New Password Requirements and Password Reset

News about ZDoom, its child ports, or any closely related projects.
[ZDoom Home] [Documentation (Wiki)] [Official News] [Downloads] [Discord]
[🔎 Google This Site]

Moderator: GZDoom Developers

Locked
zdusr
Posts: 32
Joined: Fri Mar 19, 2021 12:33 pm

Re: New Password Requirements and Password Reset

Post by zdusr »

ramon.dexter wrote: Wed Jan 18, 2023 10:02 am
Rachael wrote: Wed Jan 18, 2023 6:10 am Several people complained so I reduced it. The main purpose of the reset was to get people off of the years-to-decades-old passwords that they had before the new requirements that they simply never changed. I'm always of the belief that "more is better" but sometimes I forget that people aren't nerds like me that have ways of managing passwords that make such requirements trivial to deal with xD
Yeah,so I add another 1234567890 to mypassword. Wooow, such security! On a hobby forum, where I have no vital information, not even a real name!

What about normal password and twofactor authorization?
I think it's more about them protecting against passwords that leak over time due to other sites being hacked. Got to admit that 20 char didn't allow me to re-use any of good old passwords. I don't see any other reason. I mean if somebody already gets access to dump their database then they probably have a bigger problem than your password not being 20 chars. Such hacker could already add spam directly by executing insert statements on their sql database and I don't understand how having 20 char long pw would help in that case.
zdusr
Posts: 32
Joined: Fri Mar 19, 2021 12:33 pm

Re: New Password Requirements and Password Reset

Post by zdusr »

Caligari87 wrote: Wed Jan 18, 2023 11:39 am
I wouldn't mind 2A support if it's optional. OAuth is an open free standard so there's plenty of one-time-code generators which don't have any sort of tracking or online database features, you don't need to use Google Authenticator or the like.
Yes, in that case it would have to be optional. I wouldnt imagine giving my phone number to every single forum that wants to implement 2FA. For me it's a risk that I never know what site uses it in bad way and which doesnt and I don't have time resource to for example google every site before registering and then taking interviews from admins before registering and so on. And even if site means well it can still leak via hackers. So yes, has to be optional.
User avatar
phantombeta
Posts: 2081
Joined: Thu May 02, 2013 1:27 am
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Brazil

Re: New Password Requirements and Password Reset

Post by phantombeta »

zdusr wrote: Mon Jan 30, 2023 6:22 pm I think it's more about them protecting against passwords that leak over time due to other sites being hacked. Got to admit that 20 char didn't allow me to re-use any of good old passwords. I don't see any other reason. I mean if somebody already gets access to dump their database then they probably have a bigger problem than your password not being 20 chars. Such hacker could already add spam directly by executing insert statements on their sql database and I don't understand how having 20 char long pw would help in that case.
Being able to dump a database doesn't mean you can *add* to it. On top of that, spammers exploiting leaked passwords doesn't mean this forum leaked passwords- rather, there's a very strong suspicion that the influx of spam is related to the LastPass leaks. This isn't just here, either, other forums (even running on other forum software!) have been getting spam too and have the same suspicion.
zdusr wrote: Mon Jan 30, 2023 6:31 pm Yes, in that case it would have to be optional. I wouldnt imagine giving my phone number to every single forum that wants to implement 2FA. For me it's a risk that I never know what site uses it in bad way and which doesnt and I don't have time resource to for example google every site before registering and then taking interviews from admins before registering and so on. And even if site means well it can still leak via hackers. So yes, has to be optional.
Secure 2FA doesn't use things like SMS or email (specially not SMS, because it's insecure as hell and easily readable by attackers), it uses things like OATH. These use authenticators instead, and don't require a phone. All they require is a computing device with enough power to perform the necessary cryptographic operations. (And, in the case of OATH with TOTP, somewhat accurate current time and date)
The most well-known and widely-used implementations of these are authenticator apps on smartphones, but these never even touch your phone number (much less your personal info), and there very much are non-smartphone alternatives, like the YubiKey.
Professor Hastig
Posts: 225
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

