Poll for password change policy

About this bulletin board and the Pale Moon website

Moderators: FranklinDM, Lootyhoof

Should the password change policy be removed?

Poll ended at 2025-12-18, 19:05

Yes, keep passwords the same forever: 47 votes (48%)
No, keep the password change policy (every ~2.5 years): 42 votes (43%)
No, but make the interval shorter (please comment): 2 votes (2%)
No, but make the interval longer (please comment): 2 votes (2%)
Something else (please comment): 4 votes (4%)

Total votes: 97

zeroability
Moongazer
Posts: 11
Joined: 2025-11-30, 22:04
Location: USA

Re: Poll for password change policy

Post by zeroability » 2025-12-06, 19:51

Moonchild wrote:
2025-12-06, 19:37
I just responded to your remark and why I don't see a 16 character minimum working when seen in an administrative context. I didn't mean to sound condescending or whatnot as a result. Sorry if I did.
Not at all. I have remarkably thick skin. Just wanted to make sure my intentions were understood. :thumbup:
It seems the current requirements would allow for what I suggested (and would normally do as a practice) so I don't really see any conflict there. I would prefer passwords/passphrases do not expire. It is shown to increase the likelihood of them being forgotten, prompting for another change.

Edit: I have changed my vote to reflect what was discussed here.

KlarkKentThe3rd
Astronaut
Posts: 602
Joined: 2018-04-20, 20:31

Re: Poll for password change policy

Post by KlarkKentThe3rd » 2025-12-07, 05:51

Make it the responsibility of the user. If some evil hacker hacks your account, this is so sad. But it's just one user. The rest will be fine.

Kand_in_Sky
Fanatic
Posts: 143
Joined: 2013-01-02, 18:22
Location: DE

Re: Poll for password change policy

Post by Kand_in_Sky » 2025-12-07, 17:19

Maybe a reminder every 12 months or so, and maybe check the security of the passphrase - but leave the decision to the user what to do.
PaleMoon & Basilisk installed on
- 2014 i5-4210M Notebook 8GB Win7 64Bit
- 2014 Athlon 5350 16GB PC Win7 64Bit
- 2018 Ryzen 5 2400G 32GB PC Win10 64Bit

Moonchild
Project founder
Posts: 38665
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-12-07, 18:30

Kand_in_Sky wrote:
2025-12-07, 17:19
Maybe a reminder every 12 months or so, and maybe check the security of the passphrase - but leave the decision to the user what to do.
I can only work within the frame of what phpBB offers. Either the user is on their own, fully responsible for it, or something is enforced. Custom reminders for it aren't reasonably possible. If you feel such a reminder is needed, then the policy in place should work well, as it only kicks in after you've already lapsed more than twice the reminder period suggested. After all, if you change the password in the meantime (following your own strategy) then the timer resets and the forum will never ask.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

RJARPCGP
Moongazer
Posts: 7
Joined: 2025-07-16, 04:42
Location: USA(Springfield, Vermont)

Re: Poll for password change policy

Post by RJARPCGP » 2025-12-09, 02:54

I just hope that the hacking doesn't get so bad that I have to change the password every 6 months! (because of the passwords getting leaked to the dark web every 6 months)

That risk goes up to the moon as soon as there's malvertising-redirects.

Drugwash
Lunatic
Posts: 326
Joined: 2016-01-28, 12:08
Location: Ploieşti, Romania

Re: Poll for password change policy

Post by Drugwash » 2025-12-09, 08:45

All I can say is I loathe any change in any aspect of my life that has not been initiated by myself. And I don't buy into fear-induced paranoia. In all 25+ years I've been active on the Internet never have I had even one online account hacked, and passwords have always been... lame.

Moreover, my memory is extremely bad (my mother suffered from dementia so I probably inherited it too). I may still remember the first place ever where I placed a new object, or the very first password for a new site, but if the place or password ever has to change -- I'm lost, short term memory is busted. If cookies don't work anymore it's 'bye-bye'.

