I got an e-mail on one of my e-mail accounts this morning. Interestingly I only got it on one of our accounts, not the other three accounts that my wife and I have.
At first I thought it was phishing, but it appears that people who use certain e-mail clients (like Outlook) will have to reconfigure those clients for a "new password" (app password). Webmail doesn't appear to require the change.
The e-mail states:
Important: You must update your Rogers email account settings.
Protecting your data is as important to us as it is to you. Rogers is making several security upgrades and implementing a new authentication system to further protect you and your data.
Rogers requires you to update your email settings to continue using your email account.
It only takes a few minutes of your time to ensure you have uninterrupted access to your email.
There is a link as follows indicating the people who need to do this, as well as instructions on how to do it:
Please excuse me if this is discussed elsewhere. I did try searching and didn't find a thread on this specific topic.
My concern has always been that it seems we are expected to have Outlook (etc) store the password, as opposed to best practice of always entering it each time. Won't be long before someone figures out how to have a virus or whatever hack the saved passwords. And if we just write it down and enter it each time that's really cumbersome / error prone.
And with 4 or 5 accounts, 3 devices (currently) that's a lot of passwords.
My prediction .. extended call centre wait times as people phone or for help understanding the email / web page and then also keep calling back on ongoing basis for help when their passwords get in a muddle.
This is a CSR full employment program. (Sorry... no disrespect to CSRs lol).
Could this be a plot to discourage use of mail clients and drive people to web mail?
Received this email from Rogers today and it seems like a major headache to me. I don't use my @rogers email for anything except getting my Rogers bills and I'd be fine using the Rogers webmail to get these if necessary. However, I do have a custom email through a domain hosting company, for which I use a desktop email client to send & receive emails, using my Rogers Internet service. Do I need to make a change if this is to continue working? I am not clear from Rogers' email, and reading through this thread, whether it is just Rogers email accounts that are affected or whether whatever SMTP authentication is required to send/receive emails through Rogers (smtp.broadband.rogers.com) is also affected. Can someone from Rogers or otherwise please clarify? Thanks.
Welcome to the Community Forums.
Just to clarify, this change will only affect @Rogers email addresses and shouldn't impact your custom email. Is there a reason your host provider doesn't supply you with their own outgoing server info? I'd imagine they have their own SMTP server you can use?
I have tried many times but still cannot generate the required App Password. I am able to sign in with my @rogers.com email address and password and view my emails. But when I click on "My Account" and get the Welcome screen for the Rogers Member Centre and re-enter my email address and password, I get the following message: "We are sorry but the system is not available." I have been monitoring this forum for the past couple of weeks, and have not seen anyone else report this issue.
Just as an FYI, I got an e-mail from Rogers when I started this thread several weeks ago on all my e-mail accounts. Recently I got a second e-mail on some of these accounts. (Rogers appears to spread out the times in my case over a period of days).
Today, we got a phone call regarding the issue. Unfortunately, my wife took the call, listened to some of it and then hung up thinking that I was already aware of the situation and was not interested in any more news on the topic, so I don't know the specific contents of that call.
Seems pretty difficult to avoid this in my case anyway. I have not yet made the changes since I'm letting this play out. I have learned from years of experience not to be the first in such cases.
Yes I got a call today. They gave a number to call for help 1-866-515-3047. Not sure if that's their standard tech support number (I have a different one but I've been using that for years). I called it quickly and there is indeed an intro msg and then a press 1 for help with this issue, press 2 for other. Don't have time now but will call them later and see if I can get my questions answered.
I have 3 yahoo accounts. I received 3 emails. 2x now for each account. I am here but do not know what or how I am supposed to update my account. I could have sworn I did it already. Now I'm sitting here saying wth.
One week later. I experimented. I followed the instructions and generated a password for my laptop that runs Outlook 2016 (POP3). Entered it and it worked. My main PC running T'bird (POP3) also continued to work with the old password. So I tried that with the password I made last week and it didn't work. Generated a new T'bird password, entered it and it did work. I suspect these new passwords have a short life if they are not entered and used.
