If you got Logged out and forum is Asking for a Password Reset... That is OK.

BB.

Everyone,

Our forum hosting service (Vanilla), released a patch today (Friday, November 15th) in the afternoon (4:30pm CST) to fix a possible security vulnerability for some accounts/users.

The patch also forces the user to request a Password Reset or a New Password. This is a valid request and just follow the instructions (ask for an email to be sent to your email account on file, then click link in email and enter new password twice, save)... And you should be good to go.

It only affects some (few?) users--So, hopefully, few or none of you will be affected (I was, took a while with support to figure out what was happening).

-Bill

Horsefly

Since I had to reset my password, I guess I feel... ummm.... special?   

No worries. I thought at first I'd been kicked off the island. Whew!

BB.

I thought I had been kicked off the island too... 

I am always a bit paranoid when password change requests come out of the blue.

-Bill

softdown

That makes three of us. I suspect that most will be affected, perhaps all. 

mcgivor

BB. said:

I thought I had been kicked off the island too... 

I am always a bit paranoid when password change requests come out of the blue.

-Bill

The prinary reason in the message given was an administrator decision, or something along those lines, having to keep track of passwords is a PITA for the most part, but a restrictive imperatives whilst dealing with syber technology seems to be the norm, if I can deal with them, I'm sure most can or perhaps I'm becoming somewhat skilled without knowing it, I don't know....somehow I doubt it. 

littleharbor2

Same password change here.  I'm surprised at the need to change passwords requested by some while others never ask.  For example, aside from this one, I have to change my Social Security password every 6 months while my main bank that has the majority if my financial accounts and info has NEVER asked for a change. My bank has  the most basic requirements of all the password rules I've come across.   That being said, I am now going to change my banking password.:#

littleharbor2

OK Houston, we have a problem here.
  I have changed my password and now have had to log in every time I click onto the discussion page. I haven't even logged out. It's like I'm timing out or something. I have checked the "Keep me logged in" box from the first time I have logged in and it shows I have checked it but keeps logging me out. Anybody else???!

BB.

Not me... Are you using a cookie control app?

Clear cookies and cache, and try again?

-Bill

mike95490

I had to renew the password 2x. but have not had to log in since.

Estragon

Is there a place on the site to do routine password changes?  

I did the password thing yesterday to log in, but set it to the old password.  Tried to set a new one, but the reset thing keeps saying the token is expired.

mike_s

Me, too. And I use highly randomized and unique passwords. Best guess is that the password hashes weren't properly salted when stored.

icarus

I’m getting logged off, and locked out each time....Tony

BB.

To change your password... Top right, click on your username, and navigate to edit profile/change password... Or use this link (you have to be logged in to change your password with this link):

https://forum.solar-electric.com/profile/password

Or, if you are logged off (or are having password problems) the login page has "forgot your password" link... Clicking and entering your user name (or possibly registered email address), that will send an email to your registered email address with another encoded link... Click that link, and you will get the change password screen.

If you change your password too often, or get messed up (I did, I think I got out of sync with the reset password emails... I think the link is a one time use, and if messed up, need to get another new link--I think, not sure)...

I did trip the internal security software because of the password change(s)--And I could never log in until Vanilla cleared the security alert.

-Bill

BB.

And if you cannot login, here is the password reset via your forum email registered address:

https://forum.solar-electric.com/entry/passwordrequest

-Bill

littleharbor2

icarus said:

I’m getting logged off, and locked out each time....Tony

Let us know if you find a fix. This is aggravating. 

Aguarancher

When I log into the site I stay logged in, but when I log out and try to log back in to the site my saved password is incorrect. I then have to put in my correct password  and all is well till I log out again. Kind of a pain..

littleharbor2

Wish it were that simple on my end. The site continually logs me out after only a few minutes even though I have checked the keep me logged in box

BB.

I have forwarded this thread to Vanilla support... If anyone else is having problems, please post here.

-Bill

BB.

From our support folks:

Hey Bill, 

We haven't had any reports of this nature yet, but we're checking into it.  

