some sort of database compromise. The decision to invalidate all passwords and add additional password security requirements was likely the only valid option. It would be valid to assume this was done for our benefit.

You could perhaps interpret this action as some kind of personal attack and throw a hissy fit about how grossly inconvenient this is. At my current day job, I have to change passwords for 3 login screens every 90 days, and passwords may not be reused. Forgotten/expired passwords require a phone call to validate your identity. Annoying? It can be, but a more productive choice is to accept that which you lack influence over and figure out a solution. Some have suggested using a password manager application. I've never used one but probably valid. I don't think any of you would find it the slightest bit amusing if you saw posts not made by you under your forum name. While that won't affect your savings account balance or your credit score, it's still a compromise and you would not appreciate admin inaction.

A more adult/appropriate choice of reaction to this, IMO, is show some appreciation for the IC admins having the testicular fortitude to do what is necessary so that we may continue doing this forum thing as usual with minimal interruption.



And no, I am not an admin... but I have stayed at a Holiday Inn Express at least a few times.
 

·
Registered
Joined
·
20 Posts
Pretty new here and I don't know Jim, but I'm sure that his insights (sorry, had to do it) will be missed. I agree with Gadget01, this was likely a required passwd reset and I also think that Jim overreacted. My work involves IT and I run two servers at work and I daily log into several other computational servers that have similar passwd requirements, plus a forced 90 day change.

It may not seem too critical on a forum from the user's standpoint. After all, what are they going to access, your avatar and hobby list? However, depending on internal server security/firewalls and how good the hacker is, once they are "in" it may not be just your acct. they have compromised. If they somehow manage to get higher level admin. or even root access, they could bring down the whole forum or multiple forums, if this site is being hosted on a server that also hosts other forum urls. So as Gadget pointed out, someone had likely managed to get in and the only way to ensure they would be purged was a forced reset of all passwds.

Another thing that many are probably unaware of is that servers are continually bombarded with login attempts from IPs originating in, primarily, Russia and China. Most firewalls block these after a certain number of failed attempts, but many forums do not, or at least have a higher failed authentication setting, since people often forget both their username and passwds. These hacks run algorithms that try billions of authentication combinations, hence the passwd requirements mandated here attempt to make those permutations very large. If you looked at a server's log from just one day and saw the failed attempts and blacklisted IPs it would be a "Wow!" moment.
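An added example, not part of any post in this thread: the "block after a certain number of failed attempts" behaviour described above, run over a small log. The log format, addresses, usernames and thresholds are constructed for illustration and do not come from the forum's servers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, hypothetical format: ISO time, source IP, user, result.
SAMPLE_LOG = """\
2024-01-01T03:00:01 203.0.113.7 admin FAIL
2024-01-01T03:00:02 203.0.113.7 root FAIL
2024-01-01T03:00:03 203.0.113.7 test FAIL
2024-01-01T03:00:04 203.0.113.7 admin FAIL
2024-01-01T03:00:05 203.0.113.7 guest FAIL
2024-01-01T03:00:06 203.0.113.7 admin FAIL
2024-01-01T08:15:00 198.51.100.20 alice FAIL
2024-01-01T08:15:20 198.51.100.20 alice FAIL
2024-01-01T08:15:45 198.51.100.20 alice OK
2024-01-01T09:00:00 192.0.2.44 bob FAIL
2024-01-01T09:15:00 192.0.2.44 bob FAIL
2024-01-01T09:30:00 192.0.2.44 bob FAIL
2024-01-01T09:45:00 192.0.2.44 bob FAIL
2024-01-01T10:00:00 192.0.2.44 bob FAIL
"""


def flag_sources(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time of block} for sources reaching max_failures within window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines rather than crash
        stamp, ip, _user, result = parts
        if result != "FAIL" or ip in blocked:
            continue
        when = datetime.fromisoformat(stamp)
        failures = recent[ip]
        failures.append(when)
        # Drop failures that have aged out of the sliding window.
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            blocked[ip] = when
    return blocked


if __name__ == "__main__":
    for ip, when in flag_sources(SAMPLE_LOG).items():
        print(f"block {ip} at {when.isoformat()}")
```

Only the rapid-fire source is flagged. The user who mistypes twice and the source that fails once every 15 minutes both stay under the threshold, which is why a lockout counter does not replace strong, unique passwords against slow guessing.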
 

·
Registered
Joined
·
551 Posts
For those who don't read the announcements subforum (you should) VerticalScope, the corporation that owns and "monetizes" IC and a bunch of other forums, was hacked and had 45 million accounts stolen. While the passwords were encrypted and can't be used directly, they are requiring all passwords be changed as a precaution.
http://www.insightcentral.net/forums/insightcentral-net-site-help-rules-announcements/90866-attention-password-security-update.html

No,
[...]
Total BS. I've had the same PW with just a few slight easy-to-remember variations for the almost 20 years I've been on the internet on probably 500 different forums with not one issue in that time.
Security experts would say you are a fool. If you haven't been hacked yet, a very lucky fool.

Passwords are like underwear: Change them often, don't wear the same pair everywhere, don't share them with anybody, don't wear pairs that are too small, don't leave them lying around. No two sites that you visit should have the same password. I usually have completely different usernames and email addresses for every site I use.

Not familiar with pw managers. Don't you need to create a name and password to get into one? Kinda defeats the purpose.
No, it does not defeat the purpose. Read a little:
Why You Should Use a Password Manager and How to Get Started
How and why to set up and use a password manager - CNET


If I use a password manager and store all my passwords somewhere on the cloud, who is to say that that site won't get compromised and create even larger compromises?
Not if they have proper security in place. That would include a "zero knowledge" system where the data is encrypted on their service, and only decrypted locally on your machine or device. I personally eschew the cloud password services in favor of a personal password manager, though I pass the encrypted password file through cloud services.

I use KeePass Password Safe to store unique username and passwords for about 240 systems. There are clients for Linux, Mac, Winduhs, Android, and iPhone. I share the file between devices using a cloud service, but of course it's encrypted during the transit so it's secure. It's a breeze to use.
 

·
Banned
Joined
·
1,353 Posts
I have to agree with Jim.

Yes, changing passwords often is ideal, and so is flossing every night and never breaking the speed limit and never eating a burger, only salad.

But this is forcing BEST PRACTICE on everyone, and frankly, the requirements are a bit excessive. Requiring uppercase and lowercase is silly when you have a 10 digit password AND require a symbol.

I have been using the same passwords* for years, without issue, and no, I'm not going to use a password manager. If that gets compromised (which it will) then EVERYTHING you do will be compromised.

My solution is to use a common password that is modified to fit each application. So password for this forum would be XXXXXXinsight#, and my password for something else might be XXXXXXsubaru#, etc.

But these new requirements? Great. So many ****ing requirements I have to create a password that breaks my pattern. Also I am subscribed to tons of other car forums, and none of them made me do this.

This is an example of a car that embraces technology and the admins doing the same thing, to eleven.
 

·
Super Moderator
Joined
·
5,175 Posts
Coincidence? My Comcast account was compromised a couple of days after this all happened on IC. My password was the same, and it wasn't very complex.

Those of you like Atikovi and Addvanced who think you have a cute way of getting around the "best practices" of password management are only making it easier for hackers. Patterns are easier for robots to crack. Thank you. When the bot figures out your pattern maybe it will stay away from mine.

Which house is the burglar going to break into? The house with bars and security cameras, or the one next door with nothing?

This isn't just about IC. We all should give some serious thought about how we manage and protect our passwords. Think of this as a wake up call.

Sam
 

·
Banned
Joined
·
1,353 Posts
Who cares? What if my account here is compromised, how will it affect me? Worst case, I create a new account.
 

·
Premium Member
Joined
·
1,051 Posts
I have been using the same passwords* for years, without issue, and no, I'm not going to use a password manager. If that gets compromised (which it will) then EVERYTHING you do will be compromised.
Same passwords for years? Your passwords are likely compromised without your knowledge. You only know about your IC password being compromised because they told you. Here's some good information on the LastPass password manager. https://twit.tv/shows/security-now/episodes/256
My solution is to use a common password that is modified to fit each application.
Security through obscurity is not secure.

I am subscribed to tons of other car forums, and none of them made me do this.
Me too. I just assume that the more lax their security guidelines, the more likely they have been or will be compromised. I use a password manager, so it only takes seconds to update any of my passwords.
 