If you got Logged out and forum is Asking for a Password Reset... That is OK.

BB. Super Moderators, Administrators Posts: 29,802 admin
Everyone,

Our forum hosting service (Vanilla), released a patch today (Friday, November 15th) in the afternoon (4:30pm CST) to fix a possible security vulnerability for some accounts/users.

The patch also forces the user to request a Password Reset or a New Password. This is a valid request and just follow the instructions (ask for an email to be sent to your email account on file, then click link in email and enter new password twice, save)... And you should be good to go.

It only affects some (few?) users--So, hopefully, few or none of you will be affected (I was, took a while with support to figure out what was happening).

-Bill
Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset

Comments

  • Horsefly Registered Users Posts: 368 ✭✭✭✭
    edited November 16 #2
    Since I had to reset my password, I guess I feel... ummm.... special?    :|

    No worries. I thought at first I'd been kicked off the island. Whew!
    Off-grid cabin: 6 x Canadian Solar CSK-280M PV panels, Schneider XW-MPPT60-150 Charge Controller, Schneider CSW4024 Inverter/Charger, Schneider SCP, 4 x Vmax XTR12-155 12V, 155AH batteries in a 2x2 24V 310AH bank.
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    I thought I had been kicked off the island too...  :o

    I am always a bit paranoid when password change requests come out of the blue.

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • softdown Solar Expert Posts: 2,749 ✭✭✭✭
    That makes three of us. I suspect that most will be affected, perhaps all. 
    First Bank:16 180 watt Grape Solar with  FM80 controller and 3648 Inverter....Fullriver 8D AGM solar batteries. Second Bank/MacGyver Special: 10 165(?) watt BP Solar with Renogy MPPT 40A controller/ and Xantrex C-35 PWM controller/ and Morningstar PWM controller...Cotek 24V PSW inverter....forklift and diesel locomotive batteries
  • mcgivor Solar Expert Posts: 3,201 ✭✭✭✭✭
    BB. said:
    I thought I had been kicked off the island too...  :o

    I am always a bit paranoid when password change requests come out of the blue.

    -Bill
    The primary reason in the message given was an administrator decision, or something along those lines, having to keep track of passwords is a PITA for the most part, but restrictive imperatives whilst dealing with cyber technology seem to be the norm, if I can deal with them, I'm sure most can or perhaps I'm becoming somewhat skilled without knowing it, I don't know....somehow I doubt it.
    1500W, 6× Schutten 250W Poly panels , Schneider MPPT 60 150 CC, Schneider SW 2524 inverter, 400Ah LFP 24V nominal battery bank 
    Second system 1890W  3 × 300W No name brand poly, 3×330 Sunsolar Poly panels, Morningstar TS 60 PWM controller, no name 2000W inverter 400Ah FLA 24V nominal used for water pumping and day time air conditioning.  
    5Kw Yanmar clone single cylinder air cooled diesel generator for rare emergency charging and welding.
  • littleharbor2 Solar Expert Posts: 1,449 ✭✭✭✭
    Same password change here.  I'm surprised at the need to change passwords requested by some while others never ask.  For example, aside from this one, I have to change my Social Security password every 6 months while my main bank that has the majority of my financial accounts and info has NEVER asked for a change. My bank has the most basic requirements of all the password rules I've come across.   That being said, I am now going to change my banking password.:#

    2.1 Kw Suntech 175 mono, Classic 200, Trace SW 4024 ( 15 years old  but brand new out of sealed factory box Jan. 2015), Bogart Tri-metric, 700 ah @24 volt AGM battery bank. Plenty of Baja Sea of Cortez sunshine.

  • littleharbor2 Solar Expert Posts: 1,449 ✭✭✭✭
    edited November 16 #7
    OK Houston, we have a problem here.
      I have changed my password and now have had to log in every time I click onto the discussion page. I haven't even logged out. It's like I'm timing out or something. I have checked the "Keep me logged in" box from the first time I have logged in and it shows I have checked it but keeps logging me out. Anybody else???!

    2.1 Kw Suntech 175 mono, Classic 200, Trace SW 4024 ( 15 years old  but brand new out of sealed factory box Jan. 2015), Bogart Tri-metric, 700 ah @24 volt AGM battery bank. Plenty of Baja Sea of Cortez sunshine.

  • BB. Super Moderators, Administrators Posts: 29,802 admin
    Not me... Are you using a cookie control app?

    Clear cookies and cache, and try again?