On our side of the equation, I've flushed your community's cache in case there was a conflict there that was causing issues and I've done a quick audit of a few of your settings to make sure no automatically sign-outs had been toggled on. 

I would advise your users to do the following: 

1) As you suggested, clearing cache/cookies is a good first step.  
2) Update any browser apps or programs they might have that auto-fill passwords.  Most of these prompt the user when a password is changed, but if missed the popup, it could be causing a problem.  
3) Verify that they're signed in with their new password on all devices and browsers that they user to view the forum.  
4) Make sure that the 'Keep me signed in' box is checked off when signing in with the new password

You have a user reporting a "token is expired" issue.  That means they already used that password reset link.  For security reasons, those are one-use only.  They should request a new password change email.  

I'm unsure if you had a chance to see our status page since the issue on Friday, but our dev team has updated it with an incident report that details what happened: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

Let us know if your users continue to have issues.  Also, don't hesitate to reach out if you have any questions or concerns about the security vulnerability that we patched on Friday!

--
Sincerely,
Vanilla Support

-Bill

icarus

I’m getting logged off every time as well....Tony

photowhit_crap

After an hour of so, AFTER it said it had sent a new password, I had not received one (yes, I checked my junk folder) I created a new account on a different Email  address. When  things are working again, please create a new post stating such.

BB.

Photowhit,

Check you PM mailbox (forum messages)... I sent your "on file" email address to this new persona.

Take care,
-Bill

photowhit_crap

BB. said:

Check you PM mailbox (forum messages)... I sent your "on file" email address to this new persona.

Hi Bill I've 2 email addresses for almost 20 years now.  I use 1 for family and one for groups and other stuff I subscribe to and will likely  get junk mail.

I tried  again and have  NOT received the password reset info, though  I get a popup saying it's been sent. I do  check my 'junk mail' folder. Please pass this along to "Vanilla Support". It's a hotmail account FWIW as you have seen.

wellbuilthome

Hi bill , I’ve been cut off all so , the only way I could get back on line was to start a new account ? 

  My other screen name was just wellbuilt thanks  John 

BB.

I have just reported the lack of password emails for Whit and John above to our support folks. I will let you know if I hear anything.

If anyone else is having problems, please feel free to create a new/temp user account and post above... And I will add it to the list. You can also PM me with a new password, and I will enter it into your old account to get you reactivated (I did this for photowhit, but have not heard back from him yet if this worked or not).

Sorry for the mess.
-Bill

Estragon

FWIW, I changed my password using the link in post #13, and have had no problems so far.

To clarify the reset issue though, using the reset in post #14 I got the reset email with a token.   Using that token resulted in the token expired message.  I did this several times using a newly requested token each time.  The token appeared to be unique for each.

BB.

Always more fun:

Hey Bill, 

Both those users' emails (@yahoo.com and @hotmail.com) had been set to Blocked in our system.  That means at one point they marked a forum email (likely a notification) as spam, which triggers a response in our system that stops us from sending them further emails.  I've removed that status from their emails, so they should be able to request the password changes now.  

Let me know if you need anything else!

If anyone else wants to limit the amount of email they get from our forum, you can select the notifications without flagging/returning as spam (assuming that is what happened to our members above):

https://forum.solar-electric.com/profile/preferences/

As always, let me know if stuff is working again or not.

-Bill

Photowhit

I'm back!
Thanks Bill!

BB.

You are very welcome photowhit.

And vanilla is working on telling their spam email flagging system. The present system needs to be optimized to reduce back office work on their side.

Bill

SpongeBobSineWave

It did not work for me so I had to create a brand new account.  The forum did not like my email addresses or passwords so could not update my password.  Also, I do not know if the password it showed as dots was supposed to be my old password or the new password.
Either way, I guess I've lost the account I've had here for 15 or more years.

EDIT:   Looks like you might be able to re-activate my old account, Bill ?

boB

BB.

Good Evening boB,

I was successful (I think) in assigning a new password for you. Check your email account, and it should be in there for your old tried and true account.

Take care,
-Bill