Is this private message from MSE?

Treacle1983

Had a direct message on here from MSE Zorica saying:

Hi there,

As part of our Forum Redesign, we want to make sure forum users passwords are as strong as possible and our techies have asked us to get in touch to make yours more secure.
If you could you give us a hand by changing your password to something stronger when you next log in we would be very grateful.

To change your password go to your Edit Password page.

To make it stronger use a combination of upper and lowercase characters, numbers and letters.

Thanks in advance for your help

MSE Forum Team


Is this a genuine message from MSE or a scammer/spammer?

kazwookie

I got this as well! and I've changed it, may be I'll do it again now

Former_MSE_Ian

Treacle1983 wrote: »

Is this a genuine message from MSE

Yes. Please follow the instructions int he PM. Thank you.

Ian

Old_Wrinkly

Am I the only one that thinks there is more to this?

Or is that just my extreme suspicious nature coming to the fore?

Upsidedown_Bear

I haven't had a message about this so I'm assuming MSE think my password is secure.
But how do they know my password is secure as I thought they were supposed to be encrypted? If the people working at MSE can find out what your password is isn't that asking for trouble?

Candy53

I haven't had one either, so I thought my password must be a good one, but then, I also thought how do they know?



Candy

Former_MSE_Ian

hi Upsidedown Bear,

Upsidedown_Bear wrote: »

But how do they know my password is secure as I thought they were supposed to be encrypted?

They are encrypted. Even I cannot see your password. And would not want to. But it’s quite simple. If your password is "password", or "password123", or "password12345" then it doesn’t matter that it's encrypted on our servers. It’s not difficult to guess.

Upsidedown_Bear wrote: »

If the people working at MSE can find out what your password is isn't that asking for trouble?

Unfortunately there is only so much we can realistically do to make a weak password secure. And we are donig it now by getting to the root cause of the problem. Encouraging people to use stronger passwords.

It's as simple as that really. I hope that makes sense.

Ian

Mr_Ted

:mad: I also have concerns about this message as when i opened it a popup window attempted to open, THIS has never happened before and makes me extremely suspicious

Fortunately I have plenty of security which should stop any issues

BUT I DO have concerns that this is NOT genuine, perhaps someone should explain how and why this has occurred, particularly as my password IS how it is suggested a new one should be

Would it be correct to suspect that a hack has been attempted which has initiated this, as this is often the reason for such events :eek:

Old_Wrinkly

MSE_Ian wrote: »

hi Upsidedown Bear,

They are encrypted. Even I cannot see your password. And would not want to. But it’s quite simple. If your password is "password", or "password123", or "password12345" then it doesn’t matter that it's encrypted on our servers. It’s not difficult to guess.

Unfortunately there is only so much we can realistically do to make a weak password secure. And we are donig it now by getting to the root cause of the problem. Encouraging people to use stronger passwords.

It's as simple as that really. I hope that makes sense.

Ian

So how does that explain Monkeyballs getting a PM? :
http://forums.moneysavingexpert.com/showpost.php?p=64303126
Their password would seem to follow good practice.

(And now Mr Ted saying a similar thing.)

Is the PM being sent out to everyone (eventually), or just a few users that MSE considers (for some reason) to have 'less than secure' passwords?

StumpyPumpy

MSE_Ian wrote: »

Unfortunately there is only so much we can realistically do to make a weak password secure. And we are donig it now by getting to the root cause of the problem. Encouraging people to use stronger passwords.

Unfortunately, I think you are adding to the problem by sending what I assume to be a filtered message (I didn't get one, and nor did a number of others going by the replies to the various threads here who seemingly have passwords that pass your cracking algorithm)

You should really have had an alert on the forums (like the down time ones) ahead of the message so that people would know it was genuine without having to ask. This would also have helped to mitigate the numbers of people who are now posting in various threads saying they have received the message.

These threads are a hackers delight. They now have a list of usernames with people effectively announcing that they have an insecure password that is highly susceptible to brute force cracking. Thanks. Makes it a lot more trivial to get in. You need to make removing these messages a priority then enforce password changes on those that have done so because they have blown what remained of their security sky high, thanks to your unannounced message.

SP

Former_MSE_Ian

Hi Mr Ted,

Mr_Ted wrote: »

i opened it a popup window attempted to open

It's a standard feature. If you don't like it you can go to UserCP -> Edit Options, untick where it says "Show New Private Message Notification Pop-up", and click Save.

Please bear in mind though that some modern browsers have pop-up blockers which might block these popup windows and prevent them from openning even if you have this option ticked.

Ian