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • mike95490 Solar Expert Posts: 8,490 ✭✭✭✭✭
    I had to renew the password 2x. but have not had to log in since.
    Powerfab top of pole PV mount | Listeroid 6/1 w/st5 gen head | XW6048 inverter/chgr | Iota 48V/15A charger | Morningstar 60A MPPT | 48V, 800A NiFe Battery (in series)| 15, Evergreen 205w "12V" PV array on pole | Midnight ePanel | Grundfos 10 SO5-9 with 3 wire Franklin Electric motor (1/2hp 240V 1ph ) on a timer for 3 hr noontime run - Runs off PV ||
    || Midnight Classic 200 | 10, Evergreen 200w in a 160VOC array ||
    || VEC1093 12V Charger | Maha C401 aa/aaa Charger | SureSine | Sunsaver MPPT 15A

    solar: http://tinyurl.com/LMR-Solar
    gen: http://tinyurl.com/LMR-Lister ,

  • Estragon Registered Users Posts: 4,283 ✭✭✭✭✭
    Is there a place on the site to do routine password changes?  

    I did the password thing yesterday to log in, but set it to the old password.  Tried to set a new one, but the reset thing keeps saying the token is expired.
    Off-grid.  
    Main daytime system ~4kw panels into 2xMNClassic150 370ah 48v bank 2xOutback 3548 inverter 120v + 240v autotransformer
    Night system ~1kw panels into 1xMNClassic150 700ah 12v bank morningstar 300w inverter
  • mike_s Registered Users Posts: 99 ✭✭
    Me, too. And I use highly randomized and unique passwords. Best guess is that the password hashes weren't properly salted when stored.
  • icarus Solar Expert Posts: 5,389 ✭✭✭✭
    I’m getting logged off, and locked out each time....Tony
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    To change your password... Top right, click on your username, and navigate to edit profile/change password... Or use this link (you have to be logged in to change your password with this link):

    https://forum.solar-electric.com/profile/password

    Or, if you are logged off (or are having password problems) the login page has "forgot your password" link... Clicking and entering your user name (or possibly registered email address), that will send an email to your registered email address with another encoded link... Click that link, and you will get the change password screen.

    If you change your password too often, or get messed up (I did, I think I got out of sync with the reset password emails... I think the link is a one time use, and if messed up, need to get another new link--I think, not sure)...

    I did trip the internal security software because of the password change(s)--And I could never log in until Vanilla cleared the security alert.

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    And if you cannot login, here is the password reset via your forum email registered address:

    https://forum.solar-electric.com/entry/passwordrequest

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • littleharbor2 Solar Expert Posts: 1,449 ✭✭✭✭
    icarus said:
    I’m getting logged off, and locked out each time....Tony
    Let us know if you find a fix. This is aggravating. 

    2.1 Kw Suntech 175 mono, Classic 200, Trace SW 4024 ( 15 years old  but brand new out of sealed factory box Jan. 2015), Bogart Tri-metric, 700 ah @24 volt AGM battery bank. Plenty of Baja Sea of Cortez sunshine.

  • Aguarancher Solar Expert Posts: 291 ✭✭✭
    When I log into the site I stay logged in, but when I log out and try to log back in to the site my saved password is incorrect. I then have to put in my correct password  and all is well till I log out again. Kind of a pain..

  • littleharbor2 Solar Expert Posts: 1,449 ✭✭✭✭
    Wish it were that simple on my end. The site continually logs me out after only a few minutes even though I have checked the keep me logged in box

    2.1 Kw Suntech 175 mono, Classic 200, Trace SW 4024 ( 15 years old  but brand new out of sealed factory box Jan. 2015), Bogart Tri-metric, 700 ah @24 volt AGM battery bank. Plenty of Baja Sea of Cortez sunshine.

  • BB. Super Moderators, Administrators Posts: 29,802 admin
    I have forwarded this thread to Vanilla support... If anyone else is having problems, please post here.

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    From our support folks:
    Hey Bill, 

    We haven't had any reports of this nature yet, but we're checking into it.  

    On our side of the equation, I've flushed your community's cache in case there was a conflict there that was causing issues and I've done a quick audit of a few of your settings to make sure no automatic sign-outs had been toggled on.

    I would advise your users to do the following: 

    1) As you suggested, clearing cache/cookies is a good first step.  
    2) Update any browser apps or programs they might have that auto-fill passwords.  Most of these prompt the user when a password is changed, but if they missed the popup, it could be causing a problem.  
    3) Verify that they're signed in with their new password on all devices and browsers that they use to view the forum.  
    4) Make sure that the 'Keep me signed in' box is checked off when signing in with the new password

    You have a user reporting a "token is expired" issue.  That means they already used that password reset link.  For security reasons, those are one-use only.  They should request a new password change email.  