phantombeta wrote: Mon Jan 30, 2023 10:54 pm Secure 2FA doesn't use things like SMS or email (specially not SMS, because it's insecure as hell and easily readable by attackers), it uses things like OATH. These use authenticators instead, and don't require a phone. All they require is a computing device with enough power to perform the necessary cryptographic operations. (And, in the case of OATH with TOTP, somewhat accurate current time and date)
The most well-known and widely-used implementations of these are authenticator apps on smartphones, but these never even touch your phone number (much less your personal info), and there very much are non-smartphone alternatives, like the YubiKey.
If it was that easy.
These technologies may exist but the only common implementations of 2FA I know either use SMS or a custom made smartphone app, no way to use an alternative device. Either way I have to entrust my security to a device I do not want to entrust it to and especially when it comes to banks there is a notable resistance to technologies that avoid the smartphone.
You can rest assured that in the end you will have filled up your phone's storage with an endless list of authenticator apps if this nonsense continues - because everybody will do their own thing - and all 'security' will be thrown out the window when that smartphone gets stolen. If you ask me, any security that relies on a smartphone, i.e. a device you often carry around outside your house, is not secure, regardless of what kind of authentication it uses.

If internet forums start using this kind of authentication you can be sure that many of their users will take a hike and never come back.
User avatar
phantombeta
Posts: 2081
Joined: Thu May 02, 2013 1:27 am
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Brazil

Re: New Password Requirements and Password Reset

Post by phantombeta »

Professor Hastig wrote: Tue Jan 31, 2023 12:58 amIf it was that easy.
These technologies may exist but the only common implementations of 2FA I know either use SMS or a custom made smartphone app, no way to use an alternative device. Either way I have to entrust my security to a device I do not want to entrust it to and especially when it comes to banks there is a notable resistance to technologies that avoid the smartphone.
You can rest assured that in the end you will have filled up your phone's storage with an endless list of authenticator apps if this nonsense continues - because everybody will do their own thing - and all 'security' will be thrown out the window when that smartphone gets stolen. If you ask me, any security that relies on a smartphone, i.e. a device you often carry around outside your house, is not secure, regardless of what kind of authentication it uses.
I've never seen any "custom made smartphone app" aside from Steam, myself. Literally every single other site I've used that's had 2FA that wasn't just SMS or email just used plain OATH, and I have 2FA everywhere I can if it doesn't use SMS.
Are you sure the sites you're going to aren't just using OATH and suggesting you use their preferred authenticator? Google Authenticator, Microsoft Authenticator, etc. are just branded apps with the exact same functionality, the underlying protocol is still just plain OATH and you can use any of them on any site. And it works the same whether you've got one of those or a hardware device like a YubiKey. It's an IETF standard, so it's well-defined, has very good implementations, has been widely audited and is considered to be secure.
I have to wonder how you're missing the dozens upon dozens of sites that use plain OATH :-| For some examples, there's GitHub, GitLab, Itch.io, Humble Bundle, Discord, Google, Microsoft, Patreon and Twitch, all of which use OATH 2FA, and that's just some sites I personally use or used to use. (And that's not even all the ones I've used, I've got OATH 2FA on even more sites, I'm just not put them all here)
Professor Hastig wrote: Tue Jan 31, 2023 12:58 amIf you ask me, any security that relies on a smartphone, i.e. a device you often carry around outside your house, is not secure, regardless of what kind of authentication it uses.
The point of 2FA is that you have two factors of authentication. You can't access with just the authenticator, and you can't access with just the password- you need both, always. That's why it's called Two-Factor Authentication. There's nothing you can do to login with just a 2FA code. Every site I've used won't even allow you to input one until you've successfully entered your password.
Plenty of smartphone OATH apps also allow you to require a password to even access the app (along with encrypting the database containing the TOTP data used to generate codes), further decreasing any risks involved with your 2FA device being a smartphone.
Or you can just use a hardware device like a YubiKey, in which case those issues don't exist in the first place.
Professor Hastig wrote: Tue Jan 31, 2023 12:58 amIf internet forums start using this kind of authentication you can be sure that many of their users will take a hike and never come back.
Where did I say sites should require 2FA? (The answer is nowhere, because I didn't)
I don't think I've ever come across any sites that require everyone to use 2FA. The closest I've seen would be my bank, but that doesn't really count because it's not any kind of authenticator app, it just forces me to go to the bank with my card to get my device authorized, or confirm whatever change I made.
User avatar
Player701
 
