CandiceJoy wrote: ↑Wed Jan 18, 2023 5:46 am
Hey everyone! We've been having a bit of trouble with compromised accounts on here of late, so we've implemented a new password complexity requirement on all accounts, effective immediately. Upon logging in for the first time after today, you will be required to change your password to something that is at least 20 characters long, and contains both upper- and lower- case letters, as well as numbers. We feel this is necessary to maintain the continued security of the forums, and sincerely apologise for any inconvenience this may cause.
If you would like to create a randomly generated password, you can use https://passwords-generator.org/
If you have any questions, comments, or concerns, you can leave them below. Otherwise, keep on Dooming!
When I found out about this, I didn't give an iota of a shit. However I do think that this is a good idea to maximize security.
New Password Requirements and Password Reset
Moderator: GZDoom Developers
-
- Posts: 219
- Joined: Tue Apr 05, 2022 3:43 am
- Preferred Pronouns: He/Him
Re: New Password Requirements and Password Reset
-
- Posts: 684
- Joined: Sat Jul 05, 2008 6:20 am
- Location: Brazil
Re: New Password Requirements and Password Reset
Making a new 20 chars password is not that big of a deal for me, but man, I'd really prefer a 2FA method instead. Just link it to my email, phone or something.
-
- Posts: 1279
- Joined: Tue Jul 19, 2011 2:56 am
Re: New Password Requirements and Password Reset
20 character password isn't a deal breaker for me, I mean, I'm right here typing this post after I made one.
I just think it's absurd that I have to do this for a small forum that holds absolutely no vital information about me.
I mean, would I get hacked with no 2fa and a short password here? Maybe... I'd just contact an admin and have the password changed or make a new account if the old one is nuked, no big deal.
-
- Posts: 255
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: New Password Requirements and Password Reset
What about the poor mods that have to deal with the fallout of your account getting hacked? I doubt for them it's "no big deal".
-
- Posts: 1279
- Joined: Tue Jul 19, 2011 2:56 am
Re: New Password Requirements and Password Reset
Professor Hastig wrote: ↑Thu Jan 26, 2023 7:16 am What about the poor mods that have to deal with the fallout of your account getting hacked? I doubt for them it's "no big deal".
I've never been a moderator in a forum so I can't really speak about the implications there, but if that has to happen, it will happen regardless of if you have a 10 character password or a 20 character password.
Besides, that's something every moderator in every forum has to deal with, and I don't think shorter password length will result in the entire userbase collectively getting hijacked.
All I'm saying is that this is very overkill for a niche doom forum and just an annoyance for the end user.
-
- Lead GZDoom+Raze Developer
- Posts: 49183
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
This forum was suffering from compromised accounts on a regular basis, the most common reason being that if people are allowed to use simple passwords, they will do so - and they will do it elsewhere as well. So if some of those other accounts get broken into, the one here is toast, too. Now people can't do the lazy routine anymore and to be blunt, all the whining and complaining we got is that people still stick to outdated means of managing passwords, which normally implies that their passwords may also be outdated.
For god's sake use a password manager instead of trying to memorize all passwords! All you then need to remember is a single password. At least this forum doesn't use Javascript hacks to disable the browser's password management - THAT is the true menace of the internet!
-
- Posts: 207
- Joined: Thu Apr 16, 2015 8:24 am
Re: New Password Requirements and Password Reset
My case is perhaps a little bit odd-ball in this kerfuffle: I am the user with unique 100+ character non-dictionary passphrases stored in a password manager, but this was one of two remaining sites (neither with any more identifying information than my email) with a password that needed to be retired fifteen years ago, so this forced me out of a bit of overly sentimental attachment. That's my little huffy puffy.
Now, I don't want to give anybody any ideas, but something that I would really bristle at would be monthly forced password resets, because oh baby, you best believe I'm gonna be incrementing the number in that stupid password every reset.
Last edited by Gollgagh on Thu Jan 26, 2023 5:22 pm, edited 1 time in total.
-
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
Gollgagh wrote: ↑Thu Jan 26, 2023 4:15 pm My case is a little bit odd-ball in this kerfuffle: I am the user with unique 100+ character non-dictionary passphrases stored in a password manager, but this was one of two remaining sites (neither with any more identifying information than my email) with a password that needed to be retired fifteen years ago, so this forced me out of a bit of overly sentimental attachment. That's my little huffy puffy.
I use 100-character randomly generated passwords. Good luck brute forcing THAT ;D
-
- Posts: 207
- Joined: Thu Apr 16, 2015 8:24 am
Re: New Password Requirements and Password Reset
Yeah, but that's boring. If I'm gonna be making up nonsense, I wanna have at least a little bit of fun with it.
-
- Posts: 231
- Joined: Tue Mar 23, 2010 4:47 pm
- Preferred Pronouns: No Preference
- Graphics Processor: nVidia with Vulkan support
- Location: existential dread
Re: New Password Requirements and Password Reset
If people don't want to use a password manager (which is completely understandable) consider using a pencil and paper. I have a notebook in my bookshelf filled with dozens of 20-30+ character passwords. Use a password generator, write it down, keep the notebook somewhere safe. It's a time investment for sure because you'll have to potentially spend a few hours writing down all of your passwords but once the set up is complete it's the safest password management option imo. Patience is the only factor.
Also I noticed it pop up a few times so I figured I'd give a PSA when it comes down to Google Authenticator and other 2FA apps. Authenticator does not store recovery codes, you have to do it yourself. For example, if you add 2FA to Discord, Discord gives you the code to add to an Auth (whether it's Google or Authy, etc), usually the same code is also your recovery code. 90% of services out there that support 2FA will tell you that it is absolutely imperative that you write that code down/keep it somewhere safe. Some of them will flat out tell you to screenshot the code. That is how you back up your 2FA when switching mobile devices. Steam and Battlenet's 2FA app does the same thing. Unfortunately sometimes it's not very obvious and Google Authenticator does a bad job at letting users know that it doesn't store/remember recovery codes.
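Added example, not part of the post above: a minimal RFC 6238 TOTP generator showing why a saved copy of the setup key is enough to bring 2FA back on a new phone, since the codes depend only on that key and the clock. It assumes the common authenticator defaults (HMAC-SHA1, 30-second step, 6 digits); `SETUP_KEY` is the constructed RFC 6238 test secret, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: Base32 of the RFC 6238 test secret "12345678901234567890".
# A real setup key is whatever the service displays next to the QR code.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_setup_key(setup_key):
    """Normalize a hand-copied key (spaces, lower case, missing padding)."""
    cleaned = "".join(setup_key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(setup_key, unix_time, digits=6, step=30):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed: the common authenticator default)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(decode_setup_key(setup_key), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def restored_device_agrees(original_key, written_down_key, times):
    """True if a device set up from the written copy yields the same codes."""
    return all(totp(original_key, t) == totp(written_down_key, t) for t in times)


if __name__ == "__main__":
    paper_copy = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"  # as copied by hand
    now = 59  # fixed timestamp from the RFC test vectors, for a repeatable run
    print("old phone:", totp(SETUP_KEY, now))
    print("new phone:", totp(paper_copy, now))
    print("agree:", restored_device_agrees(SETUP_KEY, paper_copy, [59, 1111111109]))
```

Anyone holding the key can generate valid codes, so the written copy needs the same protection as a password.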
-
- Posts: 13793
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
Dropped the requirement from 20 to 15 characters since browsers autogen passwords at that length - however the password reset is still being enforced in order to get everyone into the new requirements.
If you aren't already, please use a password manager of some sort. Something like LessPass works perfectly because you never have to store passwords anywhere.
-
-
- Posts: 1684
- Joined: Wed May 13, 2009 3:15 am
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Could be just me, but the "Remember Me" checkbox appears to be broken - I get logged out every other day or so, while in the past I could stay logged in for months. May or may not be related to another issue I've been recently experiencing (still happening as of now).
-
- Lead GZDoom+Raze Developer
- Posts: 49183
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
Same here, actually. I had to re-enter my login data 4 times since the password change.
-
- Posts: 13793
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
Please log out first, then clear your cookies from this entire domain (zdoom.org) completely. It works fine for me, so it's possible that you have browser cookie poisoning from a previous login that got invalidated. Happens all the time for me, and that's how I fix it.
I can't fix this server-side except to erase both your saved logins and active sessions completely, and that won't remove the bad cookie that's giving you problems, anyway.
If you want, go here and review your logins from other devices too: ucp.php?i=ucp_profile&mode=autologin_keys - to make sure you have no duplicate entries.
-
-
- Posts: 1684
- Joined: Wed May 13, 2009 3:15 am
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Rachael wrote: ↑Sun Jan 29, 2023 9:55 am Please log out first, then clear your cookies from this entire domain (zdoom.org) completely. It works fine for me, so it's possible that you have browser cookie poisoning from a previous login that got invalidated. Happens all the time for me, and that's how I fix it.
Did exactly that yesterday, and yet I've just found myself logged out again (plus it took about 5 attempts before the site loaded at all; see link in my previous post for details).