New Password Requirements and Password Reset

News about ZDoom, its child ports, or any closely related projects.
[ZDoom Home] [Documentation (Wiki)] [Official News] [Downloads] [Discord]
[🔎 Google This Site]

Moderator: GZDoom Developers

Locked
User avatar
DELTAtheDboi005
Posts: 218
Joined: Tue Apr 05, 2022 3:43 am
Preferred Pronouns: He/Him

Re: New Password Requirements and Password Reset

Post by DELTAtheDboi005 »

CandiceJoy wrote: Wed Jan 18, 2023 5:46 am Hey everyone! We've been having a bit of trouble with compromised accounts on here of late, so we've implemented a new password complexity requirement on all accounts, effective immediately. Upon logging in for the first time after today, you will be required to change your password to something that is at least 20 characters long, and contains both upper- and lower- case letters, as well as numbers. We feel this is necessary to maintain the continued security of the forums, and sincerely apologise for any inconvenience this may cause.

If you would like to create a randomly generated password, you can use https://passwords-generator.org/

If you have any questions, comments, or concerns, you can leave them below. Otherwise, keep on Dooming! :)
When I found out about this, I didn't give an iota of a shit. However I do think that this is a good idea to maximize security.
User avatar
Imp Hunter
Posts: 684
Joined: Sat Jul 05, 2008 6:20 am
Location: Brazil

Re: New Password Requirements and Password Reset

Post by Imp Hunter »

Making a new 20 chars password is not that big of a deal for me, but man, I'd really prefer a 2FA method instead. Just link it to my email, phone or something.
User avatar
Batandy
Posts: 1277
Joined: Tue Jul 19, 2011 2:56 am

Re: New Password Requirements and Password Reset

Post by Batandy »

20 character password isn't a deal breaker for me, I mean, I'm right here typing this post after I made one.

I just think it's absurd that I have to do this for a small forum that holds absolutely no vital information about me.
I mean, would I get hacked with no 2fa and a short password here? Maybe... I'd just contact an admin and have the password changed or make a new account if the old one is nuked, no big deal.
Professor Hastig
Posts: 225
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: New Password Requirements and Password Reset

Post by Professor Hastig »

What about the poor mods that have to deal with the fallout of your account getting hacked? I doubt for them it's "no big deal".
User avatar
Batandy
Posts: 1277
Joined: Tue Jul 19, 2011 2:56 am

Re: New Password Requirements and Password Reset

Post by Batandy »

Professor Hastig wrote: Thu Jan 26, 2023 7:16 am What about the poor mods that have to deal with the fallout of your account getting hacked? I doubt for them it's "no big deal".
I've never been a moderator in a forum so I can't really speak about the implications there, but if that has to happen, it will happen regardless of if you have a 10 character password or a 20 character password.
Besides, that's something every moderator in every forum has to deal with, and I don't think shorter password length will result in the entire userbase collectively getting hijacked.


All i'm saying is that this is very overkill for a niche doom forum and just an annoyance for the end user.
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49053
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

This forum was suffering from compromised accounts on a regular basis, the most common reason that if people are allowed to use simple passwords, they will do - and they will do it elsewhere as well. So if some of those other accounts gets broken into, the one here is toast, too. Now people can't do the lazy routine anymore and to be blunt, all the whining and complaining we got is that people still stick to outdated means of managing passwords, which normally implies that their passwords may also be outdated.

For god's sake use a password manager instead of trying to memorize all passwords! All you then need to remember is a single passwords. At least this forum doesn't use Javascript hacks to disable the browser's password management - THAT is the true menace of the internet!
User avatar
Gollgagh
Posts: 207
Joined: Thu Apr 16, 2015 8:24 am

Re: New Password Requirements and Password Reset

Post by Gollgagh »

My case is perhaps a little bit odd-ball in this kerfuffle: I am the user with unique 100+ character non-dictionary passphrases in stored in a password manager, but this was one of two remaining sites (neither with any more identifying information than my email) with a password that needed to be retired fifteen years ago, so this forced me out of a bit of overly sentimental attachment. That's my little huffy puffy.

