What can you say? Some people truly value their own laziness and convenience over everything else and no good argument will ever be ablr to convince them that they might be wrong.
New Password Requirements and Password Reset
Moderator: GZDoom Developers
-
- Lead GZDoom+Raze Developer
- Posts: 49142
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
-
- Posts: 13736
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
If it were up to me, such people wouldn't be welcome here.Graf Zahl wrote: What can you say? Some people truly value their own laziness and convenience over everything else and no good argument will ever be ablr to convince them that they might be wrong.
It also shows that they believe anyone with a colored name here is an idiot. (spoiler alert: all of our names are colored here)Rachael wrote: And this thread has perfectly shown proof of that.
To all people who sell games here, I hope you don't complain about the new pwd reqs, because spoiler alert, $$$ requires effort. (or if you're a big corporation, some -ness )
(yes I know Rachael sells games here)
-
- Posts: 333
- Joined: Thu Feb 25, 2016 2:01 pm
Re: New Password Requirements and Password Reset
i think that next time this kinda thing happens. explain it in the password stuff or whatever. cause not knowing what's going on with no one giving any explanation is really annoying
-
- Posts: 13736
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
In a security context, telegraphing your actions often gives bad actors time to react and adapt to it, and possibly even nullify it. I had considered this, but ultimately I decided the best way to handle this was to pull the rug out from under them. Yes - that does annoy legitimate users, I am well aware of that and I regret it, but in the end it was worth it to thwart those with bad intent, both for the sake of the legitimate users, and for the site overall, making it a less valuable target (hopefully) for those who seek to do wrong.
-
- Posts: 4449
- Joined: Sun May 30, 2004 10:16 am
- Preferred Pronouns: She/Her
- Location: GNU/Hell
Re: New Password Requirements and Password Reset
I haven't screwed up typing my new long password yet.
-
- Β
- Posts: 3167
- Joined: Wed Nov 24, 2004 12:59 pm
- Graphics Processor: ATI/AMD with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
I fail to see how that's a response to what I said? You said you can't back up the codes, I said you can generate a QR code in the app to do so which is a backup. Yes, if you don't rely on the cloud then you're responsible for doing the backups yourself. That should be obvious. As you also indirectly mentioned in your post, Google Authenticator just implements the standard OTP algorithms (RFC 6238 and RFC 4226). Many cloud backed password managers do so as well and you're free to use them if you don't have the ability to manage backups yourself.
This is of course ignoring that everything with OTP should also be giving you backup recovery codes to store somewhere safe as a last resort, so there's that answer to your scenario as well.
-
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
In this scenario your account will be suspended immediately. If you care about your account, you will also reset the password when you notice it has been compromised, and undo most of the damage.wildweasel wrote: βThu Jan 19, 2023 8:49 am It's not about what information remains private. It's what information your account can be used to spew. Are you perfectly alright with your account being used to spam for crypto?
All these legitimate reasons are bullshit. Almost every other website doesn't enforce a 20+ long password. Why this forum is special?CandiceJoy wrote: βThu Jan 19, 2023 8:00 am I have personally brought up several ways to try to combat this OTHER than more complex passwords, but there are legitimate reasons why most or all of them, cannot or would not work, unfortunately leaving us with little option but to increase password complexity.
Is there a feature of selling games through zdoom forums? Very curious about that.
About project reputation, again, you can reset your password account and partially undo the damage. Considering you even will be hacked in first place.
Again, give it as an option, as a recommendation. If you are prone to be targeted due to be working on a large project or a project that involves money - better change your password. If you just have made a couple of mods that aren't very popular, or no mods at all, why will you be targeted before the former (if at all)?
Defending this change makes no sense. Any other website doesn't require such a long password, meaning there has to be something wrong with backend security for a large amount of accounts to be compromised. But you all seem to be missing that point.
-
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
This is correct...assuming, of course, that there are moderators around to take action. However, we are people too, as much as we might not like to admit it at times, which means that, unfortunately, we can't be around all the time. Believe me, we do our best and, in some cases, more. But even we need sleep sometimes, as much as we might be loathe to admit it at times. In addition, PHPBB gives us very few options to deal with this sort of issue beyond changing the password requirements. We've discussed multiple alternatives and, much to my personal dismay, every alternative would be worse for y'all, much harder to implement, or technically/financially not feasible. Trust me, I wish there were alternatives as well, but PHPBB ties our handscyber_cool wrote: βFri Jan 20, 2023 3:33 am In this scenario your account will be suspended immediately. If you care about your account, you will also reset the password when you notice it has been compromised, and undo most of the damage.
