New Password Requirements and Password Reset

News about ZDoom, its child ports, or any closely related projects.
[ZDoom Home] [Documentation (Wiki)] [Official News] [Downloads] [Discord]
[🔎 Google This Site]

Moderator: GZDoom Developers

User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49177
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

Very true indeed. Also, since "security" has become so important I am constantly having problems signing into my accounts when I am away from home. The services see I am logging in from an unknown location and then try to contact me via means I cannot access because they ALSO want a 2FA which I cannot access because... So I'm stuck with this insanity that virtually forces me to carry around a smartphone all the time which I don't want to do because I consider smartphones the ultimately insecure devices.

Can someone please end this nonsense?
User avatar
eharper256
Posts: 1060
Joined: Sun Feb 25, 2018 2:30 am
Location: UK

Re: New Password Requirements and Password Reset

Post by eharper256 »

All I can say to this is WTF.

20 characters is mental; I use various character names from obscure sci-fi novels I have written in the past and none reach 20 characters. How the heck is anyone meant to remember a phrase that long?!?

I work for the government and only need to use 12 characters including a number and symbol. Password managers are nonsense, I don't wish to use random noise. All this means is that I have to save my password under the notes on my bookmark for the site. -_-'
User avatar
Rowsol
Posts: 975
Joined: Wed Mar 06, 2013 5:31 am

Re: New Password Requirements and Password Reset

Post by Rowsol »

I would've preferred to opt out. If I want my password to be weak, let me.
User avatar
Chris
Posts: 2954
Joined: Thu Jul 17, 2003 12:07 am
Graphics Processor: ATI/AMD with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by Chris »

yum13241 wrote: Wed Jan 18, 2023 8:26 am The most important part of security is availability. If you can't remember the password, it's useless. I recommend BitWarden as a good password manager.
I would avoid online password managers. People looking to get a bunch of passwords to crack will target them as they have many users, so just getting that one database will get passwords for many people and many sites. In fact, there's another site that had a recent deluge of spammers on compromised accounts, where it seems those accounts were using LastPass to store their passwords. That got hacked back in December, so it's open season on all those passwords and accounts. Doesn't matter how secure the password itself may be if it's stored somewhere that is a prime target for hackers.

Having a local password manager would be safer, since it then depends on your machine specifically being compromised (definitely not impossible, but online password managers will be juicier targets than some random person).
User avatar
CandiceJoy
Posts: 95
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

Chris wrote: Wed Jan 18, 2023 1:45 pm
yum13241 wrote: Wed Jan 18, 2023 8:26 am The most important part of security is availability. If you can't remember the password, it's useless. I recommend BitWarden as a good password manager.
I would avoid online password managers. People looking to get a bunch of passwords to crack will target them as they have many users, so just getting that one database will get passwords for many people and many sites. In fact, there's another site that had a recent deluge of spammers on compromised accounts, where it seems those accounts were using LastPass to store their passwords. That got hacked back in December, so it's open season on all those passwords and accounts. Doesn't matter how secure the password itself may be if it's stored somewhere that is a prime target for hackers.

Having a local password manager would be safer, since it then depends on your machine specifically being compromised (definitely not impossible, but online password managers will be juicier targets than some random person).
As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them :P
User avatar
Ihavequestions
Posts: 168
Joined: Mon Jul 12, 2021 1:45 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by Ihavequestions »

Graf Zahl wrote: Wed Jan 18, 2023 12:49 pmAlso, since "security" has become so important I am constantly having problems signing into my accounts when I am away from home. The services see I am logging in from an unknown location and then try to contact me via means I cannot access because they ALSO want a 2FA which I cannot access because... So I'm stuck with this insanity that virtually forces me to carry around a smartphone all the time which I don't want to do because I consider smartphones the ultimately insecure devices.
THIS.

