ClassCreator.com | Blockbuster sites, amazing reunions

reset password

Forums: Suggestions and Feedback
Created on: 10/18/11 10:32 PM Views: 3551 Replies: 21
Tuesday, October 18, 2011 at 10:32 PM

Hello, I know this has probably been asked and asked again, and I am too lazy to look for the answer. I am fairly new to this world of technology. But tell me, as an administrator, how can I reset a classmate's password? They forgot it.

Tuesday, October 18, 2011 at 10:51 PM - Response #1

You don't need to reset it. Just log out of your website, go to your home page, then click FORGOT PASSWORD and paste in their e-mail address.

If you decide to reset it, go to Manage Classmates, then Enter/Edit Classmates, then click on the DETAILS for the classmate and change their password.

If the classmate hasn't joined your website yet, tell them to click on Classmate Profiles, then click on their name, then click JOIN HERE and follow the instructions.

Monday, January 2, 2012 at 2:39 AM - Response #2

I was very surprised to read that this was possible. Why is Class Creator storing users' passwords instead of well-salted hashes?

This puts users at great risk, because most folks re-use the same passwords at multiple sites. They shouldn't, but they do. We all know this.

Password databases are stolen all the time (see Stratfor, Sony, Gawker, etc.). If Class Creator gets hacked and password files are stolen, my less-savvy classmates could find many of their important accounts (email, banking, shopping, etc.) compromised.

Class Creator can and should protect its users from themselves. If I don't see a commitment to address this soon, I'm probably going to blast a cautionary message to the class. I'm reluctant to do this—it will surely scare a good number of folks off of the site—but I feel that it would be irresponsible of me not to.

Edited 01/02/12 12:07 PM
Monday, January 2, 2012 at 10:17 AM - Response #3

No need to reinvent the wheel. The BCrypt library in PHP 5.3 and up handles hashing with salt and adaptive key-strengthening. Links to BCrypt libraries for other languages are collected in the first paragraph here.

Edited 01/02/12 12:09 PM
Monday, January 2, 2012 at 12:19 PM - Response #4

Ben,

The admin cannot see a user's existing password. All they can do is set it to a new value, in which case the user will be informed by email that their login information has been changed.

Monday, January 2, 2012 at 12:37 PM - Response #5

Eric—

Class Creator should not have these passwords. Period. It places my classmates at risk, completely unnecessarily.

The only reason that I cannot access a classmate's password is that I am not a 1337 h4x0r with the m@d 5Ki11z to steal and crack Class Creator's password database. Some of the many thousands of people who could easily penetrate Class Creator's servers (we can safely assume that Class Creator's security is not as good as, say, RSA's or Google's) are bored kids, and some are sophisticated criminals. Also, can any of us be 100% certain that Class Creator will never slip up and hire a less-than-scrupulous employee or consultant?

If Class Creator can email me my password, then it has my password. Maybe it is stored in plaintext, or maybe it is obscured or encrypted. Doesn't matter. Either way, it can be stolen.

Class Creator has hundreds of thousands of users. That makes it a potentially attractive target. Not so much because individual user accounts are particularly valuable (although identity thieves would have a field day with all of the personal data), but because a fair number of the passwords are. The weaker a user's password, the easier it is to crack and the more likely that the user of the password is careless and uses a single, simple password all over the web. If you do not do your best to protect these users, you are hanging them out to dry.

You are also hanging my site out to dry. My account password is gibberish, with mixed-case letters, numbers, and special characters, but if you are storing the password instead of a hash then I might just as well use 123456. I don't reuse passwords, so you aren't jeopardizing my email and bank accounts the way that you are the accounts of less careful users, but a hacker can still pwn my class website and impersonate me, and there's absolutely nothing that I can do to prevent it.

Class Creator should be using a good cryptographic library like BCrypt or scrypt to create and store salted, key-stretched hashes of my and my classmates' passwords so that when (to say "if" would be naïve) the password database for www.pikesville75.info is stolen the attacker will be unable to crack strong passwords, might not want to invest the time to crack halfway decent passwords, and will have to do at least a bit of work to brute-force even the weakest passwords, one-by-one.

Edited 01/02/12 8:20 PM
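Response #5's recommendation (and the BCrypt note in Response #3) in working form, as an added example that is not from this forum or from Class Creator: it uses scrypt from Python's standard library (hashlib.scrypt) in place of BCrypt, stores the salt and work factors alongside the derived key, and pairs that with the reset-link flow that replaces password retrieval once the site no longer holds passwords. The work factors, the one-hour link lifetime and the in-memory token store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import secrets

# scrypt work factors: constructed for this example, tune them for the real server
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
RESET_TTL_SECONDS = 3600  # how long an emailed reset link stays valid (assumption)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, work factors, salt, derived key.

    Storing this instead of the password means a stolen table yields only
    salted, key-stretched hashes that have to be cracked one entry at a time.
    """
    salt = os.urandom(16)  # fresh random salt per user defeats shared rainbow tables
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_b64, key_b64 = record.split("$")
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# "Forgot password" as a reset link instead of a retrieval link: the server
# cannot mail the password back because it no longer has it. It mails a random
# token and keeps only the token's hash, so a stolen table can't be used to reset.
def issue_reset_token(store: dict, email: str, now: float) -> str:
    token = secrets.token_urlsafe(32)  # goes into the emailed link, never stored as-is
    store[email] = (hashlib.sha256(token.encode()).hexdigest(), now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(store: dict, email: str, token: str, now: float) -> bool:
    entry = store.get(email)
    if entry is None:
        return False
    token_hash, expires = entry
    if now > expires:
        del store[email]  # expired links are discarded
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), token_hash):
        return False
    del store[email]  # single use: a link cannot be replayed after a successful reset
    return True
```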
Thursday, January 3, 2013 at 8:55 AM - Response #6

I am disappointed to find no CC Admin response to Ben's last post above. There are beginning to be too many posts in these forums that fall into the abyss without closure.

A few short years ago, I would at least have expected to read a reassurance about what Class Creator is doing to protect our passwords database(s) or, in lieu of that, an explanation about why Ben's recommendation is not the best solution here (i.e., would it somehow require a process that is too complicated for our users? for example).

Was Ben's suggestion ever escalated to a review team? If it was reviewed/discussed, perhaps a status update is warranted on this topic.

Thank you.

Thursday, January 3, 2013 at 11:37 AM - Response #7

Terry—

Kyle and Eric report in another thread that there has been real and gratifying progress on this front. It appears that Class Creator is now storing hashes rather than passwords, although Eric has declined to disclose the hash algorithm that CC is using. Also, passwords of all but the newest users may still be retrievable off of backup tapes. I haven't asked all of my admins to change their passwords in order to better secure my class website, but maybe I should. Smile

Edited 01/03/13 11:49 AM
Thursday, January 3, 2013 at 11:48 AM - Response #8

Hi Teresa,

Right, we did complete a lot of work on this. We've had a lot of people out for the holiday; however, we really do still to this day read every single post here.

We have a boatload of new features coming up. I'm thinking about moving these entire forums to "old" forums and starting anew, as so many things in the system will work differently now. For instance, the entire way you edit your site pages has changed (well, at least on dev anyway; you'll be seeing it in the live system this month). Many more changes after that too. I'm concerned people searching the forums for answers will now continually run into old, outdated information that reflects the system of yesteryear and not the system of today.

Plus I think I can better organize the forums so finding answers is easier. Lemme think on that. We will still show a link to the old (now current) forums so people can get to them if they're looking for something.

What do you think? I think it would make it easier for all of you to start anew, and I think it will be easier for the Support staff as well to be managing questions and answers regarding the new system without having to contend with a bunch of threads that have become antiquated.

Edited 01/03/13 11:54 AM
Thursday, January 3, 2013 at 11:53 AM - Response #9

Just quoting Eric's response here too so it's readily available for anyone looking:

"The vast majority of login failures are due to typos when entering the email address or password, followed by memory lapses about which email address or password is the right one. Once in a while there is a failure due simply to a hiccup in transmission between your computer and the server or vice versa.

We have been hashing passwords for months now, and at the time of implementation we replaced all non-hashed passwords with hashed versions and replaced retrieval links with reset links. That should not have affected anyone's ability to log in. We do not enforce strong passwords. There are legitimate and detailed arguments for and against this, and we have chosen what is most workable for our customer base."

Thursday, January 3, 2013 at 12:05 PM - Response #10

Brad—

I don't like the idea of having to search in two different places.

Search results are already sorted by date. If you want to clearly differentiate between "Class Creator 2.0" threads and older threads, you could more clearly show the demarcation in search results.

You could also close older threads to new user comments, but I can see pros and cons to doing so.

Thursday, January 3, 2013 at 12:27 PM - Response #11

Okay. Will discuss with staff next week (camping out on a Colorado mountain until Monday). The important thing to me is the new stuff is easily findable and answers obtainable.

Thursday, January 3, 2013 at 2:10 PM - Response #12

Excellent updates. Thank you very much (and so good to hear from you personally, Brad, every now and again! I know how much Class Creator has grown since I joined in late 2008...)

I suspected that there might have been an update elsewhere in the forums; it's too bad there is no easy way to link/combine identical topics. I always try to search for existing discussions before starting a new topic, but I know that is not always possible for others... and search criteria are so arbitrary. I actually stumbled onto this conversation while looking for updated language to use in my site FAQs for "forgot password" after I noticed today that the system now sends users a reset link instead of their password. On reflection, I should have realized that in itself indicated a different method of storing email addresses... (so, can anyone direct me to a new set of written instructions for password reset? I'd rather not recreate the wheel if it already exists elsewhere. Thanks!).

As far as the Help Forums, I'm not sure what to recommend that I'd consider an improvement--except for a way to streamline the questions and answers.

I'm still a big fan of Class Creator and I'm really looking forward to hearing more about the new interface--especially the facebook integration!

Cheers to you all, and THANK YOU!!!
Happy New Year!

Thursday, January 3, 2013 at 3:34 PM - Response #13

Teresa "Terry" Alers wrote:

I'm still a big fan of Class Creator and I'm really looking forward to hearing more about the new interface--especially the facebook integration!
Happy New Year!

Facebook integration? What's up with that?

Your Eric Bassey posted the following about six months ago:

Quote:

We specifically do not integrate with FaceBook because one of the major attractors to our service is the respect for the privacy of your information that we have and which FaceBook *absolutely* does not. Any information entered onto a website with an integrated FaceBook login is collected by FaceBook, aggregated, and sold to advertisers.

My class site here has far more members than the class Facebook group, and a big part of the reason is a fairly widespread aversion to Facebook. If Facebook integration becomes an option, I hope that there will be a way to opt out.

Thursday, January 3, 2013 at 4:17 PM - Response #14

It's important everyone on this thread also read this thread.

We are not "integrating" with Facebook. I think that's a confusing choice of words (yes I realize we said it). There are various ways to connect via Facebook, just like there are various things you can set up on Facebook itself, for instance creating your own Facebook page (there's several different types of those), creating your own Facebook group, or creating your own Facebook application.

What we have chosen to do is create a Facebook app. Essentially, the way this works for us is Facebook has a wrapper with their name and notification icon (the globe). Our app can push notifications up to that globe. Our app can also PULL data from Facebook. The keyword here is PULL, so this is very important. Facebook allows us to pull various information from their system into ours. Prior to using an app on Facebook you must accept the "permissions" that go along with it, very similar to using an app on your mobile phone. Permissions can be things like you're allowing our app to pull your name and email address from Facebook. If you don't like the permissions, you can opt NOT to use the app at all.

Now, the way a Facebook app works (and sorry if this gets a little techie now, but this is super important) is via a thing called an iframe. Essentially that's just a container running under the Facebook logo that our stuff populates. All of that stuff pulls right off of our own server. Names, email addresses, passwords, etc. are under our full control just like they are here. In fact it's literally the exact same control. Facebook has no ability to "snoop" into the data pulling into the iframe coming from our server. It simply doesn't. It's not possible. In fact Facebook has absolutely no awareness whatsoever about what we're doing other than this:

1) It knows what we pull from them
2) It knows what we push to them

Obviously #1 is not a concern because what we can pull from them has nothing to do with your data here. So #2 is the only relevant issue. If we wanted to take your personal information (like your personal email address) and say, push it into the Facebook globe notification bar of another user we could. Of course, we never would. We wouldn't do that any more than we'd do it right now, which of course we've never done. We have access to 1.3 million private email addresses, 1.3 million street addresses, so forth. That data is very secure and we've never had a single incident with that data in our history. In fact we've recently made various security improvements including password improvements to make it even more secure (you can't be too secure).

I apologize for the long-windedness here, but the bottom line is this: We will never push private data to Facebook. In fact, the ONLY data we're pushing to Facebook via our app is notifications. For instance, somebody sent you an email, so we trigger the Facebook notification icon to let you know you have an email waiting. Or somebody commented on your Profile. We trigger the Facebook notification icon to let you know that. Those are the ONLY types of data interactions we're exchanging with Facebook, and the rest of everything is sitting right here on our servers, our system, fully secured, just like always. It's just running within the Facebook shell if (and only if) you the Administrator want that type of Facebook sharing in the first place. The power has always been in your hands, is in your hands right now, and will always remain in our hands. So shall it be forever more, so says me, and frankly I'm charged with making the rules. You can count on this to be the case the exact same way you've counted on it to be the case for years here. It will, not, change. Period.

Thursday, January 3, 2013 at 4:28 PM - Response #15

One more thing as we're getting some more private comments on this. Let me say it like this: It's the APP that can steal your Facebook data. It's not Facebook that can steal your app data.

So - what you need to be concerned about when adding an app to your Facebook account is permissions. And the reputation of the company that is asking for those permissions. So it's US, Class Creator, where your concern needs to lie, i.e., what will we do with your Facebook data if we pull it into our app.

The simple answer to that is nothing. If we did anything with it we'd violate our own Terms & Conditions and our own Privacy Policy. We're not going to take your Facebook info and let a single living soul ever have it unless you personally have chosen to share it. Honestly we have most of it already anyway. There's very little else we could pull that we don't already maintain here.

We have a long track record of being an ethical company (because it's run by a group of ethical people) that pays particular attention to privacy. You'll never find a single person here who's ever had an issue. We don't even look at that data ourselves. We'd have no reason to. No form of Facebook integration will ever compromise that. That is our rock solid promise so for anyone who remains concerned about this (and you should and have every right to be of course), no worries. Every bit of data will be treated the exact same way it is now. It's yours. It belongs to you and only you and will never be shared without your consent, sold, or compromised.

Edited 01/03/13 5:13 PM
Thursday, January 3, 2013 at 5:06 PM - Response #16

Oh -- Terry -- in the shuffle I missed your post but just caught it. Thanks. It's going to be a year of changes (all of which I think are for the better). But, whenever there's concerns, problems etc., we'll sort it out together. While I know we can't please 100% of the people 100% of the time, that certainly won't stop me from trying. Stay tuned, the 2013 adventure is just beginning.

Thursday, January 3, 2013 at 6:01 PM - Response #17

Thank you, Brad. Looks like I created a beehive of activity with the misleading word "integrate". Sorry! I am looking forward to your "facebook app"!

You can count on me to work with you on reporting bugs and suggesting improvements. I haven't had to do a lot of that though, because my class sites pretty much run themselves! Very Happy

As far as TRYING to please 100% of the people 100% of the time---you Da Man! Wink

Thursday, January 3, 2013 at 6:19 PM - Response #18

Heh, thanks Terry. Smile Actually we said integrate, but you know what, things change, people's knowledge of things changes, we all want to take back something sometimes. This is one of those times. I think when everyone sees the way this works we may well just achieve the 100% satisfaction point (or close to it, I surely hope). But like you said, if that's not the case you guys will tell us so. This I know, he he he! Smile

Thursday, January 3, 2013 at 6:58 PM - Response #19

From your description of the app, I think it will be a big hit and, yeah, no doubt you'll hear right away about any bugs/issues! Wink

Aren't you off in the mountains of Colorado? Sorry to pull you away from your festivities... Go have some fun!

Cheers,
Terry

Thursday, January 3, 2013 at 8:47 PM - Response #20

Yes I am. But, never too far from my baby. Smile

Friday, January 4, 2013 at 8:06 AM - Response #21

Very Happy
