New Password Requirements and Password Reset
Moderator: GZDoom Developers
-
- Posts: 1407
- Joined: Tue Oct 27, 2009 12:58 pm
Re: New Password Requirements and Password Reset
A 20-character requirement is a bit excessive. If old and unused accounts were an issue, why not just lock them after x amount of time?
-
- Posts: 21706
- Joined: Tue Jul 15, 2003 7:33 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): A lot of them
- Graphics Processor: Not Listed
Re: New Password Requirements and Password Reset
That's what we have done the last 3 times, by deactivating accounts last active before a certain date. This time around, the accounts getting compromised had been last active within the last 5 months, with no password or email changes on record.
-
- Posts: 2114
- Joined: Thu May 02, 2013 1:27 am
- Operating System Version (Optional): Windows 10
- Graphics Processor: nVidia with Vulkan support
- Location: Brazil
Re: New Password Requirements and Password Reset
They do, in fact, do exactly that. The problem is that it's not enough and spam posts are still coming through. I personally saw one recently. (someone else had already reported it but it hadn't been deleted yet)
I'm pretty sure it's also not just old accounts, either. Probably a non-zero amount of LastPass users who got pwned in the breach and didn't change their passwords had their accounts here stolen too.
Another site I use has been victim to forum spam recently, and they also suspect the influx of spam comes from the LastPass breach.
Anything would be either too complex for the average user (public key crypto through a challenge system), require costly physical devices (abusive to poor people) or just be passwords but worse.
Graf Zahl wrote: ↑Wed Jan 18, 2023 2:32 pm
Ideally for a password storage service it should use different passwords for accessing the account and for encrypting the stored passwords.
But at some point this whole insanity needs to stop - we really need something different to protect our online accounts than short strings of random characters.
Of course, should that ever happen we'd have to entrust even more of our lives to those godforsaken smartphones. Can we please uninvent these things...? :?
The only more secure alternative to passwords is MFA. TOTP is perfectly good for this, and if you really hate smartphones that much, then just get something like a YubiKey, those support TOTP just fine, just like your smartphone, and can be used for that. They even have the bonus that they're dedicated devices, so someone can't just find a way to hack them directly.
Or if you're particularly paranoid and more electronics-inclined, grab some open-source single-board computer with support for acting as a USB device and build your own authenticator yourself.
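As an added example (not code from this thread, nor from GZDoom or phpBB), here is the TOTP scheme the post above recommends, written out so that both sides are visible: the authenticator side that turns a shared secret plus the current 30-second time step into a 6- or 8-digit code (RFC 4226 HOTP under RFC 6238 TOTP), and the verifier side a site would run, which tolerates a small clock-drift window and refuses to accept the same time step twice. The secret and timestamps are the published RFC 6238 test vectors; the base32 string is a constructed encoding of that same secret, as an authenticator app would receive it at enrolment.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: authenticator side and verifier side.

Added example, not code from the thread. RFC_SECRET is the RFC 6238
test-vector secret (ASCII "12345678901234567890"); RFC_SECRET_B32 is a
constructed base32 encoding of that same secret.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: base32 of RFC_SECRET


def decode_base32_secret(text: str) -> bytes:
    """Normalise an otpauth-style secret: strip spaces, upper-case, restore '=' padding."""
    s = text.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(for_time: float, step: int = 30) -> int:
    """Time step number (T0 = 0, the RFC default)."""
    return int(for_time) // step


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Authenticator side: the code the device displays for the current time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, totp_counter(for_time, step), digits, algo)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1, algo=hashlib.sha1):
    """Verifier side. Returns the matched time-step counter, or None if rejected.

    - accepts codes from `window` steps either side of now (clock drift between
      device and server)
    - skips any counter <= last_counter, the last one this account already used,
      so a captured code cannot be replayed inside the drift window
    - compares with hmac.compare_digest so timing does not leak partial matches
    """
    if for_time is None:
        for_time = time.time()
    now = totp_counter(for_time, step)
    code = str(code).strip()
    for delta in range(-window, window + 1):
        c = now + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            return c
    return None


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_B32)
    assert secret == RFC_SECRET

    # Authenticator at T=59 (RFC 6238 SHA-1 test vector, 8 digits: 94287082)
    code = totp(secret, 59, digits=8)
    print("device shows:", code)

    # Server accepts it once, records the counter, then refuses the replay
    used = verify_totp(secret, code, 59, digits=8, last_counter=-1)
    print("server accepted counter:", used)
    print("replay 11 s later:", verify_totp(secret, code, 70, digits=8, last_counter=used))
    # A fresh device that is one step slow is still accepted (drift window)
    print("one step of drift:", verify_totp(secret, code, 89, digits=8, last_counter=-1))
```

The verifier has to persist `last_counter` per account; without that, the drift window turns every code into a 90-second reusable credential, which matters when a code is phished or shoulder-surfed. The same functions cover a YubiKey's TOTP mode or a home-built authenticator, since the device only needs the secret and a clock.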
-
- Posts: 582
- Joined: Sun Nov 11, 2007 4:20 am
- Graphics Processor: nVidia with Vulkan support
- Location: XinZhuang, XinBei/New Taipei City(Former Taipei County), Taiwan.
Re: New Password Requirements and Password Reset
Since I cannot remember 20+ characters of passwords after some weeks and months (even if the password is something only I can know... I can still forget it totally), I let Firefox's password manager (I don't really trust those password storage websites) help me deal with that... at worst, just reset it if something goes wrong... oh well, not a big deal.
-
- Posts: 1407
- Joined: Tue Oct 27, 2009 12:58 pm
Re: New Password Requirements and Password Reset
Well damn, I guess 2FA is the only way to really combat that.
-
- Posts: 582
- Joined: Sun Nov 11, 2007 4:20 am
- Graphics Processor: nVidia with Vulkan support
- Location: XinZhuang, XinBei/New Taipei City(Former Taipei County), Taiwan.
-
- Posts: 21706
- Joined: Tue Jul 15, 2003 7:33 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): A lot of them
- Graphics Processor: Not Listed
Re: New Password Requirements and Password Reset
That's because those hacks are exploiting flaws in how their client software works, and shouldn't be thought of as being the same as what we're seeing here.
-
- Posts: 582
- Joined: Sun Nov 11, 2007 4:20 am
- Graphics Processor: nVidia with Vulkan support
- Location: XinZhuang, XinBei/New Taipei City(Former Taipei County), Taiwan.
Re: New Password Requirements and Password Reset
Thanks for telling me about that, good to know. I'm glad I only use the web version of Discord (as far as I know the web version is safe from those exploits, but I never understood how their inner workings were).
wildweasel wrote: ↑Wed Jan 18, 2023 10:28 pm
That's because those hacks are exploiting flaws in how their client software works, and shouldn't be thought of as being the same as what we're seeing here.
--
Still, using 2FA or something like that should be a better solution... longer passwords can still drive people away and never really solve the problem totally...
-
- Lead GZDoom+Raze Developer
- Posts: 49143
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
2FA will also drive people away - if not more - so you'd be between a rock and a hard place.
-
- Posts: 1748
- Joined: Fri Sep 23, 2005 9:17 am
- Location: Czech Republic
Re: New Password Requirements and Password Reset
This is still just a hobby forum. Excessive security is really not appropriate here.
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
What if I reset my device? Too bad then
Blzut3 wrote: ↑Wed Jan 18, 2023 5:04 pm
It does. They call it "transfer accounts", which gives you a QR code to import onto another device. Although the name kind of implies it would, they don't do the silly thing and auto-delete the accounts from the source device, so it's effectively a backup feature.
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
I don't get the point here. You're probably just mad about having to have such a long password. Use a password manager. I recommend Bitwarden. You can even host it yourself. https://neoworm.bitwarden.org is a possibility.
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
Rachael also dismissed the idea due to 2 things.
1. You can't trust a random phpBB plugin.
2. She doesn't want to lock herself into phpBB.
It's sad that most websites still claim SMS 2FA is secure. No it's not.
-
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
That's understandable. On what other website have you seen a 20+ character requirement for a password, on top of using both lower and uppercase letters? I have only seen a special characters requirement, and it was for a bank website (on top of 2FA, of course).
yum13241 wrote: ↑Thu Jan 19, 2023 1:42 am
I don't get the point here. You're probably just mad about having to have such a long password. Use a password manager. I recommend Bitwarden. You can even host it yourself. https://neoworm.bitwarden.org is a possibility.
That's certainly not the problem with users choosing insecure passwords.
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
At the same time it's been proven that nothing else worked.