New Password Requirements and Password Reset

News about ZDoom, its child ports, or any closely related projects.
[ZDoom Home] [Documentation (Wiki)] [Official News] [Downloads] [Discord]
[🔎 Google This Site]

Moderator: GZDoom Developers

User avatar
Valherran
Posts: 1410
Joined: Tue Oct 27, 2009 12:58 pm

Re: New Password Requirements and Password Reset

Post by Valherran »

20 characters requirement is a bit excessive. If old and unused accounts were an issue, why not just lock them after x amount of time?
User avatar
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: New Password Requirements and Password Reset

Post by wildweasel »

Valherran wrote: Wed Jan 18, 2023 8:56 pm 20 characters requirement is a bit excessive. If old and unused accounts were an issue, why not just lock them after x amount of time?
That's what we have done the last 3 times, by deactivating accounts last active before a certain date. This time around, the accounts getting compromised had been last active within the last 5 months, with no password or email changes on record.
User avatar
phantombeta
Posts: 2119
Joined: Thu May 02, 2013 1:27 am
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Brazil

Re: New Password Requirements and Password Reset

Post by phantombeta »

Valherran wrote: Wed Jan 18, 2023 8:56 pm 20 characters requirement is a bit excessive. If old and unused accounts were an issue, why not just lock them after x amount of time?
They do, in fact, do exactly that. The problem is that it's not enough and spam posts are still coming through. I personally saw one recently. (someone else had already reported it but it hadn't been deleted yet)
I'm pretty sure it's also not just old accounts, either. Probably a non-zero amount of amount of LastPass users who got pwned in the breach and didn't change their passwords had their accounts here stolen too.
Another site I use has been victim to forum spam recently, and they also suspect the influx of spam comes from the LastPass breach.
Graf Zahl wrote: Wed Jan 18, 2023 2:32 pm Ideally for a password storage service it should use different passwords for accessing the account and for encrypting the stored passwords.
But at some point this whole insanity needs to stop - we really need something different to protect our online accounts than short strings of random characters.
Of course, should that ever happen we'd have to entrust even more of our lives to those godforsaken smartphones. Can we please uninvent these things...? :?
Anything would be either too complex for the average user (public key crypto through a challenge system), require costly physical devices (abusive to poor people) or just be passwords but worse.

The only more secure alternative to passwords is MFA. TOTP is perfectly good for this, and if you really hate smartphones that much, then just get something like a YubiKey, those support TOTP just fine, just like your smartphone, and can be used for that. They even have the bonus that they're dedicated devices, so someone can't just find a way to hack them directly.
Or if you're particularly paranoid and more electronics-inclined, grab some open-source single-board computer with support for acting as a USB device and build your own authenticator yourself.
User avatar
PlayerLin
Posts: 582
Joined: Sun Nov 11, 2007 4:20 am
Graphics Processor: nVidia with Vulkan support
Location: XinZhuang, XinBei/New Taipei City(Former Taipei County), Taiwan.

Re: New Password Requirements and Password Reset

Post by PlayerLin »

Since I cannot remember 20+ characters of passwords after some weeks and months(even the password is something that only myself can know...I still can forgot it totally), I let Firefox's password manager(not really trust those passwords storage websites) helped me to deal with that...at worse, just reset it if something went wrong...oh well, not big deal.
User avatar
Valherran
Posts: 1410
Joined: Tue Oct 27, 2009 12:58 pm

Re: New Password Requirements and Password Reset

Post by Valherran »

Well damn, I guess 2FA is the only way to really combat that.
User avatar
PlayerLin
Posts: 582
Joined: Sun Nov 11, 2007 4:20 am
Graphics Processor: nVidia with Vulkan support
Location: XinZhuang, XinBei/New Taipei City(Former Taipei County), Taiwan.

Re: New Password Requirements and Password Reset

Post by PlayerLin »

Valherran wrote: Wed Jan 18, 2023 9:59 pm Well damn, I guess 2FA is the only way to really combat that.
I just remembered Discord's hacks can even skip 2FA by click a server invite link and the user got hacked. Well, that's more like Discord's site problems but just saying.
User avatar
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: New Password Requirements and Password Reset

Post by wildweasel »

PlayerLin wrote: Wed Jan 18, 2023 10:22 pm
Valherran wrote: Wed Jan 18, 2023 9:59 pm Well damn, I guess 2FA is the only way to really combat that.
I just remembered Discord's hacks can even skip 2FA by click a server invite link and the user got hacked. Well, that's more like Discord's site problems but just saying.
That's because those hacks are exploiting flaws in how their client software works, and shouldn't be thought of as being the same as what we're seeing here.
User avatar
PlayerLin
Posts: 582
Joined: Sun Nov 11, 2007 4:20 am
Graphics Processor: nVidia with Vulkan support
Location: XinZhuang, XinBei/New Taipei City(Former Taipei County), Taiwan.

Re: New Password Requirements and Password Reset

Post by PlayerLin »

wildweasel wrote: Wed Jan 18, 2023 10:28 pm That's because those hacks are exploiting flaws in how their client software works, and shouldn't be thought of as being the same as what we're seeing here.
Thanks for tell me about that, good to know. I'm glad I only use web version of Discord(as I know web version is safe from those exploits but never understand how were their inner works).

--

Still, using 2FA or something like that should be better solution...longer passwords can still drove people away and never really solved the problem totally...
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49183
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

2FA will also drive people away - if not more - so you'd be between a rock and a hard place.
User avatar
neoworm
Posts: 1748
Joined: Fri Sep 23, 2005 9:17 am
Location: Czech Republic

Re: New Password Requirements and Password Reset

Post by neoworm »

This is still just a hobby forum. Excessive security is really not appropriate here.
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

Blzut3 wrote: Wed Jan 18, 2023 5:04 pm
yum13241 wrote: Wed Jan 18, 2023 3:07 pm Google Authenticator doesn't let you back up your codes. Alternatives exist though.
It does. They call it "transfer accounts" which gives a QR code you to import onto another device. Although it kind of implies it would with the name, they don't do the silly thing and auto delete the accounts from the source device so it's effectively a backup feature.
What if I reset my device? Too bad then/
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

neoworm wrote: Thu Jan 19, 2023 12:56 am This is still just a hobby forum. Excessive security is really not appropriate here.
I don't get the point here. You're probably just mad about having to have such a long password. Use a password manager. I recommend Bitwarden. You can even host it yourself. https://neoworm.bitwarden.org is a possibility.
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

Graf Zahl wrote: Thu Jan 19, 2023 12:11 am 2FA will also drive people away - if not more - so you'd be between a rock and a hard place.
Rachael also dismissed the idea due to 2 things.

1. You can't trust a random phpBB plugin.
2. She doesn't want to lock herself into phpBB.

It's sad that most websites still claim SMS 2FA is secure. No it's not.
User avatar
cyber_cool
Posts: 150
Joined: Tue Aug 13, 2019 8:40 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by cyber_cool »

yum13241 wrote: Thu Jan 19, 2023 1:42 am I don't get the point here. You're probably just mad about having to have such a long password. Use a password manager. I recommend Bitwarden. You can even host it yourself. https://neoworm.bitwarden.org is a possibility.
That's understandable. On what other website have you seen a 20+ character requirement for password, on top of using both lower and uppercase letters? I have only seen special characters requirement, and it was for a bank website (on top of 2FA of course).
That's certainly not the problem with users choosing insecure passwords.
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

At the same time it's been proven that nothing else worked.

Return to “ZDoom (and related) News”