Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    • MSE Andrea
    • By MSE Andrea 9th Feb 18, 3:09 PM
    • 8,974Posts
    • 21,733Thanks
    MSE Andrea
    Password update prompt
    • #1
    • 9th Feb 18, 3:09 PM
    Password update prompt 9th Feb 18 at 3:09 PM
    Hi everyone

    As eagle-eyed regular forum members have noticed already, we're asking you all to update your passwords. You should be doing this regularly for your own peace of mind.

    Some hadn't been updated for some time and we want to make sure you change them regularly.

    Thanks for your patience. Have a great weekend.

    Andrea
    Could you do with a Money Makeover?


    Follow MSE on other Social Media:
    MSE Facebook, MSE Twitter, MSE Deals Facebook, MSE Deals Twitter, Forum Twitter, Instagram, Pinterest
    Join the MSE Forum
    Get the Free MoneySavingExpert Money Tips E-mail
    Report inappropriate posts: click the report button
    Point out a rate/product change
    Flag a news story: news@moneysavingexpert.com
Page 3
    • keepcalmandstayoutofdebt
    • By keepcalmandstayoutofdebt 9th Feb 18, 8:42 PM
    • 3,135 Posts
    • 1,637 Thanks
    keepcalmandstayoutofdebt
    Oh my goodness I've just spent nearly an hour stressing that I'd never seeing my account again, that will teach me to go 2293 days without a password change!

    Please disregard my contact us message tonight.
    "If you are caught in a rainstorm, once you accept that you'll receive a soaking, the only thing left to do is enjoy the walk"
    • davidmcn
    • By davidmcn 9th Feb 18, 9:41 PM
    • 7,383 Posts
    • 7,447 Thanks
    davidmcn
    This isn!!!8217;t the first time we!!!8217;ve sent a prompt out in this or other ways.
    Originally posted by MSE Andrea
    Well, it's the first time you've done it to me in 3915 days, apparently...
    • AnotherJoe
    • By AnotherJoe 9th Feb 18, 9:43 PM
    • 9,058 Posts
    • 9,960 Thanks
    AnotherJoe
    Hi everyone

    As eagle-eyed regular forum members have noticed already, we're asking you all to update your passwords. You should be doing this regularly for your own peace of mind.

    Some hadn't been updated for some time and we want to make sure you change them regularly.

    Thanks for your patience. Have a great weekend.

    Andrea
    Originally posted by MSE Andrea
    I really don't want to change my password here regularly thank you , and especially not over an insecure form. My peace of mind was fine before.

    And, FWIW even the U.K. security authorities now say there's no point in regularly changing your passwords since it doesn't enhance security. If you think it does I'd like to see an explanation. Eg Exactly how does me changing my password from abcde to defgh makes me more secure ?
    • Moneyineptitude
    • By Moneyineptitude 9th Feb 18, 10:06 PM
    • 20,002 Posts
    • 10,985 Thanks
    Moneyineptitude
    It's just an internet forum, why should we be updating passwords "regularly"?

    Retail sites don't require regularly changed passwords and they have credit card details stored!
    • miriamac
    • By miriamac 9th Feb 18, 11:07 PM
    • 274 Posts
    • 634 Thanks
    miriamac
    This reminds me of the 'disappearing threads' discussions - I believe that some of those discussions probably helped the people who were making threads disappear!

    It would be nice to know why MSE are doing this - but that's just because I'm inquisitive . Also because I have my own theories and it would be nice to have them confirmed - but that's vanity as well as inquisitiveness.
    • xylophone
    • By xylophone 10th Feb 18, 12:00 AM
    • 25,187 Posts
    • 14,834 Thanks
    xylophone
    It has been utterly maddening - changing to that ghastly blue skin/being told the old password didn't match/resetting password/being unable to log in at all......aargh!

