Forced to change password

therube
Board Warrior
Posts: 1749
Joined: 2018-06-08, 17:02

Re: Forced to change password

Post by therube » 2025-11-18, 17:28

Having backups of your passwords is always a good thing.
I'll reiterate that - even if I didn't follow that advice ;-).

(My email accounts, various on yahoo & gmail, have been "on", active, for so many years on end, that I've never had to actually log in, in ages; I have no clue what my passwords are. And if my cookies should happen to expire - when they happen to expire, I'll be... without.)
They further had more requirements on top of that, and didn't fit in with my password system at all*. I could never remember which was the latest password I'd set it as. A frustrating password system isn't good security at all. All it takes is just two passwords on rotation with a one-off input-key and if the old one is compromised, so is the other one. Or your single mail password for recovery could be compromised and the rotating password system is rendered useless. Being frustrating also means you'd try to simplify it as much as possible to remember what it actually is, this time around.
I agree with that.
Even bugzilla (.mozilla.org), I forever had my password that I knew & used... & then one day, your PW had to be 80-chars long & had to have this & that & the other... so I just came up with some derogatory PW (well, it made me happy), that I simply wrote down in a text file, & have almost never gone back to bugzilla since.

Some (state?) agency here (Maryland), that I need to log into - quarterly, forces you to change your password every < 90 days. What does that mean in practice? Every time I log in (once a quarter), I'm forced to change my password. Asinine.

Bank of America, online bill pay, in order to change a payee's Invoice number (simply a textual field that prints on a physical check, assuming the check is generated by the bank) has had a captcha for a long time. Now, they force a 2FA on you to change that field. So if I'm not in my office (which is where the 2FA is sent to), I can't change the "Invoice number". (Now, I've got to assume that they've been burned in some way by allowing "open" access to that particular field, but it baffles me how [when one can change all else except for that - without captcha or 2FA].)


Endless password change requirements certainly make me apt to use simpler passwords.
And 2FA almost never works, 'cause I have no cellphone, & if it does go to a particular landline phone, that means I can only be authorized if I'm at that specific location. I'm in the bank, standing in front of the person I deal with - regularly, yet they want to send a "text" to my "phone", & I'm like good luck with that! (And as mentioned above, not knowing my email passwords, if they want to send to there, and again if I'm not at the location where my computer is, that too is worthless - for me.)


(As it is, when I log in here, I often need to try 2x, before I get it right ;-).)

Moonchild
Pale Moon guru
Posts: 38475
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-18, 19:09

Right. Well, let's do it this way then, before people get flat-out hostile over differing opinions.
viewtopic.php?f=17&t=32935

P.S.: The earth isn't flat, it's obviously dorito-shaped! Where have you been the past 2 centuries? ;)
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Gemmaugr
Lunatic
Posts: 308
Joined: 2025-02-03, 07:55

Re: Forced to change password

Post by Gemmaugr » 2025-11-18, 19:37

BenFenner wrote:
2025-11-18, 17:19
You are really sounding like a flat-earther right now. Or climate change denier. Or anti-vaxxer. The science completely disagrees with you.
While we may agree on a lot of things, especially with passwords and 2FA in here.. Flat Earth is very black and white, yes.
Global Cooling, I mean Warming, I mean Change, I mean Emergency, and "anti-vax" (one can be against mRNA but not proven vaccines for example) are not as black and white.
Better use some other, not-as-political example. Like "2+2=5" or "gender is a sOCiaL coNsTRucT".

Anyway, the poll is up. No Voter ID required, so happy voting!

Lucio Chiappetti
Keeps coming back
Posts: 840
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Forced to change password

Post by Lucio Chiappetti » 2025-11-18, 21:49

I have replied to the poll. For what concerns Pale Moon forum I regard the current policy as fully acceptable, and I have replied to keep it as is.

Just for the sake of argument, I intended (before the poll was set up) to say something in this thread in general.
In general I do not like forced password changes for "irrelevant sites", specially too frequent ones, or complicated requirements. Personally I consider a forum as an "irrelevant site" ... for what concerns my protection ... I won't mind if anybody steals the password and posts for me (why should one do that after all?) ... but I do appreciate that Moonchild might be concerned that stolen or common passwords may be stolen by bots, and I'm glad to comply with any policy protecting the forum.
Off-topic:
For the sake of argument I made an exercise looking at the passwords saved in the browser "Saved logins" (Classic password editor 1.1.2) and dividing them by categories. That's the closest thing to a password manager I use, without master password. I use a master password in my MUA embedded pwd manager, just to avoid typing the three mail provider passwords. I got the following statistics from less relevant to more relevant sites.
  • 7 totally irrelevant sites I visited in the past (and might have even forgotten) and required a password
  • 12 "accidental forums" on which I asked one question in the past but do not frequent regularly
  • 12 obsolete sites internal to my organization
  • 14 internal sites of my institute
  • 7 primary forums which I frequent regularly
  • 9 mailing list archives
  • 14 commercial sites where I might have bought something (bookshops, theatre etc.)
  • 7 transport agencies where I might have bought tickets
  • Note I never store any credit card on a site or in the browser (I use a one-shot virtual card number generated by my bank for online transactions)
  • 13 "scientific" sites I frequented accidentally
  • 20 "scientific" sites of projects I work/ed on regularly
  • 10 sites internal to my organization
  • I agree on protecting data access on those sites (for the sake of the hosting institution, not for me). The great majority are pwds fixed once forever.
  • 4 hospitals and alike (I do not really care if somebody sees my reports or books a visit for me :D)
  • 3 utilities and public administration sites
  • 3-4 other public administration sites (including the one paying my pension and the tax office) are no longer stored as they use the national id schemes, so I might use a smartcard reader in preference to the national SPID system (this one has a quite painful password change policy). Really I won't care much if one sees my tax declaration or other info, but I agree these could be somehow sensitive data
  • The only important password, i.e. my online banking one is not stored anywhere in the browser, and actually I use a private window when I connect to my bank
Only the last items (in colour) are considered relevant for me.
By the way, talking of backups, I would not mind having a utility to dump the saved logins (specially the irrelevant ones!) to a text file :mrgreen:
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)

Moonchild
Pale Moon guru
Posts: 38475
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-18, 23:31

Lucio Chiappetti wrote:
2025-11-18, 21:49
By the way, talking of backups, I would not mind having a utility to dump the saved logins (specially the irrelevant ones!) to a text file :mrgreen:
https://github.com/JustOff/password-backup-tool may be of help ;)

frostknight
Keeps coming back
Posts: 766
Joined: 2022-08-10, 02:25

Re: Forced to change password

Post by frostknight » 2025-11-19, 02:43

BenFenner wrote:
2025-11-18, 17:19
We've moved on since then, and best practices NOW (and for the past ~20 years) are to limit or completely eliminate password requirements for users. I'm not sure where you've been, but you've clearly missed the boat on best practices when it comes to password requirements.
The best practice is to salt passwords, use a strong hashing algorithm (the one HashCat sucks most at), use as many iterations of that hash as your hardware can tolerate, and then leave the users alone to do their thing.
Actually, the best practice in reality is passphrases... diceware.

Yet most of the world is still behind on this. Despite it being the easiest password to remember and the hardest for machines to guess.

It's so ironic...

The NSA and FBI have a hard time guessing these says Edward Snowden. And yet... almost no websites allow this. Facepalm.jpeg
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!
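The storage practice BenFenner describes in the quote above (salt every password, use a slow hash, run as many iterations as the hardware tolerates, then leave users alone) as an added, self-contained Python example; this is not code from the thread, from Pale Moon or from phpBB, and the `algorithm$iterations$salt$digest` record layout and PBKDF2-HMAC-SHA256 choice are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ALGORITHM = "pbkdf2_sha256"  # label for this example's record format (assumption)
SALT_BYTES = 16


def calibrate_iterations(target_seconds: float = 0.25, start: int = 100_000) -> int:
    """Double the work factor until one hash takes about target_seconds here."""
    iterations = start
    salt = os.urandom(SALT_BYTES)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user makes identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iters, salt_hex, digest_hex = record.split("$")
        salt, expected, n = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:  # wrong field count, bad hex or non-numeric iterations
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, n)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when a record uses a weaker work factor than current policy, so it
    can be upgraded transparently at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < current_iterations
```

Because the iteration count travels inside the record, the site can raise its cost over time without ever forcing users to pick a new password.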

Ron_S
Moongazer
Posts: 13
Joined: 2022-05-11, 09:50

Re: Forced to change password

Post by Ron_S » 2025-11-19, 06:57

Moonchild wrote:
2025-11-17, 09:35
You can also change it then change it back right away if you are confident your previously used password is secure (not used elsewhere, of sufficient strength, etc.)
I'm kinda surprised this topic is even a thing considering you can simply change it back to your old password as mentioned above. :crazy:
It's not like 2.5 years is often anyway...

Moonchild
Pale Moon guru
Posts: 38475
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-19, 10:30

Ron_S wrote:
2025-11-19, 06:57
I'm kinda surprised this topic is even a thing
It shouldn't be, but apparently it is, because:
Moonchild wrote:
2025-11-17, 09:35
opponents are against periodic changes of passwords, period. No matter how long the time between changes.

Bilbo47
Lunatic
Posts: 368
Joined: 2017-11-18, 04:24

Re: Forced to change password

Post by Bilbo47 » 2025-11-19, 21:13

Lucio Chiappetti wrote:
2025-11-18, 21:49
I use a one-shot virtual card number generated by my bank for online transactions
Is there a list of what banks / payment systems provide this feature? That would make me become a new customer, because all services in USA stopped offering it at one point.

Lucio Chiappetti
Keeps coming back
Posts: 840
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Forced to change password

Post by Lucio Chiappetti » 2025-11-19, 21:33

Off-topic:
Bilbo47 wrote:
2025-11-19, 21:13
Is there a list of what banks / payment systems provide this feature?
Sorry, my bank is in Italy. Formally it offers two possibilities of virtual credit cards: one-shot and time-limited, by default one month. Both with a money ceiling. But my bank helpdesk itself advises against one-shot ... because some vendors, at least Amazon, are incompatible ... if you use a one-shot card and order say two books in a single order, they issue two payment transactions ... and the first one "exhausts" the card. So the advice is to create a time-limited card with an amount sufficient for all payments. Once the payments are ordered, you can block the virtual card for the residual amount, and create a new one.

Potkeny
Fanatic
Posts: 154
Joined: 2018-08-03, 17:00

Re: Forced to change password

Post by Potkeny » 2025-11-19, 23:14

Bilbo47 wrote:
2025-11-19, 21:13
Lucio Chiappetti wrote:
2025-11-18, 21:49
I use a one-shot virtual card number generated by my bank for online transactions
Is there a list of what banks / payment systems provide this feature? That would make me become a new customer, because all services in USA stopped offering it at one point.
Off-topic:
Revolut offers one-use digital-only cards, and I believe it's available in the States; it can be used as an "online shopping wallet" while your regular banking remains at your old bank. Do note that some "shops" might not accept one-use cards, for example I had Steam decline it multiple times because for some reason, a one-time purchase requires a not one-use card...

Falna
Astronaut
Posts: 536
Joined: 2015-08-23, 17:56
Location: UK / France

Re: Forced to change password

Post by Falna » 2025-11-20, 20:03

Off-topic:
Lucio Chiappetti wrote:
2025-11-19, 21:33
if you use a one-shot card and order say two books in a single order, they issue two payment transactions ... and the first one "exhausts" the card. So the advice is to create a time-limited card
Some vendors make a zero-value 'test' transaction, which exhausts a one-shot card before any actual payment; I've given up using them. Time-limited certainly sounds better.

Forked extensions :
● Add-ons Inspector ● Auto Text Link ● Copy As Plain Text ● Copy Hyperlink Text ● FireFTP button replacement ● gSearch Bar ● Navigation Bar Enhancer ● New Tab Links ● Number Tabs ● Print Preview Button and Keyboard Shortcut 2 ● Scrollbar Search Marker ● Simple Marker ● Tabs To Portfolio ● Update Alert ● Web Developer's Toolbox ● Zap Anything

Hint: If you expect a reply to your PM, allow replies...

Moonchild
Pale Moon guru
Posts: 38475
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Forced to change password

Post by Moonchild » 2025-11-22, 22:39

To help users, I've now enabled a password strength algorithm that will indicate the strength of the password when registering an account or changing the password.
This uses a real-world guessability and strength algorithm (zxcvbn) to provide the indicator.