So I had already generated for my wife's machine, she also has T'bird (POP3) and her old password is still working. I bet the password I had generated won't work. Maybe next week I will generate and enter and see what happens. If it works then ok it is done but I still don't see the point.
Out of curiosity, previously in, say, Outlook did you
a) enter password every time
b) save password but change frequently
c) save and change infrequently
Also, did you have the same password for a given account on every client?
I suspect people answering a) or b) and 'yes' will have a fine old time under the new regime.
Just want to make sure that I understand.
My wife and I use Outlook Mac 2011 but with two separate identities. Mainly we use our iMac but we do use a MacBook Pro when travelling. We would need 4 App Passwords, Correct!?
Also we each have an iPhone and an iPad with account set up, so another 4 App Passwords??
And if, for what ever reason, I did have another email client we would need App Passwords for each account set up. Am I correct in these assumptions??
That is my understanding. I spoke to a CSR yesterday who was good at confirming what has to be done. He mentioned that there is a paste to clipboard option on the page to generate the passwords.
He was not able to answer any of my questions or comments as to how this will all work out in practice.
He did seem aware of the weaknesses in OAuth and thought that might be why Outlook was not using it. He suggested I could talk to Yahoo help centre.
He thought cut over was imminent, maybe a week away.
So I will probably go with the flow next week and see how it goes.
I don't relish the idea of moving off Rogers.
Thanks for the confirmation. This does not make a great deal of sense to me as I/we will have to manage, perhaps, 16 passwords on all the devices and clients. I guess that I should get started setting things up. Thanks again.
@RichardF Yes, the question I have had about OAuth is that Rogers has been using the term OAuth, which there are legitimate concerns about the security issues of the first 2 versions of the security protocols. I would hope they have implemented OAuth 2 which is the most current and secure version to date and I would hope that they keep moving with the changes in that protocol as it becomes compromised over time. As with any security protocol model developed, the hackers are always one step ahead of them.
So the concerns are legitimate, but my experience is that Rogers has not always been up to date on security protocols, or their third party providers are not always up to date.
The challenge with the email clients is that they are not "baked" into the operating systems, which is providing the authentication by device, so it is just using a model of creating a reasonable unrepeatable or memorable password, requiring it on each device, and creates some kind of link to the software and device it sits on, so it mimics the OAuth.
And just a clarification on what I have learned - for those who are thinking that they can put the same passkey on every software/device, if implemented properly as Yahoo already has, it will not work - you will have to create a separate password from the Rogers member centre - it is a pain yes, but you only have to do it one time.
And for those talking about others seeing your email because the password is now saved. Put a lock password on your Windows, Mac, whatever device, and if Windows, learn how to do user passwords and always log out when walking away - like corporate settings have done for over 15 years with Outlook and Microsoft Exchange.
It is again, just a one time process to do it, and just search setting up secure individual outlook accounts, or setting up secure Windows users accounts. That is where your true security lies - unless you have password locked your .pst files in outlook, it was never secure anyway if you used POP and stored your email.
So yes, just do it as per the steps provided, and then you are ready.
Yes of course my various devices all have passwords (pin for iOS).
To be fair I can see the convenience of having passwords saved.
But I am nervous at losing control over the passwords, or more precisely the hassle of "changing passwords". I do that from time to time and additionally whenever there is a concern.
I will now have 4 passwords per account to manage (and about 4 or 5 accounts including my wife's). Obviously I'm going to have all those written down somewhere.
If OAuthxxx is so fantastic, why is Microsoft not incorporating that into Outlook?
Am I right that the ideal model would be a password to authenticate the client / device to the server, and then one user controlled password per account (common to all clients)?
So 4 system generated hidden passwords, and 4 user defined passwords in my case. Not 16 generated passwords that in effect are my user passwords.
A separate question.. I assume that this process would also apply on a Blackberry? My wife will need access to her Rogers email on her phone.