 
Posts: 1632
Joined: Wed May 13, 2009 3:15 am
Graphics Processor: nVidia with Vulkan support
Contact:

Re: New Password Requirements and Password Reset

Post by Player701 »

And yet again I've just found myself logged out, and it took me several attempts to first get the site loaded at all, and then a couple more to log in (the error message was "The submitted form was invalid. Try submitting again"). UPD: several hours latter, got logged out again. Really?...
phantombeta wrote: Mon Jan 30, 2023 10:54 pm and there very much are non-smartphone alternatives, like the YubiKey
I have a couple of these (one primary + one backup), but support for such devices doesn't seem to be that widespread, although the standard (FIDO2) is open. BTW, Yubikeys can also act as one-time code generators (same as Google Authenticator), but you obviously need a smartphone app to access them. The difference from the Google app here is that the OTP settings are stored on the Yubikey itself, which communicates with the phone via NFC. Additionally, it can also act as a GPG key and, by extension (via --export-ssh-key) as an SSH key.
User avatar
Rachael
Posts: 13527
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her
Contact:

Re: New Password Requirements and Password Reset

Post by Rachael »

Player701 wrote: Tue Jan 31, 2023 4:10 am And yet again I've just found myself logged out, and it took me several attempts to first get the site loaded at all, and then a couple more to log in (the error message was "The submitted form was invalid. Try submitting again"). UPD: several hours latter, got logged out again. Really?...
Please please please, as I said before - clear your cache, clear your cookies for the site. If worst comes to worst, try a different browser. This should not be happening, and as I said previously it is very common when your browser gets cookie poisoning. This is *not* something that can be fixed on the server end.
User avatar
Player701
 
 
Posts: 1632
Joined: Wed May 13, 2009 3:15 am
Graphics Processor: nVidia with Vulkan support
Contact:

Re: New Password Requirements and Password Reset

Post by Player701 »

Rachael wrote: Tue Jan 31, 2023 7:02 amPlease please please, as I said before - clear your cache, clear your cookies for the site. If worst comes to worst, try a different browser. This should not be happening, and as I said previously it is very common when your browser gets cookie poisoning. This is *not* something that can be fixed on the server end.
I've already done that before, and while I sincerely hope you're not doubting my ability to clear cookies and cache, for the purity of the experiment I've cleared them again just now, and I've also cleared all login keys in my UCP. In addition to that, I'm going to use another browser from now on, one I've never used to log in to these forums before.

I also have to point out that the site loading issue is persistent across browsers and is exclusive to this particular website, which makes it statistically much more probable (although by no means certain) that it doesn't originate from my machine. All my recent logins have been from the same IP address, so there should be a way for you to find the relevant records in the server's logs (whenever you have the time, of course) and check them for anything unusual.
User avatar
Rachael
Posts: 13527
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her
Contact:

Re: New Password Requirements and Password Reset

Post by Rachael »

There is really almost nothing I can do about routing issues. This site is literally naught but a single host, we have no access to the routers or other external features.
User avatar
Player701
 
 
Posts: 1632
Joined: Wed May 13, 2009 3:15 am
Graphics Processor: nVidia with Vulkan support
Contact:

Re: New Password Requirements and Password Reset

Post by Player701 »

Rachael wrote: Tue Jan 31, 2023 8:30 am There is really almost nothing I can do about routing issues. This site is literally naught but a single host, we have no access to the routers or other external features.
Just checked with cURL when the issue appeared again, and this is what I've got:

Code: Select all

curl -v https://forum.zdoom.org
*   Trying 97.107.138.121:443...
* Connected to forum.zdoom.org (97.107.138.121) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET / HTTP/1.1
> Host: forum.zdoom.org
> User-Agent: curl/7.83.1
> Accept: */*
>
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
...
The lines "schannel: failed to decrypt data, need more data" continued for some time until I finally pressed Ctrl+C. Seems as if the connection was successfully established, but no data was being received from the other side, apart from the initial TLS negotiation.

