Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Not able to log into my previous account, and there's no "Forget Password"

Status
Not open for further replies.

tLegacyExplorer

Programmer
Aug 15, 2024
1
Hi,

Do you know what email or forum I can ask about this? How do we contact the webmaster?

I know this isn't the correct forum for asking, but there doesn't seem to be a correct forum.

I had an account with Tek-Tips under 2 different emails, but I can't log into either of them now. And I'm suddenly getting all sorts of threads from Tek-Tips in one of those emails.

There's no "Forget Password" or Reset option when trying to re-configure the accounts. If I try to register those emails as if they were new accounts, Tek-Tips responds that an account already exists.
 
Solution
There's also a contact us link on the bottom of the site which will come to me. I sent you an email directly as well.

If you access the login page try using your email address along with your old password to login.
The forgot password link is under the username/password prompt on the home page.
That being said, you may be using a no-longer-valid link. Since it's a new site, the links have changed.
Please click on "Home" and you should see "Forgot Password" right under the username/password on the right.
 
There's also a contact us link on the bottom of the site which will come to me. I sent you an email directly as well.

If you access the login page try using your email address along with your old password to login.
 
Solution
On my computer at least, the entire site seemed to suddenly change its appearance, its structure and its underlying philosophy three or four days ago. If there was any advance warning that this was going to happen, I missed it. I used to get a start-up screen that simply showed me a summary of recent activity on my small number of selected forums, from where I could dive quickly into posts that caught my attention. Now I find myself drowning in stuff that is 99% irrelevant to me.

Is there somewhere I can find some instructions that might help me get back to a more "focussed" view? Otherwise it's a case of "So long, and thanks for all the fish" (with appropriate apologies to DA).
 
Thanks Jon/gbaughma/doubledriveline,

I found the Forgot Password link that you pointed out, and am back in the official profile.

I don't know the answer to your question, Deniall. If I find out, I'll forward a reply.
 
seemed to suddenly change its appearance, its structure and its underlying philosophy three or four days ago

Yep. Whole site was ported off the old custom ColdFusion-based platform onto a newer platform PHP-based platform, Xenforo, that is utilised by a fair number of different sites.

As a result the initial interface does indeed have a somewhat different look and feel. Interestingly, much of the old functionality is still there, hidden away. And hopefully feedback to the site operators will result in it being exposed in a better way!
 
No wonder I cannot navigate like before.

How do I stop these incessant email notifications coming to my email, hence my cell phone.

ANNOYING!!!!
 
How do I stop these incessant email notifications coming to my email, hence my cell phone.
Go to your profile (your name top right) and select Preferences. Whole host of email and alert notification settings available there. Looks like the site operators erred on the side of maximum notification to start with> There are also settings on a per fora and per thread available, although setting and unsetting them seems to be a bit cumbersome (I may be missing something obvious, but given this new interface doesn't exactly exude discoverability, perhaps not)
 
Regarding the original topic/question.

Besides the password reset you can use, try your old password changed to all lowercase and cut off at 10 characters.
When you successfully logged in change your password.

Edit: Without the intent to panic anybody, this cut off was done at the old site and so the stored password hash was based on that not on the full password you may have entered (unless you used the remember me feature), so the new site not doing this lowercase cut off of the entered password computes the hash of the full password which does not match. Considering an already older video on password security hashing with md5 is pretty insecure as you can brute force the hashes of a hall of fame list of mostly used passwords for lengths up to 16 characters. I have no idea what the old Cold Fusion based website used as password hashing algorithm, the new one uses modern algorithms like Argon2, as can also be deducted from an image of a hash at https://xenforo.com/features/security/

The manual (likely adressing not tech savy users) at https://xenforo.com/docs/xf2/user-security/ is encouraging forum maintainers to encourage their users to use password managers generating long and secure passwords, which to me points out the Xenforo forum won't do password simplifying and shortening methods like the old site did. Therefore the new tek-tips is more secure in that regard.

By the way, if you think knowing details like the hash algorithm of a forum undermines the security of it, ask me for a 101 on cryptography, it's not my core expert knowledge but I can tell you enough about how actually completely open sourced cryptography algorithms are the basis of a high security, I won't go into details before there are doubts posted.

One thing is for sure, when your old password worked for you, it can only work because the stored hash is still the old one marked as being generated by the hash algorithm used by the Cold Fusion system and so the migration to the new Xenforo software basis of this forum did not improve your password security in itself. It could be that your first login also causes a rehashing with the newe,r better algorithm, but even if Argon2id (current contender for most secure cryptographic hash) was used to hash your old password and is now stored into your profile data, you're better off renewing your password.

Tip: Think of a sentence you can easily remember, maybe even two. Take the first letter of each word and you have a good basis for a secure password you can remember without needing a password manager. Add in digits to not only have letters, add in punctuation and you also cover the category of special characters.