Doing a bit of research, Microsoft integrated Oauth support into Outlook beginning with 2013, it is just that the process was a manual process as we see in the Yahoo Rogers model - when you consider setting an email connection say for Gmail, or Outlook.com on a phone now, using the defined yahoo, gmail, or outlook autoselection, it sets up the connection and setup of a secure device application related secure connection to the server by usually sending an SMS to a phone, or an alternative email, and you just confirm that you have set up the new email client.
Outlook and other apps that currently have OAuth did not have this ability to link back to the server and do the dual authorization with the confirmation to your other email or phone number by text, so the model became what Yahoo is currently doing.
Gmail and Yahoo and Outlook.com (hotmail) were using similar models, such as a captcha entry, or you could do 2 step authorization, or you could set using an unsecure app setting (which still exists in the full yahoo security settings, but Rogers is not giving access to those options, forcing directly to the creation of the individual passkeys per device/client).
I have taken a lot of time to review how we got to here with the Auth model - it has been baked into our phones for almost 4 years now - you could bypass it by setting up your email using the other, and POP server/IMAP server, SMTP server and appropriate SSL settings if needed. But up until now Yahoo gave you the option to opt out totally (and still does, but I wouldn't be surprised if they removed the option in the future).
All major email companies were allowing for opting out by declaring your older clients as "unsecure apps", bypassing Oauth completely.
Basically they made it easy for the older client users to bypass, but never told us that we were compromising our own security. Now Yahoo has forced us in this direction, subsequently Rogers with them, and this whole business is a workaround to allow those apps to use the OAuth protocols that were added since 2013, and now OAuth2 in 2016 onwards - 2013 does not support Oauth2, only Office 365 and 2016 onwards supports it, again the reason for the workarounds.
It is a pure workaround, to get a slightly higher level of security, but definitely an awkward workaround.
As for writing down the password, there is absolutely no reason to do so. Once it is saved, you don't touch it again, unless you want to change it (good idea once in a while and yahoo actually in their system does force it at random times). You have one created passkey per device/client (on each device) so in your case, yes quite a few, but if you can create it from the member page, copy and paste into each client, or if on a computer say, copy and paste it to an email and then copy and paste it, then for security purposes, delete it.
So whether we like it or not, whether there seems to be better models, this is not a model that was created by Microsoft. After lots of research it is a movement to requiring the highest security standard for all email services and clients, with a short term compromise for older clients where we had to use passwords, and the creation of the password in the member centre creates a one time passkey to enter in the password field, once you log in the first time, that client/device combination (each client on the device), which associates that client device combination with the server and then does not let you use that passkey again for any other device.
If you lose the password somehow in your configuration, then you just go back, delete it in the member centre, and create a new one.
This is an industry wide change that most of us were unaware of. I spoke with a friend who supports on an international scale Outlook with connection to Exchange mail servers, and he said, the OAuth (first one) was implemented in 2013, and companies could choose to not use it as it was off by default on the servers and Outlook clients, but they always enforced it, then by 2016, it became required by Exchange/Outlook 2016 clients, and we have seen it on our phones for a while in the confirming the email setup through text or email. We just didn't know anything about this change, most of us (I have worked in the industry for years, but now retired from it for almost 10 years, and have followed most things, but did not know about this one at all, but did recognize that something was happening, and didn't know about the Outlook and other email client issue because I haven't used that model in 5 years now, so never knew it was happening). No reason to know.
I have yet to figure out a short way to say all this - it is definitely complex, and I am just understanding it now after a lot of calls to my past buddies and research on my own.
But to close allow me to respond to this quote from @RichardF
"Am I right that the ideal model would be a password to authenticate the client / device to the server, and then one user controlled password per account (common to all clients)?
so 4 system generated hidden passwords, and 4 user defined passwords in my case. Not 16 generated passwords that in effect are my user passwords. "
Whatever we may personally feel may be the ideal model, this is what the industry internationally came up with as a standard, and now email servers and companies are now beginning to enforce it rather than allowing for Oauth or 2 (as a user it appeared the same), a 2 step authorization, or just setting to allow use of less secure apps.
