New Password Requirements and Password Reset

News about ZDoom, its child ports, or any closely related projects.

Moderator: GZDoom Developers

Rachael
Posts: 13793
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

cyber_cool wrote: ↑Fri Jan 20, 2023 6:04 am Or that there are better attack targets. PHPBB has a market share of 0.2%, wordpress - 43.2% (https://w3techs.com/technologies/overvi ... management).
ZDoom is a target by traffic, alone. I'm not here to explain myself to you, and yet I've done the best I could anyway in that regard - if you still can't understand that, then this is a lost cause.
cyber_cool wrote: ↑Fri Jan 20, 2023 6:04 am You wrote the same thing thrice. I know for a fact that you are not paid. But I also don't believe that every other possible solution is so hard that you are not able to implement it.
You could, for example, make this password requirement last until you figure out how to, at least, notify users of a login attempt from another IP address. It would be understandable if it took you some time, like a month. But it would be much better than this dumpster fire.
Nobody here is on your time table. If it's that important to you, hire someone to write an addon for it, and then get them to submit it here ---> https://www.phpbb.com/customise/db/extensions-36
After it's been reviewed by the phpBB team and it's been reviewed by several other board owners, I might consider it.
cyber_cool wrote: ↑Fri Jan 20, 2023 6:04 am Still no answer.
What is the point you're trying to make, anyway? I'm not going to play games with you. If you're trying to say something, just say it.
CandiceJoy
Posts: 95
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

cyber_cool wrote: ↑Fri Jan 20, 2023 6:04 am I also don't believe that every other possible solution is so hard that you are not able to implement it.
Here's the thing -- you don't have to believe it for it to be true. Truth is funny like that.
cyber_cool wrote: ↑Fri Jan 20, 2023 6:04 am You could, for example, make this password requirement last until you figure out how to, at least, notify users of a login attempt from another IP address. It would be understandable if it took you some time, like a month. But it would be much better than this dumpster fire.
Anything we do -- literally anything -- will be seen as a dumpster fire by some, that's been proven time and again :)
cyber_cool wrote: ↑Fri Jan 20, 2023 6:04 am
Rachael wrote: ↑Fri Jan 20, 2023 5:54 am Good for them, I guess?
Still no answer.
See, we don't actually owe you an answer, nor are we obligated to provide one and, when it comes to matters of security, we actually *SHOULDN'T*. We've engaged thus far in an attempt to help you understand, but it seems that's not going to work, so there's really no point in continuing to argue ^_^
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: New Password Requirements and Password Reset

Post by wildweasel »

cyber_cool wrote: ↑Fri Jan 20, 2023 3:33 am
wildweasel wrote: ↑Thu Jan 19, 2023 8:49 am It's not about what information remains private. It's what information your account can be used to spew. Are you perfectly alright with your account being used to spam for crypto?
In this scenario your account will be suspended immediately. If you care about your account, you will also reset the password when you notice it has been compromised, and undo most of the damage.
Somebody has likely already replied to this part of the message by now, since I see the thread has flared up since I've slept, but I want to call attention to the "immediately" part - do you know how these accounts need to get suspended? This is something we have to do manually, when we see it. As many moderators and admins are on this site, we still don't have an all-encompassing, 24-hour response team that can handle that instantly, and we don't always see these things right away. "Well, check the forums more often!" somebody might say - nobody here's being paid to do any of that and there are other, far more pressing responsibilities to life than monitoring a forum, All The Time.
neoworm
Posts: 1748
Joined: Fri Sep 23, 2005 9:17 am
Location: Czech Republic

Re: New Password Requirements and Password Reset

Post by neoworm »

I won't be reading the rest of this but I will state the following. My bank doesn't need 20 character long password, but a 25+ years old game fan forum does. That is the state of things. Anything you say doesn't change the fact that you are taking yourselves too seriously and it definitely doesn't make you look good. It makes you look like a bunch of self obsessed tools.

[User was temp-banned for 2 weeks, *and warned*, for this post. -mgmt]
phantombeta
Posts: 2119
Joined: Thu May 02, 2013 1:27 am
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Brazil

Re: New Password Requirements and Password Reset

Post by phantombeta »

neoworm wrote: ↑Fri Jan 20, 2023 10:21 am I won't be reading the rest of this but I will state the following. My bank doesn't need 20 character long password, but a 25+ years old game fan forum does. That is the state of things. Anything you say doesn't change the fact that you are taking yourselves too seriously and it definitely doesn't make you look good. It makes you look like a bunch of self obsessed tools.
The only self-obsessed tool here is you, buddy. The forum kept getting filled with spam- I've personally been here back through the periods where Off-topic and the wiki would randomly get absolutely plastered with spam links by bots. This was done to deal with that.
Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49183
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

If I could I'd restrict passwords for those truly obnoxious individuals to be at least 40 characters, each one different. Too bad that the software has no special mode for these people to REALLY annoy them! :twisted:

BTW, I still remember many years ago when Vavoom was still a thing but its developer mostly absent that the first page of every subforum consisted solely of spam!
And if you have a look at the moderator logs you'll see that most spam comes through compromised accounts - new ones get immediately stuck in the approval queue and at some point the spammers will realize that trying to create accounts here may just be wasted work because nothing gets through. Which makes all those idiots with trivial passwords all the more appealing easy prey.
neoworm
Posts: 1748
Joined: Fri Sep 23, 2005 9:17 am
Location: Czech Republic