So I guess you know what my choice was in the poll. Oh and by the way... back when GitHub announced they would enforce two factor authentication I deleted my account there. Such will happen for any other site or service that does that. We're humans not machines, and life should be simple to live [if it weren't for machines we ourselves built to make our lives increasingly more complicated].

somdcomputerguy
Lunatic
Posts: 407
Joined: 2014-02-23, 17:25
Location: Greenbrier County, West Virginia

Re: Poll for password change policy

Post by somdcomputerguy » 2025-12-10, 16:18

I kinda frown upon a 'regular password change' thing anywhere, but it really doesn't matter to me either way. I use a password manager to generate passwords, as well as to store the entry that saves that and other info, so remembering 300 or so passwords is something I don't worry about. Besides, having to memorize three passwords, two or three PIN codes, AND my name is quite enough. :coffee:
:cool: -bruce /* somdcomputerguy.com */
'If you change the way you look at things, the things you look at change.'

Lucio Chiappetti
Keeps coming back
Posts: 871
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Poll for password change policy

Post by Lucio Chiappetti » 2025-12-11, 16:41

I voted for the second option (keep current policy) mainly out of respect towards Moonchild, if he feels that the forum should be protected from bots and the like.
The frequency and rules of the change were/are not intrusive.
Personally (as stated in another thread) I do not regard my password on the forum (like similar ones) as a "critical" one.
I see now that the votes are shifting towards "no password change" ... I won't change my vote which has been recorded, but of course also "no password change" is fully acceptable to me.
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)

Tharthan
Board Warrior
Posts: 1443
Joined: 2019-05-20, 20:07
Location: New England

Re: Poll for password change policy

Post by Tharthan » 2025-12-14, 00:24

While I respect and understand Moonchild's rationale for implementing the password change policy in the first place, I'm sorry to say that I just find it to be frustrating.

I have to deal with enough regular password change policies in my workplace. To be frank, I don't think that it's especially realistic to expect that a person is going to keep some master password to unlock a "password lockbox" program to then be able to access umpteen other passwords.

In my experience, most people want to be able to either:

• Recall a password from memory; alternatively, write it down
• Save a password in a text file on their computer*

OR

• Recall a password from memory
• In very special cases (particularly when the password is for something extremely important and serious) write down the password (which in this circumstance is probably not something easy to remember), and then put it away somewhere safe and secret.

* In my opinion, this is arguably the least safe option.

It's happened more than once that I've been able to log back into an account I had on a website from years and years ago that was attached to some e-mail address that no longer exists, because and only because I recalled its password from memory. But there are now sites that make one jump through hoops just to access an old account that is, in fact, legitimately one's own!

I, and many others, do not want to have to go above and beyond to simply log into a website. The rigmarole should be the exception, not the rule.

And for that reason, I voted for a user's password to be retained, until and unless the user decides to change it.
"This is a war against individuality and intelligence. Only thing we can do is stand strong." - adesh, 9 January 2020

"I used to think I was a grumpy old man, but I don't hold a candle compared to Tharthan." - Cassette, 9 September 2020

ajgelado
Moongazer
Posts: 14
Joined: 2020-02-04, 06:04

Re: Poll for password change policy

Post by ajgelado » 2025-12-14, 05:00

Security policies must have users' habits in mind to be effective. Nowadays it's a lot easier to obtain passwords using social engineering or malware than to brute-force hashes or try to match leaked lists.

Asking a user to set up a complex password and change it frequently is asking them to save it somewhere (how many people do you know who are able to remember dozens of random character sequences?). The best that can happen is that they use a piece of paper; if they store it in a password manager, it can be the target of an attack, even if it is a long, unique one. There have been leaks of online password managers, and the local store of a browser can be compromised by malware. Also, a keylogger will intercept a new password as soon as it is typed. A simpler, permanent password will avoid these problems, or at least greatly mitigate them.

I know the belief in long passwords (16 characters or more) is well established, and it won't be going anywhere. But at least we can tackle the forced renewal.

P.S.: lately, this is getting absurd. Last time I changed my PayPal password, I tried to use an extra-long passphrase with more than 30 upper and lower case letters (52^30 ~= 3.02E+51). And it was rejected as insecure because it didn't include a digit!