So we have no choice but to learn to use it and become comfortable, and decide whether we want implemented user control on the app level or OS level to keep prying eyes out when we step away.
In your case, your 16 individual passkeys (note I did not say passwords), are not just simple passwords, they are directly associated via security tokens with the passkey generation server, your email server and your email client - it just happens to work like your password did. That is the way it works, so what more can I say, accept that we have to learn to use it, the current steps are very clear and specific and if unsure, call tech support.
And yes, if it is the Yahoo security model laying under the member centre, you will have to have one passkey, being put in and saved in your password under your email user name, for each client/device combination.
You don't need to write it down and save it, as you will not be using it again, and even if you did, and someone tried to use it on another device, it would not work (once Rogers turns it all on). I know from testing a yahoo account, that it has to be different, and once you use that first email and passkey, if you then try to open the next one with the same passkey, it will tell you you used a one time passkey, and to go to the settings and create a new one. For that you have to know your original password you have always remembered, and changed occasionally and made strong for security.
Sometimes in technology, we just have to grin and bear it.
I will now leave it to the techs to support people who need clarification on how to set it up, and I suspect that most techs may not either know why it is this way, or don't have time to actually explain the technical parameters and the history of first its weakness and changes 3 times to its current form, and that some older apps may just plain not be compatible. It is like trying to run a MS XP - there are no security updates anymore, so it won't work with many things, or you really shouldn't do it.
Best of luck everyone, it is not far away.
Isn't change fun - not always, sometimes it can just be a pain, but some people need to put multiple locks on doors, alarms, security cameras, security patrols, depending upon the level of security you need. Our personal information requires the highest levels of security that companies provide, and companies have, for our ease far too often let us opt out of the best practices. It is long overdue to force us to take responsibility for security, because it is not just our security, but everyone's - obviously Yahoo got caught in a major situation with the major hacks and this is one of the steps they are taking.
This morning I started my PC, ran up email (Gmail and Rogers getting a normal message on each) and then, using Chrome as usual went to my first bookmark as I always do, the Canadian Government's weather site. Rogers superimposed a message on top of that site to tell me I needed to change my password etc. to go to the new scheme. One would have hoped that they would already know that and not need to send a message superimposed like that.
I assume that somewhere in these 15 pages, some answers have been found ...
After receiving these incessant emails all month, and twice wasting a lot of time trying to figure out wt* I was supposed to do at the page to which I was sent, I gave up and called Rogers.
Me: To start, I am using a desktop computer and Thunderbird for email.
Rep: DO YOU HAVE A CELL PHONE?
Rep: THEN THIS DOESN'T APPLY TO YOU.
I don't use a cell phone, I don't know what an app is, and I'm now mad as *.
NOTHING in the incessant emails says THIS APPLIES ONLY IF YOU USE A CELL PHONE.
The rep, who obviously gets a lot of calls about this, said she had sent notes to whoever is responsible for this. I said please send them again and give my name. She said do you want them to call you? I said yes. She said maybe they will call me, maybe they will fix the emails.
Yeah, right. This is Rogers.
The emails will continue until June 5.
And whoever is editing my post: please stop. I have an opinion of Rogers and I plan to state it.
Me: To start, I am using a desktop computer and Thunderbird for email.
Rep: DO YOU HAVE A CELL PHONE?
Rep: THEN THIS DOESN'T APPLY TO YOU.
I don't use a cell phone...
This is totally counter to what has been discussed in this thread and the link in post 1. I suggest that the CSR, to whom you spoke, is mistaken.
quote: This is totally counter to what has been discussed in this thread and the link in post 1. I suggest that the CSR you spoke to is mistaken.
Well, I called the dedicated number in the email, 1-866-515-3047, and spoke to someone who deals only with this subject, from what I could tell.
I guess I could plough through 15 pages of this, with all the posts about things I neither know nor care about (cell phones and apps) and from people like me who haven't read all 15 pages, and try to find what has been said that actually relates to people using desktops only. But I'll probably wait until June 5 and see whether my email access dies, and then call Rogers and scream at somebody until they fix it.