That's absolutely true, very few websites require a password 20+ characters in length. Unfortunately, most of the websites that allow shorter passwords aren't running PHPBB, which means an apples-to-apples comparison can't really be drawn. I have run PHPBB forums in the past myself and I can personally vouch for the fact that keeping them secure isn't easy in the least. I've thrown up PHPBB forums only to have them spammed with adult imagery in mere days, even with some of the more advanced security measures offered by PHPBB. It's honestly a wonder Rachael has kept these forums as secure as she has for as long as she has.cyber_cool wrote: βFri Jan 20, 2023 3:33 am All these legitimate reasons are bullshit. Almost every other website doesn't enforce a 20+ long password. Why this forum is special?
Not directly, no. But, people can and do get hired through private messages, and a compromised account can do a surprising amount of damage in a short period of time. As a web developer, I can tell you that it only takes minutes for a bot to delete an entire large account's worth of messages, possibly 10k posts or more, and you can't undo that kind of damage, not really.cyber_cool wrote: βFri Jan 20, 2023 3:33 am Is there a feature of selling games through zdoom forums? Very curious about that.
Technically correct, but in reality, not so much. You can partially undo the damage, but that part may be 1% or less depending on how big your account is, how long your posts are, how much information you posted, etc etc etc. We can suggest as much as we like but, in the end, very few people would actually do it without this change. If we don't stay on top of this, spam could very quickly bury legitimate posts and cause months worth of work for moderation staff; like I said, I've seen it happen myself. This is one reason we take compromised accounts so seriously: if we didn't, the entire forum could be overrun within hours. I seriously, honestly, truly wish I were joking or exaggerating about that, but I've had it happen to my own forums. As long as we stay on top this, though, things will be just fine. The forums I've seen get hacked didn't have these sort of password requirements, nor a difficult-to-guess question guarding signup (yes, that was back in my noob days a decade or two ago when I didn't know any better; luckily the forums that got hacked had very low populations, so the damage was minimal...which is the exact opposite of what would happen if ZDF had the same issue )cyber_cool wrote: βFri Jan 20, 2023 3:33 am About project reputation, again, you can reset your password account and partially undo the damage. Considering you even will be hacked in first place.
Again, give it as an option, as a recommendation. If you are prone to be targeted due to be working on a large project or a project that involves money - better change your password. If you just have made a couple of mods that aren't very popular, or no mods at all, why will you be targeted before the former (if at all)?
It may not make sense to you, and in truth, it may never make sense to you, though I have endeavoured to explain it to the best of my ability. I sincerely apologise for the inconvenience and grief this has caused you. It was never our intent <3 I assure you, however, that backend security is just fine. The only things we lack that the larger sites have, we cannot afford. Because ZDF sees a lot of traffic, and commercial traffic as well, we would have to use enterprise-level services to alleviate these sorts of issues, which are very expensive. In addition, there would likely be no guarantee that those services wouldn't have unintended side effects, such as banning all Russian users, which we will never want or allow, possibly even without our prior knowledge. I work in IT at my day job, and I can't tell you the number of times a company purchases a product without understanding what it will take to implement the product or what the product can actually do. You have my word, though, that if I ever become independently wealthy, I will personally do everything I can to prop up backend security.cyber_cool wrote: βFri Jan 20, 2023 3:33 am Defending this change makes no sense. Any other website doesn't require such a long password, meaning there has to be something wrong with backend security for a large amount of accounts to be compromised. But you all seem to be missing that point.
I do want to reiterate, however, that we do sincerely and honestly apologise for the inconvenience, as well as any anguish or grief it may cause you. This was never and never will be our intention. We simply wish to protect the information of our users and the security of this platform
Sincerely,
CandiceJoy
on behalf of ZDoom Moderation Team
-
- Posts: 248
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: New Password Requirements and Password Reset
Let's be serious: I have the feeling that the people complaining the loudest here are those who - to paraphrase an earlier post - still think that "memory" is the most secure password manager.
The reality is: These people are, unless kept in check by strict password requirements, the biggest thread a website can face - because they are easiest to hack.
