New Security Measures

Blog Discussion in 'BeerAdvocate Talk' started by Todd, Jul 17, 2020.

Thread Status:
Not open for further replies.
  1. Todd

    Todd Founder (13,254) Aug 23, 1996 Finland
    Staff Super Mod Pooh-Bah Society Trader

    In addition to the numerous measures that we've taken since the 2012-2013 data breach, we just applied the following updates to help protect our services and your accounts.

    Mass Password Reset
    To secure all accounts, all passwords have been changed and password resets are required.
    • Important: If you no longer have access to the email that's associated with your account, please contact us with your username, existing email address, and new email address.
    • Important: You won't be able to change your password (different than resetting) or email address from your account settings until you reset your password (see below).
    How to Reset Your Password
    https://www.beeradvocate.com/community/lost-password/
    • If you're logged out, use the above link to reset your password.
    • If you're logged in, you'll need to log out (desktop: mouseover your avatar/name; mobile: click your avatar in the main navigation) and reset your password using the above link.
    • No action is required if you created your account after 3pm PT on July 17, 2020.
    Forced Password Changes
    Passwords will eventually expire based on various criteria.

    Login Sessions
    Do you log in from multiple devices? Head to your account settings to view all active login sessions for your account and remove sessions from your devices. Handy if you forgot to log out from a public or work computer.

    Security Watchers
    We've installed watchers to help detect abnormal or malicious site activity.

    Questions on these measures and protecting your account? Let us know.

    We also recommend that you read: How to Secure Your Account.
     
    Shanex, WoodBrew, larryi86 and 10 others like this.
  2. Bitterbill

    Bitterbill Grand High Pooh-Bah (6,772) Sep 14, 2002 Wyoming
    Pooh-Bah Society

  3. SFACRKnight

    SFACRKnight Grand Pooh-Bah (3,274) Jan 20, 2012 Colorado
    Pooh-Bah Society Trader

    Ditto. Didn't see the email, figured my account got haxored. :rolling_eyes:
     
    ChicagoJ, Shanex and BrewsOverHoes like this.
  4. Jugs_McGhee

    Jugs_McGhee Grand Pooh-Bah (5,956) Aug 15, 2010 Colorado
    Pooh-Bah Society Trader

    There's literally no way to actually read your privacy policy or terms of use before clicking the checkbox to agree to them. The links to them aren't active until after you've agreed.

    What is this...amateur hour?
     
  5. jvgoor3786

    jvgoor3786 Grand Pooh-Bah (4,186) May 28, 2015 Arkansas
    Pooh-Bah Society Trader

    Forced password changes are not necessarily an industry best practice. I believe NIST guidelines recommend against it. Just make us choose a strong password with 2FA.
     
    #5 jvgoor3786, Jul 18, 2020
    Last edited: Jul 18, 2020
  6. DIM

    DIM Grand Pooh-Bah (4,134) Sep 28, 2006 Pennsylvania
    Pooh-Bah Society Trader

    Comic Book Guy from The Simpsons is only funny as a cartoon, that kind of snark doesn't work in real life. Be nice.
     
  7. LarryV

    LarryV Grand Pooh-Bah (4,754) Jun 13, 2001 Massachusetts
    Pooh-Bah Society

    I totally agree, and for 2FA, why can't you just text us a code, I really don't want to download and install an app for that purpose. Amazon, Google, all the financial institutions I deal with just text the authorization code to my cell.
     
    Shanex, Jaycase and jvgoor3786 like this.
  8. Todd

    Todd Founder (13,254) Aug 23, 1996 Finland
    Staff Super Mod Pooh-Bah Society Trader

    May have been some caching going on. Just tested multiple times. Working fine. More than happy to reset this for you or anyone else. Just DM me.
     
    meefmoff, sulldaddy and officerbill like this.
  9. MNAle

    MNAle Initiate (0) Sep 6, 2011 Minnesota

    re: forced password changes. Hopefully, it will be a bit more graceful than having to go through the "forgot password" rigamarole.
     
    Todd likes this.
  10. Todd

    Todd Founder (13,254) Aug 23, 1996 Finland
    Staff Super Mod Pooh-Bah Society Trader

    As mentioned, we'll be looking at forcing updates based on various criteria. For example: that could be users who don't have 2FA activated. :wink:
     
    jvgoor3786 likes this.
  11. jvgoor3786

    jvgoor3786 Grand Pooh-Bah (4,186) May 28, 2015 Arkansas
    Pooh-Bah Society Trader

    Awesome. Can we get a text code option?
     
    Todd likes this.
  12. Todd

    Todd Founder (13,254) Aug 23, 1996 Finland
    Staff Super Mod Pooh-Bah Society Trader

    Yeah. It's a PITA, but the only other option was emailing everyone new passwords. Hard pass on that.
     
  13. Todd

    Todd Founder (13,254) Aug 23, 1996 Finland
    Staff Super Mod Pooh-Bah Society Trader

    You can use an app, email confirmation, or backup codes. Visit the Two-Step Verification setting under your account to learn more.
     
    Scrapss, vurt and jvgoor3786 like this.
  14. officerbill

    officerbill Pooh-Bah (2,228) Feb 9, 2019 New York
    Pooh-Bah Trader

    I don't think most folks on BA want to go through the hassle of 2 factor logins at each visit. This is a beer forum, not a bank.
     
  15. MNAle

    MNAle Initiate (0) Sep 6, 2011 Minnesota

    Yeah. If I have to choose one or the other, I would choose periodic forced password change. I have a pretty slick method for dealing with that, since it was required by my former employer.
     
    Bitterbill and officerbill like this.
  16. jvgoor3786

    jvgoor3786 Grand Pooh-Bah (4,186) May 28, 2015 Arkansas
    Pooh-Bah Society Trader

    It's only required when you log in. If you stay logged in on a specific device, you'll never have to deal with it. It prevents people from logging in from other devices. While I understand most people don't really care if someone hijacks a beer account, if you use the same password on any other account, the added protection is important. For example, if you use the same password for BA and your email, then if someone steals your BA info, they could use it to log into your email. I'm guessing your email is where all your password resets are sent.

    Sorry, I can rant about passwords a bit too much....
     
  17. ovaltine

    ovaltine Grand Pooh-Bah (5,811) Apr 6, 2010 Indiana
    Pooh-Bah Society Trader

    It took me about 48 seconds to update, and I'm a moron, so you made the right choice, IMHO. This was a minor, minor inconvenience.

    The heart attack I almost suffered when I couldn't access the WBAYDN thread for about an hour, OTOH, was a mind-bending inconvenience. I almost started to hyperventilate.

     
  18. DEdesings57

    DEdesings57 Pooh-Bah (2,472) Aug 26, 2012 New Jersey
    Pooh-Bah Society Trader

    Wait what? We are being told about a breach that happened 8 years ago and to take protective measures against it today?!?!
     
  19. jarrettbrown

    jarrettbrown Initiate (0) Jan 14, 2013

    Done
     
    Todd likes this.
  20. CSO

    CSO Savant (1,098) Jan 31, 2014 Illinois
    Trader

    The email attached to my account is no longer valid. How do I go about resetting my password?
     
    BeastOfTheNortheast likes this.