
I am going to just assume you've been breached by enforcing a password



michaelmurfy

As one who got one of the password reset emails I am going to just assume you've been breached by enforcing a password change. I use a password manager and so the likelihood of my account on here getting compromised is slim at best. To be perfectly honest getting an email with basically no context is either getting deleted as a phishing attempt, or getting marked as phishing likely hindering your ability to send forum emails in the future when it is blocked by email providers. There should have been more context to this.

Instead, you should be reminding users by encouraging best password practices:

1) Enforce a strong password on the site.
2) Use a forum plugin to check passwords against Pwned Passwords to see if they've been seen before: https://haveibeenpwned.com/Passwords
3) Encourage those users to check https://haveibeenpwned.com/ to ensure they have actually not been compromised and to use a password manager with strong, random passwords going forward.
4) On a forum login or registration (when you can capture passwords in plaintext before encryption) you should be checking against Pwned Passwords to ensure it is a strong password. You'll note many sites do this now.

For those users, there is a very real risk if they're reusing passwords their personal Emby instance could also get compromised.

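The check described in points 2 and 4 of the post above, as an added example that is not part of the thread or of any forum plugin: it queries the Pwned Passwords range API with only the first five hex characters of the password's SHA-1 hash and matches the rest locally. The function names, the 12-character minimum, the fail-open behaviour and the constructed offline response are assumptions made for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords k-anonymity endpoint

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fetch_range(prefix):
    """Send only the 5-character hash prefix; the password itself never leaves the server."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines; padding entries carry a count of 0 and are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch=fetch_range):
    digest = sha1_hex(password)
    return parse_range(fetch(digest[:5])).get(digest[5:], 0)

def check_new_password(password, fetch=fetch_range, min_length=12):
    """Return (accepted, reason) for a registration or password-change form."""
    if len(password) < min_length:  # assumed policy value, not from the thread
        return False, "too short"
    try:
        seen = breach_count(password, fetch)
    except OSError:
        # Assumption: fail open on an API outage so sign-ups keep working; log it.
        return True, "breach check unavailable"
    if seen:
        return False, f"seen {seen} times in known breaches"
    return True, "ok"

def constructed_fetch(prefix):
    """Offline stand-in for the API (constructed data): one listed password plus padding."""
    digest = sha1_hex("correct horse battery")
    hit = f"{digest[5:]}:37\r\n" if digest.startswith(prefix) else ""
    return hit + "0" * 35 + ":0\r\n"  # imitates a padding entry
```

Passing `constructed_fetch` as the `fetch` argument runs the check without network access; omitting it uses the live range endpoint.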

12 minutes ago, michaelmurfy said:

I am going to just assume you've been breached

You are wrong; it looks like you did not read the announcement here regarding why we forced a password reset for one group only, the "Member" group with 0 posts, as yours was at the moment before you posted your first post.

Please do not treat your own false assumption as a fact.

I do not need to answer the rest of your post, since it is the member's matter to see what is best for his account.

BTW, "Member group = Newbie group that you are in when you first register here"

We have higher groups as "Members", just to shed some light on the forum groups here.

We have explained many times that the "Member" group with 0 posts needs to change their passwords, since we found out that some old accounts (2013-1017) have been used by some spammer groups, and if these members are members of other sites and they use the same user/pass everywhere, then that is a problem for the rest of the sites they join, as for example our community here.

I hope now you understand.


michaelmurfy
7 hours ago, Abobader said:

You are wrong; it looks like you did not read the announcement here regarding why we forced a password reset for one group only, the "Member" group with 0 posts, as yours was at the moment before you posted your first post.

Please do not treat your own false assumption as a fact.

Oh, I did fully read the announcement, else I wouldn't be here in this thread. I had to however search for it, as an email with "For security reasons, the administrator of Emby Community has required you to reset your password." isn't exactly what you said above. You have to see it from the eyes of somebody who got a password reset email out of the blue on a forum they have not posted in, which is normally "oh, this has been breached", and that is what I mean. I am also still going to assume that regardless of what you say, as this is the very first time I have gotten this from any community.

My other points are correct. Take it as you will. My other points are fully valid and instead of disregarding them somewhat rudely you should take them on board as a lesson and not assume for yourself I have no idea what I am talking about here... I do in fact run a couple large communities myself, one of which actually has a few million members...

Checking against https://haveibeenpwned.com is an excellent way to combat spammers also as it enforces stronger passwords and prevents what you're describing from occurring in the first place...


2 minutes ago, michaelmurfy said:

My other points are correct. Take it as you will. My other points are fully valid and instead of disregarding them somewhat rudely you should take them on board as a lesson and not assume for yourself I have no idea what I am talking about here... I do in fact run a couple large communities myself, one of which actually has a few million members...

Sorry if I sounded rude in my reply; it was not meant to be. I did not say that your suggestions are wrong; they are good ones and we used to look for that. The thing stopping us from doing these good suggestions is that most of our "Member" group with 0 posts come from our Emby Connect, and it will be hard for them to go by that route.

Again, sorry about all this, thanks.
