Forced to change password

ajgelado
Moongazer
Posts: 13
Joined: 2020-02-04, 06:04

Forced to change password

Post by ajgelado » 2025-09-25, 12:27

Today I entered the forum to read notes on previous Pale Moon versions (through the "more news..." link on the home page), and, out of the blue, I was asked to change my password before I could access the forum. Opening it in a private window worked perfectly (but I wasn't logged on, obviously). I'm not a regular on the forum, but I have written a dozen posts since I joined in 2020 and I visit it several times a year, so I doubt my account can be considered inactive. Have we had a security breach and our password hashes have been leaked? Or is it just a proactive measure?

Moonchild
Pale Moon guru
Posts: 38503
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-09-25, 12:59

It's just a protective measure, because online breaches are a dime a dozen these days. You will be asked on occasion to change your password.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

UCyborg
Astronaut
Posts: 590
Joined: 2019-01-10, 09:37
Location: Slovenia

Re: Forced to change password

Post by UCyborg » 2025-11-14, 22:41

On the dozens of pages I registered an account on in the past, this must be the only one that ever asked me to change my password.

van p
Astronaut
Posts: 682
Joined: 2015-11-19, 07:15
Location: Cincinnati, OH, U.S.A.

Re: Forced to change password

Post by van p » 2025-11-17, 01:06

UCyborg wrote:
2025-11-14, 22:41
On the dozens of pages I registered an account on in the past, this must be the only one that ever asked me to change my password.
It's unusual but certainly not unheard of. For example, my employer's payroll service provider requires employees to change their password every 6-7 months. Simply a good security practice. I also had to change my Pale Moon password last year.
Windows 10 Pro x64 v22H2 8GB i5-4570|Pale Moon v33.9.1 x64

BenFenner
Keeps coming back
Posts: 854
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Forced to change password

Post by BenFenner » 2025-11-17, 01:25

van p wrote:
2025-11-17, 01:06
Simply a good security practice.
No, it is not. It is antithetical to security. But we've been over this a few times.
Last edited by BenFenner on 2025-11-17, 01:39, edited 2 times in total.

Gemmaugr
Lunatic
Posts: 323
Joined: 2025-02-03, 07:55

Re: Forced to change password

Post by Gemmaugr » 2025-11-17, 01:26

van p wrote:
2025-11-17, 01:06
UCyborg wrote:
2025-11-14, 22:41
On the dozens of pages I registered an account on in the past, this must be the only one that ever asked me to change my password.
It's unusual but certainly not unheard of. For example, my employer's payroll service provider requires employees to change their password every 6-7 months. Simply a good security practice. I also had to change my Pale Moon password last year.
I know NexusMods use(d?) such a system. And it was terrible while I was there. They further had more requirements on top of that, and it didn't fit in with my password system at all*. I could never remember which was the latest password I'd set it as. A frustrating password system isn't good security at all. All it takes is just two passwords on rotation with a one-off input key, and if the old one is compromised, so is the other one. Or your single mail password for recovery could be compromised and the rotating password system is rendered useless. Being frustrating also means you'd try to simplify it as much as possible to remember what it actually is, this time around.

*(which lets me have a unique but memorable static & dynamic password for each site I use)

van p
Astronaut
Posts: 682
Joined: 2015-11-19, 07:15
Location: Cincinnati, OH, U.S.A.

Re: Forced to change password

Post by van p » 2025-11-17, 03:40

BenFenner wrote:
2025-11-17, 01:25
van p wrote:
2025-11-17, 01:06
Simply a good security practice.
No, it is not. It is antithetical to security. But we've been over this a few times.
I don't have time to read 45 posts. If you wanna give me the gist, I'll read that. Thanks.

Moonchild
Pale Moon guru
Posts: 38503
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-17, 09:35

The gist is that opponents are against periodic changes of passwords, period. No matter how long the time between changes. It is only antithetical to security if you ask users to change their password too often and they get fatigue. That isn't the case here; requests for password changes are years apart, not months or weeks.
You can also change it then change it back right away if you are confident your previously used password is secure (not used elsewhere, of sufficient strength, etc.)
On the other side of that coin is that data breaches happen all the time and many people will absolutely re-use the same password across sites, so this inconvenience for people having good credential policies for themselves is unfortunate but a compromise I'm insisting on here.

UCyborg
Astronaut
Posts: 590
Joined: 2019-01-10, 09:37
Location: Slovenia

Re: Forced to change password

Post by UCyborg » 2025-11-17, 20:23

What a phenomenon, humans and password management. Is a password manager still a foreign concept to a good portion of humans?

I taught myself to use a password manager at a young age, so I personally don't have problems with passwords in general.

Could it be that the rise of 2FA requirement, at least when it comes to certain services, is really a sort of cope for potentially bad user passwords?

Moonchild
Pale Moon guru
Posts: 38503
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-17, 20:33

UCyborg wrote:
2025-11-17, 20:23
What a phenomenon, humans and password management. Is a password manager still a foreign concept to a good portion of humans?
Unfortunately, very much so. Tons of people use simple, easy to guess passwords; tons of people re-use passwords. Despite having password managers right at their fingertips in most browsers as well.
UCyborg wrote:
2025-11-17, 20:23
Could it be that the rise of 2FA requirement, at least when it comes to certain services, is really a sort of cope for potentially bad user passwords?
The hard push for 2FA was most certainly in part because of this. (And personally I think sane and aware credential management precludes the hard need for 2FA)

Gemmaugr
Lunatic
Posts: 323
Joined: 2025-02-03, 07:55

Re: Forced to change password

Post by Gemmaugr » 2025-11-17, 20:55

UCyborg wrote:
2025-11-17, 20:23
What a phenomenon, humans and password management. Is a password manager still a foreign concept to a good portion of humans?

I taught myself to use a password manager at a young age, so I personally don't have problems with passwords in general.

Could it be that the rise of 2FA requirement, at least when it comes to certain services, is really a sort of cope for potentially bad user passwords?
Using a password manager means that you don't know your passwords. Only the program you're using knows them, and it makes you either locked to a device or reliant on leaky online databases to hold your passwords for you.
(https://web.archive.org/web/20240806205 ... en-hacked/)

I would have been out of luck several times if I had relied on a password manager. Knowing my own passwords allows me to log in from anywhere and at any time, without fearing that any external dependencies may falter on me (internet, updates, breaches, etc).

MFA/2FA have also let me down. Especially when it comes to mail sites with a short account inactivity deletion date. I had a catch-22 going on with GOG because my mail account for it was deleted during a vacation. To change email address, I needed the 2FA link. To disable 2FA, I needed the email account. Vicious SOL circle. SMS 2FA is a no-no, privacy-wise.

Moonchild
Pale Moon guru
Posts: 38503
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-17, 21:05

Gemmaugr wrote:
2025-11-17, 20:55
Using a password manager means that you don't know your passwords. Only the program you're using knows them, and it makes you either locked to a device or reliant on leaky online databases to hold your passwords for you.
Yes and no. Having backups of your passwords is always a good thing. Also, using a password manager doesn't necessarily mean you don't know the passwords yourself - password manager use doesn't equal random/impossible-to-memorize passwords.
Personally I use a hybrid approach: I have essential passwords in my brain, and less essential ones are remembered by an offline password manager. In addition, generated passwords use a mnemonic template (that I put together myself) that makes it easy for me to memorize what it spits out if I ever need it.

What they are pushing now with "passkeys" though, that is indeed pretty much bound to a device or risky cloud storage. :)

Gemmaugr
Lunatic
Posts: 323
Joined: 2025-02-03, 07:55

Re: Forced to change password

Post by Gemmaugr » 2025-11-17, 21:13

Moonchild wrote:
2025-11-17, 21:05
Gemmaugr wrote:
2025-11-17, 20:55
Using a password manager means that you don't know your passwords. Only the program you're using knows them, and it makes you either locked to a device or reliant on leaky online databases to hold your passwords for you.
Yes and no. Having backups of your passwords is always a good thing. Also, using a password manager doesn't necessarily mean you don't know the passwords yourself - password manager use doesn't equal random/impossible-to-memorize passwords.
Personally I use a hybrid approach: I have essential passwords in my brain, and less essential ones are remembered by an offline password manager. In addition, generated passwords use a mnemonic template (that I put together myself) that makes it easy for me to memorize what it spits out if I ever need it.

What they are pushing now with "passkeys" though, that is indeed pretty much bound to a device or risky cloud storage. :)
Ah, ok. A good compromise. I've only seen randomized password PW managers myself.

BenFenner
Keeps coming back
Posts: 854
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Forced to change password

Post by BenFenner » 2025-11-17, 21:29

van p wrote:
2025-11-17, 03:40
I don't have time to read 45 posts. If you wanna give me the gist, I'll read that. Thanks.
Apparently I can't even count on a good-faith summary from Moonchild, so here is the actual gist:

Back in 2006 Microsoft released the first comprehensive study on passwords and human behavior. They were one of a few to actually have the data available to do it. Since then, many more studies have come out that all corroborate the original findings.
The findings were that humans, on average, will set less secure passwords the more requirements exist for the passwords. If you insist on special characters, for example, then you'll have users with less secure passwords. Same goes for enforcing a length, or enforcing password resets.
Password reset durations of fewer than 2 years were all shown to reduce password security. (Password reset periods longer than 2 years are inconclusive, with not enough data.)

Moonchild has made things worse for himself, either because he does not understand the argument (based on his summary, that is entirely possible) or he rejects it because (paraphrasing here) "his common sense knows better".

Moonchild wrote:
2025-11-17, 20:33
UCyborg wrote:
2025-11-17, 20:23
Could it be that the rise of 2FA requirement, at least when it comes to certain services, is really a sort of cope for potentially bad user passwords?
The hard push for 2FA was most certainly in part because of this. (And personally I think sane and aware credential management precludes the hard need for 2FA)
It seems at least we agree on this.

2FA is certainly pushed, in part, because of password failures. This is the failure of the service, mind you, not the user. When a service pushes 2FA, you know they have no idea how passwords work and have screwed it up so badly they are trying to cover their own failures. Very often those password failures are due to password requirements and reset regimes exactly like the one this thread is about.

2FA does solve real problems though, and should at least be an option (not mandatory) in many cases for an improved security posture. But it really doesn't need to be nearly as prevalent as it is even now.

moonbat
Knows the dark side
Posts: 5712
Joined: 2015-12-09, 15:45

Re: Forced to change password

Post by moonbat » 2025-11-18, 02:35

BenFenner wrote:
2025-11-17, 21:29
2FA is certainly pushed, in part, because of password failures.
If you define password failure as being compromised (either due to user gullibility or a server breach) then 2FA at least ensures that simply knowing the password won't let someone else login to your account. Of course the user may also be dumb enough to disclose the 2FA code to the hacker who asks nicely :coffee:
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Jabber: moonbat@hot-chili.net

van p
Astronaut
Posts: 682
Joined: 2015-11-19, 07:15
Location: Cincinnati, OH, U.S.A.

Re: Forced to change password

Post by van p » 2025-11-18, 05:25

BenFenner wrote:
2025-11-17, 21:29
Password reset durations of fewer than 2 years were all shown to reduce password security.
How so?

Also, if bad survey results are due to user laziness, then user laziness is the problem, not security procedures. I think.

Moonchild
Pale Moon guru
Posts: 38503
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-18, 05:40

  • relying on a single study is not science
  • password change interval is more than 2 years here for a reason as I already indicated
But since my gist (not a summary) is not being appreciated, next time you can just read. I'm done.

BenFenner
Keeps coming back
Posts: 854
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Forced to change password

Post by BenFenner » 2025-11-18, 13:17

Moonchild wrote:
2025-11-18, 05:40
  • relying on a single study is not science
Another complete misrepresentation of the argument. I have said on numerous occasions there are many, many studies that corroborate the initial study's results with different source datasets. Everyone else's DDG works just as well as mine.
It got so undeniable that the USA's NIST had to change their recommendations in ~2015 to align with the overwhelming evidence. (I'd link them, but CloudFlare is having a worldwide outage right now.)

van p wrote:
2025-11-18, 05:25
BenFenner wrote:
2025-11-17, 21:29
Password reset durations of fewer than 2 years were all shown to reduce password security.
How so?
User gets frustrated, stops using secure password practices, uses less secure password (shorter, easier to guess, more common, shared among other sites, etc.).

Sure, blame the user. That gets you nowhere though, and hurts everyone.

Just stop frustrating the user. It's that simple.

Moonchild
Pale Moon guru
Posts: 38503
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-18, 13:29

BenFenner wrote:
2025-11-18, 13:17
Just stop frustrating the user. It's that simple.
And this slippery slope is why we have super annoying non-functional websites that are insecure as heck. And don't get me started on how much effectively irrelevant 2FA is absolutely frustrating on each and every login (and that is somehow OK?...)

I repeat: asking users to change their password is only an issue if it's done too often. Your many studies concur with me. But since there are obviously people who will always be frustrated at the slightest hint of resistance your view seems to be that we must yield to the lowest common denominator and throw best practices to the wind. Asking me to flat out disable password change policies for this reason is undermining your own argument. Unless you expect me to do something else to strengthen account security and prevent hijacks after credential leaks.

Infrequent requests for password changes are the most balanced option.

BenFenner
Keeps coming back
Posts: 854
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Forced to change password

Post by BenFenner » 2025-11-18, 17:19

Moonchild wrote:
2025-11-18, 13:29
BenFenner wrote:
2025-11-18, 13:17
Just stop frustrating the user. It's that simple.
And this slippery slope is why we have super annoying non-functional websites that are insecure as heck.
No it's not.
Moonchild wrote:
2025-11-18, 13:29
And don't get me started on how much effectively irrelevant 2FA is absolutely frustrating on each and every login (and that is somehow OK?...)
Agreed. 2FA is one of the most user-antagonistic things out there, and really is a nuclear option that has been massively over-applied. No argument here. It is a near-complete failure of the security industry, born out of decades of ignoring the studies I'm trying to get you to read.
Moonchild wrote:
2025-11-18, 13:29
I repeat: asking users to change their password is only an issue if it's done too often. Your many studies concur with me.
No they don't. And it's become painfully clear you've not read a single one of them. You are really sounding like a flat-earther right now. Or climate change denier. Or anti-vaxxer. The science completely disagrees with you.
Only the first study done was inconclusive after 2 years because of lack of data. Go. Read. More. Studies.
Moonchild wrote:
2025-11-18, 13:29
But since there are obviously people who will always be frustrated at the slightest hint of resistance your view seems to be that we must yield to the lowest common denominator
It's not just my view. It's the view of nearly all IT security experts and researchers. Yielding to the lowest common denominator, in this case, produces on average the most secure password posture for any public system. This is something you still don't seem to understand or let fully sink in. With every password requirement designed to increase the quality of the passwords in the system, you instead REDUCE the quality of the passwords in the system. End of story.
Yes, this goes against the "common sense" of the late 1990s and early 2000s.
Moonchild wrote:
2025-11-18, 13:29
and throw best practices to the wind.
Best practices from the late 1990s? Yes, they need to die in a fire.
We've moved on since then, and best practices NOW (and for the past ~20 years) are to limit or completely eliminate password requirements for users. I'm not sure where you've been, but you've clearly missed the boat on best practices when it comes to password requirements.
The best practice is to salt passwords, use a strong hashing algorithm (the one HashCat sucks most at), use as many iterations of that hash as your hardware can tolerate, and then leave the users alone to do their thing.

Moonchild wrote:
2025-11-18, 13:29
Asking me to flat out disable password change policies for this reason is undermining your own argument. Unless you expect me to do something else to strengthen account security and prevent hijacks after credential leaks.
I have only snippets of what kinds of problems you're dealing with. I can only guess. If they are anything like what my forum deals with, they are easily managed, recovered from, mitigated, and dealt with. All without inconveniencing the user, or reducing password quality across the board with onerous password policy and requirements that actually make things worse.
Moonchild wrote:
2025-11-18, 13:29
Infrequent requests for password changes are the most balanced option.
And the earth is flat.
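The storage practice BenFenner lists in the post above (salt every password, use a slow hash, run as many iterations as the hardware tolerates, then leave the user alone) in working form. This is an added example, not code from the forum software or from the Pale Moon project; the record format, the function names and the iteration count are constructed for illustration. It also shows the part the thread argues about from the server's side: a work factor can be raised transparently at the next successful login, without asking anyone for a new password.

```python
import base64
import hashlib
import hmac
import os

# Site-side tunables (constructed for this example). A deployment sets the
# iteration count to whatever its hardware tolerates per login attempt.
HASH_NAME = "sha256"
CURRENT_ITERATIONS = 300_000
SALT_BYTES = 16
DK_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$hash$iterations$salt$digest.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless against the set.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DK_LEN)
    return "$".join(["pbkdf2", HASH_NAME, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> tuple[bool, bool]:
    """Return (password_matches, record_needs_rehash).

    needs_rehash is True when the stored record was made with fewer iterations
    than the site currently uses, so a successful login can upgrade it.
    Malformed records verify as False rather than raising.
    """
    try:
        scheme, hash_name, iterations_s, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # wrong field count, non-integer, or bad base64
        return False, False
    if scheme != "pbkdf2":
        return False, False
    actual = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, len(expected))
    # Constant-time comparison: an early-exit byte compare would leak how much
    # of the digest matched.
    matches = hmac.compare_digest(actual, expected)
    return matches, matches and iterations < CURRENT_ITERATIONS


def login(password: str, record: str) -> tuple[bool, str]:
    """Check a login and return (ok, record the site should now store).

    On success with an outdated work factor the record is re-created at the
    current iteration count; the user never notices.
    """
    ok, needs_rehash = verify_password(password, record)
    if ok and needs_rehash:
        return True, hash_password(password)
    return ok, record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", iterations=1000)  # old, weak record
    ok, stored = login("correct horse battery staple", stored)
    print(ok, stored.split("$")[2])  # True 300000
```

PBKDF2 is used here only because it ships in the Python standard library; the same record-and-rehash pattern applies to memory-hard functions such as scrypt or Argon2, which are the better choice where a library is available, because they blunt the GPU advantage that plain iterated hashing leaves open.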