Page 8 of 11
Re: New Password Requirements and Password Reset
Posted: Fri Jan 20, 2023 5:59 pm
by Phredreeke
neoworm wrote: ↑Fri Jan 20, 2023 10:21 am
I won't be reading the rest of this but I will state the following. My bank doesn't need a 20 character long password, but a 25+ year old game fan forum does.
If your bank doesn't have some form of 2FA then they're seriously doing something wrong...
Re: New Password Requirements and Password Reset
Posted: Fri Jan 20, 2023 6:43 pm
by CandiceJoy
Phredreeke wrote: ↑Fri Jan 20, 2023 5:59 pm
neoworm wrote: ↑Fri Jan 20, 2023 10:21 am
I won't be reading the rest of this but I will state the following. My bank doesn't need a 20 character long password, but a 25+ year old game fan forum does.
If your bank doesn't have some form of 2FA then they're seriously doing something wrong...
Right. If you notice, most places are either shorter password + 2FA or long password. Most places have 2FA, though, so... almost everywhere uses shorter passwords.

Re: New Password Requirements and Password Reset
Posted: Sat Jan 21, 2023 1:11 am
by BFeely
One thing to note is that Chrome's password generator produces 15 character passwords.
For a local password generator and manager look into
https://keepass.info/
Re: New Password Requirements and Password Reset
Posted: Sun Jan 22, 2023 2:06 pm
by alekksandar
This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
Re: New Password Requirements and Password Reset
Posted: Sun Jan 22, 2023 7:14 pm
by CandiceJoy
alekksandar wrote: ↑Sun Jan 22, 2023 2:06 pm
This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
We sincerely apologise for the inconvenience and annoyance that this new policy causes. We've looked into alternatives and, unfortunately, none appear viable at this time.

Since password complexity was the only route available to us, we had to increase said complexity beyond what is typical. I can personally vouch for the fact that phpBB is very difficult to defend from spam and hacking, so we hope that you understand <3
Re: New Password Requirements and Password Reset
Posted: Mon Jan 23, 2023 1:35 pm
by BFeely
CandiceJoy wrote: ↑Sun Jan 22, 2023 7:14 pm
alekksandar wrote: ↑Sun Jan 22, 2023 2:06 pm
This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
We sincerely apologise for the inconvenience and annoyance that this new policy causes. We've looked into alternatives and, unfortunately, none appear viable at this time.

Since password complexity was the only route available to us, we had to increase said complexity beyond what is typical. I can personally vouch for the fact that phpBB is very difficult to defend from spam and hacking, so we hope that you understand <3
Does phpBB have any sort of brute force protection? If so, even 15 characters would be resistant to anything short of stealing the database and running the hashes through a GPU cracker.
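The trade-off BFeely raises (an online attacker limited by lockouts versus an offline attacker holding the hash database) is easiest to see with numbers. The following is an added example, not code from the forum or from phpBB: it checks a password against the policy the thread describes (20+ characters with upper-case, lower-case letters and digits) and compares expected cracking times under both attacker models. The botnet size, lockout window and GPU rate are constructed assumptions for illustration, not measured figures.

```python
"""Added example, not code from the forum or from phpBB: validates a password
against the policy the thread describes (at least 20 characters with upper-case
letters, lower-case letters and digits) and compares how long a random password
of a given length survives an online attacker throttled by a per-IP lockout
versus an offline attacker who has stolen the hash database. Every rate used
here is a constructed assumption for illustration, not a measured figure."""
import math

MIN_LENGTH = 20            # policy length from the thread
ALPHABET_SIZE = 62         # a-z, A-Z, 0-9: the character classes the policy requires
SECONDS_PER_YEAR = 365 * 24 * 3600


def check_policy(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the policy rules the password fails; an empty list means compliant."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    return failures


def keyspace_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Search-space size in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a random password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second / SECONDS_PER_YEAR


def online_guess_rate(attacker_ips: int, free_attempts: int, lockout_seconds: float) -> float:
    """Guesses per second available to an attacker who gets only `free_attempts`
    captcha-free tries per IP before that IP is locked out for `lockout_seconds`."""
    return attacker_ips * free_attempts / lockout_seconds


def compare_attackers(length: int,
                      attacker_ips: int = 10_000,         # assumed botnet size
                      free_attempts: int = 1,              # thread: 1 captcha-free try per IP
                      lockout_seconds: float = 4 * 3600,   # assumed value for "several hours"
                      offline_rate: float = 1e5) -> dict:  # assumed GPU rate against a slow hash
    """Expected cracking time for a random `length`-character password under both models."""
    bits = keyspace_bits(length)
    return {
        "length": length,
        "bits": round(bits, 1),
        "online_years": expected_years(
            bits, online_guess_rate(attacker_ips, free_attempts, lockout_seconds)),
        "offline_years": expected_years(bits, offline_rate),
    }


if __name__ == "__main__":
    for pw in ("hunter2", "correcthorsebatterystaple", "Tr0ub4dor&3-Fort-Knox-2023"):
        print(f"{pw!r}: {check_policy(pw) or 'compliant'}")
    for n in (15, 20):
        print(compare_attackers(n))
```

The point the numbers make is the one BFeely states: with a per-IP lockout in place the online attacker's budget is tiny, so extra length mostly buys protection for the case where the hash database itself leaks. Change `offline_rate` to model a fast unsalted hash versus a slow one and the gap between 15 and 20 characters moves accordingly.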
Re: New Password Requirements and Password Reset
Posted: Mon Jan 23, 2023 1:56 pm
by Kappes Buur
I do not quite understand why so many are so resistant to using a 20 character password, when it is so easy.
After all, they don't have to deal with the hassle of keeping the forum going and coping with rebuilding the forum when it gets hacked. Rachael et al are doing an excellent job.
I used the password generator from programming.de, then saved the generated password in a text file.
Now, all that is required is to copy/paste the password into the login.
Easy peasy.

Re: New Password Requirements and Password Reset
Posted: Mon Jan 23, 2023 3:07 pm
by Redneckerz
I have been pondering this method of execution for some days now. Read the pros, read the cons. Using Bitwarden. I changed it from a 14 character pass to a 30 character one (a random pass mixed with my old one, works like a charm).
For better or worse I reckon we can all agree this measure is excessive but purely only so because it needs to be done to fight off spam and because the more obvious choices (OAuth/2FA) have their own issues to work with the backend as-is.
Obviously this isn't an ideal scenario. The next thing you know, we are at a 35 character pass (which it originally was). I mean, I don't mind, I play along and will happily do a 100 character pass... but it is excessive.
The OAuth situation surprises me, primarily because that's what I use on our hospital's wiki. Of course, that has a whole virtualized security grid behind it that filters out most of the doo-doos... but you can't just keep on expanding on characters. That right there is a finite limit that will be reached unless we can come up with something smart.
So TLDR: I get ''why'' it is done and I also get ''why'' it is difficult to seek an alternative. But I also get ''why'' this will have a finite limit if some miraculous idea won't spring up.
neoworm wrote: ↑Fri Jan 20, 2023 10:21 am
I won't be reading the rest of this but I will state the following. My bank doesn't need a 20 character long password, but a 25+ year old game fan forum does. That is the state of things.
I am glad you are ignoring all the reasons ''why'' this has to be done in this particular way.
neoworm wrote: ↑Fri Jan 20, 2023 10:21 am
It makes you look like a bunch of self-obsessed tools.
Glad you came back just to spit on staff decisions without any care in the world. I guess your new year's good intentions were this.
Re: New Password Requirements and Password Reset
Posted: Mon Jan 23, 2023 4:58 pm
by CandiceJoy
Redneckerz wrote: ↑Mon Jan 23, 2023 3:07 pm
but you can't just keep on expanding on characters. That right there is a finite limit that will be reached unless we can come up with something smart.
Honestly, I agree. I think if 20 characters with the complexity requirement is insufficient, I would personally prefer we seek an alternative other than lengthening passwords again. But that's just my 2 cents.

Re: New Password Requirements and Password Reset
Posted: Wed Jan 25, 2023 2:16 pm
by Borg
So, what's going on? Are forum accounts under constant brute-force attack?
That's why you are changing password policy?
Re: New Password Requirements and Password Reset
Posted: Wed Jan 25, 2023 2:20 pm
by yum13241
Not necessarily constant.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 25, 2023 2:50 pm
by Rachael
It is constant. Just because you don't see it doesn't mean it's not happening. People run those bots 24/7, so yes, it's constant.
You only see the accounts getting compromised that have not properly protected themselves - and that's the same for us, too.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 25, 2023 2:59 pm
by Borg
Ugh... damn savages... I know that pain... My IP blacklist is growing and growing...
fwcli> stats rules
427 rules in DB
427 subnets (not IPs!) with size of minimum /24 (class C) or larger..
I can give you some hints at PM if you want

Re: New Password Requirements and Password Reset
Posted: Wed Jan 25, 2023 3:02 pm
by Rachael
The forum already has a system that blocks IP logins from individual hosts for several hours after a failed login attempt, at least without engaging the captcha. I've reduced the maximum number of captcha-free attempts per IP down to 1 now, since recaptcha3 is automatic anyway.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 25, 2023 8:16 pm
by Ihavequestions
Rachael wrote: ↑Wed Jan 25, 2023 3:02 pm
I've reduced the maximum number of captcha-free attempts per IP down to 1 now, since recaptcha3 is automatic anyway.
That's bad news for people with script blockers who for some reason got their settings reset, e.g., due to a new OS installation -- even if that was on another machine. NoScript will reset its centrally stored settings anyway because reasons. Other blockers might save their settings per machine.
It typically takes three attempts to get a Captcha to become visible since you need to reload the page after every change that unlocks some additional functionality. If your browser keeps trying to sign you in automatically using outdated credentials, this will probably cause your IP to get blocked.
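Rachael's description of the forum's login protection (one captcha-free attempt per IP, then a block of several hours) and Ihavequestions' concern about a browser that auto-submits stale credentials both come down to the same throttle logic. The following is an added example, not forum or phpBB code: a small per-IP throttle replayed over constructed login events, including the stale-credential case and a bot hammering one address. The window length, IP addresses and events are all assumptions for illustration.

```python
"""Added example, not code from the forum or from phpBB: a per-IP login throttle
in the spirit of the one Rachael describes (one captcha-free attempt per IP,
then a captcha is required for several hours), replayed over constructed login
events, including the case Ihavequestions raises: a browser that auto-submits
stale saved credentials and then cannot render the captcha. The window length,
addresses and events are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LoginThrottle:
    max_free_attempts: int = 1          # thread: reduced to 1 captcha-free try per IP
    block_seconds: int = 4 * 3600       # assumed value for "several hours"
    failures: Dict[str, List[float]] = field(default_factory=dict)

    def _recent_failures(self, ip: str, now: float) -> List[float]:
        """Failures from this IP that are still inside the block window."""
        kept = [t for t in self.failures.get(ip, []) if now - t < self.block_seconds]
        self.failures[ip] = kept
        return kept

    def requires_captcha(self, ip: str, now: float) -> bool:
        return len(self._recent_failures(ip, now)) >= self.max_free_attempts

    def attempt(self, ip: str, now: float, credentials_ok: bool,
                captcha_passed: bool = False) -> str:
        """Process one login attempt; returns 'ok', 'failed' or 'captcha_required'."""
        if self.requires_captcha(ip, now) and not captcha_passed:
            # The password is not checked at all, so a blocked bot learns nothing
            return "captcha_required"
        if credentials_ok:
            self.failures.pop(ip, None)   # design choice: a real login clears the slate
            return "ok"
        self.failures.setdefault(ip, []).append(now)
        return "failed"


# (ip, timestamp in seconds, credentials correct?, captcha solved?)  -- constructed sample
SAMPLE_EVENTS: List[Tuple[str, float, bool, bool]] = [
    ("198.51.100.7", 0, False, False),       # browser auto-submits a stale saved password
    ("198.51.100.7", 5, True, False),        # user types the right one; captcha not rendered
    ("198.51.100.7", 60, True, True),        # captcha finally visible and solved
    ("203.0.113.9", 0, False, False),        # bot guess 1: evaluated and rejected
    ("203.0.113.9", 1, False, False),        # bot guess 2: not evaluated at all
    ("203.0.113.9", 4 * 3600 + 1, False, False),  # window expired: one more free guess
]


def replay(events, throttle: Optional[LoginThrottle] = None) -> List[str]:
    """Feed events through a throttle and return the outcome of each one."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(ip, t, ok, cap) for ip, t, ok, cap in events]


def evaluated_guesses(events, throttle: Optional[LoginThrottle] = None) -> int:
    """How many attempts actually reached password verification."""
    return sum(1 for r in replay(events, throttle) if r != "captcha_required")


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{event[0]:>14} t={event[1]:>6}: {outcome}")
```

The replay shows both sides of the thread: the bot on 203.0.113.9 gets exactly one password check per block window no matter how many requests it sends, while the user on 198.51.100.7 is locked behind the captcha by their own browser's first failed auto-login and only gets in once the captcha actually renders and is solved.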