The whole 2FA madness is the main reason why I have two smartphones using two different carrier services. It's always good to have a backup, anyway, but due to 2FA, you are completely lost without even if everything works fine otherwise.
User avatar
Chris
Posts: 2954
Joined: Thu Jul 17, 2003 12:07 am
Graphics Processor: ATI/AMD with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by Chris »

CandiceJoy wrote: Wed Jan 18, 2023 1:50 pm As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them :P
I heard you like passwords, so I put passwords in your passwords. Then you use a password to protect your passwords, which itself then needs to be managed like any other password. That just seems to be kicking the can down the road, but worse, since now it's as if you have the same password for everything; once that one master password is hacked, all your other passwords are free for the taking.
User avatar
CandiceJoy
Posts: 95
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

Chris wrote: Wed Jan 18, 2023 1:58 pm
CandiceJoy wrote: Wed Jan 18, 2023 1:50 pm As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them :P
I heard you like passwords, so I put passwords in your passwords. Then you use a password to protect your passwords, which itself then needs to be managed like any other password. That just seems to be kicking the can down the road, but worse, since now it's as if you have the same password for everything; once that one master password is hacked, all your other passwords are free for the taking.
The master password should be something very secure and something you can remember. Yes, the idea is that it takes the place of all your other passwords, effectively, but it should also be a very secure password. If it’s remotely decent, the only way anyone is getting it is through phishing or if you tell them or something like that. :P
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49177
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

Ideally for a password storage service it should use different passwords for accessing the account and for encrypting the stored passwords.
But at some point this whole insanity needs to stop - we really need something different to protect our online accounts than short strings of random characters.
Of course, should that ever happen we'd have to entrust even more of our lives to those godforsaken smartphones. Can we please uninvent these things...? :?
User avatar
Caligari87
Admin
Posts: 6190
Joined: Thu Feb 26, 2004 3:02 pm
Preferred Pronouns: He/Him

Re: New Password Requirements and Password Reset

Post by Caligari87 »

Hardware USB keys are a thing. That's literally the only other possible option I can imagine to replace passwords, besides biometrics.

(I'm sure y'all would love biometrics for logging into random internet sites, right?)

8-)
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

SMS 2FA is the WORST 2FA. Reason? Port out attacks.

Google Authenticator doesn't let you back up your codes. Alternatives exist though.

So 2FA kinda sucks, let alone 3FA.

Just use a passphrase, like "iHaveABrutalDoomAddiction666!" (that isn't a good idea to use since I posted it)

IMO, this insanity needs to calm down.
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49177
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

I'd opt out of 2FA if I could, but ever more services want to enforce it. So my Google mail account is linked to my Outlook mail account, but I obviously cannot do the reverse so I have to link it to SMS. To add insult to injury, my trusty old smartphone broke down a few weeks ago - and it uses an old large format SIM card which does not fit into modern phones, so I'm shut out of nearly everything because I need 2FA to access stuff but cannot get it changed without authorizing it with the defunct phone. It's a total shitfight.

And I seriously doubt that all this shit is safer than when I had my banking TAN numbers on a sheet of paper. But that one just worked, unlike 'secure' alternatives.
Blzut3
 
 
Posts: 3178
Joined: Wed Nov 24, 2004 12:59 pm
Graphics Processor: ATI/AMD with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by Blzut3 »

yum13241 wrote: Wed Jan 18, 2023 3:07 pm Google Authenticator doesn't let you back up your codes. Alternatives exist though.
It does. They call it "transfer accounts" which gives a QR code you to import onto another device. Although it kind of implies it would with the name, they don't do the silly thing and auto delete the accounts from the source device so it's effectively a backup feature.
User avatar
AFADoomer
Posts: 1337
Joined: Tue Jul 15, 2003 4:18 pm

Re: New Password Requirements and Password Reset

Post by AFADoomer »

My browser still tries to auto-fill my original three-character password from 2003... That I think was originally my notgod password, but... Is that bad? :shock: :D

EDIT: Oh God, I'm old.
User avatar
Ihavequestions
Posts: 168
Joined: Mon Jul 12, 2021 1:45 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by Ihavequestions »

Blzut3 wrote: Wed Jan 18, 2023 5:04 pm
yum13241 wrote: Wed Jan 18, 2023 3:07 pm Google Authenticator doesn't let you back up your codes. Alternatives exist though.
It does. They call it "transfer accounts" which gives a QR code you to import onto another device. Although it kind of implies it would with the name, they don't do the silly thing and auto delete the accounts from the source device so it's effectively a backup feature.
Good to know. Authenticator is my single biggest point of concern when moving to a new phone.

Return to “ZDoom (and related) News”