New Password Requirements and Password Reset

News about ZDoom, its child ports, or any closely related projects.
[ZDoom Home] [Documentation (Wiki)] [Official News] [Downloads] [Discord]
[🔎 Google This Site]

Moderator: GZDoom Developers

yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

You need at least one uppercase letter in that bad password.
User avatar
ramon.dexter
Posts: 1562
Joined: Tue Oct 20, 2015 12:50 pm
Graphics Processor: nVidia with Vulkan support
Location: Kozolupy, Bohemia

Re: New Password Requirements and Password Reset

Post by ramon.dexter »

yum13241 wrote: Wed Jan 18, 2023 10:05 am You need at least one uppercase letter in that bad password.
Already had that. And a special characters...
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49183
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

What's up with the password enter page here? I needed 5 tries to finally get through it and it wouldn't work with Firefox's securely generated passwords, apparently they are not long enough.
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49183
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

ramon.dexter wrote: Wed Jan 18, 2023 10:02 am What about normal password and twofactor authorization?
2FA will drive away people for sure. Myself included. I find Discord's verification mails barely acceptable, but if something requires 2FA I'll be gone - with the sole exception of my online banking access. I have already quit some services once they started requiring installing shit on my smartphone.
User avatar
ramon.dexter
Posts: 1562
Joined: Tue Oct 20, 2015 12:50 pm
Graphics Processor: nVidia with Vulkan support
Location: Kozolupy, Bohemia

Re: New Password Requirements and Password Reset

Post by ramon.dexter »

Graf Zahl: well, I meant something like link sent in email, no local app in computer.
User avatar
neoworm
Posts: 1748
Joined: Fri Sep 23, 2005 9:17 am
Location: Czech Republic

Re: New Password Requirements and Password Reset

Post by neoworm »

20 characters is just stupid, like that will stop database breaches. It just makes the password unwieldly for use.
User avatar
ramon.dexter
Posts: 1562
Joined: Tue Oct 20, 2015 12:50 pm
Graphics Processor: nVidia with Vulkan support
Location: Kozolupy, Bohemia

Re: New Password Requirements and Password Reset

Post by ramon.dexter »

No, 20 characters is just too long to remember. And yes, I come from the old times where the password manager was called 'memory'.
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49183
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

Of course you can remember 20 character passwords, just use passphrases, like "IAmTooLazyToRememberMyPasswords00"
(Ok, that one's not secure anymore now that I posted it, but I hope you get the idea.)

Also, the old times when the password manager was called "memory" is precisely where all these insecure passwords come from that occasionally get hacked.
It's still a lot easier to remember a handful of words than a random sequence of characters.
User avatar
neoworm
Posts: 1748
Joined: Fri Sep 23, 2005 9:17 am
Location: Czech Republic

Re: New Password Requirements and Password Reset

Post by neoworm »

That too. A short sentence is better than number. I hate when pages want upper, lower, special and number, but don't let you have a whitespace.
Kzer-Za
Posts: 516
Joined: Sat Aug 19, 2017 11:52 pm
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Kzer-Za »

Graf Zahl wrote: Wed Jan 18, 2023 10:33 am 2FA will drive away people for sure. Myself included. I find Discord's verification mails barely acceptable, but if something requires 2FA I'll be gone - with the sole exception of my online banking access. I have already quit some services once they started requiring installing shit on my smartphone.
I couldn't agree more!
User avatar
ramon.dexter
Posts: 1562
Joined: Tue Oct 20, 2015 12:50 pm
Graphics Processor: nVidia with Vulkan support
Location: Kozolupy, Bohemia

Re: New Password Requirements and Password Reset

Post by ramon.dexter »

Graf Zahl wrote: Wed Jan 18, 2023 10:45 am Of course you can remember 20 character passwords, just use passphrases, like "IAmTooLazyToRememberMyPasswords00"
(Ok, that one's not secure anymore now that I posted it, but I hope you get the idea.)
Thanks, that's actually good point.
User avatar
Caligari87
Admin
Posts: 6191
Joined: Thu Feb 26, 2004 3:02 pm
Preferred Pronouns: He/Him

Re: New Password Requirements and Password Reset

Post by Caligari87 »

Longer actually is better when it comes to passwords.

If the password database is stored correctly, all that leaks would be an encrypted table of hashed/encrypted passwords. The longer those passwords are, the longer it'll take to brute-force them into plaintext. Each additional character adds an exponential amount of complexity. This is where most leaks come from.

Compromised accounts on this forum are coming from people who use old, insecure passwords which bots already have in The Big List Of Cracked Common Passwords And Usernames. This makes it a lot easier for a bot to just try a bunch, especially if that person used the same password on other sites that were already leaked and cracked. By making our requirement longer than other sides, it's less likely that the same password gets reused.

Phrase-based passwords are... fine. Unfortunately they're also a known factor in password cracking, meaning that it's possible to attack them by simply listing a bunch of words from the dictionary together, so CorrectHorseBatteryStaple, although technically 25 characters, is actually more like a 4-character password where the number of possible "letters" is "semi-common english words".

These days, some kind of password manager is pretty much a necessity. Most browsers (and mobile platforms) actually have good built-in ones, so there's no need to use 3rd-party databases and paid apps like LastPass unless you want extra features. Generating passwords can be done easily with various free services (which avoids the problem like we've seen here that FireFox doesn't generate enough characters and isn't customizable). That said, I do like LessPass because it allows algorithmically generating passwords on-the-fly using some "master password" as a hash, so you really only need to remember one password, and it doesn't need to keep a database either. PasswordCard is also a very good choice if you like physical reminders but still want to practice proper security.

I wouldn't mind 2A support if it's optional. OAuth is an open free standard so there's plenty of one-time-code generators which don't have any sort of tracking or online database features, you don't need to use Google Authenticator or the like.

8-)
User avatar
armymen12002003
Posts: 1420
Joined: Wed Jun 01, 2011 10:25 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Castle Wolfenstein

Re: New Password Requirements and Password Reset

Post by armymen12002003 »

This seems to be a good idea i myself make it a point for me to change my passwords once a year only thing i have a gripe with is the 20 character long password generator lol
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49183
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

Caligari87 wrote: Wed Jan 18, 2023 11:39 am Phrase-based passwords are... fine. Unfortunately they're also a known factor in password cracking, meaning that it's possible to attack them by simply listing a bunch of words from the dictionary together, so CorrectHorseBatteryStaple, although technically 25 characters, is actually more like a 4-character password where the number of possible "letters" is "semi-common english words".
That might be true if there were merely 50 or 60 English words. But even with an available dictionary of just 1000 words a 4 word passphrase would have 1000 * 1000 * 1000 * 1000 permutations. This will far more quickly explode into unmaintainable dimensions than short words. Add one word that makes sense only to you and it's gonna be even harder to crack it with a brute force dictionary attack
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

especially if the word isn't in the dictionary, or an acronym you made up.
Caligari67 wrote: Longer actually is better when it comes to passwords.
If you cannot remember your password then it doesn't matter how long it is. And don't say "the password manager will!". Maybe I need to login to smth critical on a new device. (I bought it new) if I can't remember it then I'm locked out.

Return to “ZDoom (and related) News”