Re: New Password Requirements and Password Reset

Post by neoworm »

phantombeta wrote: ↑Fri Jan 20, 2023 10:23 am The only self-obsessed tool here is you, buddy. The forum kept getting filled with spam- I've personally been here back through the periods where Off-topic and the wiki would randomly get absolutely plastered with spam links by bots. This was done to deal with that.
I also remember when this forum was alive. Doomworld project gets flooded by new stuff daily including gzdoom project and here is a ghost town. This will definitely not make it worse I am sure.
Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49183
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

And you really think it will bother users to store a longer password in their browser? Grow up!
phantombeta
Posts: 2119
Joined: Thu May 02, 2013 1:27 am
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Brazil

Re: New Password Requirements and Password Reset

Post by phantombeta »

cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am Well, okay, I get it, you don't consider writing something custom to resolve a security issue.
That takes far more time than you think, and as far as I know, no one on staff is an info-sec expert, much less can they write a security plugin for phpBB. Nor would they have money to spare to make sure any of it is ACTUALLY secure.
cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am What doesn't matter? That other forums, somehow, achieve the same or better level of security without requiring 20+ character passwords? I am reading yet another huge reply and no one has answered this question I asked almost 3 pages above.
That's funny. The prime reason I've seen for phpBB forums getting shut down and made read-only has always been "we've been getting overwhelmed with spam and we just can't deal with the sheer volume of bots, sorry".
cyber_cool wrote: ↑Fri Jan 20, 2023 6:04 am Or that there are better attack targets. PHPBB has a market share of 0.2%, wordpress - 43.2% (https://w3techs.com/technologies/overvi ... management).
Except phpBB is a far easier target, and it's far harder to deal with spam on a forum than on a WordPress blog (hint: You can just delete any posts made after the blog was compromised, and manually fix up any real posts that might've gotten edited. Or even just restore a backup without losing any of your real posts. Good luck doing any of that with any kind of forum software, without losing legitimate posts!)
phpBB has literally been a prime target for bots and skiddies since pretty much forever. It's a finicky piece of shit, updates constantly make breaking API changes, and no plugins are ever built in a way that makes it feasible to migrate to an updated plugin that does the same thing. Did you ever notice how the Closed Feature Suggestions and Closed Bugs forums used to have tags? And now they don't? Now try to take a guess why they're all gone from old posts, and new posts don't have them either!
phantombeta
Posts: 2119
Joined: Thu May 02, 2013 1:27 am
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Brazil

Re: New Password Requirements and Password Reset

Post by phantombeta »

neoworm wrote: ↑Fri Jan 20, 2023 10:33 am I also remember when this forum was alive. Doomworld project gets flooded by new stuff daily including gzdoom project and here is a ghost town. This will definitely not make it worse I am sure.
That's funny, because the Gameplay Mods forum looks pretty lively to me. It's almost as if the users on this site are more interested in gameplay mods, which take more time to make, while Doomworld users are more interested in levels 🤔
(Though that's not to say we don't get levels, either- If you look at the Levels forum, you'll see at least 4 new ones posted just this month on the front page. Of course, most people still prefer to post their levels in the Doomworld forums, because that's just how it has been for literally years)
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

Rachael wrote: You missed the entire point. The forum *is* in the DMZ.
I thought you'd use port forwarding? I don't care, I just care it works. Maybe the port changes all the time?
KynikossDragonn
Posts: 272
Joined: Sat Dec 12, 2020 10:59 am
Preferred Pronouns: He/Him
Operating System Version (Optional): Void Linux
Graphics Processor: Intel (Modern GZDoom)
Location: Independence, KS, USA

Re: New Password Requirements and Password Reset

Post by KynikossDragonn »

I really don't understand all the outrage, just set your password and be done with it right?

If we really don't want things like this to happen in the first place then we'd have to somehow manage to get every single hacker and script kiddie thrown in prison, and that obviously isn't happening.

Honestly, I was only mildly surprised by the sudden "You need to change your password before continuing", but I just did so and moved on with my life. There's really no need to bicker and drama about it... is there?
Rachael
Posts: 13793
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

yum13241 wrote: ↑Fri Jan 20, 2023 11:01 am I thought you'd use port forwarding? I don't care, I just care it works. Maybe the port changes all the time?
That isn't how VPS hosting works. It'd actually be kind of awesome if it could work that way, though, but we only can afford one host, not separate hosts where it's webserver+router.
Rachael
Posts: 13793
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

neoworm wrote: ↑Fri Jan 20, 2023 10:21 am Anything you say doesn't change the fact
So, this is pretty much you, right now:
Yeah, if you're going to have your fingers in your ears, don't bother posting here. Thanks.

I'm in favor of actual discussions, not arguments where you try to force your opinions on me and refuse to listen.
yum13241
Posts: 853
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

Rachael wrote: That isn't how VPS hosting works. It'd actually be kind of awesome if it could work that way, though, but we only can afford one host, not separate hosts where it's webserver+router.
Probably since they don't host only forums?

Rachael also wrote: Yeah, if you're going to have your fingers in your ears, don't bother posting here. Thanks.

I'm in favor of actual discussions, not arguments where you try to force your opinions on me and refuse to listen.
One million percent agreed.