Interestingly enough, a plain HTTP request to port 80 succeeded:

Code: Select all

curl -v http://forum.zdoom.org
*   Trying 97.107.138.121:80...
* Connected to forum.zdoom.org (97.107.138.121) port 80 (#0)
> GET / HTTP/1.1
> Host: forum.zdoom.org
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.23.2
< Date: Tue, 31 Jan 2023 16:03:47 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Keep-Alive: timeout=50
< Location: https://forum.zdoom.org/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.23.2</center>
</body>
</html>
* Connection #0 to host forum.zdoom.org left intact
Although the response was, of course, just a 301 redirect to the HTTPS page, not really useful. But it could mean that there's something wrong with the upstream server (FastCGI etc.) - that would explain why the plain request succeeded, as it was fully processed on nginx's side.
User avatar
phantombeta
Posts: 2081
Joined: Thu May 02, 2013 1:27 am
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia with Vulkan support
Location: Brazil

Re: New Password Requirements and Password Reset

Post by phantombeta »

Player701 wrote: Tue Jan 31, 2023 4:10 am I have a couple of these (one primary + one backup), but support for such devices doesn't seem to be that widespread, although the standard (FIDO2) is open. BTW, Yubikeys can also act as one-time code generators (same as Google Authenticator), but you obviously need a smartphone app to access them. The difference from the Google app here is that the OTP settings are stored on the Yubikey itself, which communicates with the phone via NFC. Additionally, it can also act as a GPG key and, by extension (via --export-ssh-key) as an SSH key.
I'm aware you need an application for OATH with YubiKey, I've looked into them myself :P
As far as I'm know, the only reason to use a smartphone app is if you're using it with your phone with NFC- and I'm pretty sure the point of that is to use it to login to something on the phone itself. For computers, they have a desktop authenticator app that works through the USB connector the YubiKey has.
User avatar
Player701
 
 
Posts: 1632
Joined: Wed May 13, 2009 3:15 am
Graphics Processor: nVidia with Vulkan support
Contact:

Re: New Password Requirements and Password Reset

Post by Player701 »

phantombeta wrote: Tue Jan 31, 2023 11:20 amFor computers, they have a desktop authenticator app that works through the USB connector the YubiKey has.
Now that's news to me, last time I checked there wasn't a Windows app available. It definitely makes things somewhat easier, thanks for mentioning it.
Darklord328
Posts: 64
Joined: Mon Sep 17, 2012 6:11 pm
Preferred Pronouns: He/Him

Re: New Password Requirements and Password Reset

Post by Darklord328 »

im siding with the adminstrators/moderators/community here, i have a 80 CHAR password, and they can try to bruteforce that, GOOD LUCK with that, all this nonsense of having at least 10/20 chars then they would have to updated it eventually, i dont mind it, and having 2FA on and i keep my phone at my hands at all times,

the administrators/moderators reserve the right to actually do what they have to do, and keeping the community safe from hackers/hijackers. ever since i have changed the password, i've been maintaining it on keePass. yes i was forced to change the password, to 20 chars, better yet, i changed 20 chars to 80 chars, i might change my password from 80 chars too 1000 chars. 1000 chars might sound outragious lol, though i might do it. try bruteforcing that in the near future. if they ask to change my password, then 1000 chars it is. change your passwords and be done with it. in the near future adminstrators/moderators might have to make us change our passwords again, if they do, just change your password and be done with it.
yum13241
Posts: 779
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support
Contact:

Re: New Password Requirements and Password Reset

Post by yum13241 »

Now I do maintain that the most important part of security is availability. You can't use a 1,000 char password to login to your computer, can you? If you can't remember the password it sucks. Maybe your password manager isn't working. Maybe you got a new device. Maybe both. Maybe something else.


I thought this thread died already?!
Darklord328
Posts: 64
Joined: Mon Sep 17, 2012 6:11 pm
Preferred Pronouns: He/Him

Re: New Password Requirements and Password Reset

Post by Darklord328 »

yum13241 wrote: Fri Feb 10, 2023 7:01 am Now I do maintain that the most important part of security is availability. You can't use a 1,000 char password to login to your computer, can you? If you can't remember the password it sucks. Maybe your password manager isn't working. Maybe you got a new device. Maybe both. Maybe something else.


I thought this thread died already?!
in regards to this quote, i can infact go way further and beyond if i really wanted to, im using keePass the password manager. im not using the built in password manager. just saying, and if admins/mods wants to lock this down, then thats their discretion! not ours.
Locked

Return to “ZDoom (and related) News”