Carmiq

Thank goodness for the Apple Password Generator in Safari. I find myself changing my password SO OFTEN I would be struggling to come up with yet another password. Seems like ALL the API apps cause my car to lose 20 miles of range when I give them access. If I reset my password and only sign into my iPhone Tesla app and give access to EV-FW.com I only lose 1/10th of that.

-Randy
 
Whoooaaa. I know this thread is old and the service seems dead, but I just have to bring attention to this for current readers. If anyone used this service, please change any accounts that use the same or a similar password to the one given to Carmiq (your Tesla password).

Hey everybody, thanks for your interest in Carmiq. I'm Haydn, one of the co-founders. Of course, user security is a paramount consideration of ours. The authorization process is a standard 'OAuth' that is hosted on Tesla servers. Therefore, we never have access to view/store the Tesla account credentials. When you input your account credentials, we receive the same token that provides temporary and limited access to the account. This is the same process used when you sign up to a site using Facebook or Google. While allowing users to input a token is a possibility, doing so does not actually provide any security advantages and requires users to generate their own token (through a different third-party site).

Many of Carmiq's features rely on individual data from users' Teslas, which is why we require this information to sign up. All vehicle API calls are done through the official Tesla fleet APIs, which we have been granted a license to use. Furthermore, all features/data-sharing must be explicitly opted in to by the user. Carmiq will never spam you with ads for services or share your data without your permission.

If anybody has any additional questions, please respond below or direct message me and I'll be happy to answer.
Thanks!

100% certified organic bullshit covered by words to make the user feel better. Classic.
  1. It is not the same process as the familiar "Login with Google/Facebook". I really wish it was. You don't give the third party your password in that case.
  2. There is nothing "limited" or "temporary" about the access given by the token. It is full and permanent for as long as you don't change your password.
  3. Tesla doesn't grant licenses to use their public API...
Don't fall for any company that says there is no security advantage to not handing them your password. The clear advantage is not giving them your password, which statistically you are likely to use with other accounts (you, the reader, may not, but it is very common). The token is at least unique to the Tesla API.

Thanks for the feedback. Unfortunately, Tesla has not yet developed its own authentication window. However, to clarify, allowing users to input their own tokens would not increase security. When somebody enters the credentials on the page, they are saved in local memory until the form is submitted. At that point, it is sent to Tesla which verifies and grants/denies the token. At no point is the information accessible by Carmiq. Therefore, allowing users to input their own token adds friction while creating a misleading narrative that inputting the token is more secure.

The only misleading narrative here is yours.
 
I'd like to understand your warning.

Are you saying that giving a password to a bad actor is dangerous because passwords tend to be similar or identical?
I'll agree with you there, but then giving a password of that type to anyone carries the same risk.

I did not sign up for Carmiq and I don't have any skin in this game. However, I also don't see any evidence that Carmiq is/was a bad actor. Going out of business is not a red flag.
 
Partly, yes. And you're correct that providing a password for even legitimate use would be risky in that case. The best option if you are re-using passwords is to have an account in as few places as possible, so that there's less surface area for your password to be either unintentionally leaked or maliciously retrieved.

The password carries additional risks specific to the Tesla account:
  • Remote start of the car requires the password (token alone can't do this). This lets someone drive the car without a registered key/phone.
  • Your email and password can be changed, making your account difficult to recover (this is Tesla we're dealing with, not currently known for stellar support). Could be only a couple days before your account is recovered, could be weeks.
Carmiq's statements (or whoever that person was) earlier in this thread aren't evidence per se. They do show they either misunderstand their own work (I'm not sure how they could provide a service and have this be true) or they were being intentionally misleading about the need for passwords. Neither option is all that admirable. The statements are the red flag, not the apparent lack of business.
 
Not without access to one's email. Hopefully, EVERYONE has turned on Two Factor Authentication on their email considering how many places allow you to reset your password by clicking reset and responding to an email you received, making your email a target for hackers.

Unless this was an extremely recent change, you can literally just change the email and password, no confirmation. I did it to our Tesla account (switched from my wife's email to mine and also changed the password) in one swoop and needed no confirmation from the wife's email.