There's absolutely nothing to say against password managers that even can remember much longer and better passwords for you. A manager should enable you to use your password database on multiple devices, but I always like to have my passwords memorized for myself, no matter how bad a worst case scenario must be to lose your managed passwords.


How do I know about the password modification and cut off? You might be even more interested as Staff member:
Well, by accident - One day I slipped on the enter key before the full password was entered and was logged in anyway. Then I tested what number of characters are enough and also whether upper or lower case matters. It's really a bad habit by systems to not allow all characters, even worse cutting passwords off. But you're not alone with this kind of restrictions - or were not.
 
Last edited:
Since the code bloat to run this site is 1500% more code than the old site, does that mean my password must be 1500% longer to maintain the same level of security? Or, instead of linearly, does my password need to be geometrically ( len(pw)^15 ) longer to maintain the same site security as the old site?
 
Neither is the code 1500% of the old site, just the main page HTML has that much more lines than the main page of eng-tips (I know where you got that number from). The html output of code does neither go linear nor logarithmic with the output length, even a simple PHP include (1 line of code) can insert a block of 1000s of lines of HTML, (and Javascript), so your conclusions about the code complexity are concluded from thin air.

If you cut off passwords at 10 characters, that's clearly lowering their security, isn't it? I don't really know what I need to explain to prove the obvious. Your choice of password length determines the domain of possible values. If you pick a small domain by picking a short password, that highers your risk of the password being cracked simply by trying all the billions of short passwords. They might already be billions even only choosing letters 26^n for passwords of length n, so 26^10 for 10 character passwords. Still all 26^16 password combinations possible with letters and even more with digits and other characters are doable for older hash algorithms like md5 using GPU cards with massive parallel execution of code.

Read https://www.spiceworks.com/it-secur...icles/tackling-gpu-enabled-password-cracking/ or search youself in that direction.

Anyway, let me correct myself in this way: As your effective password was only 10 characters even if you had a password manager generating 100 character long passwords for you, then your old paswsword is strong, just the old password hash was only taking 10 of these 100 characters into account and made any strong password weak. You can use your long password now as that is secure enough and this new version of tek tips will take it into account fully. Anyway, new or migrated site also suggests changng password anyway.

PIcking a new password guarantees that the default more secure hashing algorithm for this site is used for it. Keeping your old password means keeping your old hash, including the old weaker shorter password and hashing algorithm. If you used the remember me mechnism and it meant you didn't had to log in even into the new site as it recognized you, then congrats, but that doesn't make your accout security not depend on the stored password hash generated with an older hash algorithm from a 10 character cut off password.
 
Last edited:
Ok, so with a universe of approx 100 or so printable characters (did not count them, just guessing), are you saying that a 10 character password is virtually unbreakable for all practical purposes for this site? I use hundreds of different passwords on hundreds of different sites and in 40 years have never had any of them compromised.

Yes, compared those two pages since I do not have the old code for TT. Assumed, yeah I know, that the rest of the site would follow suit. Apparently not.

Just because 1000s of lines can be inserted at once, does not lessen the potential number of attack points hackers can use. It actually increases the points because there is more code that can have potential security issues. Further mass insertions can result in mass insertions of unknown security issues if the code has not been thoroughly debugged. More code always equals more potential problems and usually harder problems to fix since many fixes seem to generate even more problems.

I am a firm believer in the KISS rule. Fix what is broken, don't always start over from scratch.
 
are you saying that a 10 character password is virtually unbreakable for all practical purposes for this site?
I said the complete inverse of that. A 10 character password is weak. And the previous programming of this site cut off passwords that were longer than 10 characters to 10 characters.
That was broken.

If you had followed the link I posted last and read it you could have read their recommendation to use no less than 12 caharacters for a password.
 
Let me boil it down to the essence you need to understand to make the recommended action evident.

I assume many people use password managers not only to remember site passwords, but also generating safer passwords than you thought of and remembered yourself. Password managers don't necessarily generate 100 character passwords, but they can and can obviously remember them for you. 100 character passwords are from a "universe" as you call it, a domain of possible passowrds I would call it that is so vast, that it's over the top, actually, but it won't harm to have a safer password than necessary.

Now take in the fact that the old site cut it off to 10 characters at max. Your password strength was that of a 10 character password, not that of a 100 character password. And what migrated was the hash of that shorter password.

That makes this short password your password for the new tek-tips, too. If you want to actually protect your account with a longer than 10 character password the only way to get there is to change your password and go through the process of thereby changing the stored hash of it. So change your password, no matter if your previous (or still current) password was shorter or longer than 10 characters.

Well, or even shorter:
When you managed to log into your old account, congrats. I'd recommend to change password to ensure you really profit from the upgrade of forum login security.
 
Last edited:
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top