The reality is: These people are, unless kept in check by strict password requirements, the biggest thread a website can face - because they are easiest to hack.
-
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Why not allow users to take action? You can send a e-mail notification when an account is accessed from a new IP address, and that's just one possibility.CandiceJoy wrote: βFri Jan 20, 2023 4:23 am This is correct...assuming, of course, that there are moderators around to take action.
I don't know much about PHPBB or just PHP frameworks in general, but from what I have gathered it has a handful of mods, some of them are security-oriented too.CandiceJoy wrote: βFri Jan 20, 2023 4:23 am In addition, PHPBB gives us very few options to deal with this sort of issue beyond changing the password requirements.
Even if there aren't any security changes you can do to the backend, this doesn't mean changing password requirements is the ultimate solution. Accounts can be compromised by many other ways: hacking into user's e-mail address and then resetting the password, or finding (or using existing) exploits in backend.
This isn't the only website that uses PHPBB. This is not the best source, but you can still look some of them up: https://trends.builtwith.com/websitelist/phpBBCandiceJoy wrote: βFri Jan 20, 2023 4:23 am Unfortunately, most of the websites that allow shorter passwords aren't running PHPBB
They may not have the same amount of traffic as zdoom forum has, but some come close. And, of course, no 20+ character password.
And then they proceed to discuss all the details via private messages. And after that, they send their work through private messages.CandiceJoy wrote: βFri Jan 20, 2023 4:23 am Not directly, no. But, people can and do get hired through private messages
No sane person would even do that. Doing freelance work is already like going through hell, and you imply someone is doing it through PMs on a forum.
No need, it only causes minor annoyance. It's just the fact that there is a miriad of ways to improve security and the worst possible way was chosen.CandiceJoy wrote: βFri Jan 20, 2023 4:23 am I sincerely apologise for the inconvenience and grief this has caused you.
What kind of attacks did servers suffer that you need an enterprise-grade security? For a PHPBB forum?CandiceJoy wrote: βFri Jan 20, 2023 4:23 am The only things we lack that the larger sites have, we cannot afford. Because ZDF sees a lot of traffic, and commercial traffic as well, we would have to use enterprise-level services to alleviate these sorts of issues, which are very expensive.
Can't wait.CandiceJoy wrote: βFri Jan 20, 2023 4:23 am You have my word, though, that if I ever become independently wealthy, I will personally do everything I can to prop up backend security.
-
- Posts: 13736
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
My friend, you profess simplicity - where there is none.cyber_cool wrote: βFri Jan 20, 2023 5:12 am Why not allow users to take action? You can send a e-mail notification when an account is accessed from a new IP address, and that's just one possibility.
Do you have a handy addon for this?
That ship's already sailed - we did it, it's done, there's no going back on it now. Even if there was, I strongly disagree with you, and I think you are making assumptions thinking you know my position, when you really do not.cyber_cool wrote: βFri Jan 20, 2023 5:12 am I don't know much about PHPBB or just PHP frameworks in general, but from what I have gathered it has a handful of mods, some of them are security-oriented too.
Even if there aren't any security changes you can do to the backend, this doesn't mean changing password requirements is the ultimate solution. Accounts can be compromised by many other ways: hacking into user's e-mail address and then resetting the password, or finding (or using existing) exploits in backend.
It doesn't matter. I've ran this board without security once, and woke up to 160 posts I had to disapprove for being spam. I am *NOT* doing that again.cyber_cool wrote: βFri Jan 20, 2023 5:12 am This isn't the only website that uses PHPBB. This is not the best source, but you can still look some of them up: https://trends.builtwith.com/websitelist/phpBB
Quite a stink you're raising for such a "minor annoyance." Yes there are many ways to improve security - we chose the one that works best for us with the tools and people power that we have.cyber_cool wrote: βFri Jan 20, 2023 5:12 am No need, it only causes minor annoyance. It's just the fact that there is a miriad of ways to improve security and the worst possible way was chosen.
