Chicago

TER Needs to Update Their Site Security!!!angry_smile
girlsyxx See my TER Reviews 1658 reads
posted

Here's the sernerio.

Your wife finds your private email you've created just for hobbiest purposes. She then cracks your password because it wasn't that hard, you all have been married for years and she knows everything about you. Also, you didn't put much thought into it because you figured she never find it.

She begins to search your inbox for anything incriminating. She find an old email about a TER posting you responded and subscribed to. Doesn't sound that bad??? Yet!

Next, she follows the link to your posting and figures out which posted you are. Then she tries to login but doesn't know the password. Great, I'm really dodge that bullet, you think???.... NOT!

Go to the login page of TER. Act as if you've lost your password. Using your username (which she found in a posting) and the email address she stubbled across. She sends your inbox, Not a link to RESET, your password. But an email, giving her your full username and guess what? YOUR PASSWORD TOO! Talk about hitting the jackpot. Now, you're exposed, all your secret are no longer safe, she knows all and can even proceed to lock you out of your account.

I think that is the biggest breach of security ever. I rely on this site to keep my identity safe and secure. Instead, what I receive is an email including all the information to access my account.

I've only experienced this one other time, in recent years. My university was giving out online classroom usernames and passwords over the phone. All someone needed was your SSN and full name. When I locked myself out once because of a computer crash. I called the school and they gave me everything over the phone.

I did to them, exactly what I'm doing here. Exposing this lapse in security.

1. If some send a link for reset, then if someone does gain access illegally, I will know when I try to log in using the password I've used for months/years. Otherwise, I really smart person will just act as if they don't know anything and collect information on you quietly and you would probably never be non the wiser.

Whether it's a link to reset it to something else or the current password itself, the person will still get in and have access.

Seems to me that the REAL problem was being sloppy and letting someone find out your 'secret email' in the first place.   One slip up leads to a bunch of pain.

Let's look at this for a moment.

1. You are either married or have a significant other.

2. You have not exercised extreme caution with regards to your hobbying activity. Emails and passwords should be well thought out and very difficult to hack.

3. You are using a computer that your wife or s.o. has access to and have not fully cleansed it.


Being divorced for thr past 16 years, it is very difficult for me to understand why a man in your position would not exercise extreme measures of security to protect ones alter ego. Besides, you have sooooo much to loose. Your wife or s.o., your house, or at least 50% of it and half of your pension, not to mention possible child support and alimony.  How much more motivation do you need to be more careful. Oh, the possibility of being arrested also.

TER operates in a secure enviroment and makes the same protocol available that most other institutions do to help you recover a password. Heck, I think Chase bank does theirs the same way.

Look into the mirror and ask yourself, "why have I not been more careful with such potential damming information"? As you look back into the mirror, ignore the laughing person that you see. He is laughing at you and not with you.

There is no execuse for stupidity at this level. Either be far more creative in your deceptive ways or give up the hobby and remain loyal to your wife. The ladies don't need phone calls and emails from a pissed off spouse or s.o. and the guys on the board won't give you much moral support. They will be too busy wiping the tears from their eyes from laughing. Lets face it, everyone enjoys a train wreck.

Sorry for being harsh, but in the immortal words of Forest Gump, "stupid is as stupid does".

Funtimes61

I've had a Chase bank account and they don't send you an email including your login and password.

My put is that sending info in an email is obsulate. No one does this anymore, for exactlly the reason I illustrated. Almost all site will send you a link to reset the password because that is the only way to ensure the person will find out if a breach were to occur.

If you have that much of a problem with it, maybe its not for you. Funtimes was exactly right with his advice. Update YOUR security, and stop blaming others. It just annoys the masses.

Ha-ha Stupid is as stupid does!  Stop blaming others for your mer-fer mistakes gaytard!

Mwahz,
Giselle

seems to me u have to update YOUR security (also your spelling, but thats the teacher in me)
more importantly, so how did u resolve it with your significant other ?

Herr Professor821 reads

Jesus Christ. Sue the fuckers. You can't write worth a shit. I'd al least get a refund for that Eng. 101 class.

Mine landed on the floor while laughing at your post! In fact, I almost landed on the floor next to it I was laughing so hard! Thx for smile at the end of the night!!!

Xoxo
VC

Herr Professor1187 reads

read his other post just below. Sorry about the wine, hon. ;-)

The poster is in trouble and possibly not in the right frame of mind, when the long post was written.

Given the scenario and position the poster is in, I'd cut him/her some slack and attribute the errors to typos. I would surely not pile on using an alias.

Seriously. Yeah he messed up and he's venting, who wouldn't, but guess what... he has a point. TER could look at his complaint professionally, which appears to be that user names and passwords shouldn't be sent via plain text via email, and say hey maybe we'll take a look at updating the reset process. Instead you guys just start calling him names and criticizing. (Gaytard??? Really???) I had to re-read it a couple times and nowhere in that post does he say this is all TER's fault. He actually points the finger at himself for not being more careful about the email account's password in the first place.

This is the sense of community you show when you see a fellow member has made a life-altering mistake? No, this isn't Utopia-land but neither is it the hell you've given this guy. I normally enjoy these boards and rarely post but have to make an exception here. Neither am I afraid to say what I have to say without the need for an alias.

This is not the reaction I'd expect in a profession where we ALL must be as careful as we possibly can. This site may not be for everyone but there's no reason it can't be improved for those of us who choose to use it.

Wow, is that the pot calling the kettle black.  As another poster mentioned, if it is the full password or a link to do a reset, what is the difference (unless you use the same username and password on multiple 'secret' accounts)?  The problem here is that you, or the hypothetical person getting caught, got really sloppy leaving a trail to be found to the email account and used a non-secure password that could be cracked.  Speaking as one who has used his S.O's own laptop to access this site and log into the associated email, I know what I'm speaking about.  Cover your tracks, use a bulletproof email and site password, delete non-essential old emails just in case, and it will be better than anything TER can do to make you feel better about the 'reset/lost password' process.

SMEGMA!!

I couldn't log in yesterday either. When I got the password via email, I found that it was different. TER down-cased all the capital letters! Why would they do this? Mixed-case passwords are much more secure. Now I'm wondering if I can change it back to what it was without locking myself out completely.

Board Admin723 reads

This means in the past users could put their password in upper or lower case and still be able to log in.

You can change your password via "edit my profile" in your account manager to make it upper and lower case. You won't be locked out. :D

Admin

Register Now!