Password reset - Tom's Forum Driving me nuts

zappo

Oct 23, 2009
Can someone tell me what platform this forum is based on so that I NEVER make the mistake of recommending it to anyone.

Every time I come here my previous password does not work (I use LASTPASS to keep track), so I have to click on the forgot password link, but that does not ask me for a username it asks me for an email.

So I go look that up, put it in and it emails me a link, I click on that and then I am in (FOR THAT SESSION ONLY) it sends a further email with the new password. I put that password into LASTPASS and save it.

Then I log out to verify it works, but it DOES NOT WORK (even if I enter it manually) and so I have to do the forgot password all over again.

Can anyone give me an idea of how to resolve this.

 
Ah, a fellow LastPass user. I think you will find that your password does work. LastPass is being overzealous in filling out the login form and is adding in your email address into a hidden input field. The site will simply not log you in if the email field is not empty. I don't know why they don't remove it to be honest, or at least just ignore it. If you tell LastPass not to automatically log in or fill the form you should be able to log in without any trouble. Just copy the username and password and enter it manually.
 
That's interesting. I was having problems logging in to the UK site (with LastPass) but found I could log on via the US site if I cut and pasted the password. So maybe the problem is what you suggest. If so that's one of the worst pieces of programming I have seen on a web site (and that's saying quite a lot).

For God's sake, fix it!
 
At first glance, I'd have to say the best option here is not to use LastPass to log in to Tom's Hardware. We have a few anti-spam protection things going on with login, and using a non-browser-default password retrieval and storage extension may not be fully compatible.

If you need help resetting your password, send me an email at jpishgar@bestofmedia.com with your username, from the email associated with your account, and I'll manually reset your pass for ya.

Hope this helps!

-JP
 


I can't say for certain if it caused your particular problem, but I can say for certain that the behaviour I described occurs. I couldn't work out why it wouldn't log me in without me entering things manually, so I popped open Fiddler2 and started intercepting and editing browser requests. I then noticed that a successful login does not include the email field.

Pasting in the credentials and avoiding automatic form filling will work around this problem. You can also open up your browser dev tools and just delete the offending input from the DOM :lol:

It's a bit of a funny way to prevent spam but it's not unheard of. It is pretty good at stopping your average bot that just fills in every available input field. Perhaps it would be better if the field was named something not directly related to credentials though. That would reduce the likelihood of confusing password managers.
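The hidden-field check discussed in the posts above, sketched server-side as an added example (not the forum's own code). The `signin[...]` names come from the field list posted later in this thread; `signin[ref]`, the vault contents and the name-matching form filler are constructed assumptions used to show why a credential-like decoy name catches password managers as well as bots, and why returning a reason gives the feedback the thread asks for.

```python
from urllib.parse import parse_qs, urlencode

CREDENTIAL_FIELDS = ("signin[username]", "signin[password]")
# Decoy named like a credential (as in the thread) vs. a neutral, hypothetical name.
LEGACY_FIELDS = ["signin[username]", "signin[email]", "signin[password]"]
NEUTRAL_FIELDS = ["signin[username]", "signin[ref]", "signin[password]"]
# Constructed sample vault entry for a form filler.
VAULT = {"username": "alice", "email": "alice@example.test",
         "password": "constructed-sample-pw"}


def check_login(body: str, honeypot: str) -> dict:
    """Anti-bot gate for a urlencoded login POST.

    Returns {"accept": bool, "reason": str}; credential verification
    happens afterwards and is out of scope here.
    """
    form = parse_qs(body, keep_blank_values=True)
    if form.get(honeypot, [""])[0].strip():
        # A human never sees this field, so a value means automation:
        # a bot, or a form filler that matched the field's name.
        return {"accept": False, "reason": "honeypot_filled"}
    if any(not form.get(f, [""])[0] for f in CREDENTIAL_FIELDS):
        return {"accept": False, "reason": "missing_credentials"}
    return {"accept": True, "reason": "ok"}


def form_filler_post(field_names, vault) -> str:
    """Assumed model of a form filler: fill every field, hidden or not,
    whose name contains a key it has a stored value for."""
    filled = {}
    for name in field_names:
        key = next((k for k in vault if k in name.lower()), None)
        filled[name] = vault[key] if key else ""
    return urlencode(filled)


def naive_bot_post(field_names) -> str:
    """A bot that puts something in every available input."""
    return urlencode({name: "spam" for name in field_names})


if __name__ == "__main__":
    for label, fields, decoy in (("legacy", LEGACY_FIELDS, "signin[email]"),
                                 ("neutral", NEUTRAL_FIELDS, "signin[ref]")):
        print(label, "filler:", check_login(form_filler_post(fields, VAULT), decoy))
        print(label, "bot:   ", check_login(naive_bot_post(fields), decoy))
```

Surfacing `reason` to the login page (or at least to the server log) is what turns a silent failure into one a user or support agent can diagnose.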
 

Sorry, but that's a complete cop-out IMO. LastPass is a very popular password manager and it shouldn't be that difficult to allow its use with a forum. Tom's is the only place where I know it to cause problems.

Workmen and tools and all that.
 
Back in May a year or so ago, LastPass lost the passwords for about 1.25 million of its users to hackers, and use fell after that breach. We don't typically develop for compatibility with extensions, but since there are at least three users (yourself, randomizer and the OP), I'll pass along the recommendation for login compatibility.
 

I believe that statement to be untrue. If so it is an irresponsible statement for someone in your position to make.

Do you have a link to that story?
 
As I thought, that article does not say that there has been a security breach. I did search and could only find references - like this one - to a possible problem, but no statement that there had been a loss of passwords.

I'm sure that your unwarranted assertion that there had been such a loss of passwords was not malicious. But I believe that, as a representative of this website, you should take a more responsible attitude to "news" stories.

Never ascribe to malice that which can be explained by incompetence.
 
From LastPass themselves on the breach:

...We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database.
 
Note the word "assume". Very sensible for a security company to assume the worst-case scenario - but that doesn't make the assumption a fact. And I see no mention of numbers of users possibly compromised.

In reality, the fact that there were never any follow-up stories provides strong evidence that there was never any security problem.
 
I don't think it matters either way. What matters is if we can auto log in or not. It's only a minor inconvenience to have to manually log in so it's not a big deal to me, but I do think it at least needs to be more obvious that using LastPass (or indeed any auto form filling extension) may not work. At the moment there is zero feedback as to the reason for the failed login.
 
Disagreement over whether or not to trust the assumptions of LastPass about their program, LastPass, aside, I'm happy to inform you that we are proceeding on bugging this up for investigation by the development team. Some of our spam prevention techniques may well be at the root of the recent incompatibility, and we'll be digging down to see if we can work the kinks out.
 
Thanks for the efforts, so first of all, I DID enter the passwords manually, I had them sent to me by the forum in an email, it's a two state process, first you enter your email, they mail you a link which gets you in and that kicks off a second email with the new password.

So as soon as I log out and try to log back in I have the problem

For me lastpass is just a support tool that manages over 2500 passwords for me and my client sites. If anyone is interested the passwords are stored on my PC's not online so the hack last year did not get anywhere. We were sent an advisory and they also increased the spec of security which makes it a bit slower.

Out of interest when I looked at the custom field for this site (lastpass grabs them and then leaves it up to the user to enter them) I saw
PHP:
signin[username]
signin[email]
signin[password]
signin_username
username

These are fields it grabbed during the login or registration process, seems to be quite a few usernames, anyway lastpass allows me to enter my username which I did, I do not know if any of these were expecting an email address?

I just had to request password again, so I am going to post this, log out and log back in manually and see if the forum now supports the password it just emailed me, fingers crossed...
 
Did not let me log in, so I tried Chrome and WAS able to login. Nothing in my Firefox that should affect this, I turned off flashblock.

So issue seems to be to do with Firefox

After I enter username and password in Firefox I get a tickbox for both fields but the button does not seem to accept clicks
 
OK a bit more progress, is definitely something to do with Lastpass, I logged out of Lastpass and the button now appears as normal (turns red when I go over it) and allowed me to login. Now I will test to see if I can disable lastpass for this site because logging out is tedious with a 43,000 character password.
 
Ahh, here's the problem. The issue with Lastpass arose when we switched forum platforms. To solve the issue, remove Tom's Hardware from your LastPass info. Re-login on Tom's, allowing LastPass to store the information new. It should work from then on.