Poll for password change policy

About this bulletin board and the Pale Moon website

Moderators: FranklinDM, Lootyhoof

Should the password change policy be removed?

Poll ended at 2025-12-18, 19:05

Yes, keep passwords the same forever: 47 votes (48%)
No, keep the password change policy (every ~2.5 years): 42 votes (43%)
No, but make the interval shorter (please comment): 2 votes (2%)
No, but make the interval longer (please comment): 2 votes (2%)
Something else (please comment): 4 votes (4%)

Total votes: 97

Moonchild
Project founder
Posts: 38690
Joined: 2011-08-28, 17:27
Location: Sweden

Poll for password change policy

Post by Moonchild » 2025-11-18, 19:05

Since I don't particularly think the discussion between a few members in this thread is very fruitful or likely to result in a solution through discussion, let's democratize it and put it up for a vote.

We currently have a password change policy that requires everyone to change their password approximately every 2.5 years. The password doesn't have complexity requirements and is free to be chosen anywhere from 12 to 100 characters long.
This long-term password change was chosen to proactively prevent "common" credentials (used cross-site by users) from causing issues on the forum. Data breaches and stolen credentials are pretty common these days and it was considered a decent compromise between security and convenience, but some people have been unhappy about it since it was introduced. So, let's put this to rest with a vote.

Several choices:
  1. Remove the policy and keep passwords unchanged forever. It will be entirely up to the user to change the password as desired or not at all.
  2. Keep everything as-is, meaning a very infrequent request to change your forum password.
  3. Keep the password change policy but make the length of the interval shorter than 2.5 years. If you choose this I'd like to know what length you propose and why.
  4. Keep the password change policy but make the length of the interval longer than 2.5 years. If you choose this I'd like to know what length you propose and why.
  5. Something else, e.g. remove forced changes but add complexity, or change the length requirements, etc. etc.
This will run for a month and I leave it entirely up to the community to decide. You can change your mind up to closure of the poll, as well.

"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Bilbo47
Lunatic
Posts: 375
Joined: 2017-11-18, 04:24

Re: Poll for password change policy

Post by Bilbo47 » 2025-11-19, 21:08

2.5 years is fine; my preference is one year because that's how often I change passwords everywhere else anyway.

Prefer a minimum length of 16; 12 doesn't seem long enough to protect from dedicated pre-quantum computational cracking.
Length 100 seems good enough; a round number would be 64.
Must disallow passwords that are in a dictionary. Thus, support / suggest pass*phrases* instead of just words.

Moonchild
Project founder
Posts: 38690
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-11-19, 21:15

Bilbo47 wrote (2025-11-19, 21:08):
    Prefer minimum length of 16; 12 doesn't seem long enough to protect from dedicated pre-quantum computational cracking.
NIST currently seems to recommend a minimum of 14. I may follow that going forward. But 12 should certainly be enough for something as low-importance as a forum. I don't particularly think bad actors are going to invest serious dedicated resources to crack these accounts. :think:
Bilbo47 wrote (2025-11-19, 21:08):
    Length 100 seems good enough; a round number would be 64.
100 is a round number. 64 is just a power of 2 ;P I'll keep it at 100 so people have as much space as they want for linguistic phrases if that's what they want to use. Since it's hashed and salted anyway, it doesn't make a big difference on the back end.
Bilbo47 wrote (2025-11-19, 21:08):
    Must disallow passwords that are in a dictionary. Thus, support / suggest pass*phrases* instead of just words.
There's no real way to disallow dictionary passwords since dictionary checks would be prohibitively computationally expensive (every word in every language...). However:

Regardless of the outcome (which I won't vote in, myself, hence "other") I'll be adding a "password quality meter" for when people register (or change their password) using a real-world quality algorithm (checking against common words/passwords, patterns, and guessability). That should at least give users one more tool to keep accounts secure.

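As an added illustration (example code written for this page, not the forum's software and not anything posted by Moonchild), here is what a registration-time check along the lines described in the post above could look like: the forum's stated length rule (12 to 100 characters, no composition rules) as the hard gate, followed by a quality meter that looks the password up in a common-password list after stripping the digit/symbol padding and leet substitutions people use to reach a minimum length, flags sequences and character runs, and reports a rough entropy figure. The blocklist, the normalisation steps, the 33-symbol pool size and the thresholds are all constructed assumptions for the example.

```python
"""Added example, not Pale Moon forum code: a registration-time password
check in the spirit of the policy discussed in this thread.  The length
rule (12..100, no composition rules) is the forum's stated policy; the
blocklist, normalisation steps and thresholds are constructed here for
illustration."""

import math
import re
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 12, 100

# Constructed stand-in for a real breached/common-password list.  A set
# lookup is O(1), so this can hold millions of entries without slowing
# the check down.
COMMON_PASSWORDS = {
    "password", "123456789012", "qwertyuiop12", "letmein", "iloveyou",
    "palemoon", "administrator", "welcome", "football",
}

# Common leet substitutions, mapped back to the letters they stand for.
_LEET = str.maketrans("@4301$5!7", "aaeolssit")


def _candidates(pw: str) -> set:
    """Forms of the password to test against the blocklist: lowercased,
    with leading/trailing digits or symbols removed (password123 ->
    password), and with leet substitutions undone (P@ssword -> password)."""
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, stripped, low.translate(_LEET), stripped.translate(_LEET)} - {""}


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1
    in code-point order ('abcd', '4321', 'wxyz')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeat(pw: str, run: int = 4) -> bool:
    """True if one character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _char_bits(pw: str) -> float:
    """Upper-bound entropy estimate: length * log2(pool of character
    classes used).  Accurate for random strings only; a dictionary word
    scores far lower in reality, which is why the blocklist runs too.
    The 33-symbol pool is printable ASCII minus letters and digits."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


@dataclass
class Verdict:
    ok: bool
    bits: float
    problems: list = field(default_factory=list)


def check_password(pw: str) -> Verdict:
    """Policy gate (length only), then the quality meter."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if _candidates(pw) & COMMON_PASSWORDS:
        problems.append("matches a common password once padding/leet is stripped")
    if _has_sequence(pw):
        problems.append("contains a 4+ character alphabet or number sequence")
    if _has_repeat(pw):
        problems.append("contains a 4+ run of one repeated character")
    return Verdict(ok=not problems, bits=_char_bits(pw), problems=problems)


if __name__ == "__main__":
    for sample in ("password123", "P@ssword2024!", "correct horse battery staple",
                   "xK9#mQ2vLp7$", "aaaabbbbccccdddd"):
        v = check_password(sample)
        print(f"{sample!r:32} ok={v.ok!s:5} {v.bits:6.1f} bits  {'; '.join(v.problems)}")
```

The blocklist lookup is a set membership test, so its cost does not grow with the list; what is expensive is trying to enumerate every word in every language, which this check does not attempt. Note that "P@ssword2024!" satisfies the length rule and would pass any composition rule, but normalises to "password" and is rejected, while a 12-character random string passes with about 79 bits.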
Gemmaugr
Lunatic
Posts: 381
Joined: 2025-02-03, 07:55

Re: Poll for password change policy

Post by Gemmaugr » 2025-11-20, 00:25

Moonchild wrote (2025-11-19, 21:15):
    NIST currently seems to recommend a minimum of 14. I may follow that going forward. But 12 should certainly be enough for something as low-importance as a forum. I don't particularly think bad actors are going to invest serious dedicated resources to crack these accounts. :think:
Please, no. This will again mess heavily with my PW system, that is not words, and contains more than just letters. They're only going to continue increasing said number because of Password Managers. 10 is plenty. My PW system comes back as Very Strong on all password testers I've checked it against. I've also never had an account hijacked or broken into (and I do use a unique PW on every site).

I can go along, grudgingly, with 2.5 years rotation, or even 1 year rotation, if you keep allowing users to change the password back, and allow their own length. I'm sad to see such use of restrictions and forcing users to a set system when the tag line is "your browser, your way".

andyprough
Board Warrior
Posts: 1246
Joined: 2020-05-31, 04:33

Re: Poll for password change policy

Post by andyprough » 2025-11-20, 02:50

I voted shorter because 2.5 years is more than I would generally plan to change passwords. But any length of time is fine - do what works best for the administration of the forum.

frostknight
Keeps coming back
Posts: 836
Joined: 2022-08-10, 02:25

Re: Poll for password change policy

Post by frostknight » 2025-11-20, 03:27

Moonchild wrote (2025-11-19, 21:15):
    NIST currently seems to recommend a minimum of 14.
I mentioned this elsewhere, but the DICEWARE method is the most secure... and has been since the 2000s (Snowden said so).

And yet still most websites refuse to allow super long passwords. It's beyond stupid.

Long passwords are easy to remember but hard for computers to guess;
complicated passwords are hard to remember but computers can guess easily.

This world sometimes feels like it's run by morons and I hate saying this because of my faith background (Christianity). But alas, it appears to be true.

Bloat is another example that leads me to believe this as well. And how bloated software is so damn popular. I could go on and on though... so... I will cut this short.

EDIT: Complicated passwords means lots of different characters AND long passwords means passphrases like a lot of uncommon words used together with a delimiter in between each of them. Delimiters could be the spacebar pressed, or a semicolon, you get the gist.

Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!

andyprough
Board Warrior
Posts: 1246
Joined: 2020-05-31, 04:33

Re: Poll for password change policy

Post by andyprough » 2025-11-20, 05:02

frostknight wrote (2025-11-20, 03:27):
    I mentioned this elsewhere, but the DICEWARE method is the most secure... and has been since the 2000s (Snowden said so).
My passwords are usually diceware, and my Pale Moon Forum password is diceware. Even though they can get quite long, they can also be fairly easy to memorize. A randomized password of the same length would be very difficult to memorize without having photographic memory.

frostknight
Keeps coming back
Posts: 836
Joined: 2022-08-10, 02:25

Re: Poll for password change policy

Post by frostknight » 2025-11-20, 05:19

andyprough wrote (2025-11-20, 05:02):
    My passwords are usually diceware, and my Pale Moon Forum password is diceware. Even though they can get quite long, they can also be fairly easy to memorize. A randomized password of the same length would be very difficult to memorize without having photographic memory.
And there's the point.

Moonchild
Project founder
Posts: 38690
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-11-20, 09:31

No worries on the pwd length. Did a quick calc and 12 is certainly more than enough to counter brute force so I'm not sure why NIST bumped that to 14.
14 would exceed comfortable memorable "simpler" passwords (that aren't phrases) so I get that.
frostknight wrote (2025-11-20, 03:27):
    but the DICEWARE method is the most secure... and has been since the 2000s (Snowden said so)
It's a good method, sure, but at the same time it's not as secure as proponents want you to believe because it follows a set pattern with common words; you wouldn't have as many bits of entropy as the characters in the password because it is word-based (with words changing as units) and a lot of people just flat-out discard that fact when calculating its security strength.
andyprough wrote (2025-11-20, 02:50):
    I voted shorter because 2.5 years is more than I would generally plan to change passwords. But any length of time is fine - do what works best for the administration of the forum.
Nobody says you can't change it more often if you want to :) It's just when the change is required.
Gemmaugr wrote (2025-11-20, 00:25):
    I can go along, grudgingly, with 2.5 years rotation, or even 1 year rotation, if you keep allowing users to change the password back, and allow their own length.
Being able to change it and immediately change it back will remain an option for those who are confident of their password security. This time limit (as well as the minimum) is there primarily to prevent exceedingly simple and short passwords and re-used passwords with single character extensions (password -> password1; a length of 12 conveniently also prevents password123, a super-common "CBA to create something secure" password).

Gemmaugr
Lunatic
Posts: 381
Joined: 2025-02-03, 07:55

Re: Poll for password change policy

Post by Gemmaugr » 2025-11-20, 12:27

Moonchild wrote (2025-11-20, 09:31):
    No worries on the pwd length. Did a quick calc and 12 is certainly more than enough to counter brute force so I'm not sure why NIST bumped that to 14.
    14 would exceed comfortable memorable "simpler" passwords (that aren't phrases) so I get that.
    Gemmaugr wrote (2025-11-20, 00:25):
        I can go along, grudgingly, with 2.5 years rotation, or even 1 year rotation, if you keep allowing users to change the password back, and allow their own length.
    Being able to change it and immediately change it back will remain an option for those who are confident of their password security. This time limit (as well as the minimum) is there primarily to prevent exceedingly simple and short passwords and re-used passwords with single character extensions (password -> password1; a length of 12 conveniently also prevents password123, a super-common "CBA to create something secure" password).
Thank you.

My PW system is based on two parts, one static and personal, and one dynamic and relevant, separated by "punctuation marks" (like . , - _ / " [ etc etc).

If we use you and this site as examples, not knowing anything personal about you (like name, initials, pet names, nick names, etc) but using known things, your password under my system would be;

Static Personal: "Moonchild_Straver_Wolf_" and Dynamic relevant: "Pale Moon.Forum.Dev"

You then shorten them however you're most comfortable with, like:

"MO_CH_ST_WO_PA.MO.FO.DE" or "MC_ST_WF_PM.FM.DV"

For the next site, remembering your personal is easy, and seeing the relevant at the site becomes a cinch.

moonbat
Knows the dark side
Posts: 5746
Joined: 2015-12-09, 15:45

Re: Poll for password change policy

Post by moonbat » 2025-11-21, 06:15

Way I see it - this is an anonymous forum (as in not tied down compulsorily to anyone's real identity) and it isn't exactly a great risk if passwords used here are compromised unlike if it were a bank or other account. So no reason to force password changes regardless of the length of the interval. It's up to the users to keep a separate password for this site that's not following a similar pattern they use elsewhere.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Jabber: moonbat@hot-chili.net

Moonchild
Project founder
Posts: 38690
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-11-21, 12:56

moonbat wrote (2025-11-21, 06:15):
    it isn't exactly a great risk if passwords used here are compromised unlike if it were a bank or other account.
Unfortunately a lot of people re-use passwords, even those they use for banking, everywhere. Ironically, I just today got an e-mail from my bank reminding me that using a single password is very risky, and in it they quoted statistics that apparently no less than 40% of users in the country re-use passwords in use for important sites like banking partially or verbatim. So that seriously lowers the difficulty for a bad actor of guessing the banking password. While forum use isn't really important for users (as in impact on their lives), it all depends on whether this forum password is similar or equal to passwords used on other sites.
Another angle is also that it will be damaging for the community, i.e. our side of the fence. Trying to tie "importance" to damage through compromise is difficult, so I'd rather err on the side of caution whenever dealing with security (and my educational background pushes me in that direction as well). The reason I made this poll is primarily because I recognise my particular PoV may not be representative of the user base at large.

frostknight
Keeps coming back
Posts: 836
Joined: 2022-08-10, 02:25

Re: Poll for password change policy

Post by frostknight » 2025-11-22, 03:15

Moonchild wrote (2025-11-20, 09:31):
    It's a good method, sure, but at the same time it's not as secure as proponents want you to believe because it follows a set pattern with common words; you wouldn't have as many bits of entropy as the characters in the password because it is word-based (with words changing as units) and a lot of people just flat-out discard that fact when calculating its security strength.
Actually, diceware is stronger when you use a list that has uncommonly used words.

So you aren't too far off the track there. If you use common words, it is more likely to be weaker. Much more so.

Gemmaugr
Lunatic
Posts: 381
Joined: 2025-02-03, 07:55

Re: Poll for password change policy

Post by Gemmaugr » 2025-11-22, 04:34

frostknight wrote (2025-11-22, 03:15):
    Moonchild wrote (2025-11-20, 09:31):
        It's a good method, sure, but at the same time it's not as secure as proponents want you to believe because it follows a set pattern with common words; you wouldn't have as many bits of entropy as the characters in the password because it is word-based (with words changing as units) and a lot of people just flat-out discard that fact when calculating its security strength.
    Actually, diceware is stronger when you use a list that has uncommonly used words.

    So you aren't too far off the track there. If you use common words, it is more likely to be weaker. Much more so.
I don't think common or uncommon, or length of words really matter. It's not that difficult to plug in say: https://github.com/dwyl/english-words (more specifically https://github.com/dwyl/english-words/b ... /words.txt) to a bruteforce program and run it. One word is the same as any other then. Let's round that file of 500k words up to 5MB, and calculate it for every language there is, also assuming an average of 500k words (overestimate) x 7000 = 36.7GB. Given the availability of 1 TB HDDs... anyone can do it.

Existing words are easy. Non-words being used in any order at all, now that's hard.
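A worked calculation, added here as example code and not taken from the thread or the Pale Moon project, for two points made above: Moonchild's remark that a word-based passphrase has entropy per word rather than per character, and Gemmaugr's remark that a large word list costs the attacker little. The functions compute the guess space of a word-list passphrase versus a random character string and the expected time to search it. The list sizes are real (the classic Diceware list has 7776 entries; the dwyl/english-words file linked above has on the order of 466k); the guess rates, the sample phrase and the crack-time model (uniform random choice, half the keyspace on average) are assumptions made for the example.

```python
"""Added example, not from the thread or the Pale Moon project: the
guess-space arithmetic behind two points made above.  A passphrase drawn
from a word list is chosen one word at a time, so its entropy is
words * log2(list size) no matter how many characters the words have;
a random character string gets log2(alphabet) per character.  List sizes
are real; the attacker guess rates are round-number assumptions."""

import math

DICEWARE_LIST = 7776        # 6^5 entries in the classic Diceware list
XKCD_LIST = 2048            # the "common words" list size xkcd 936 assumes
BIG_ENGLISH_LIST = 466_000  # order of magnitude of dwyl/english-words words.txt

# Assumed offline attacker rates in guesses/second: a GPU against an
# unsalted fast hash, and the same attacker against a well-tuned slow
# hash (bcrypt/Argon2).  Both are illustrative round numbers.
RATE_FAST_HASH = 1e11
RATE_SLOW_HASH = 1e5


def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy of `words` uniform random picks from a `list_size` list."""
    return words * math.log2(list_size)


def random_string_bits(length: int, alphabet: int) -> float:
    """Entropy of `length` uniform random characters from `alphabet` symbols."""
    return length * math.log2(alphabet)


def naive_char_bits(passphrase: str, alphabet: int = 27) -> float:
    """What a per-character calculation claims for a passphrase of
    lowercase words and spaces: the over-estimate the thread warns about."""
    return len(passphrase) * math.log2(alphabet)


def expected_crack_seconds(bits: float, rate: float) -> float:
    """Expected time to find the secret: half the keyspace on average."""
    return (2.0 ** bits / 2.0) / rate


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def compare(words: int, list_size: int, length: int, alphabet: int) -> dict:
    """Entropy and expected crack time (years) for a word-list passphrase
    and a random character string, under both hash-speed assumptions."""
    pb = passphrase_bits(words, list_size)
    sb = random_string_bits(length, alphabet)
    return {
        "passphrase_bits": pb,
        "string_bits": sb,
        "passphrase_years_fast": years(expected_crack_seconds(pb, RATE_FAST_HASH)),
        "passphrase_years_slow": years(expected_crack_seconds(pb, RATE_SLOW_HASH)),
        "string_years_fast": years(expected_crack_seconds(sb, RATE_FAST_HASH)),
        "string_years_slow": years(expected_crack_seconds(sb, RATE_SLOW_HASH)),
    }


if __name__ == "__main__":
    print("5 Diceware words vs 12 random printable-ASCII characters:")
    for k, v in compare(5, DICEWARE_LIST, 12, 95).items():
        print(f"  {k:>22}: {v:,.2f}")

    # A made-up 5-word phrase (not checked against any list) to show the
    # per-character over-count versus the real per-word figure.
    phrase = "cloud pupil vague chose emit"
    print(f"{len(phrase)}-char phrase: {naive_char_bits(phrase):.1f} bits if counted "
          f"per character, {passphrase_bits(5, DICEWARE_LIST):.1f} bits per word")

    # Going from Diceware to a ~466k-word list adds only ~6 bits per word.
    print(f"per-word bits: Diceware {math.log2(DICEWARE_LIST):.2f}, "
          f"466k-word list {math.log2(BIG_ENGLISH_LIST):.2f}, "
          f"2048-word list {math.log2(XKCD_LIST):.2f}")
```

Two things the numbers show. Five Diceware words carry about 64.6 bits, which is less than the 78.8 bits of 12 random printable characters even though the phrase is more than twice as long; counting the phrase per character would wrongly claim over 130 bits. And moving from a 7776-word list to a 466k-word list only raises the per-word figure from about 12.9 to about 18.8 bits, so the number of words, not their rarity, is what the attacker's cost scales with; the hash work factor on the server side shifts every figure by the ratio of the two rates.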

zeroability
Moongazer
Posts: 11
Joined: 2025-11-30, 22:04
Location: USA

Re: Poll for password change policy

Post by zeroability » 2025-12-06, 16:21

Number 5 makes the most sense. NIST published this guidance a while back:

https://www.nist.gov/blogs/taking-measu ... ter-p5w0rd

Part of good passphrase hygiene is a minimum of 16 chars (4 four letter words) which can be easily achieved with a secrets manager that randomly generates passphrases. The entropy being the main contributing factor to mitigating dictionary and other brute force attacks on the machine side, and word irrelevance on the human side.

If 2FA is a possibility, that is probably a good idea. It tends to defeat most bot accounts, also.

Moonchild
Project founder
Posts: 38690
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-12-06, 17:45

This isn't really about what would be good password strategies for you. This is about what we should enforce as a minimum for people with all sorts of strategies. I'm not going to enforce a certain strategy by way of restrictions on everyone to coax it. Fine if you want to use 4 words; others would not.

Night Wing
Knows the dark side
Posts: 5705
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: Poll for password change policy

Post by Night Wing » 2025-12-06, 17:50

Since the length of the password is no problem, I think my next password change will be either 16 or 20 characters.
MX Linux 25 (Infinity) Xfce w/Pale Moon, Waterfox, Firefox
Linux Debian 13.3 (Trixie) Xfce w/Pale Moon, Waterfox, Firefox

Basilisk-Dev
Astronaut
Posts: 523
Joined: 2022-03-23, 16:41
Location: Chamber of Secrets

Re: Poll for password change policy

Post by Basilisk-Dev » 2025-12-06, 18:26

Personally I think 1 year is better, but I voted for the 2.5-year option because I feel like site usability for other people is more important than my personal preferences.

Also relevant: https://xkcd.com/936/
Basilisk Project Owner

viewtopic.php?f=61&p=230756

zeroability
Moongazer
Posts: 11
Joined: 2025-11-30, 22:04
Location: USA

Re: Poll for password change policy

Post by zeroability » 2025-12-06, 19:05

Moonchild wrote (2025-12-06, 17:45):
    This isn't really about what would be good password strategies for you. This is about what we should enforce as a minimum for people with all sorts of strategies. I'm not going to enforce a certain strategy by way of restrictions on everyone to coax it. Fine if you want to use 4 words; others would not.
I didn't mean to sound presumptuous, and my suggestions actually seem like clarifications of somewhat identical suggestions that other members have made. It's my comment on the "Something Else" that you asked respectfully to have, which I respectfully gave.

Moonchild
Project founder
Posts: 38690
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-12-06, 19:37

I just responded to your remark and why I don't see a 16-character minimum working when seen in an administrative context. I didn't mean to sound condescending or whatnot as a result. Sorry if I did.