Since a few weeks ago, some people are having trouble logging in, and it's completely my fault.
See what had happened was... I upgraded UMD's password system to a much more secure encryption method. The old password system only paid attention to the first 8 characters of your password, and anything after that was actually ignored.
So over time, a bunch of people had changed their passwords to something else, but probably only changed the ending after the 8th character. So any device that had saved the old password would continue to log in successfully, using the old password... Until now!
Our new system demands the entire pass be accurate, so you'd have to use that correct full password to log into all your devices again. So if you can still log in at all, I recommend just going to your preferences and updating your password (even if you want to use the same one) and then logging into your other devices and browsers again with that known password.
If you can't log in at all, please email me from the address you signed up to UMD with, and I'll be able to reset it for you. I'm at messmaster@umd.net.
If you no longer have access to the email you signed up with, please email me with your username and as many of the following details as you can: 1) If verified, state your real name and address, 2) State any past email addresses you may have used here, 3) List some past purchases you've made, 4) If you've made a past purchase, state your name and zip code.
If none of this works then please sign up to a new UMD account and contact me via inbox. I'll maybe be able to run some checks between your new and old computer signatures to hopefully verify it's you and then update the email and pass of your original account.
I have a ton of emails to get back to people about this, and some of you have been waiting for a long time, so I apologize for that, plus for this issue to begin with. Could have been a much smoother rollout and better communication.
I had that problem this morning - another option (which I used) is to click "Forgot my password". I then got a link sent to my email address, and I used that to enter a new password.
dalamar666 said: With the updates to the passwords and things, have you thought about allowing MFA? Not sure how people would feel about it.
I've always thought multi-factor authentication was a pain in the ass to require of the end user. I usually try to see if there's a way to do things without introducing extra steps. But as an option to recover a password it seems to make sense. I'd just have to start storing people's phone numbers and you know how I hate storing any personal info, so that might be off the table. Thanks for the suggestion!
I have umd automatically set up on my laptop and phone but my work computer? lol....i dont know why but it has a different password saved i guess....or it could have been this! ill check it out again today! thanks for the heads up! I thought i was going crazy! wait.....i mean....im deffo pretty crazy...
Just had to reset my password (with the password link) even though I had the correct one saved (and it wouldn't take it when I typed it in). It seems to have reset ok - demonstrated by this response, but it was weird.
If the first 8 characters of our passwords were encrypted, so you had no access to them and couldn't tell what they were, and the rest of the password was ignored
Then where did you get our full passwords from to be able to encrypt those?
They must have been stored unencrypted somewhere, or at least encrypted in a way that you could access.
I don't see how this upgrade would have been possible without you having access to our passwords in plain text. Unless you had made everybody reset their password, which isn't the case.
Whilst this is unrelated, I've been meaning to ask a question for a while now, and this seems like a good thread to do it on!
When I log in, there is a part of the landing page which says 'last on' or something similar. I normally visit the page every 5 or 6 days, and try to go through the forums from the point in which I was here last. Recently, it has always just said 'Just Now' rather than 6 days ago etc. I've cleared cookies and temporary internet files, but nothing seems to change this. For example, I was 'last on' last Sunday, some 7 days ago. But logging in just now, I was last on just now according to the site.
Is this something I'm doing wrong, or a wider glitch?
Jayce said: I have umd automatically set up on my laptop and phone but my work computer? lol....i dont know why but it has a different password saved i guess....or it could have been this! ill check it out again today! thanks for the heads up! I thought i was going crazy! wait.....i mean....im deffo pretty crazy...
Don't worry about it. We're all at least a little crazy on here.
mhalver said: Just had to reset my password (with the password link) even though I had the correct one saved (and it wouldn't take it when I typed it in). It seems to have reset ok - demonstrated by this response, but it was weird.
The thing is that a bunch of folks had the *wrong* passwords auto-saved, but they still worked anyway. Some people change their passwords, but only like the last few characters instead of the whole thing. So devices would still be logging in successfully with the old auto-saved passwords, and you wouldn't know the difference! With our new system that won't fly any longer.
wtfdownloads said: If the first 8 characters of our passwords were encrypted, so you had no access to them and couldn't tell what they were, and the rest of the password was ignored
Then where did you get our full passwords from to be able to encrypt those?
All password encryption (old and new systems) is one-way, and nothing is ever stored or logged in plain text. I can't tell what they are, and if a hacker got ahold of them they wouldn't be able to see them either.
The only time UMD can see your plain password is right when you log in. So upon successful authentication on the old system, UMD immediately re-encrypts that same password into the new system, and then you are on the new system going forward. Since the password you just submitted was verified good, we just use that without you having to do anything (we see how that turned out tho)
So it's not like all passwords have been upgraded at the same time from some unencrypted list. It can only do it one by one, when each user logs in. Hope that answers
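To illustrate the migrate-on-login flow MM describes, and why a stale auto-saved password that only matched the first 8 characters could be carried over into the new system, here is an added Python example (constructed for this thread, not UMD's code; it assumes the legacy scheme was a salted hash of the truncated password and uses PBKDF2 as the stand-in for the new scheme):

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example, not UMD's code. Record formats are assumed:
#   "legacy$<salt hex>$<sha256 of salt + first 8 chars>"
#   "pbkdf2$<salt hex>$<pbkdf2-hmac-sha256 of the whole password>"

def legacy_hash(password: str, salt: bytes) -> str:
    """Old scheme: everything after the 8th character is silently ignored."""
    truncated = password[:8].encode()
    digest = hashlib.sha256(salt + truncated).hexdigest()
    return f"legacy${salt.hex()}${digest}"

def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """New scheme: the full password goes through a salted, slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a submitted password against whichever scheme the record uses."""
    scheme, salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "legacy":
        expected = legacy_hash(password, salt).split("$")[2]
    else:
        expected = new_hash(password, salt).split("$")[2]
    # constant-time comparison so timing does not leak matching prefixes
    return hmac.compare_digest(expected, digest)

def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Verify, and if the record is still legacy, re-hash the password that
    was just accepted. The plaintext is only available at this moment, so
    whatever string the client sent (even one with a stale tail) is what
    gets migrated; that is the failure mode this thread is about."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("legacy$"):
        users[username] = new_hash(password)
    return True
```

Once a device with an old, partially-changed password logs in first, the migrated record is a full-length hash of that stale string, and the user's real password no longer works anywhere.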
JohnnyD said: When I log in, there is a part of the landing page which says 'last on' or something similar. I normally visit the page every 5 or 6 days, and try to go through the forums from the point in which I was here last. Recently, it has always just said 'Just Now' rather than 6 days ago etc.... For example, I was 'last on' last Sunday, some 7 days ago. But logging in just now, I was last on just now according to the site.
A lot of pages have a timer reset function on them that updates the time of your last hit on the site, so people know you're here online. It's also the same timer that knows to automatically log you out after a period of inactivity.
Ideally this timer should be reset on every page load, but it's "heavy" on our databases to be updating this for every user on every page load, especially some of the more heavily-trafficked pages. So I only put it on some specific pages like the inbox main page, profile homepages, any page that had a form that you might take some time to fill out, etc. If you happened to never hit one of those pages, your Last Online time would become woefully inaccurate or even disappear altogether.
Since upgrading servers, I've been able to slowly add the timer update to more and more pages. Like, a lot of them. So everybody's Last Online times are a lot more accurate now. Just check the Who's Online section of the People page and the whole grid is usually in the seconds, not minutes anymore.
I guess the timer used to be so inaccurate that it was reading like a "last login" time
I've always thought multi-factor authentication was a pain in the ass to require of the end user. I usually try to see if there's a way to do things without introducing extra steps. But as an option to recover a password it seems to make sense. I'd just have to start storing people's phone numbers and you know how I hate storing any personal info, so that might be off the table Thanks for the suggestion!
There are 3rd party multi-factor tools where you do not have to store phone numbers etc. People would just need to have the app on their phones. You do the base authentication and then push it to the 3rd party app.
dalamar666 said: There are 3rd party multi-factor tools that you do not have to store phone numbers etc. People would just need to have the app on their phones. You do the base authentication and then push it to the 3rd party app.
Thanks for the suggestion and I'm aware of the 3rd party services. I'm just really wary about integrating those types of products into UMD because I don't trust anybody lol. Could be an option in the future though if I want it and don't want to store yall's phone numbers.
This info solved the problem I was having. The main system at the Hall and my phone were both logging in fine, but when I tried to log in on a new laptop, even though I knew I was using the right password, no joy.
Just did it typing the first 8 characters only of the password, and it let me in. Have now reset it to the full one, and will presumably have to re-log-in the other devices in due course, but for now am using the new laptop with no issues.
So using the first 8 chars only until reset seems to be a solution to the issue.
wtfdownloads said: It's possible that you used the upgrade as an opportunity to add hashing, and then you have only stored the hashes this time and not the encrypted passwords, making it more secure going forward. Did you add hashing or salting?
Although you'd still have access to everybody's passwords unless they now reset them. You'd just need to use the key on your old encrypted password table.
I can't speak for MM but I think you're misunderstanding.
At the point at which you log into a system, that system can see your credentials. This doesn't mean that it's stored insecurely, but rather that it's there in the incoming data from your browser. The system then hashes the received password and checks it against the existing stored hash to see if they match. This applies to all systems everywhere, not just UMD.
Using TLS/SSL secures the password in transit so a mid-point third party can't read it, but when it arrives at the system you're logging into, it's visible to that system in plain text. If it wasn't, there'd be no way to check if, when hashed, it matches the stored hash or not.
As long as the system you're connecting to hasn't been compromised and isn't doing anything silly like logging the entire received data to a plain text log file, it's still perfectly secure.
Note an attacker would have to be actually inside the Apache process to read the incoming passwords; someone using Wireshark on the ethernet ports would still only see the SSL encrypted string, but the actual web server process sees the unencrypted text once it's beyond the SSL connection.
DungeonMasterOne said: Note an attacker would have to be actually inside the Apache process to read the incoming passwords; someone using Wireshark on the ethernet ports would still only see the SSL encrypted string, but the actual web server process sees the unencrypted text once it's beyond the SSL connection.
Personally I am a fan of password-free login systems where you don't need a password anymore. It works like this:
- you click on Login on the website and get an input field where you enter your email or username.
- Press OK and the system sends you a login link to the email address (that is attached to the username)
- open your email and click on the link that just arrived
- you are taken back to the site and are logged in
The reason I like this is because most email systems have far better security than the login system here. So why not take advantage of that.
And if you really wanna step into the future of login systems, then take a look at Passkeys: https://www.tomsguide.com/news/what-are-passkeys That will take over login systems in the near future and is 100% safe and doesn't use passwords either.
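The email-link flow Yiron outlines, as an added Python example (constructed for this thread, not UMD's or any project's code): the server keeps only a hash of the token, the link expires after a short window, and it can be redeemed exactly once. The user table, URL and time-to-live are assumed values.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed example, not UMD's code. Assumed lookup table of username -> email.
USERS = {"alice": "alice@example.invalid"}
# Assumed: links are valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60
# token hash -> (username, expiry). The plaintext token only travels in the
# email, so a copy of this table alone does not let anyone log in.
PENDING: Dict[str, Tuple[str, float]] = {}

def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def request_login(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use link for the account's email. Returns the link
    that would be emailed, or None for an unknown user; the web response
    should look the same either way so usernames are not enumerable."""
    now = time.time() if now is None else now
    if USERS.get(username) is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING[_token_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
    return f"https://example.invalid/login?token={token}"

def redeem(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume a token from the clicked link. Returns the username on
    success, None if the token is unknown, already used, or expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_hash(token), None)  # pop enforces single use
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    return username
```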
I had the issue on my desktop; laptop stayed logged in. So I changed the password on the laptop and cleared website data. Was able to login thereafter on both just fine. Figured it was a caching issue or similar but this makes more sense. Thanks for shining some light, MM.
Yiron said: Personally I am a fan of password-free login systems where you don't need a password anymore. It works like this: - you click on Login on the website and get an input field where you enter your email or username. - Press OK and the system sends you a login link to the email address (that is attached to the username) - open your email and click on the link that just arrived - you are taken back to the site and are logged in
The reason I like this is because most email systems have far better security than the login system here. So why not take advantage of that.
And if you really wanna step into the future of login systems, then take a look at Passkeys: https://www.tomsguide.com/news/what-are-passkeys That will take over login systems in the near future and is 100% safe and doesn't use passwords either.
I like passkeys. Hell we could go to individual certificates.
I've always thought multi-factor authentication was a pain in the ass to require of the end user. I usually try to see if there's a way to do things without introducing extra steps. But as an option to recover a password it seems to make sense. I'd just have to start storing people's phone numbers and you know how I hate storing any personal info, so that might be off the table. Thanks for the suggestion!
There are 3rd party multi-factor tools where you do not have to store phone numbers etc. People would just need to have the app on their phones. You do the base authentication and then push it to the 3rd party app.
Any time I arrive at a site that requires 3rd-party systems to use it, I leave and never return. I run Adblock, NoScript, and Privacy Badger everywhere. I don't install apps for ANY website. A web browser is the only thing needed to access a legitimate web site. Anything "app only" is bullshit spyware that I will never use.