New Password Requirements and Password Reset

cyber_cool
Posts: 150
Joined: Tue Aug 13, 2019 8:40 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by cyber_cool »

yum13241 wrote: Thu Jan 19, 2023 2:31 am At the same time it's been proven that nothing else worked.
If only we were told what "else" has been tried, then there wouldn't be any doubts or complaints.
Professor Hastig
Posts: 230
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

cyber_cool wrote: Thu Jan 19, 2023 2:25 am
That's understandable. On what other website have you seen a 20+ character requirement for password, on top of using both lower and uppercase letters?

You will be seeing a lot more of this in the future. As computers get ever more powerful at running brute-force attacks, the only remedy is to make the passwords harder to crack. You either have the choice between 16 random characters or something much longer if you want security without a random garbage password. To make this clear:

If you have two passwords of the same internal complexity, one 10 characters and the other 20, the longer one won't be twice as hard to crack but n^10 times harder, where n is the size of your character set, so if you just use a normal alphabet that's 97,656,250,000,000,000 times harder!
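As an added illustration of the keyspace arithmetic in the post above (example code, not from the thread or from the forum software), the following reproduces the post's 50-character-set ratio and contrasts the 62-character set raised later in the thread at an assumed offline versus online guess rate; the guess rates are placeholders, not measurements of any real hardware.

```python
"""Brute-force keyspace arithmetic behind the "n^10 times harder" claim.

Added example: computes how many candidates an exhaustive search must
try for a given character-set size and length, the ratio between two
lengths, and a rough cracking time at an ASSUMED guess rate.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def length_ratio(charset_size: int, short_len: int, long_len: int) -> int:
    """How many times larger the keyspace is for the longer password.
    For an equal charset this equals charset_size ** (long_len - short_len)."""
    return keyspace(charset_size, long_len) // keyspace(charset_size, short_len)


def expected_crack_years(charset_size: int, length: int,
                         guesses_per_second: float) -> float:
    """Expected years to hit the password by exhaustive search at an assumed
    guess rate; on average half the keyspace must be tried."""
    expected_guesses = keyspace(charset_size, length) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The post's own figures: a 50-character set, lengths 10 and 20.
    print(length_ratio(50, 10, 20))  # 97656250000000000
    # 62-character set (digits + upper + lower) at three lengths, with a
    # constructed offline rate of 1e10 guesses/s (fast unsalted hash,
    # stolen database) versus a rate-limited online rate of 10 guesses/s.
    for length in (10, 13, 20):
        print(length, round(entropy_bits(62, length), 1),
              expected_crack_years(62, length, 1e10),
              expected_crack_years(62, length, 10))
```

The offline-versus-online gap is the crux of the disagreement that follows: the same 62^10 keyspace that is out of reach through a rate-limited login form is roughly a year of work once the hash database itself has leaked.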
yum13241
Posts: 781
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

Yep. I say use a password manager with an extremely memorable master password, but very hard to guess. I recommend bitwarden obviously. I can't trust LastPass. LessPass also seems cool, but it's the same old "randomly generate garbage passwords" thing that every corporation uses.
cyber_cool
Posts: 150
Joined: Tue Aug 13, 2019 8:40 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by cyber_cool »

Professor Hastig wrote: Thu Jan 19, 2023 2:51 am
You will be seeing a lot more of this in the future. As computers get ever more powerful to run brute force attacks the only remedy is to make the passwords harder to crack. You either have the choice between 16 random characters or something much longer if you want security without a random garbage password. To make this clear:

If you got two passwords of the same internal complexity, one is 10 characters, the other is 20, the longer one won't be twice as hard to crack but n^10 times harder, where n is the size of your character set, so if you just use a normal alphabet that's 97,656,250,000,000,000 times harder!
I don't need my password to be harder to brute-force than already impossible. 62^10 (10 digits + English alphabet, uppercase and lowercase) is more than enough. It's not brute-forced locally, which significantly limits the speed anyway (by the number of responses the server can send back). Also, most websites would make you complete a captcha or wait for a while before another password attempt, and I guess it's enforced at the REST level as well.
No one brute-forces passwords; it's easier to find an exploit in a PHP plugin, especially if it's old.
yum13241
Posts: 781
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

cyber_cool wrote: wait for a while before another password attempt
Ya ever heard of "waiting out your session token"? Yeah, that exists. It still wasn't enough.

Don't forget that hackers can use password breaches to try and guess your password.
cyber_cool wrote: Noone bruteforces passwords
Ya ever heard of rainbow tables? https://en.wikipedia.org/wiki/Rainbow_table. It's not brute forcing EVERYTHING.

Fuss:
Having a memorable pass(word/phrase) is the most important part of security. Or rather, availability is the most important part of security. If you can't remember your pass(word/phrase), then you threw the baby out with the bathwater. Now claim your Darwin award @ https://hurr-durr.cc.
Professor Hastig
Posts: 230
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

cyber_cool wrote: Thu Jan 19, 2023 3:40 am I don't need my password to be harder to brute-force than already impossible. 62^10 (10 digits + English alphabet, uppercase and lowercase) is more than enough. It's not brute-forced locally, which significantly limits the speed anyway (by the number of responses the server can send back). Also, most websites would make you complete a captcha or wait for a while before another password attempt, and I guess it's enforced at the REST level as well.
No one brute-forces passwords; it's easier to find an exploit in a PHP plugin, especially if it's old.
This site disagrees with your assessment:

https://www.quora.com/How-long-would-it ... r-password

Even if you factor in a higher per-character entropy it should be clear that 10 characters is very, very clearly not enough anymore!
cyber_cool
Posts: 150
Joined: Tue Aug 13, 2019 8:40 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by cyber_cool »

yum13241 wrote: Thu Jan 19, 2023 3:59 am Ya ever heard of "waiting out your session token"? Yeah, that exists. It still wasn't enough.

Don't forget that hackers can use password breaches to try and guess your password.
cyber_cool wrote: Noone bruteforces passwords
Ya ever heard of rainbow tables? https://en.wikipedia.org/wiki/Rainbow_table. It's not brute forcing EVERYTHING.

Fuss:
Having a memorable pass(word/phrase) is the most important part of security. Or rather, availability is the most important part of security. If you can't remember your pass(word/phrase), then you threw the baby out with the bathwater. Now claim your Darwin award @ https://hurr-durr.cc.
Rainbow tables are used when a breach has already occurred. If it did, maybe just require a password change or notify users about it? And while using a longer password increases the amount of time you need to find a reduction function, the same Wikipedia article you link suggests that you can add salt to generated hashes in order to make such an attack more difficult.

And remember that you are securing a video game forum account. Why would it require more security than a bank account?

I am not trying to tell you that having a 10 character password is a middle finger to every attack. It's just overkill trying to force a 20 characters password for something that holds little to no value.
Professor Hastig wrote: Thu Jan 19, 2023 4:04 am This site disagrees with your assessment:

https://www.quora.com/How-long-would-it ... r-password

Even if you factor in a higher per-character entropy it should be clear that 10 characters is very, very clearly not enough anymore!
A totally accurate information source you provided suggests that an 11 character password takes almost a year to brute-force (again, locally). Who would spend a year to crack a gzdoom account? (Besides, 13 characters is already more than enough. Let alone 20.)
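To illustrate the salting point made in the reply above (added example code, not from the thread; the wordlist and the users are constructed), the following builds a precomputed table over unsalted SHA-256 hashes and then shows that a per-user salt, applied here through PBKDF2 which also adds a work factor, makes that table useless and gives two users with the same password different stored hashes.

```python
"""Why a per-user salt defeats precomputed hash tables.

Added example. A rainbow table is a compressed precomputed table; this
demo uses a plain lookup dict over a CONSTRUCTED tiny wordlist, which
shows the same property: precomputation only pays off when every
account's hash is computed the same way.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a leaked-password wordlist.
WORDLIST = ["doomguy", "cacodemon", "icon0fsin", "hell0world"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords give identical hashes everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 binds the salt into the result and slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_table(words) -> dict:
    """Precomputed once, reusable against every unsalted account."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """Instant recovery if the stored hash appears in the precomputed table."""
    return table.get(stored_hash)


def verify(password: str, salt: bytes, stored_hash: str, iterations: int = 100_000) -> bool:
    """What the server does at login; constant-time compare of the recomputed hash."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored_hash)


def demo():
    table = build_table(WORDLIST)
    hit = lookup(table, unsalted_hash("cacodemon"))            # found at once
    s1, s2 = os.urandom(16), os.urandom(16)                   # one salt per user
    h1 = salted_hash("cacodemon", s1, 1000)
    h2 = salted_hash("cacodemon", s2, 1000)
    miss = lookup(table, h1)                                  # table is useless
    return hit, h1 != h2, miss, verify("cacodemon", s1, h1, 1000)
```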
Professor Hastig
Posts: 230
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

You are making a false assumption here. First, I do not know what computing power this requires, and second, this is mainly a protection against those users who reuse their passwords all over the place. Enforcing more characters makes that impossible. If people recycle a 20 character password and it is stolen off another site the chance of it getting cracked and used here is very slim. With a shorter password - not so much.
CandiceJoy
Posts: 94
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

Regarding the “just a hobby forum” thing…it’s not. I personally know several people that make money off of projects posted (or at least posted about) on here. See Hands of Necromancy, Disdain, Hedon, etc. More make money using the knowledge and skills learned here, problems fixed here, documentation and tools disseminated here, etc etc etc. For many, or most even, it is a hobby and nothing more, but for some, it is a source of income…possibly their only source of income, and it’s important to keep that in mind :)

Regarding what’s been tried before, I’m a relatively new staff member, so I don’t know all the details or anything, but I do know the question at signup was implemented to help fix the issue, and they’ve started to make it past that. I have personally brought up several ways to try to combat this OTHER than more complex passwords, but there are legitimate reasons why most or all of them, cannot or would not work, unfortunately leaving us with little option but to increase password complexity. :? That being said, we will continue to look into alternative options so long as this remains an issue, but at the present time, none appear viable :/

We honestly and sincerely do apologise for any inconvenience this causes. Rest assured that this was not done to annoy you or anything, and that we’re doing our best to try to keep your accounts and data stored on ZDoom Forums safe and secure. ^_^ <333
neoworm
Posts: 1743
Joined: Fri Sep 23, 2005 9:17 am
Location: Czech Republic

Re: New Password Requirements and Password Reset

Post by neoworm »

No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is a hobby forum with NO information that has to be protected this seriously, and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
Professor Hastig
Posts: 230
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

I sincerely hope you are just being sarcastic here. At the very least you should consider the work it means for the moderators to deal with people's laziness with their password maintenance.
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: New Password Requirements and Password Reset

Post by wildweasel »

cyber_cool wrote: Thu Jan 19, 2023 2:43 am
yum13241 wrote: Thu Jan 19, 2023 2:31 am At the same time it's been proven that nothing else worked.
If only we were told what "else" has been tried, then there wouldn't be any doubts or complaints.
This has already been explained, especially back when the incidents were still fresh - the last three times we've seen compromised accounts, we made the decision to Deactivate all accounts not active since before a certain cutoff date. This is why you may or may not have had to contact an admin to have your account Reactivated. But as the recent string of hits has shown us, the cutoff date doesn't even seem to matter, as we're seeing accounts get compromised that were active within the last few months.

Our options are fairly limited by what software and hosting we have available to us.
neoworm wrote: Thu Jan 19, 2023 8:11 am No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is a hobby forum with NO information that has to be protected this seriously, and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
It's not about what information remains private. It's what information your account can be used to spew. Are you perfectly alright with your account being used to spam for crypto?
Rachael
Posts: 13561
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

neoworm wrote: Thu Jan 19, 2023 8:11 am No, this is laughably unimportant in every conceivable way, you are just all taking yourselves way too seriously. This is a hobby forum with NO information that has to be protected this seriously, and if you actually have anything like that in your PMs you can choose to make your password stupid long. Forcing it on everybody is stupid.
One thing you absolutely fail to understand - every single time *anything* comes up - is there's a lot more to a problem or situation than you think, and you are unwilling to admit that you do not actually know every nuance or circumstance of a situation.

We're never going to see eye to eye, but you're sure as shit not going to convince us with your "factual" statements that fail to take into account anything beyond what you see or are even willing to understand. Let's make one thing clear here - your refusal to acknowledge certain facts does not magically turn them into untruths, and you still have to deal with them whether you want to or not. Sorry you don't like it, but we didn't do it to please you. (Nor did we do it to annoy you quite frankly, but your favorite thing seems to be to bitch and moan anyway, so seems we did you a favor in giving you the opportunity to do that ...)
yum13241
Posts: 781
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support
Contact:

Re: New Password Requirements and Password Reset

Post by yum13241 »

To add, @neoworm blatantly ignored what:
CandiceJoy basically wrote: People make money here.
Having someone hack such a person's account would mean that they could give the game away for free, or post an update that ruins the project's rep. Again, I don't get the fuss.

Maybe this thread needs a lock?
Rachael
Posts: 13561
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

Locking it might be a good idea later on, but not right now, let people fuss about it for a bit, at least this thread contains it in one spot, for now.