New Password Requirements and Password Reset

Phredreeke
Posts: 293
Joined: Tue Apr 10, 2018 8:14 am

Re: New Password Requirements and Password Reset

Post by Phredreeke »

neoworm wrote: Fri Jan 20, 2023 10:21 am I won't be reading the rest of this, but I will state the following. My bank doesn't need a 20 character long password, but a 25+ year old game fan forum does.
If your bank doesn't have some form of 2FA then they're seriously doing something wrong...
CandiceJoy
Posts: 94
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

Phredreeke wrote: Fri Jan 20, 2023 5:59 pm
neoworm wrote: Fri Jan 20, 2023 10:21 am I won't be reading the rest of this, but I will state the following. My bank doesn't need a 20 character long password, but a 25+ year old game fan forum does.
If your bank doesn't have some form of 2FA then they're seriously doing something wrong...
Right. If you notice, most places are either shorter password + 2FA or long password. Most places have 2FA, though, so... almost everywhere uses shorter passwords :)
BFeely
Posts: 44
Joined: Thu Mar 11, 2004 3:58 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by BFeely »

One thing to note is that Chrome's password generator produces 15 character passwords.

For a local password generator and manager look into https://keepass.info/
alekksandar
Posts: 19
Joined: Wed Jan 16, 2019 5:42 pm

Re: New Password Requirements and Password Reset

Post by alekksandar »

This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
CandiceJoy
Posts: 94
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

alekksandar wrote: Sun Jan 22, 2023 2:06 pm This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
We sincerely apologise for the inconvenience and annoyance that this new policy causes. We've looked into alternatives and, unfortunately, none appear viable at this time :( Since password complexity was the only route available to us, we had to increase said complexity beyond what is typical. I can personally vouch for the fact that phpBB is very difficult to defend from spam and hacking, so we hope that you understand <3
BFeely
Posts: 44
Joined: Thu Mar 11, 2004 3:58 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by BFeely »

CandiceJoy wrote: Sun Jan 22, 2023 7:14 pm
alekksandar wrote: Sun Jan 22, 2023 2:06 pm This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
We sincerely apologise for the inconvenience and annoyance that this new policy causes. We've looked into alternatives and, unfortunately, none appear viable at this time :( Since password complexity was the only route available to us, we had to increase said complexity beyond what is typical. I can personally vouch for the fact that phpBB is very difficult to defend from spam and hacking, so we hope that you understand <3
Does phpBB have any sort of brute force protection? If so, even 15 characters would be resistant to anything short of stealing the database and running the hashes through a GPU cracker.
Kappes Buur
Posts: 4114
Joined: Thu Jul 17, 2003 12:19 am
Graphics Processor: nVidia (Legacy GZDoom)
Location: British Columbia, Canada

Re: New Password Requirements and Password Reset

Post by Kappes Buur »

I do not quite understand why so many are so resistant to using a 20 character password, when it is so easy. After all, they don't have to deal with the hassle of keeping the forum going and coping with rebuilding the forum when it gets hacked. Rachael et al. are doing an excellent job.

I used the password generator from programming.de, then saved the generated password in a text file. Now, all that is required is to copy/paste the password into the login. Easy peasy. :D :thumb:
Redneckerz
Spotlight Team
Posts: 1046
Joined: Mon Nov 25, 2019 8:54 am
Graphics Processor: Intel (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Redneckerz »

I have been pondering this method of execution for some days now. Read the pros, read the cons. Using Bitwarden, I changed it from a 14 character pass to a 30 character one (a random pass mixed with my old one, works like a charm).

For better or worse, I reckon we can all agree this measure is excessive, but only because it needs to be done to fight off spam and because the more obvious choices (OAuth/2FA) have their own issues working with the backend as-is.

Obviously this isn't an ideal scenario. The next thing you know, we are at a 35 character pass (which it originally was). I mean, I don't mind, I play along and will happily do a 100 character pass... but it is excessive.

The OAuth situation surprises me, primarily because that's what I use on our hospital's wiki. Of course, that has a whole virtualized security grid behind it that filters out most of the doo-doos... but you can't just keep on expanding on characters. That right there is a finite limit that will be reached unless we can come up with something smart.

So TL;DR: I get ''why'' it is done and I also get ''why'' it is difficult to seek an alternative. But I also get ''why'' this will have a finite limit if some miraculous idea won't spring up.
neoworm wrote: Fri Jan 20, 2023 10:21 am I won't be reading the rest of this, but I will state the following. My bank doesn't need a 20 character long password, but a 25+ year old game fan forum does. That is the state of things.
I am glad you are ignoring all the reasons ''why'' this has to be done in this particular way.
neoworm wrote: Fri Jan 20, 2023 10:21 am It makes you look like a bunch of self-obsessed tools.
Glad you came back just to spit on staff decisions without any care in the world. I guess your New Year's good intentions were this.
CandiceJoy
Posts: 94
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

Redneckerz wrote: Mon Jan 23, 2023 3:07 pm but you can't just keep on expanding on characters. That right there is a finite limit that will be reached unless we can come up with something smart.
Honestly, I agree. I think if 20 characters with the complexity requirement is insufficient, I would personally prefer we seek an alternative other than lengthening passwords again. But that's just my 2 cents :)
Borg
Posts: 54
Joined: Sun Jun 22, 2008 12:00 am

Re: New Password Requirements and Password Reset

Post by Borg »

So, what's going on? Are forum accounts under constant brute-force attack? That's why you are changing the password policy?
yum13241
Posts: 779
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

Not necessarily constant.
Rachael
Posts: 13527
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

It is constant. Just because you don't see it doesn't mean it's not happening. People run those bots 24/7, so yes, it's constant.

You only see the accounts getting compromised that have not properly protected themselves - and that's the same for us, too.
Borg
Posts: 54
Joined: Sun Jun 22, 2008 12:00 am

Re: New Password Requirements and Password Reset

Post by Borg »

Ugh... damn savages... I know that pain... My IP blacklist is growing and growing...
fwcli> stats rules
427 rules in DB
427 subnets (not IPs!) with size of minimum /24 (class C) or larger..

I can give you some hints via PM if you want ;)
Rachael
Posts: 13527
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: New Password Requirements and Password Reset

Post by Rachael »

The forum already has a system that blocks logins from individual hosts for several hours after a failed login attempt, at least without engaging the captcha. I've reduced the maximum number of captcha-free attempts per IP down to 1 now, since reCAPTCHA v3 is automatic anyway.
Ihavequestions
Posts: 163
Joined: Mon Jul 12, 2021 1:45 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by Ihavequestions »

Rachael wrote: Wed Jan 25, 2023 3:02 pm I've reduced the maximum number of captcha-free attempts per IP down to 1 now, since recaptcha3 is automatic anyway.
That's bad news for people with script blockers who for some reason got their settings reset, e.g., due to a new OS installation -- even if that was on another machine. NoScript will reset its centrally stored settings anyway because reasons. Other blockers might save their settings per machine.

It typically takes three attempts to get a Captcha to become visible, since you need to reload the page after every change that unlocks some additional functionality. If your browser keeps trying to sign you in automatically using outdated credentials, this will probably cause your IP to get blocked.
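Rachael's description of the per-IP throttle (a small number of captcha-free failures, then a multi-hour block) and Ihavequestions' worry about browsers auto-retrying stale credentials can both be walked through with a small model. The following is an added Python example written for this thread, not phpBB's own code; the one-hour window, the four-hour block and the IP addresses are constructed values.

```python
import time
from dataclasses import dataclass, field


@dataclass
class IpState:
    failures: list = field(default_factory=list)  # timestamps of recent failed logins
    blocked_until: float = 0.0                    # epoch seconds; 0 means not blocked


class LoginThrottle:
    """Per-IP failed-login throttle (illustrative, not phpBB's implementation).

    After `captcha_free_attempts` failures within `window` seconds, every further
    attempt from that IP must carry a solved captcha. An attempt arriving without
    one while in that state (e.g. a browser auto-retrying saved credentials)
    blocks the IP for `block_seconds`."""

    def __init__(self, captcha_free_attempts=1, window=3600, block_seconds=4 * 3600):
        self.captcha_free_attempts = captcha_free_attempts
        self.window = window
        self.block_seconds = block_seconds
        self.ips = {}  # ip -> IpState

    def _state(self, ip, now):
        st = self.ips.setdefault(ip, IpState())
        # Forget failures that have aged out of the sliding window.
        st.failures = [t for t in st.failures if now - t < self.window]
        return st

    def status(self, ip, now=None):
        """'blocked', 'captcha' (captcha now required) or 'allow'."""
        now = time.time() if now is None else now
        st = self._state(ip, now)
        if st.blocked_until > now:
            return "blocked"
        if len(st.failures) >= self.captcha_free_attempts:
            return "captcha"
        return "allow"

    def attempt(self, ip, password_ok, captcha_solved=False, now=None):
        """Process one login attempt and return its outcome string."""
        now = time.time() if now is None else now
        status = self.status(ip, now)
        if status == "blocked":
            return "blocked"
        if status == "captcha" and not captcha_solved:
            self._state(ip, now).blocked_until = now + self.block_seconds
            return "blocked"  # captcha-free budget exhausted; lock the host out
        if password_ok:
            self._state(ip, now).failures.clear()  # successful login resets the counter
            return "success"
        self._state(ip, now).failures.append(now)
        return "failed"
```

With `captcha_free_attempts=1`, a single stale-credential retry without a captcha is enough to trigger the block, which is exactly the auto-login scenario described above.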