    I'm unsure if you had a chance to see our status page since the issue on Friday, but our dev team has updated it with an incident report that details what happened: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

    Let us know if your users continue to have issues.  Also, don't hesitate to reach out if you have any questions or concerns about the security vulnerability that we patched on Friday!

    --
    Sincerely,
    Vanilla Support
    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • icarus Solar Expert Posts: 5,389 ✭✭✭✭
    I’m getting logged off every time as well....Tony
  • photowhit_crap Registered Users Posts: 3
    After an hour or so, AFTER it said it had sent a new password, I had not received one (yes, I checked my junk folder) I created a new account on a different Email address. When things are working again, please create a new post stating such.
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    Photowhit,

    Check your PM mailbox (forum messages)... I sent your "on file" email address to this new persona.

    Take care,
    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • photowhit_crap Registered Users Posts: 3
    BB. said:
    Check your PM mailbox (forum messages)... I sent your "on file" email address to this new persona.
    Hi Bill, I've had 2 email addresses for almost 20 years now.  I use 1 for family and one for groups and other stuff I subscribe to and will likely get junk mail.

    I tried again and have NOT received the password reset info, though I get a popup saying it's been sent. I do check my 'junk mail' folder. Please pass this along to "Vanilla Support". It's a hotmail account FWIW as you have seen.
  • wellbuilthome Registered Users Posts: 8 ✭✭
    Hi Bill, I’ve been cut off also, the only way I could get back online was to start a new account?
      My other screen name was just wellbuilt. Thanks, John
    Out back  flex power one vfx3648A 15 295 watt panel . 
     Out back fx80 CC 
     16  GC 215 amp ah battery’s 
       9 295 watt panels for ground mount  will be installed next year 
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    I have just reported the lack of password emails for Whit and John above to our support folks. I will let you know if I hear anything.

    If anyone else is having problems, please feel free to create a new/temp user account and post above... And I will add it to the list. You can also PM me with a new password, and I will enter it into your old account to get you reactivated (I did this for photowhit, but have not heard back from him yet if this worked or not).

    Sorry for the mess.
    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • Estragon Registered Users Posts: 4,283 ✭✭✭✭✭
    FWIW, I changed my password using the link in post #13, and have had no problems so far.

    To clarify the reset issue though, using the reset in post #14 I got the reset email with a token.   Using that token resulted in the token expired message.  I did this several times using a newly requested token each time.  The token appeared to be unique for each.
    Off-grid.  
    Main daytime system ~4kw panels into 2xMNClassic150 370ah 48v bank 2xOutback 3548 inverter 120v + 240v autotransformer
    Night system ~1kw panels into 1xMNClassic150 700ah 12v bank morningstar 300w inverter
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    Always more fun:
    Hey Bill, 

    Both those users' emails (@yahoo.com and @hotmail.com) had been set to Blocked in our system.  That means at one point they marked a forum email (likely a notification) as spam, which triggers a response in our system that stops us from sending them further emails.  I've removed that status from their emails, so they should be able to request the password changes now.  

    Let me know if you need anything else!
    If anyone else wants to limit the amount of email they get from our forum, you can select the notifications without flagging/returning as spam (assuming that is what happened to our members above):

    https://forum.solar-electric.com/profile/preferences/

    As always, let me know if stuff is working again or not.

    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • Photowhit Solar Expert Posts: 5,033 ✭✭✭✭
    I'm back!
    Thanks Bill!
    Home system 4000 watt (Evergreen) array standing, with 2 Midnite Classic Lites,  Midnite E-panel, Prosine 1800 and Exeltech 1100, 660 ah 24v ForkLift battery. Off grid for @16 of last 17 years. Assorted other systems, and too many panels in the closet to not do more...lol
  • BB. Super Moderators, Administrators Posts: 29,802 admin
    You are very welcome photowhit.

    And vanilla is working on telling their spam email flagging system. The present system needs to be optimized to reduce back office work on their side.

    Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset
  • SpongeBobSineWave Registered Users Posts: 1
    edited November 22 #30
    It did not work for me so I had to create a brand new account.  The forum did not like my email addresses or passwords so could not update my password.  Also, I do not know if the password it showed as dots was supposed to be my old password or the new password.
    Either way, I guess I've lost the account I've had here for 15 or more years.

    EDIT:   Looks like you might be able to re-activate my old account, Bill ?

    boB

  • BB. Super Moderators, Administrators Posts: 29,802 admin
    Good Evening boB,

    I was successful (I think) in assigning a new password for you. Check your email account, and it should be in there for your old tried and true account.

    Take care,
    -Bill
    Near San Francisco California: 3.5kWatt Grid Tied Solar power system+small backup genset