PLEASE READ: Forced logout and password reset

[SarahMumsnet]

Hello everyone,

Our apologies again for the stress and upset of the last week, and in particular the last 24 hours - and thanks for your patience and support in helping us deal with it.

Thanks to everyone who’s raised concerns about the strength of passwords on Mumsnet. We’ve now built new code which will oblige anyone logging in to create a new, complex password that conforms to higher security standards.

In the next hour, we’re going to force all users to be logged out. Then we'll change all users' passwords so they MUST reset their password to log back in. To make absolutely certain that everyone has a new, secure password, you’ll be logged out even if you’ve already changed your password in the last two days.

We’re sorry that this is the second mass password-reset in the space of a couple of days, but now we have code in place to strengthen security, we want to implement it as soon as possible.

Please don’t worry when you’re logged out: it’s MNHQ, not the hacker, behind it.

Thanks again
MNHQ

I tried to reset my password last night at about 11pm and it wouldn't let me choose a new password. Kept getting a red error message.

This morning it took me 20mins to reset it again. Very slow and kept giving me error messages.

I don't have capital letters in my password and it still allowed it this morning?

My iPhone has gone really slow since all this started. I hope mt phone isn't hacked. I use it for everything but everything has different passwords.

The important thing is not to change your MN password but make sure you change that email/password combination wherever else you use it.

Sorry for the bold font but I think people need to be reminded that it is not to read your PMs that these were hacked. It's because they think we would use the same email & password on EBay, Amazon, bank websites, etc.

Keep the faith everyone, keep the faith. This too shall pass!

I've just managed to log in without any forced password change?

I've not been forced out on either mobile site or desktop site.

Hello all and really sorry about the lack of instructions for choosing a new password. Tech were somewhat under the cosh last night - the error message on the desktop site let's you know what's required, but the mobile site version doesn't.

The standards for new, strong passwords are:

10 characters or more
A mix of letters and at least one symbol or number
It must be a brand new password, and not one you've used previously

So how come some of us were able to log straight back in with our old passwords?

Hi Kate. I'm still not being prompted to change my password - it doesn't meet the new guidelines and I didn't get kicked out last night, but I logged in and out a few times to try and prompt it. I can still log in and out this morning without needing to change it.

Just so you know!

KateMumsnet it's the kicking out bit that doesn't seem to be happening......
RebeccaMumsnet advised on another thread to password change anyway to the criteria you state above. But then the whole site crashed offline.....

I would like to know WHY SOME OF US HAVE NOT BEEN KICKED OUT AND CAN STILL USE OLD PASSWORDS - Please.

I can get my new password accepted either - have logged in via Facebook this time, but hoping it will be sorted soon!

I can't, not can!

Aaah, that's why it accepted my super long pw this morning .

Sorry to be picky but if it really was a phishing attack surely it doesn't matter how good your password is? They'd have got it through clear text!!! A strong password protects from a brute force attack but unless they got the encrypted database and decrypted, or got the encrypted passwords between user and mumsnet then decrypted surely it's not relevant? I know people have been criticising the lack of enforcement of strong passwords but everyone would be better off ensuring they don't use the same ones on each site!!!

I couldn't get it to accept any of my new passwords that I came up with so I have re-registered with a new email address.

Having read KateMumsnet's message above it would help if the password criteria was actually on the password change page

I just got an email claiming to be from Mumsnet telling me to reset my password but it was sent to an email address that I do not, and never have, used on Mumsnet

Watch out folks.

Hello again - we're looking into why some of you mightn't have been booted out and forced to set a new robust password right now - thanks very much for letting us know.

The 'can't use an old password' rule only applies only to the last two that you've used.

So if you've used a password that's older than the last two passwords you chose, AND it coincidentally meets the new, robust password standards (more than ten characters, a mix of letters and at least one symbol or number), it will have been accepted and able to log in.

If you've been allowed to reset your password to one that either
a. doesn't meet the new security standards
b. Is one of the two old passwords you used most recently

could you possibly email [email protected] with details, and they'll look into it as soon as possible?

And THANK YOU for your patience.

Perhaps instead of being so bloody snarky and unpleasant about the free website you use for free to chat on the internet you should spare a thought for those who are no doubt working their socks off to fix this? Those people who haven't seen their partner or children and have had a really awful few days?

What moving up said

@JustMeOverHere

Having read KateMumsnet's message above it would help if the password criteria was actually on the password change page

Agreed, JustMe, and apologies - this should be being updated as soon as possible.

I logged myself out last night and couldn't log back in this morning with my old password. I did a password reset, but was then logged straight back out. Re-reset my password and I am in. But it is still messed up as I can only get in though one method :/

I am guessing this is due to the IT changes that were made to do this password reset that were (understandably) rushed through without proper testing first.

In case I disappear again, good luck to all at MNHQ today. I really hope today is smoother for you all. I hope the evil hackers are caught and we can get back to normal with Parking threads again.

I have not been forced to reset yet.

What about the list they've published of the companies they claim Mumsnet shares data with? Has anyone checked that out? - published on the new dadsec twitter account a few hours ago.

right...this may get confusing...

Username CXXXXX ...I could never name change as I could not remember the password, so I ditched it and re registered about 3 months ago, all good
...this account/email has had warning emails from MN about the current situation/required password/forced log outs/resets

New username Sxxxxxxxx, with a new email and set up a name change yesterday, before all the forced log out, and again and again malarkey

NOW on the new username account I have had no MN emails at all received so far, other than any associated with my actions in resetting passwords ...so not sure why that should be??

Also despite resetting the password for email/username Sxxxxxxxx I can subsequently only log in as the name change tondelayadellaventamiglia