Password Leaks

[trog]

I can remove the Require location field from the user Registration setup.

It would certainly be a quick fix until a better solution is found if the issue is still able to affect new members.

 

[Brian]

It would certainly be a quick fix until a better solution is found if the issue is still able to affect new members.

I have just done this.

 

[trog]

I have just done this.

That may have not pleased BH if he has not used his new account yet but is for the best I think

 

[Black Hole]

No that was fine, it was after I registered. FWIW I had no problems with it:



It is a shame to lose the Location field as "required", because it provides context if the user sets it up properly (which, obviously, I didn't!). However, if it is the forum causing it to malfunction, I agree it's not worth it.

@Brian: you can kill that account now if you like, it is of no use now and I'm not sure I even remember what password I set.

 

[Brian]

@Brian: you can kill that account now if you like, it is of no use now and I'm not sure I even remember what password I set.

Would you like me to ban this account, then you can try to log in again to see if you can access anything on the forum, or whether you keep getting any error messages?

 

[Black Hole]

Good idea (now, what was that password?...)

 

[Brian]

Good idea (now, what was that password?...)

Done, see what you can do now, and report back with any screenshots if relevant.

 

[Luke]

The fact that I have spotted at least 3 members affected recently and never before suggests to me that something in the system has changed rather than Brians "user error" reason, clearly it is an important enough problem to given its own thread and immediate attention by those in power here so feel free to start it off.

A recent change (some where from May 2025 to August 2025) was that the location became mandatory.

I tried a second registration this afternoon. Miss the location out (when it was mandatory) and try to proceed and it comes up with an error message that a field is mandatory. Although the field is highlighted the error message does not include the field name I.e. "Location". It is quite easy to presume that as the highlighted entry field is immediately below the password, that it is just a common registry screen that asks for the password twice and not check what that field is really for.

 

[prpr]

Why aren't people using 2FA?
Relying on passwords is just daft in the current world.

 

[prpr]

And why does this happen?

It said "2 minutes" before I could capture it. Is the clock wrong on the server by this much?
It's frequently been late by 15s which causes "In a moment" but this is another level.

 

[Black Hole]

Why aren't people using 2FA?
Relying on passwords is just daft in the current world.

2FA isn't a replacement for passwords! Do you mean biometric? I see there is now a biometric login available on the forum, I didn't know about that.

Anyway, as a banned user I wasn't able to do or see anything at all. In fact, I couldn't even access the menu required to log out!

A recent change (some where from May 2025 to August 2025) was that the location became mandatory.

Are you sure? How have you managed to put a date on it?

 

[prpr]

2FA isn't a replacement for passwords!

Well obviously I know that. But it saves somebody who's had their password leaked from having their account compromised.

Do you mean biometric?

Not necessarily. I use an authenticator app. where possible (with backup codes). Other organisations only do the SMS thing for generating the number, which is itself open to SIM swap abuse and takeover.

 

[Luke]

Are you sure? How have you managed to put a date on it?

getawaycar registered on the 9th May 2025 and does not have a location. I've also seen a couple dated April 2025 with a blank location.

August is an educated guess. There weren't many registrations that I came across during June and July, but after that all later registrations in 2025 I came across had a location. That would be a bit unusual compared to pre-2025 registrations if location was not mandatory. Plus the earliest member that I came across with what appeared to be a password in the location was 15th September 2025 (now updated to have a blank location).

 

[antipodean]

Why aren't people using 2FA?
Relying on passwords is just daft in the current world.

I don't like 2FA because I don't want my phone buzzing with something I need to enter to continue entry to the site every time I want to access it. I can understand using 2FA for initial confirmation as a new user, and to establish a backup channel for contact, but provided the password is "strong enough" then from then on 2FA shouldn't be needed.

 

[EEPhil]

I don't like 2FA because I don't want my phone buzzing with something I need to enter to continue entry to the site every time I want to access it.

You'd really love GOV.UK One Login. Every flippin' time I need to enter the ruddy code sent to my phone to access the webshite on my computer.

 

[Owen Smith]

You'd really love GOV.UK One Login. Every flippin' time I need to enter the ruddy code sent to my phone to access the webshite on my computer.

Yes it is rather annoying.

 

[prpr]

Wow, I'm amazed at the opposition. Perhaps you people would all like others accessing your stuff. I prefer otherwise.

In the case of hummy.tv it's once every 30 days which is fairly non-onerous.

 

[Owen Smith]

Wow, I'm amazed at the opposition. Perhaps you people would all like others accessing your stuff. I prefer otherwise.

In the case of hummy.tv it's once every 30 days which is fairly non-onerous.

gov.uk is every time I change to a different page within the gov web site. It can take a dozen text messages to do my tax return in one session of a few hours. That's way too much.