Moonchild
Project founder
Posts: 38665
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-12-14, 08:25

Enforced complexity is really counterproductive, and aside from brute force attack prevention in very limited storage capabilities (e.g. an old system only supports 8 character passwords or something) doesn't make any sense. Dropping complexity requirements in favour of just requiring a longer password, even just by a single character, already compensates for brute force attack time investment because it's exponential (factorial, even).
An attacker can assume no special characters are used but they can't be sure if there is no requirement. But even with that assumption it won't really help them if the password is sufficiently long and avoids common patterns (guessability). That is why there are no complexity requirements here.
The instated password change policy is primarily in the context of password re-use (which is common for people only using their brain to password manage) and the issue with credential security online (breaches, infostealer malware). It's a compromise. As said before though, I'm fine with letting everyone decide for themselves if enforced changes 4x a decade is too much, or not. Your account, your choice.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

joshex
Newbie
Posts: 5
Joined: 2025-12-17, 00:31

Re: Poll for password change policy

Post by joshex » 2025-12-17, 03:10

May I suggest a nagging policy where the site nags users to change their password if it hasn't been changed in X years, but otherwise leaves the user with access via their old password until such time as they do change it.

"We noticed it's been a few years since you changed your forum account password, we highly suggest you change it. The longer it remains unchanged the easier it will be for a hacker to brute-force keygen it."
[I'll change it now]
[I'll change it later, I understand the risks in waiting]
"remind me again on my next login": []

frostknight
Keeps coming back
Posts: 828
Joined: 2022-08-10, 02:25

Re: Poll for password change policy

Post by frostknight » 2025-12-18, 02:18

joshex wrote:
2025-12-17, 03:10
May I suggest a nagging policy where the site nags users to change their password if it hasn't been changed in X years, but otherwise leaves the user with access via their old password until such time as they do change it.

"We noticed it's been a few years since you changed your forum account password, we highly suggest you change it. The longer it remains unchanged the easier it will be for a hacker to brute-force keygen it."
[I'll change it now]
[I'll change it later, I understand the risks in waiting]
"remind me again on my next login": []

I could accept that. Although a poll on whether that is okay might be desired. Although, it might annoy some people. Idk...
Freedom is never more than one generation away from extinction. Feelings are not facts.
If you wish to be humbled, try to exalt yourself long term. If you wish to be exalted, try to humble yourself long term.
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!

Moonchild
Project founder
Posts: 38665
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-12-18, 18:49

frostknight wrote:
2025-12-18, 02:18
joshex wrote:
2025-12-17, 03:10
May I suggest a nagging policy where the site nags users to change their password if it hasn't been changed in X years, but otherwise leaves the user with access via their old password until such time as they do change it.

"We noticed it's been a few years since you changed your forum account password, we highly suggest you change it. The longer it remains unchanged the easier it will be for a hacker to brute-force keygen it."
[I'll change it now]
[I'll change it later, I understand the risks in waiting]
"remind me again on my next login": []

I could accept that. Although a poll on whether that is okay might be desired. Although, it might annoy some people. Idk...
Please see my previous post here:
https://forum.palemoon.org/viewtopic.ph ... 20#p267920
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonchild
Project founder
Posts: 38665
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Poll for password change policy

Post by Moonchild » 2025-12-18, 22:00

With the conclusion of the poll period, the password change policy has now been removed.
From this point forward, it will be entirely and fully up to each and every user to maintain a responsible password policy (complexity, guessability, length and lifetime).
As indicated before, the forum now gives a rough indication of the strength of the password entered when registering or changing the password, using the zxcvbn algorithm (courtesy of DropBox and Matt Friedman).

Remember: Keep it secret; keep it safe!
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Mæstro
Keeps coming back
Posts: 798
Joined: 2019-08-13, 00:30
Location: Casumia

Re: Poll for password change policy

Post by Mæstro » 2025-12-19, 01:10

Now that the poll has closed and policy been set, it seems like a good time to share a survey of password-changing habits. There appear to be two kinds of man: those who change their own passwords, and those who have them changed for them.
Life is a fever dream Mæstro would enjoy.
All posts 100% organic. Ash is the best letter.
What is being nice online?
Debian 10 ELTS / Official PM build