Changing Tesla Account Password?

jpfive

Oct 31, 2019
I'm nearly two months into ownership and ready to change my Tesla password. This is how I understand the process. Go to Tesla Motor Co. website. Using account maintenance, change your password there. Next, log into the Tesla App using new password. At this point I think that fobs and key cards follow along without any additional steps. Is this correct? Are there any consequences in settings that I should anticipate?

If I was considering abandoning third party apps, I guess this would be the time to do it. I'm a little nervous about the far-reaching access given to TeslaFi once password information is passed on to them. Also Tesla Screen. Is there a way to use either without hacking exposure? Am I missing some other third party apps commonly used by our members? I know there are other discussion threads on this subject, but frankly, they have left me a little befuddled. A new look at the subject might be helpful.

Should we expect ongoing improvements in the Tesla App that would make the third party attempts superfluous? As often as our car software is updated I have not noticed any updates to the app. Thanks for your comments/help.
 
I'll plug a previous thread I started since you seem to already be thinking of its content: PSA: Don't use third-party apps and services, period.

Anyhow, yep, you've got the right idea. Just change it online. It may take a few minutes before the new password works on the smartphone app (it should log you out immediately though). I've had it not take before on the first try. Just try resetting it again (log in with your old password) if it fails to set. The only "consequence" is that all apps tied to the account should require you to re-enter the new password.

As for a way to use third party services in a safer manner... I'm working on something for that but it requires participation from each app/service. The most you can do right now is use the "token" method if they allow it instead of giving your username/password. Please don't give any of them your password directly.
 
I don’t see where giving a 3rd party app a token is really much more secure than giving them your password. The token is just another form of password and since there aren’t any permissions associated it lets them do most anything. I guess there’s probably a few account related things they can’t do like changing your password, but not much else.

Anyway, for those that want to share a token I was thinking it wouldn’t be hard to put together a simple webpage that gets a token solely with your browser and the username/password never sent anywhere other than directly to Tesla to generate the token. But I imagine someone’s already done that.

And check out TeslaMate if you haven’t already. You host it yourself so no password or token sharing.
 
BIG DIFFERENCE.
They can't change your password. They can't create tokens for others.
 
Right, but so what. With the token they can locate the car, unlock it, start it and drive away. As well as all the other controls. And all it takes is for whoever’s site has it to be compromised for this to happen.

[Edit: I just checked and I was wrong about remote start as the API requires your password for that, but not the others. So unless you have pin-to-drive enabled, they can still do the above]
 
So this:
  1. For most people to this day, they re-use passwords between websites and services. If you give someone the password for one account, you are also giving them the password to any other account where you use that password. I'm not advocating to re-use passwords, just acknowledging that is what many people do.
  2. With the password, your email and password can now be changed by someone else. Given the rest of Tesla's operation that's a bit sub-par for customer service, I wouldn't count on recovering your account for at least a couple days, if not a week or two. This is just a big inconvenience for what is probably your primary method of transportation.
 
People who re-use passwords on critical sites tend to get what they deserve.

I have some re-use on totally non-critical sites, but most of my sites have unique passwords and there are a minimum selection of sites where everyone should have unique passwords, and your Tesla account is one of them. (also banking, email, phone and credit card)
 
Right on password reuse which is probably the leading cause for people getting “hacked”. But my point was that giving someone a Tesla account token is essentially the same as giving them your password, regardless of how unique it is. Yes, there are a couple of things they can’t do with the token but for the most part they, and most importantly anyone who gets their hands on that token, can find your car and will have control over it.
 
> People who re-use passwords on critical sites tend to get what they deserve.
>
> I have some re-use on totally non-critical sites, but most of my sites have unique passwords and there are a minimum selection of sites where everyone should have unique passwords, and your Tesla account is one of them. (also banking, email, phone and credit card)

I use two password managers, one as a backup to the other. They generate, and secure, all of my critical passwords. I make up my own for non-critical sites that I have occasion to access from memory - similar to your practice.

I'll pick a nit with your first thought. Nobody 'deserves' to be hacked, though that is a foreseeable - and preventable - consequence of poor password management. Now, hackers - they 'deserve' to be outed, punished and shamed. They are no different than burglars and house invaders IMHO.
 
> Right on password reuse which is probably the leading cause for people getting “hacked”. But my point was that giving someone a Tesla account token is essentially the same as giving them your password, regardless of how unique it is. Yes, there are a couple of things they can’t do with the token but for the most part they, and most importantly anyone who gets their hands on that token, can find your car and will have control over it.

What to do, what to do. You are absolutely correct. I will really miss TeslaFi.
 
> So this:
>   1. For most people to this day, they re-use passwords between websites and services. If you give someone the password for one account, you are also giving them the password to any other account where you use that password. I'm not advocating to re-use passwords, just acknowledging that is what many people do.
>   2. With the password, your email and password can now be changed by someone else. Given the rest of Tesla's operation that's a bit sub-par for customer service, I wouldn't count on recovering your account for at least a couple days, if not a week or two. This is just a big inconvenience for what is probably your primary method of transportation.

And you can see it and still know where the car is.
 
I suppose if someone is knowledgeable enough to steal your car this way, they will know to pull out the SIM. And even without stealing the car they can simply go to it, unlock, and take anything inside or in the extreme strip it. Pin-to-drive won’t stop that. If this was a traditional car, you’ve simply told someone where to find it and given them the keys. But in this case that person could be any number of random strangers and without your knowledge.

Anyway, it sounds like you are saying this isn’t a big risk so not to worry about it. And it may not be, but each person should be informed so they can decide for themselves whether the benefit of giving the virtual car keys to someone is worth the associated risk. Credential leaks from large and small web sites are quite common these days.