If only we were told what "else" has been tried, then there wouldn't be any doubts or complaints.
New Password Requirements and Password Reset
Moderator: GZDoom Developers
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
- Posts: 255
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: New Password Requirements and Password Reset
cyber_cool wrote: ↑Thu Jan 19, 2023 2:25 am
That's understandable. On what other website have you seen a 20+ character requirement for a password, on top of using both lower and uppercase letters?
You will be seeing a lot more of this in the future. As computers get ever more powerful to run brute force attacks the only remedy is to make the passwords harder to crack. You either have the choice between 16 random characters or something much longer if you want security without a random garbage password. To make this clear:
If you have two passwords of the same internal complexity, one is 10 characters, the other is 20, the longer one won't be twice as hard to crack but n^10 times harder, where n is the size of your character set, so if you just use a normal alphabet that's 97,656,250,000,000,000 times harder!
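An added worked example (not code from the thread) of the search-space arithmetic in the post above and of the online-versus-offline guessing rates argued over later in the thread. The n^10 figure quoted above equals 50^10; the guess rates below are constructed assumptions, not measurements.

```python
# Added example: brute-force search-space arithmetic behind the "n^10 times
# harder" claim, plus worst-case exhaust times under two attacker models.
# Guess rates are constructed assumptions for illustration only.

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def length_ratio(charset_size: int, short_len: int, long_len: int) -> int:
    """Factor by which the keyspace grows going from short_len to long_len."""
    return keyspace(charset_size, long_len) // keyspace(charset_size, short_len)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


# Constructed rates: an online attacker throttled by the server (a few guesses
# per second) versus an offline attacker holding stolen hashes of a fast,
# unsalted hash function (on the order of 1e10 guesses per second).
ONLINE_RATE = 10.0
OFFLINE_FAST_HASH_RATE = 1e10

if __name__ == "__main__":
    # 10 -> 20 characters multiplies the keyspace by n^10; n = 50 reproduces
    # the figure quoted in the thread.
    print(length_ratio(50, 10, 20))  # 97656250000000000
    # The 62^10 keyspace (digits plus upper/lower case) under each model.
    for rate in (ONLINE_RATE, OFFLINE_FAST_HASH_RATE):
        print(f"{rate:.0e} guesses/s: {years_to_exhaust(62, 10, rate):.3g} years")
```

The same 62^10 keyspace that is out of reach through a rate-limited login form falls in a few years once the hashes are offline, which is why the two sides of the thread reach different conclusions from the same numbers.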
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
Yep. I say use a password manager with an extremely memorable master password, but very hard to guess. I recommend bitwarden obviously. I can't trust LastPass. LessPass also seems cool, but it's the same old "randomly generate garbage passwords" thing that every corporation uses.
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Professor Hastig wrote: ↑Thu Jan 19, 2023 2:51 am
You will be seeing a lot more of this in the future. As computers get ever more powerful to run brute force attacks the only remedy is to make the passwords harder to crack. You either have the choice between 16 random characters or something much longer if you want security without a random garbage password. To make this clear:
If you have two passwords of the same internal complexity, one is 10 characters, the other is 20, the longer one won't be twice as hard to crack but n^10 times harder, where n is the size of your character set, so if you just use a normal alphabet that's 97,656,250,000,000,000 times harder!
I don't need my password to be harder to bruteforce than already impossible. 62^10 (10 digits + english alphabet, uppercase and lowercase) is more than enough. It's not bruteforced locally, which significantly limits the speed anyway (by the number of responses the server can send back). Also, most websites would make you complete a captcha or wait for a while before another password attempt, and I guess it's enforced at the REST level as well.
No one bruteforces passwords, it's easier to find an exploit in a PHP plugin, especially if it's old.
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
cyber_cool wrote: wait for a while before another password attempt
Ya ever heard of "waiting out your session token"? Yeah, that exists. It still wasn't enough.
Don't forget that hackers can use password breaches to try and guess your password.
cyber_cool wrote: No one bruteforces passwords
Ya ever heard of rainbow tables? https://en.wikipedia.org/wiki/Rainbow_table. It's not brute forcing EVERYTHING.
Fuss:
Spoiler: Having a memorable pass(word/phrase) is the most important part of security. Or rather, availability is the most important part of security. If you can't remember your pass(word/phrase), then you threw the baby out with the bathwater. Now claim your Darwin award @ https://hurr-durr.cc.
- Posts: 255
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: New Password Requirements and Password Reset
cyber_cool wrote: ↑Thu Jan 19, 2023 3:40 am
I don't need my password to be harder to bruteforce than already impossible. 62^10 (10 digits + english alphabet, uppercase and lowercase) is more than enough. It's not bruteforced locally, which significantly limits the speed anyway (by the number of responses the server can send back). Also, most websites would make you complete a captcha or wait for a while before another password attempt, and I guess it's enforced at the REST level as well.
No one bruteforces passwords, it's easier to find an exploit in a PHP plugin, especially if it's old.
This site disagrees with your assessment:
https://www.quora.com/How-long-would-it ... r-password
Even if you factor in a higher per-character entropy it should be clear that 10 characters is very, very clearly not enough anymore!
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
yum13241 wrote: ↑Thu Jan 19, 2023 3:59 am
Ya ever heard of "waiting out your session token"? Yeah, that exists. It still wasn't enough.
Don't forget that hackers can use password breaches to try and guess your password.
cyber_cool wrote: No one bruteforces passwords
Ya ever heard of rainbow tables? https://en.wikipedia.org/wiki/Rainbow_table. It's not brute forcing EVERYTHING.
Fuss:
Spoiler: Having a memorable pass(word/phrase) is the most important part of security. Or rather, availability is the most important part of security. If you can't remember your pass(word/phrase), then you threw the baby out with the bathwater. Now claim your Darwin award @ https://hurr-durr.cc.
Rainbow tables are used when a breach has already occurred. If it did, maybe just require a password change or notify users about it? And while using a longer password increases the amount of time you need to find a reduction function, the same Wikipedia article you link suggests that you can add salt to generated hashes in order to make such an attack more difficult.
And remember that you are securing a video game forum account. Why would it require more security than a bank account?
I am not trying to tell you that having a 10 character password is a middle finger to every attack. It's just overkill trying to force a 20 character password for something that holds little to no value.
Professor Hastig wrote: ↑Thu Jan 19, 2023 4:04 am
This site disagrees with your assessment:
https://www.quora.com/How-long-would-it ... r-password
Even if you factor in a higher per-character entropy it should be clear that 10 characters is very, very clearly not enough anymore!
A totally accurate information source you provided suggests that an 11 character password takes almost a year to brute-force (again, locally). Who would spend a year to crack a gzdoom account? (Besides, 13 characters is already more than enough, let alone 20.)
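An added illustration of the salting point raised in the reply above (not code from the thread or from the forum software): a per-user salt makes a precomputed hash table useless, and a rainbow table is just a space-compressed form of such a table. The wordlist, passwords and salts are constructed sample values.

```python
# Added example: precomputed hash lookup versus per-user salting.
# SHA-256 is used only to keep the example dependency-free; real password
# storage should use a slow, salted KDF (bcrypt, scrypt or Argon2).
import hashlib
import os
from typing import Dict, List, Optional, Tuple


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored next to the hash; it need not be secret, only unique per user.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(candidates: List[str]) -> Dict[str, str]:
    """hash -> password table an attacker computes once, before any breach."""
    return {unsalted_hash(p): p for p in candidates}


def recover_with_table(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Instant lookup; succeeds only if the stored hash was computed without a salt."""
    return table.get(stored_hash)


CANDIDATES = ["password", "doomguy1993", "letmein", "hunter2"]  # constructed wordlist


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Same weak password stored two ways; only the unsalted one is found in the table."""
    table = build_lookup_table(CANDIDATES)
    unsalted = unsalted_hash("doomguy1993")
    salted = salted_hash("doomguy1993", os.urandom(16))
    return recover_with_table(table, unsalted), recover_with_table(table, salted)


if __name__ == "__main__":
    print(demo())  # ('doomguy1993', None)
```

With a unique salt per account the attacker must redo the whole candidate list per user rather than once for the entire dump, which is the extra cost the Wikipedia article refers to.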
- Posts: 255
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: New Password Requirements and Password Reset
You are making a false assumption here. First, I do not know what computing power this requires, and second, this is mainly a protection against those users who reuse their passwords all over the place. Enforcing more characters makes that impossible. If people recycle a 20 character password and it is stolen off another site the chance of it getting cracked and used here is very slim. With a shorter password - not so much.
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
Regarding the “just a hobby forum” thing…it’s not. I personally know several people that make money off of projects posted (or at least posted about) on here. See Hands of Necromancy, Disdain, Hedon, etc. More make money using the knowledge and skills learned here, problems fixed here, documentation and tools disseminated here, etc etc etc. For many, or most even, it is a hobby and nothing more, but for some, it is a source of income…possibly their only source of income, and it’s important to keep that in mind.
Regarding what’s been tried before, I’m a relatively new staff member, so I don’t know all the details or anything, but I do know the question at signup was implemented to help fix the issue, and they’ve started to make it past that. I have personally brought up several ways to try to combat this OTHER than more complex passwords, but there are legitimate reasons why most or all of them, cannot or would not work, unfortunately leaving us with little option but to increase password complexity. That being said, we will continue to look into alternative options so long as this remains an issue, but at the present time, none appear viable :/
We honestly and sincerely do apologise for any inconvenience this causes. Rest assured that this was not done to annoy you or anything, and that we’re doing our best to try to keep your accounts and data stored on ZDoom Forums safe and secure. ^_^ <333
- Posts: 1748
- Joined: Fri Sep 23, 2005 9:17 am
- Location: Czech Republic
Re: New Password Requirements and Password Reset
No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is a hobby forum with NO information that has to be protected this seriously and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
- Posts: 255
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: New Password Requirements and Password Reset
I sincerely hope you are just being sarcastic here. At the very least you should consider the work it means for the moderators to deal with people's laziness with their password maintenance.
- Posts: 21706
- Joined: Tue Jul 15, 2003 7:33 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): A lot of them
- Graphics Processor: Not Listed
Re: New Password Requirements and Password Reset
cyber_cool wrote: ↑Thu Jan 19, 2023 2:43 am
If only we were told what "else" has been tried, then there wouldn't be any doubts or complaints.
This has already been explained, especially back when the incidents were still fresh - the last three times we've seen compromised accounts, we made the decision to Deactivate all accounts not active since before a certain cutoff date. This is why you may or may not have had to contact an admin to have your account Reactivated. But as the recent string of hits has shown us, the cutoff date doesn't even seem to matter, as we're seeing accounts get compromised that were active within the last few months.
Our options are fairly limited by what software and hosting we have available to us.
neoworm wrote: ↑Thu Jan 19, 2023 8:11 am
No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is a hobby forum with NO information that has to be protected this seriously and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
It's not about what information remains private. It's what information your account can be used to spew. Are you perfectly alright with your account being used to spam for crypto?
- Posts: 13793
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
neoworm wrote: ↑Thu Jan 19, 2023 8:11 am
No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is a hobby forum with NO information that has to be protected this seriously and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
One thing you absolutely fail to understand - every single time *anything* comes up - is there's a lot more to a problem or situation than you think, and you are unwilling to admit that you do not actually know every nuance or circumstance of a situation.
We're never going to see eye to eye, but you're sure as shit not going to convince us with your "factual" statements that fail to take into account anything beyond what you see or are even willing to understand. Let's make one thing clear here - your refusal to acknowledge certain facts does not magically turn them into untruths, and you still have to deal with them whether you want to or not. Sorry you don't like it, but we didn't do it to please you. (Nor did we do it to annoy you quite frankly, but your favorite thing seems to be to bitch and moan anyway, so seems we did you a favor in giving you the opportunity to do that ...)
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
To add, @neoworm blatantly ignored what:
CandiceJoy basically wrote: People make money here.
Having someone hack such a person's account would mean that they could give the game away for free, or post an update that ruins the project's rep. Again, I don't get the fuss.
Maybe this thread needs a lock?
- Posts: 13793
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
Locking it might be a good idea later on, but not right now, let people fuss about it for a bit, at least this thread contains it in one spot, for now.