New Password Requirements and Password Reset

News about ZDoom, its child ports, or any closely related projects.
[ZDoom Home] [Documentation (Wiki)] [Official News] [Downloads] [Discord]
[🔎 Google This Site]

Moderator: GZDoom Developers

User avatar
cyber_cool
Posts: 150
Joined: Tue Aug 13, 2019 8:40 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by cyber_cool »

yum13241 wrote: ↑Thu Jan 19, 2023 2:31 am At the same time it's been proven that nothing else worked.
If only we were told what "else" have been tried, then there wouldn't be any doubts or complaints.
Professor Hastig
Posts: 255
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

cyber_cool wrote: ↑Thu Jan 19, 2023 2:25 am
That's understandable. On what other website have you seen a 20+ character requirement for password, on top of using both lower and uppercase letters?

You will be seeing a lot more of this in the future. As computers get ever more powerful to run brute force attacks the only remedy is to make the passwords harder to crack. You either have the choice between 16 random characters or something much longer if you want security without a random garbage password. To make this clear:

If you got two passwords of the same internal complexity, one is 10 characters, the other is 20, the longer one won't be twice as hard to crack but n^10 times harder, where n is the size of your character set, so if you just use a normal alphabet that's 97,656,250,000,000,000 times harder!
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

Yep. I say use a password manager with an extremely memorable master password, but very hard to guess. I recommend bitwarden obviously. I can't trust LastPass. LessPass also seems cool, but it's the same old "randomly generate garbage passwords" thing that every corporation uses.
User avatar
cyber_cool
Posts: 150
Joined: Tue Aug 13, 2019 8:40 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by cyber_cool »

Professor Hastig wrote: ↑Thu Jan 19, 2023 2:51 am
You will be seeing a lot more of this in the future. As computers get ever more powerful to run brute force attacks the only remedy is to make the passwords harder to crack. You either have the choice between 16 random characters or something much longer if you want security without a random garbage password. To make this clear:

If you got two passwords of the same internal complexity, one is 10 characters, the other is 20, the longer one won't be twice as hard to crack but n^10 times harder, where n is the size of your character set, so if you just use a normal alphabet that's 97,656,250,000,000,000 times harder!
I don't need my password to be harder to bruteforce than already impossible. 62^10 (10 digits + english alphabet, uppercase and lowercase) is more than enough. It's not bruteforced locally, which significantly limits the speed anyway (by amount of responses the server can send back). Also, most websites would make you to complete a captcha or wait for a while before another password attempt, and I guess it's enforced at REST level as well.
Noone bruteforces passwords, it's easier to find an exploit in a PHP plugin, especially if it's old.
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

cyber_cool wrote: wait for a while before another password attempt
Ya ever heard of "waiting out your session token"? Yeah, that exists. It still wasn't enough.

Don't forget that hackers can use password breaches to try and guess your password.
cyber_cool wrote: Noone bruteforces passwords
Ya ever heard of rainbow tables? https://en.wikipedia.org/wiki/Rainbow_table. It's not brute forcing EVERYTHING.

Fuss:
Spoiler:
Having a memorable pass(word/phrase) is the most important part of security. Or rather, availability is the most important part of security. If you can't remember your pass(word/phrase), then you threw the baby out with the bathwater. Now claim your Darwin award @ https://hurr-durr.cc.
Professor Hastig
Posts: 255
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

cyber_cool wrote: ↑Thu Jan 19, 2023 3:40 am I don't need my password to be harder to bruteforce than already impossible. 62^10 (10 digits + english alphabet, uppercase and lowercase) is more than enough. It's not bruteforced locally, which significantly limits the speed anyway (by amount of responses the server can send back). Also, most websites would make you to complete a captcha or wait for a while before another password attempt, and I guess it's enforced at REST level as well.
Noone bruteforces passwords, it's easier to find an exploit in a PHP plugin, especially if it's old.
This site disagrees with your assessment:

https://www.quora.com/How-long-would-it ... r-password

Even if you factor in a higher per-character entropy it should be clear that 10 characters is very, very clearly not enough anymore!
User avatar
cyber_cool
Posts: 150
Joined: Tue Aug 13, 2019 8:40 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by cyber_cool »

yum13241 wrote: ↑Thu Jan 19, 2023 3:59 am Ya ever heard of "waiting out your session token"? Yeah, that exists. It still wasn't enough.

Don't forget that hackers can use password breaches to try and guess your password.
cyber_cool wrote: Noone bruteforces passwords
Ya ever heard of rainbow tables? https://en.wikipedia.org/wiki/Rainbow_table. It's not brute forcing EVERYTHING.

Fuss:
Spoiler:
Having a memorable pass(word/phrase) is the most important part of security. Or rather, availability is the most important part of security. If you can't remember your pass(word/phrase), then you threw the baby out with the bathwater. Now claim your Darwin award @ https://hurr-durr.cc.
Rainbow tables are used when a breach has already occured. If it did, maybe just require a password change or notify users about it? And while using a longer password increases the amount of time you need to find a reduction function, the same wikipedia article you link suggests than you can add salt to generated hashes in order to make such attack more difficult.

