Password reset

[5jj]

There appear to have been a few hiccups today.

However, we have a site to which many dozens of posts are submitted every day. In the language forums, thousands of people have received help that they have been unable to find elsewhere. In the members' area, many people enjoy showing off their poetry and playing games in English. As I write this, 1,395 people are visiting the site.

It's no mean achievement to keep this going - especially as, like many popular sites, UE is targeted by spammers and trolls who love causing havoc.

That our webmaster manages to keep this running smoothly 99.9% of the time is an achievement that most of us take for granted. Let's not get too annoyed if a blip occurs from time to time.

[Tdol]

We cannot see passwords, so the email is not about the quality of individual passports. Yesterday, we had to upgrade the forum software to a newer version. There was a potential exploit, and the best thing is to get everyone to change passwords. However, asking people is an ineffective way, so the most effective way is to change them en masse. It's not a subtle solution, but it works, though it causes inconvenience.

There probably was nothing wrong with your individual password, but if there's a security risk at a certain point in time, then changing is important- it removes the risk. We've updated the software and everyone has a bright shiny new password, so we're all safer. Some will have been inconvenienced when accessing the forum, but when these things happen, time is of the essence.

We're sorry for the inconvenience and are dealing with the access issues people are having. In your case, you changed the password, so that overwrote the one that you had been sent in the email. If you had seen the email first, that password would have worked (for 24 hours). The system will recognise the latest password saved.

[GoldLight]

As for me, it was not such bad. If I had checked my emails, I would have known what happened and what I should have done.

[SUDHKAMP]

We're sorry for the inconvenience and are dealing with the access issues people are having. In your case, you changed the password, so that overwrote the one that you had been sent in the email. If you had seen the email first, that password would have worked (for 24 hours). The system will recognise the latest password saved.

Had you informed me to open my Email first and then visit the website then I would certainly do so. I am saying that not a simple hint or information was there anywhere on the website and I had to struggle for 25 minutes to straighten up the things. Your Email arrived an hour later and how could I read it before it was sent. The changes were made first and then you have sent the Emails. I have got proof for the same. Would you like to see the timings Tdol and 5jj?

[iannou]

I've written and then cancelled at least two draft messages now. I think I need to reduce my message to point form to avoid losing track. The points are in no particular order, and they are not necessarily related, or even relevant.

• I think the admins do a heck of a job
• Hiccups happen when software changes
• I haven't seen a post from Stan(islaw Masny) in nearly 20 hours, which is unusual
• Is traffic down? Are failed login attempts up? Are these things easily quantifiable?
• Is it possible that some members would benefit from an additional email to clarify the password situation?

I've sent Stan an email message through his user profile. (It's too soon to expect a reply.) I don't want to read too much into Stan's temporary absence, but if he hasn't managed to log in successfully, could others be in the same boat?

Probably this is an overreaction on my part, but I'll accept the risk of appearing foolish if some good might come out of speaking up.


Thank you
Ian

[Tdol]

• I haven't seen a post from Stan(islaw Masny) in nearly 20 hours, which is unusual

He hasn't logged in, so he could be having trouble. Please let me know when he replies to you. If he has any problems, please let me know.

• Is traffic down? Are failed login attempts up? Are these things easily quantifiable?

It's hard to say- traffic's actually considerably up in terms of logins, as many people who have not visited the forum in a long time have logged in after getting the email.

• Is it possible that some members would benefit from an additional email to clarify the password situation?

Possibly, but it would be hard to target them.

[Red5]

Had you informed me to open my Email first and then visit the website then I would certainly do so. I am saying that not a simple hint or information was there anywhere on the website and I had to struggle for 25 minutes to straighten up the things. Your Email arrived an hour later and how could I read it before it was sent. The changes were made first and then you have sent the Emails. I have got proof for the same. Would you like to see the timings Tdol and 5jj?

I take full responsibility for this. I'm afraid I had to take the decision very quickly to reset everyone's passwords due to the discovery of serious security issues as described in Tdol's post above. It is obviously never our intention to inconvenience our members, but in this case I had to make a personal judgement what was best for everyone and the site as a whole.

Due to limitations of both the software and of time, I first had to reset everyone's password which then allowed me to be able to email everyone their new passwords. It is unfortunate, but it takes time to email over 440,000 members - a LOT of time, and sadly some people seem not to have received the email before trying to log in - which is what has caused some confusion. This is why I also placed this post in the announcements area to let everyone know as soon as they entered the forum. You asked why we hadn't contacted you to tell you about this happening before you logged on... well, I hope this shows you that I tried to let you know as soon as possible.

The vast majority of members have not had issues with this process and have been able to log in and continue to use the site perfectly well. I would much rather some people had a few temporary issues logging in, than to find out that there had been a security breach which had exposed our member's personal data and put you at risk. It is our highest priority to make sure that you and others can use this site safely and securely, and it always will be. If this means that I need to take difficult decisions like I did when I reset everyone's passwords then I'm afraid that's what I must do. Our members trust us with their data and expect it to remain safe.

[iannou]

Dear Red5 and the rest of the administrative team,

You'll have to take my word for this, but my slow connection just ate my reply to Tdol's post in which I recognised that these things take time and effort on the part of our admins. Frankly, it was a great letter -- much better than this one.

Now the supper hour is upon me and I don't have the time or inclination to try to recreate that other message.
As far as I know, our admins are all unpaid volunteers. I appreciate your efforts, and if there is an occasional burp or hiccup along the way, I can live with that. There are paid membership sites that don't offer nearly as much value as this free site, imo.

I would ask everyone to bear in mind that we're getting a hell of a deal here, and to try to maintain a sense of perspective when problems occur. You're not dealing with your electrical utility or your ISP here. Please keep it friendly. Show some respect and appreciation.

[konungursvia]

Charliedeut I became a victim after changing my password and after it had been set, the UsingEnglish.com authorities sent me an Email about vulnerability. But I think it is their system which is vulnerable which is not able to discern what to communicate. A software decision gone haywire. Hope the administrators would take note.

Ask for your money back!! ;)

[iannou]

• I haven't seen a post from Stan(islaw Masny) in nearly 20 hours, which is unusual

He hasn't logged in, so he could be having trouble. Please let me know when he replies to you. If he has any problems, please let me know.

I got a reply from Stan. He is having difficulty logging in. He has asked his grandson to stop by and guide him through the password reset process.

I was very pleased to find that UE's software includes an option to send messages to a user's email address. Stan is happy to know he was missed, and I am glad that he will soon be back with us.