    As if trying to cope with my in specie ISA transfer wasn't already "putting me away in the head" (to quote my dear old dad)!
    • Sayschezza
    • By Sayschezza 10th Feb 18, 12:53 AM
    • 247 Posts
    • 2,292 Thanks
    Sayschezza
    I got that, bit confusing.... changed it and logged in, but it said I'd got it wrong, so did it again, manually - it then told me I'd got my password wrong and try again, but I thought "bugg4h you then, b4st4rds, I CBA with this nonsense".... but, as you can see, I was somehow logged in anyway.
    Originally posted by PasturesNew
    Same thing happen to me. I changed it but new one was refused twice then tried old one but was in anyway.
    • tealady
    • By tealady 10th Feb 18, 7:13 AM
    • 2,773 Posts
    • 3,306 Thanks
    tealady
    I just re used my old password when I was told to change it!
    Proud to be an MSE nerd
    Judge people by their achievements, not by their mistakes
    • iris
    • By iris 10th Feb 18, 7:25 AM
    • 988 Posts
    • 3,376 Thanks
    iris
    This also happened to me and was very frustrating. I have been a member since 2003.
    • centsible
    • By centsible 10th Feb 18, 8:41 AM
    • 874 Posts
    • 138,742 Thanks
    centsible
    The website is not even using https for the password change page. So all passwords (old and new) are send in plain text over the internet and we can keep using our existing password. So this is a complete non-action.
    I think that MoneySavingExpert may have serious problems with the upcoming Data Protection Legislations coming into force in May this year .
    Well, at least it made me aware that MSE doesn't take security very serious.
    Originally posted by steppevos
    And there is also (or was at 30 November 2017) the use of Session Replay Scripts on MSE....

    Follow the link through from https://motherboard.vice.com/en_us/article/59yexk/princeton-study-session-replay-scripts-tracking-you and you'll find MSE one of the 400 major sites recording keystrokes.
    • thescouselander
    • By thescouselander 10th Feb 18, 8:50 AM
    • 5,372 Posts
    • 4,990 Thanks
    thescouselander
    I've been having all sorts of problems with this today. I changed my password as requested (using a password manager) but the site didn't recognise the new password when I tried to log in. I then spent a while doing battle with the reset procedure which was equally reluctant to let me in until suddenly it started working again and I changed my password.

    The problem is I keep getting logged out now for unknown reasons.
    • pollypenny
    • By pollypenny 10th Feb 18, 9:05 AM
    • 23,818 Posts
    • 61,999 Thanks
    pollypenny
    I was concerned as I!!!8217;d only just changed my password, after MacBook trouble and losing lots of stuff. It was so long ago that I joined MSE that I couldn!!!8217;t remember my password and no longer use the original email.

    Password expired after 13 days!

    Grateful for prompt response from team, though.
    Member #14 of SKI-ers club

    Words, words, they're all we have to go by!.

    (Pity they are mangled by this autocorrect!)
    • Pollycat
    • By Pollycat 10th Feb 18, 11:29 AM
    • 19,700 Posts
    • 52,624 Thanks
    Pollycat
    Hi,

    Im sorry for the delay replying.

    This isnt the first time weve sent a prompt out in this or other ways. MSEs priority is to ensure your security so weve prompted everyone to change them.

    We realise it might be frustrating but your security comes first.
    Originally posted by MSE Andrea
    So to "ensure our security" you ask us to set a new password using a non-secure connection.
    That sounds crazy (at least to me).

    Andrea - perhaps you could comment on the security concerns expressed by a number of posters.

    But our security isn't coming first when we are being asked to put a new password in over an unsecure connection leaving us open to hackers.

    This is taken from Chrome and is the same for firefox surely a massive site like mse should be a lot more secure.

    Info or Not secure
    The site isn't using a private connection. Someone might be able to see or change the information you send or get through this site.
    You might see a "Login not secure" or "Payment not secure" message. We suggest that you don't enter sensitive details, like passwords or credit cards.
    On some sites, you can visit a more secure version of the page:
    • Select the address bar.
    • Delete http://, and enter https:// instead.
    If that doesn't work, contact the site owner to ask that they secure the site and your data with HTTPS.

    Originally posted by frankennsteiny
    • Lorian
    • By Lorian 10th Feb 18, 12:34 PM
    • 4,303 Posts
    • 2,432 Thanks
    Lorian
    As a matter of good security you should make sure your email address and password on other sites, like Amazon and Ebay are NOT the same as you have here or on any other forum.

