Password update prompt

Comments

  • pollypenny
    pollypenny Posts: 29,393 Forumite
    Name Dropper Photogenic First Anniversary First Post
    I was concerned as I'd only just changed my password, after MacBook trouble and losing lots of stuff. It was so long ago that I joined MSE that I couldn't remember my password and no longer use the original email.

    Password expired after 13 days!

    Grateful for prompt response from team, though.
    Member #14 of SKI-ers club

    Words, words, they're all we have to go by!.

    (Pity they are mangled by this autocorrect!)
  • Pollycat
    Pollycat Posts: 34,655 Forumite
    Name Dropper First Anniversary First Post Savvy Shopper!
    MSE_Andrea wrote: »
    Hi,

    I’m sorry for the delay replying.

    This isn’t the first time we’ve sent a prompt out in this or other ways. MSE’s priority is to ensure your security so we’ve prompted everyone to change them.

    We realise it might be frustrating but your security comes first.
    So to "ensure our security" you ask us to set a new password using a non-secure connection.
    That sounds crazy (at least to me).

    Andrea - perhaps you could comment on the security concerns expressed by a number of posters.
    But our security isn't coming first when we are being asked to put a new password in over an unsecure connection leaving us open to hackers.

    This is taken from Chrome and is the same for Firefox; surely a massive site like MSE should be a lot more secure.
    Info or Not secure
    The site isn't using a private connection. Someone might be able to see or change the information you send or get through this site.
    You might see a "Login not secure" or "Payment not secure" message. We suggest that you don't enter sensitive details, like passwords or credit cards.
    On some sites, you can visit a more secure version of the page:

    • Select the address bar.
    • Delete http://, and enter https:// instead.
    If that doesn't work, contact the site owner to ask that they secure the site and your data with HTTPS.
  • Lorian
    Lorian Posts: 5,705 Forumite
    Name Dropper First Anniversary First Post Photogenic
    As a matter of good security you should make sure your email address and password on other sites, like Amazon and Ebay are NOT the same as you have here or on any other forum.

    Without any further information it would still be prudent to change your password on any other sites where you may have used the same password with the same email address.

    And as annoying as it may seem, don't change your password here back to the same as it was.
  • tronator
    tronator Posts: 2,857 Forumite
    First Anniversary Name Dropper First Post
    MSE_Andrea wrote: »
    Hi,

    I’m sorry for the delay replying.

    This isn’t the first time we’ve sent a prompt out in this or other ways. MSE’s priority is to ensure your security so we’ve prompted everyone to change them.

    We realise it might be frustrating but your security comes first.

    I wish there would be a "No Thanks" button. Have you even read the comments? There were people who were asked to change their password after just 11 days.

    Why is this site not using HTTPS if "our security comes first"? In the day and age of Let's Encrypt there is absolutely no excuse for not using HTTPS.

    Finally, changing passwords doesn't increase any security. The NIST changed their recommendations about it last year. If someone uses a strong password and doesn't use it anywhere else, it doesn't make it more secure. But first YOU should make YOUR site more secure as all passwords are sent in PLAIN TEXT OVER THE INTERNET.

    </rant over>
  • kuohu
    kuohu Posts: 913 Forumite
    First Anniversary
    Pointless waste of time.

    WHY?
    DFW Nerd 035
  • Jinhao159
    Jinhao159 Posts: 13 Forumite
    edited 10 February 2018 at 2:25PM
    If this was planned and is meant to improve security by making us change passwords on a regular basis that would be OK. However, if that was the case I would have expected to have been warned about the change of policy.

    I refuse to change my password on an insecure page. What is wrong with using https://

    I have signed up as a new user, using an old email address that I haven't used for several years. At least if my details are intercepted they won't get any current info that is connected to my old log in.

    Also having trouble posting as I keep getting messages saying the site is experiencing technical problems.

    Lack of response from MSE and timing makes me more and more suspicious that there has been a security breach and they don't want to comment until they know exactly what has happened.

    MSE would be quick to criticise other companies and sites for such a lack of response and forcing users to use an insecure method of changing passwords :mad:

    No need to be nice in any replies, I am not really a newbie :-)

  • parkrunner
    parkrunner Posts: 2,610 Forumite
    First Anniversary First Post
    MSE_Andrea wrote: »
    Hi,

    I’m sorry for the delay replying.

    This isn’t the first time we’ve sent a prompt out in this or other ways. MSE’s priority is to ensure your security so we’ve prompted everyone to change them.

    We realise it might be frustrating but your security comes first.

    That simply isn't true as you have asked us to update on a non secure connection, so how about the real reason?
    It's nothing, not nothink.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Name Dropper First Post First Anniversary
    AnotherJoe wrote: »
    how does me changing my password from abcde to defgh makes me more secure ?
    When you use a site with unencrypted login details in a public place it's possible to collect and sell them to be exploited. Forcing you to change the password prevents the old one from working and reduces the time span during which exploitation here is possible.

    Attempts to use the old details for your accounts elsewhere are still possible and it's particularly unwise to reuse unencrypted login details at other places for that reason.

    MSE has an ongoing project to add encrypted connection support. It's not supported by this version of the forum software and it's not easy for the biggest places to upgrade or change forum software.

    This place started in a much lower threat environment than we have today and the increasing use of mobile devices in public places further increases the risk.

    So the regular changes are a workaround for an inherent weakness in the forum software login process.
  • Pollycat
    Pollycat Posts: 34,655 Forumite
    Name Dropper First Anniversary First Post Savvy Shopper!
    The other thread on this subject has now been closed with the comment that it's confusing having 2 threads on the same subject (I agree).
    However, the thread that's been closed was started before this - the 'official' one. :whistle:
  • cajef
    cajef Posts: 6,266 Forumite
    Name Dropper Photogenic First Post First Anniversary
    neilmcl wrote: »
    Worth noting that your system allows the old password to be reused.
    I tried that and was told my old password was too short and I needed to enter a minimum of eight characters.

    I have been a member since 2005 and this is the first time I have been told I have to change my password.
This discussion has been closed.