The internet is full of daemons from compromised sources, including bot nets and worms and the like. If you have an unpatched machine spend literally 2 minutes in your router's DMZ, I guarantee it will be a zombie. Even a fully patched machine might not fare long, unless you take certain steps to close unwanted services and such. Yes, most of these are "script kiddie" bullshit scripts that run 24/7, but it doesn't matter - if an attacker (even an automated one) finds a vector they can use, they will take advantage of it immediately. Any type of forum software happens to be one of those vectors - what better way to push your grey-market dubious products than to plaster links in every possible location in order to shove your listing on top of the Google search results artificially?cyber_cool wrote: βFri Jan 20, 2023 5:12 am What kind of attacks did servers suffer that you need an enterprise-grade security? For a PHPBB forum?
----
To be clear:
We did *not* do this to annoy you. Yes, it is annoying, we realize that, but that was *not* the intent.
The intent of this was to really fuck up the day of those very compromisers and attackers. And to that end, I think I was fairly successful. Yes, it comes at a cost, but the goal was to do it in a way that legitimate users could recover from the action easily, and the bots would suffer a critical blow in their battle to take over the forum.
And I know you disagree with me on this point, but I am going to make it anyway: Security is everyone's responsibility. If you give even an inch on it, bad actors will take a mile. We would not have scammers if there weren't victims to fall for scams. We would not have phishers if there weren't people who didn't check their browser's location bar when entering their password. Etc, etc. The reason why we have such awful shit to deal with to begin with, is because people don't take it seriously enough.
-
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Well, okay, I get it, you don't consider writing something custom to resolve a security issue.
How much people are really working on backend and how much people are just writing messages in this thread justifying the decision?
Best for you, not users? I already know that.
Why would I ever put something in DMZ in first place?
That's how search engines work apparently? Amount of links on one website inflates search results for other website? Wow, I learn something every day. (Considering this attacks happen so often and in such amounts that you can't clear the forum from such spam links. Apparently it didn't happen yet.)
What doesn't matter? That other forums, somehow, achieve the same or better level of security without requiring 20+ character passwords? I am reading yet another huge reply and noone has answered this question I asked almost 3 pages above.
-
- Posts: 13736
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
If only we had 48 hours in a day or something ...cyber_cool wrote: βFri Jan 20, 2023 5:46 am Well, okay, I get it, you don't consider writing something custom to resolve a security issue.
Everyone has lives. Even among the ones we have doing backend stuff - we don't spend 24/7 here and it is unreasonable for you to ask us to. We are not your slaves.cyber_cool wrote: βFri Jan 20, 2023 5:46 am How much people are really working on backend and how much people are just writing messages in this thread justifying the decision?
So you want our moderators to burn out from being overworked doing a bunch of shit while being paid absolutely nothing? Yeah, no, I will pass on that proposal, thanks. I have a fairly happy moderator team who is able to handle *human* issues because they are not burdened spending all their time handling unapproved posts from spammers at a rate of hundreds per day, and I like to keep it that way.
You missed the entire point. The forum *is* in the DMZ.
Good to know you want the ZDoom forums to be used as a grey-market advertising area for people to push their Google search traffic. Yeah, this is really helping me to take you seriously.cyber_cool wrote: βFri Jan 20, 2023 5:46 am That's how search engines work apparently? Amount of links on one website inflates search results for other website? Wow, I learn something every day. (Considering this attacks happen so often and in such amounts that you can't clear the forum from such spam links. Apparently it didn't happen yet.)
Good for them, I guess?cyber_cool wrote: βFri Jan 20, 2023 5:46 am What doesn't matter? That other forums, somehow, achieve the same or better level of security without requiring 20+ character passwords? I am reading yet another huge reply and noone has answered this question I asked almost 3 pages above.
-
- Posts: 150
- Joined: Tue Aug 13, 2019 8:40 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Or that there are better attack targets. PHPBB has a market share of 0.2%, wordpress - 43.2% (https://w3techs.com/technologies/overvi ... management).
You wrote the same thing thrice. I know for a fact that you are not paid. But I also don't believe that every other possible solution is so hard that you are not able to implement it.Rachael wrote: βFri Jan 20, 2023 5:54 am So you want our moderators to burn out from being overworked doing a bunch of shit while being paid absolutely nothing? Yeah, no, I will pass on that proposal, thanks. I have a fairly happy moderator team who is able to handle *human* issues because they are not burdened spending all their time handling unapproved posts from spammers at a rate of hundreds per day, and I like to keep it that way.
You could, for example, make this password requirement last until you figure out how to, at least, notify users of a login attempt from other IP address. It would be understandable if it took you some time, like a month. But it would be much better than this dumpster fire.
Still no answer.