Now, I don't want to give anybody any ideas, but something that I would really bristle at would be monthly forced password resets, because oh baby, you best believe I'm gonna be incrementing the number in that stupid password every reset.
Last edited by Gollgagh on Thu Jan 26, 2023 5:22 pm, edited 1 time in total.
User avatar
CandiceJoy
Posts: 94
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1
Contact:

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

Gollgagh wrote: Thu Jan 26, 2023 4:15 pm My case is a little bit odd-ball in this kerfuffle: I am the user with unique 100+ character non-dictionary passphrases in stored in a password manager, but this was one of two remaining sites (neither with any more identifying information than my email) with a password that needed to be retired fifteen years ago, so this forced me out of a bit of overly sentimental attachment. That's my little huffy puffy.
I use 100-character randomly generated passwords. Good luck brute forcing THAT ;D
User avatar
Gollgagh
Posts: 207
Joined: Thu Apr 16, 2015 8:24 am

Re: New Password Requirements and Password Reset

Post by Gollgagh »

Yeah, but that's boring. If I'm gonna be making up nonsense, I wanna have at least a little bit of fun with it.
User avatar
Pandut
Posts: 231
Joined: Tue Mar 23, 2010 4:47 pm
Preferred Pronouns: No Preference
Graphics Processor: nVidia with Vulkan support
Location: existential dread

Re: New Password Requirements and Password Reset

Post by Pandut »

If people don't want to use a password manager (which is completely understandable) consider using a pencil and paper. I have a notebook in my bookshelf filled with dozens of 20-30+ character passwords. Use a password generator, write it down, keep the notebook somewhere safe. It's a time investment for sure because you'll have to potentially spend a few hours writing down all of your passwords but once the set up is complete it's the safest password management option imo. Patience is the only factor.

Also I noticed it pop up a few times so I figured I'd give a PSA when it comes down to Google Authenticator and other 2FA apps. Authenticator does not store recovery codes, you have to do it yourself. For example, if you add 2FA to Discord, Discord gives you the code to add to an Auth (whether its Google or Authy, etc), usually the same code is also your recovery code. 90% of services out there that support 2FA will tell you that it is absolutely imperative that you write that code down/keep it somewhere safe. Some of them will flat out tell you to screenshot the code. That is how you backup your 2FA when switching mobile devices. Steam and Battlenet's 2FA app does the same thing. Unfortunately sometimes it's not very obvious and Google Authenticator does a bad job at letting users know that it doesn't store/remember recovery codes.
User avatar
Rachael
Posts: 13527
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her
Contact:

Re: New Password Requirements and Password Reset

Post by Rachael »

Dropped the requirement from 20 to 15 characters since browsers autogen passwords at that length - however the password reset is still being enforced in order to get everyone into the new requirements.

If you aren't already, please use a password manager of some sort. Something like LessPass works perfect because you never have to store passwords anywhere.
User avatar
Player701
 
 
Posts: 1632
Joined: Wed May 13, 2009 3:15 am
Graphics Processor: nVidia with Vulkan support
Contact:

Re: New Password Requirements and Password Reset

Post by Player701 »

Could be just me, but the "Remember Me" checkbox appears to be broken - I get logged out every other day or so, while in the past I could stay logged in for months. May or may not be related to another issue I've been recently experiencing (still happening as of now).
User avatar
Graf Zahl
Lead GZDoom+Raze Developer
Lead GZDoom+Raze Developer
Posts: 49053
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

Same here, actually. I had to re-enter my login data 4 times since the password change.
User avatar
Rachael
Posts: 13527
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her
Contact:

Re: New Password Requirements and Password Reset

Post by Rachael »

Please log out first, then clear your cookies from this entire domain (zdoom.org) completely. It works fine for me, so it's possible that you have browser cookie poisoning from a previous login that got invalidated. Happens all the time for me, and that's how I fix it.

I can't fix this server-side except to erase both your saved logins and active sessions completely, and that won't remove the bad cookie that's giving you problems, anyway.

If you want, go here and review your logins from other devices too: ucp.php?i=ucp_profile&mode=autologin_keys - to make sure you have no duplicate entries.
User avatar
Player701
 
 
Posts: 1632
Joined: Wed May 13, 2009 3:15 am
Graphics Processor: nVidia with Vulkan support
Contact:

Re: New Password Requirements and Password Reset

Post by Player701 »

Rachael wrote: Sun Jan 29, 2023 9:55 am Please log out first, then clear your cookies from this entire domain (zdoom.org) completely. It works fine for me, so it's possible that you have browser cookie poisoning from a previous login that got invalidated. Happens all the time for me, and that's how I fix it.
Did exactly that yesterday, and yet I've just found myself logged out again (plus it took about 5 attempts before the site loaded at all; see link in my previous post for details).
Locked

Return to “ZDoom (and related) News”