Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 8:56 pm
by Valherran
20 characters requirement is a bit excessive. If old and unused accounts were an issue, why not just lock them after x amount of time?
Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 9:17 pm
by wildweasel
Valherran wrote: ↑Wed Jan 18, 2023 8:56 pm
20 characters requirement is a bit excessive. If old and unused accounts were an issue, why not just lock them after x amount of time?
That's what we have done the last 3 times, by deactivating accounts last active before a certain date. This time around, the accounts getting compromised had been last active within the last 5 months, with no password or email changes on record.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 9:19 pm
by phantombeta
Valherran wrote: ↑Wed Jan 18, 2023 8:56 pm
20 characters requirement is a bit excessive. If old and unused accounts were an issue, why not just lock them after x amount of time?
They do, in fact, do exactly that. The problem is that it's not enough and spam posts are still coming through. I personally saw one recently. (Someone else had already reported it but it hadn't been deleted yet.)
I'm pretty sure it's also not just old accounts, either. Probably a non-zero number of LastPass users who got pwned in the breach and didn't change their passwords had their accounts here stolen too.
Another site I use has been victim to forum spam recently, and they also suspect the influx of spam comes from the LastPass breach.
Graf Zahl wrote: ↑Wed Jan 18, 2023 2:32 pm
Ideally for a password storage service it should use different passwords for accessing the account and for encrypting the stored passwords.
But at some point this whole insanity needs to stop - we really need something different to protect our online accounts than short strings of random characters.
Of course, should that ever happen we'd have to entrust even more of our lives to those godforsaken smartphones. Can we please uninvent these things...? :?
Anything would be either too complex for the average user (public key crypto through a challenge system), require costly physical devices (abusive to poor people) or just be passwords but worse.
The only more secure alternative to passwords is MFA. TOTP is perfectly good for this, and if you really hate smartphones that much, then just get something like a YubiKey, those support TOTP just fine, just like your smartphone, and can be used for that. They even have the bonus that they're dedicated devices, so someone can't just find a way to hack them directly.
Or if you're particularly paranoid and more electronics-inclined, grab some open-source single-board computer with support for acting as a USB device and build your own authenticator yourself.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 9:42 pm
by PlayerLin
Since I cannot remember 20+ character passwords after some weeks or months (even if the password is something only I can know... I can still forget it totally), I let Firefox's password manager (I don't really trust those password storage websites) help me deal with that... at worst, just reset it if something goes wrong... oh well, not a big deal.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 9:59 pm
by Valherran
Well damn, I guess 2FA is the only way to really combat that.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 10:22 pm
by PlayerLin
Valherran wrote: ↑Wed Jan 18, 2023 9:59 pm
Well damn, I guess 2FA is the only way to really combat that.
I just remembered Discord's hacks can even skip 2FA by clicking a server invite link, and the user gets hacked. Well, that's more like Discord's site problem, but just saying.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 10:28 pm
by wildweasel
PlayerLin wrote: ↑Wed Jan 18, 2023 10:22 pm
Valherran wrote: ↑Wed Jan 18, 2023 9:59 pm
Well damn, I guess 2FA is the only way to really combat that.
I just remembered Discord's hacks can even skip 2FA by clicking a server invite link, and the user gets hacked. Well, that's more like Discord's site problem, but just saying.
That's because those hacks are exploiting flaws in how their client software works, and shouldn't be thought of as being the same as what we're seeing here.
Re: New Password Requirements and Password Reset
Posted: Wed Jan 18, 2023 10:42 pm
by PlayerLin
wildweasel wrote: ↑Wed Jan 18, 2023 10:28 pm
That's because those hacks are exploiting flaws in how their client software works, and shouldn't be thought of as being the same as what we're seeing here.
Thanks for telling me about that, good to know. I'm glad I only use the web version of Discord (as far as I know the web version is safe from those exploits, but I never understood how their inner workings work).
--
Still, using 2FA or something like that should be a better solution... longer passwords can still drive people away and never really solve the problem totally...
Re: New Password Requirements and Password Reset
Posted: Thu Jan 19, 2023 12:11 am
by Graf Zahl
2FA will also drive people away - if not more - so you'd be between a rock and a hard place.
Re: New Password Requirements and Password Reset
Posted: Thu Jan 19, 2023 12:56 am
by neoworm
This is still just a hobby forum. Excessive security is really not appropriate here.
Re: New Password Requirements and Password Reset
Posted: Thu Jan 19, 2023 1:40 am
by yum13241
Blzut3 wrote: ↑Wed Jan 18, 2023 5:04 pm
yum13241 wrote: ↑Wed Jan 18, 2023 3:07 pm
Google Authenticator doesn't let you back up your codes. Alternatives exist though.
It does. They call it "transfer accounts", which gives a QR code for you to import onto another device. Although the name kind of implies it would, they don't do the silly thing and auto-delete the accounts from the source device, so it's effectively a backup feature.
What if I reset my device? Too bad then.
Re: New Password Requirements and Password Reset
Posted: Thu Jan 19, 2023 1:42 am
by yum13241
neoworm wrote: ↑Thu Jan 19, 2023 12:56 am
This is still just a hobby forum. Excessive security is really not appropriate here.
I don't get the point here. You're probably just mad about having to have such a long password. Use a password manager. I recommend Bitwarden. You can even host it yourself.
https://neoworm.bitwarden.org is a possibility.
Re: New Password Requirements and Password Reset
Posted: Thu Jan 19, 2023 1:44 am
by yum13241
Graf Zahl wrote: ↑Thu Jan 19, 2023 12:11 am
2FA will also drive people away - if not more - so you'd be between a rock and a hard place.
Rachael also dismissed the idea due to 2 things.
1. You can't trust a random phpBB plugin.
2. She doesn't want to lock herself into phpBB.
It's sad that most websites still claim SMS 2FA is secure. No it's not.
Re: New Password Requirements and Password Reset
Posted: Thu Jan 19, 2023 2:25 am
by cyber_cool
yum13241 wrote: ↑Thu Jan 19, 2023 1:42 am
I don't get the point here. You're probably just mad about having to have such a long password. Use a password manager. I recommend Bitwarden. You can even host it yourself.
https://neoworm.bitwarden.org is a possibility.
That's understandable. On what other website have you seen a 20+ character requirement for a password, on top of using both lower- and uppercase letters? I have only seen a special characters requirement, and it was for a bank website (on top of 2FA, of course).
That's certainly not the problem with users choosing insecure passwords.
Re: New Password Requirements and Password Reset
Posted: Thu Jan 19, 2023 2:31 am
by yum13241
At the same time it's been proven that nothing else worked.