
WMW Major Security Risk (Plain Text Passwords)

#1 | Connor Ricks (Thread Starter) | Jun 20, 2020, 02:36 PM

EDIT - WMW is looking into this issue now. Thanks for the prompt response. If you have an account with WMW, I would encourage you to change your password on other sites where you may be using the same credentials. I still stand by WMW as one of the best vendors we have in the Mini community, and I greatly appreciate them taking this seriously.

Hey all,

First I just want to say that WMW has been amazing to talk to in the forum, and their customer service has been great. A step above the rest for sure!

However, I do have a major security concern with their website...
I hit forgot password to reset my password today, as I couldn't remember what it was, and to my surprise, WMW sent me my password in plain text to my inbox.

As a software engineer, this chills me to the bone, as it means they are leaving your passwords (maybe credit card info too) vulnerable.

For those less tech savvy... When you sign up for an account on any website, if the site is implemented securely, the company should never actually see your password ever! It is converted into a long hash of characters and stored in a database. Hashes are one way, so the same password always produces the same hash, but you can't convert a hash to a password. This means that a company can verify you know your password, without ever having to risk storing or leaking your password to employees or the outside world. WMW is not doing that, because if they were storing your password securely, they would have no way of sending you your password in an email. Beyond that, emails are not private or secure in any way, as they touch hundreds of servers along the way to your inbox.

If you share your password on WMW with any other account on the internet, it is a safe assumption that your password is cracked and you should change your password on every other site.
I'm a little disappointed and honestly afraid of how long they have been storing users' passwords in such an insecure manner.

I hope WMW can respond and commit to fixing this major security flaw ASAP.
 

Last edited by Connor Ricks; Jun 22, 2020 at 07:38 AM.
#2 | Eurothrasher | Jun 20, 2020, 07:14 PM
Thanks Mr Internet hero.....whoever you are.

Been purchasing MINI parts from many vendors who advertise here and never a problem, THAT includes Way Motor Works. He's the most honest and trustworthy vendor we've ever had in North American Motoring.

Who the hell knows who you are Mr 27 posts! Did you bother to call him and express your concerns or just figured you could score some brownie points with your fake friends by admonishing here in public?
 

Last edited by squawSkiBum; Jun 20, 2020 at 08:11 PM.
#3 | Connor Ricks (Thread Starter) | Jun 20, 2020, 07:20 PM
I’m not sure what your problem is. I am merely urging users to change their other passwords if they use a similar one on WMW. I have nothing against WMW and I will continue to do business with them, in fact I placed an order today. However, I do think it’s critical and important that people are aware that their information is vulnerable. I’m sure you weren’t happy to find out about the Equifax breach or Target or any other retailer...

I understand this site is sacred in the community; I lurk here every day. That is why I brought it here, where it would gain the most visibility to users who may have their information vulnerable.

This site is a font of wisdom for me, but please don’t push aside a major security flaw for some arbitrary ********. I’m not here for fake internet points, you can gather that from my small number of posts.

 

Last edited by squawSkiBum; Jun 20, 2020 at 08:11 PM.
#4 | squawSkiBum (Moderator) | Jun 20, 2020, 08:21 PM
The OP is correct. I just did the password recovery for my account and got plaintext. This is the way the internet worked 20 years ago and hackers quickly took advantage of it. Way needs to update his website. (Yes I'm in technology, since the internet was called ARPANET and unlike Al Gore I really did help create the internet.)

We have many great vendors here and Way has been a huge contributor to NAM for many years, we should all be grateful for that. Let's keep it civil and give Way a chance to respond.
 
#5 | Connor Ricks (Thread Starter) | Jun 20, 2020, 08:24 PM
Agreed Squaw,

I’m sure WMW will be quick to rectify the problem, they are great people!
 
#6 | ST107 | Jun 20, 2020, 09:46 PM
Originally Posted by Connor Ricks
Hey all,

First I just want to say that WMW has been amazing to talk to in the forum, and their customer service has been great. A step above the rest for sure!

However, I do have a major security concern with their website...
I hit forgot password to reset my password today, as I couldn't remember what it was, and to my surprise, WMW sent me my password in plain text to my inbox.

As a software engineer, this chills me to the bone, as it means they are leaving your passwords (maybe credit card info too) vulnerable.

For those less tech savvy... When you sign up for an account on any website, if the site is implemented securely, the company should never actually see your password ever! It is converted into a long hash of characters and stored in a database. Hashes are one way, so the same password always produces the same hash, but you can't convert a hash to a password. This means that a company can verify you know your password, without ever having to risk storing or leaking your password to employees or the outside world. WMW is not doing that, because if they were storing your password securely, they would have no way of sending you your password in an email. Beyond that, emails are not private or secure in any way, as they touch hundreds of servers along the way to your inbox.

If you share your password on WMW with any other account on the internet, it is a safe assumption that your password is cracked and you should change your password on every other site.
I'm a little disappointed and honestly afraid of how long they have been storing users' passwords in such an insecure manner.

I hope WMW can respond and commit to fixing this major security flaw ASAP.

Appreciate the heads up 👍
 
#7 | Eurothrasher | Jun 21, 2020, 04:09 AM
Originally Posted by Connor Ricks
I’m not sure what your problem is. I am merely urging users to change their other passwords if they use a similar one on WMW.