    Without any further information it would still be prudent to change your password on any other sites where you may have used the same password with the same email address.

    And as annoying as it may seem, don't change your password here back to the same as it was.
    • tronator
    • By tronator 10th Feb 18, 12:48 PM
    • 2,655 Posts
    • 1,470 Thanks
    tronator
    Hi,

    Im sorry for the delay replying.

    This isnt the first time weve sent a prompt out in this or other ways. MSEs priority is to ensure your security so weve prompted everyone to change them.

    We realise it might be frustrating but your security comes first.
    Originally posted by MSE Andrea
    I wish there would be a "No Thanks" button. Have you even read the comments? There were people who were asked to change their password after just 11 days.

    Why is this site not using HTTPS if "our security comes first"? In the day and age of Let's Encrypt there is absolutely no excuse for not using HTTPS.

    Finally, changing passwords doesn't increase any security. The NIST changed their recommendations about it last year. If someone uses a strong password and don't use it anywhere else, it doesn't make it more secure. But first YOU should make YOUR site more secure as all passwords are sent in PLAIN TEXT OVER THE INTERNET.

    </rant over>
    • kuohu
    • By kuohu 10th Feb 18, 12:52 PM
    • 873 Posts
    • 487 Thanks
    kuohu
    Pointless waste of time.

    WHY?
    DFW Nerd 035
    • Jinhao159
    • By Jinhao159 10th Feb 18, 1:23 PM
    • 13 Posts
    • 88 Thanks
    Jinhao159
    If this was planned and is meant to improve security by making us change passwords on a regular basis that would be OK. However, if that was the case I would have expected to have been warned about the change of policy.

    I refuse to change my password on an insecure page. What is wrong with using https://

    I have signed up as a new user, using an old email address that I haven't used for several years. At least if my details are intercepted they wont get any current info that is connected to my old log in.

    Also having trouble posting as I keep getting messages saying the site is experiencing technical problems.

    Lack of response from MSE and timing makes me more and more suspicious that there has been a security breach and they don't want to comment until they know exactly what has happened.

    MSE would be quick to criticise other companies and sites for such a lack of response and forcing users to use an insecure method of changing passwords

    No need to be nice in any replies, I am not really a newbie :-)

    Last edited by Jinhao159; 10-02-2018 at 1:25 PM. Reason: Comment about not being newbie
    • parkrunner
    • By parkrunner 10th Feb 18, 1:41 PM
    • 1,058 Posts
    • 1,650 Thanks
    parkrunner
    Hi,

    Im sorry for the delay replying.

    This isnt the first time weve sent a prompt out in this or other ways. MSEs priority is to ensure your security so weve prompted everyone to change them.

    We realise it might be frustrating but your security comes first.
    Originally posted by MSE Andrea
    That simply isn't true as you have asked us to update on a non secure connection, so how about the real reason?
  • jamesd
    how does me changing my password from abcde to defgh makes me more secure ?
    Originally posted by AnotherJoe
    When you use a site with unencrypted login details in a public place it's possible to collect and sell them to be exploited. Forcing you to change the password prevents the old one from working and reduces the time span during which exploitation here is possible.

    Attempts to use the old details for your accounts elsewhere are still possible and it's particularly unwise to reuse unencrypted login details at other places for that reason.

    MSE has an ongoing project to add encrypted connection support. It's not supported by this version of the forum software and it's not easy for the biggest places to upgrade or change forum software.

    This place started in a much lower threat environment than we have today and the increasing use of mobile devices in public places further increases the risk.

    So the regular changes are a workaround for an inherent weakness in the forum software login process.
    • Pollycat
    • By Pollycat 10th Feb 18, 2:21 PM
    • 19,700 Posts
    • 52,624 Thanks
    Pollycat
    The other thread on this subject has now been closed with the comment that it's confusing having 2 threads on the same subject (I agree).
    However, the thread that's been closed was started before this - the 'official' one.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

284Posts Today

3,383Users online

Martin's Twitter