And remember that you are securing a video game forum account. Why would it require more security than a bank account?

I am not trying to tell you that having a 10 character password is a middle finger to every attack. It's just overkill trying to force a 20 characters password for something that holds little to no value.
Professor Hastig wrote: ↑Thu Jan 19, 2023 4:04 am This site disagrees with your assessment:

https://www.quora.com/How-long-would-it ... r-password

Even if you factor in a higher per-character entropy it should be clear that 10 characters is very, very clearly not enough anymore!
A totally accurate information source you provided suggests that 11 character password takes almost a year to brute-force (again, locally). Who would spend a year to crack a gzdoom account? (Besides, 13 characters is already more than enough. Yet alone 20.).
Professor Hastig
Posts: 255
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

You are making a false assumption here. First, I do not know what computing power this requires, and second, this is mainly a protection against those users who reuse their passwords all over the place. Enforcing more characters makes that impossible. If people recycle a 20 character password and it is stolen off another site the chance of it getting cracked and used here is very slim. With a shorter password - not so much.
User avatar
CandiceJoy
Posts: 95
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

Regarding the “just a hobby forum” thing…it’s not. I personally know several people that make money off of projects posted (or at least posted about) on here. See Hands of Necromancy, Disdain, Hedon, etc. More make money using the knowledge and skills learned here, problems fixed here, documentation and tools disseminated here, etc etc etc. For many, or most even, it is a hobby and nothing more, but for some, it is a source of income…possibly their only source of income, and it’s important to keep that in mind :)

Regarding what’s been tried before, I’m a relatively new staff member, so I don’t know all the details or anything, but I do know the question at signup was implemented to help fix the issue, and they’ve started to make it past that. I have personally brought up several ways to try to combat this OTHER than more complex passwords, but there are legitimate reasons why most or all of them, cannot or would not work, unfortunately leaving us with little option but to increase password complexity. :? That being said, we will continue to look into alternative options so long as this remains an issue, but at the present time, none appear viable :/

We honestly and sincerely do apologise for any inconvenience this causes. Rest assured that this was not done to annoy you or anything, and that we’re doing our best to try to keep your accounts and data stored on ZDoom Forums safe and secure. ^_^ <333
User avatar
neoworm
Posts: 1748
Joined: Fri Sep 23, 2005 9:17 am
Location: Czech Republic

Re: New Password Requirements and Password Reset

Post by neoworm »

No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is hobby forum with NO information that has to be protected this seriously and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
Professor Hastig
Posts: 255
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

I sincerely hope you are just being sarcastic here. At the very least you should consider the work it means for the moderators to deal with people's laziness with their password maintenance.
User avatar
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: New Password Requirements and Password Reset

Post by wildweasel »

cyber_cool wrote: ↑Thu Jan 19, 2023 2:43 am
yum13241 wrote: ↑Thu Jan 19, 2023 2:31 am At the same time it's been proven that nothing else worked.
If only we were told what "else" have been tried, then there wouldn't be any doubts or complaints.
This has already been explained, especially back when the incidents were still fresh - the last three times we've seen compromised accounts, we made the decision to Deactivate all accounts not active since before a certain cutoff date. This is why you may or may not have had to contact an admin to have your account Reactivated. But as the recent string of hits has shown us, the cutoff date doesn't even seem to matter, as we're seeing accounts get compromised that were active within the last few months.

Our options are fairly limited by what software and hosting we have available to us.
neoworm wrote: ↑Thu Jan 19, 2023 8:11 am No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is hobby forum with NO information that has to be protected this seriously and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
It's not about what information remains private. It's what information your account can be used to spew. Are you perfectly alright with your account being used to spam for crypto?
User avatar
Rachael
Posts: 13793
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

neoworm wrote: ↑Thu Jan 19, 2023 8:11 am No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is hobby forum with NO information that has to be protected this seriously and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
One thing you absolutely fail to understand - every single time *anything* comes up - is there's a lot more to a problem or situation than you think, and you are unwilling to admit that you do not actually know every nuance or circumstance of a situation.

We're never going to see eye to eye, but you're sure as shit not going to convince us with your "factual" statements that fail to take into account anything beyond what you see or are even willing to understand. Let's make one thing clear here - your refusal to acknowledge certain facts does not magically turn them into untruths, and you still have to deal with them whether you want to or not. Sorry you don't like it, but we didn't do it to please you. (Nor did we do it to annoy you quite frankly, but your favorite thing seems to be to bitch and moan anyway, so seems we did you a favor in giving you the opportunity to do that ...)
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

To add, @neoworm blatantly ignored what:
CandiceJoy basically wrote: People make money here.
Having someone hack such a person's account would mean that they could give the game away for free, or post an update that ruins the project's rep. Again, I don't get the fuss.

Maybe this thread needs a lock?
User avatar
Rachael
Posts: 13793
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

Locking it might be a good idea later on, but not right now, let people fuss about it for a bit, at least this thread contains it in one spot, for now.

Return to “ZDoom (and related) News”