No "Mr. 27 posts", you made a baseless suggestion that the way he performs interstate commerce and business is compromised suggesting members not do business with this vendor....and the fact you didn't bother to contact Way yourself and publicly call him out, and the fact that you cannot see a problem with this.........IS a problem.

Maybe you have no friends, maybe you just see some sort of need to hide behind a keyboard and prop up your pathetic life. Either way the method of which you have chosen to solve your quandary here is not ethical nor appreciated. Especially during a pandemic when businesses are taking such a hard hit.

His phone number is available on his website. How about you call him and express those concerns and get it over with already.
 
#8 | Connor Ricks (Thread Starter) | Jun 21, 2020, 09:00 AM
With all due respect I'm responding to this message for clarity. However, I will not be responding to you any further. I have no bone to pick with you, it is not my intention to argue. I have better things to do with my life.

My concern is based on PURE mathematical information nothing more. If WMW can send me my password, then they are storing my information insecurely. If you don't care about that information, cool, you can move along. However, other people have a right to know that their passwords are compromised.

I do intend to call them, however it is a weekend, and they are not currently open for business. That however does not change the fact that people should be aware of the security risk that WMW have introduced by storing passwords insecurely.

Here is a link to one of the big players in network security, explaining why password security is important.
https://auth0.com/blog/hashing-passw...d-to-security/

I'm sure others will get a benefit, but I doubt you will be reading it as you are more interested in starting an argument than understanding facts.

Apologies to all who read this and see this completely unnecessary argument. In any other scenario I would let things like this slide, as there is no benefit from arguing with random people over the internet. However, I cannot stand to let someone push aside a factual security risk as baseless. People may use these passwords for their bank accounts, credit card accounts, loan accounts, or any site at all. They have a right to know.
 
#9 | WayMotorWorks (Vendor) | Jun 21, 2020, 07:35 PM
Thank you for your concern as no one has ever pointed this out to us. WMW cannot see your password and we keep all of our customers' information safe and private. I have sent this concern to my website manager to see what they can do as I am a MINI expert and the website programming is left up to experts in that department.

As experts say and we agree you should also never use the same password for different logins.

Also as others have stated I wish you would have emailed this concern directly to us as I would have known sooner and dealt with it privately. People often don't read all of a thread here on the forum and this is now just a post that appears to tell people not to buy from WMW. I don't think that was necessarily your intention, but can easily be misconstrued.
 
#10 | Connor Ricks (Thread Starter) | Jun 22, 2020, 12:33 AM
Originally Posted by WayMotorWorks
Thank you for your concern as no one has ever pointed this out to us. WMW cannot see your password and we keep all of our customers' information safe and private. I have sent this concern to my website manager to see what they can do as I am a MINI expert and the website programming is left up to experts in that department.

As experts say and we agree you should also never use the same password for different logins.

Also as others have stated I wish you would have emailed this concern directly to us as I would have known sooner and dealt with it privately. People often don't read all of a thread here on the forum and this is now just a post that appears to tell people not to buy from WMW. I don't think that was necessarily your intention, but can easily be misconstrued.

Thanks for the quick response WMW,

I understand your sentiment regarding the way the post appears, and I do genuinely apologize for that. I do not intend to stop purchasing products from you, and as stated earlier, can't be happier with the service your team provides. I have recommended it to many. However, I do disagree with you on dealing with the matter privately in order to avoid public visibility. I have every intention of calling during business hours and having a discussion about this security concern, if you are open to it. I am happy to help out and share my expertise in the industry where I can, but this isn't a private matter... everyone that has an account on your site has a right to know about this important security flaw. You may not recommend using the same password on multiple sites, but either way, more than 50% of the population does it anyways. [source] I appreciate you deferring to your website manager on this, and I am happy to have a conversation with them if you think it would benefit the situation. However, I can assure you that your customers' passwords are not stored "safe and private". If anyone tells you otherwise, I would strongly urge you to seek assistance elsewhere.

Again, I apologize if any of this comes off as blunt or rude. It is not my intention at all. I simply want to resolve the issue, and to draw awareness to those that have an account, in the hopes that they will change their password anywhere else on the internet that they believe they share credentials.

Please feel free to DM if you would like to set up a time to talk. I am happy to explain in more detail as to why this is a concern, and how best to move forward with this information.
 
#11 | shrevemini | Jun 22, 2020, 05:30 AM
Bottom line is this. Way is taking care of the issue. I can say from an independent standpoint that when I saw the thread title, I was thinking that someone had a bad sales issue with WMW. Let the thread die. Or lock it out.
 
#12 | Minibeagle | Jun 22, 2020, 07:10 AM
Thanks to most of the folks in this thread for being polite and civil. Way will get this looked after. He's one of the best MINI vendors and knowledge bases out there.
 
#13 | squawSkiBum (Moderator) | Jun 22, 2020, 07:46 AM
Locking this thread for now as WMW is working on addressing the problem.

Way, when you have an update, please PM the moderators and we'll unlock this for your response.
 
#14 | Jeremy1026 (Moderator) | Dec 15, 2020, 07:18 AM
Just a quick update here. We haven’t heard from WMW regarding a fix, and a test today of the recovery system still sends your password in plain text. The recommendation to use a unique password for the WMW website (which is recommended regardless, but doubly so in this situation) stands.
 
All times are GMT -7.