
New forum passwords
Forum rules
The Off-Topic area is a general community discussion and chat area with special rules of engagement.
Enter, read and post at your own risk. You have been warned!
While our staff will try to guide the herd into sensible directions, this board is a mostly unrestricted zone where almost anything can be discussed, including matters not directly related to the project, technology or similar adjacent topics.
We do, however, require that you:
- Do not post anything pornographic.
- Do not post hate speech in the traditional sense of the term.
- Do not post content that is illegal (including links to protected software, cracks, etc.)
- Do not post commercial advertisements, SEO links or SPAM posts.
Please do exercise some common sense. How you act here will inevitably influence how you are treated elsewhere.
-
- Board Warrior
- Posts: 1087
- Joined: 2020-05-31, 04:33
New forum passwords
Just a note that I'm claiming p@ssworD1 for myself - all you copycats and plagiarizers back off. 

-
- Forum staff
- Posts: 1922
- Joined: 2011-09-08, 11:27
Re: New forum passwords
andyprough wrote: ↑2023-01-17, 17:33 Just a note that I'm claiming p@ssworD1 for myself - all you copycats and plagiarizers back off.
It would be a great leveler if you allowed everyone else to use it too.
-
- Board Warrior
- Posts: 1087
- Joined: 2020-05-31, 04:33
-
- Pale Moon guru
- Posts: 37465
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: New forum passwords
andyprough wrote: ↑2023-01-17, 17:33 Just a note that I'm claiming p@ssworD1 for myself - all you copycats and plagiarizers back off.
You won't be able to use it. I'm bumping the minimum number of characters for a password to 10. ;P
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1087
- Joined: 2020-05-31, 04:33
Re: New forum passwords
I thoroughly enjoyed the plotline to the stupid movie 'The Hangover II', about retrieving the password to the bank accounts of Chow the international criminal, which turned out to be "bologne1".
Of course, that entire plotline would fall apart under your draconian new password regime. They would have had to go with "bolognese1", or something similar without near the punch to it. So, for the sake of future stupid Hollywood drinking films, I think you should reconsider.
-
- Pale Moon guru
- Posts: 37465
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: New forum passwords

"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Moon Magic practitioner
- Posts: 2378
- Joined: 2018-05-05, 13:29
Re: New forum passwords
We should all do like this guy: https://github.com/danielmiessler/SecLists/pull/155 

-
- Keeps coming back
- Posts: 817
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: New forum passwords
Moonchild wrote: I'll enforce a password change regime (you will need to choose a new password on occasion)
Both of these tactics are antithetical to users choosing strong and memorable (good) passwords. Microsoft did the heavy lifting with research ~20 years ago and have been corroborated every time since. 15 years late, but USA's NIST got on board as well.
Making users change their passwords on any regular time scale, or forcing them to choose passwords with arbitrary length or character requirements or restrictions results in users choosing less-strong passwords on average, with password compromise being much more often as well. When users are forced to jump through these password hoops, they are much less likely to be able to remember them, so more likely to write them down somewhere physically or virtually which get compromised. They also don't create strong passwords, they create less-strong passwords.
This is based on decades of research from numerous, enormous datasets. The entire IT security community agrees what you plan to do will make things worse for you, and your users, not better.
Please reconsider this policy. I would hate for this to get worse, and users treated poorly to boot.
-
- Pale Moon guru
- Posts: 37465
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: New forum passwords
Arguing that that is antithetical is in paradox with your own statement. because users choosing good, strong passwords will by definition use sufficiently long ones. I'm just worried that the minimum of 8 characters being the same length as "password" means users will use variations of "password" which is a considerable risk. Forcing those users to add at least 2 more characters will hopefully mitigate that risk (somewhat).
Also, users choosing good, strong passwords would in general use a proper password regime for themselves and use unique passwords for websites and store those passwords in something other than grey matter memory (because good, strong passwords that are unique per site are normally not very memorable). Pale Moon conveniently offers a password storage facility so that you only need to remember your master password if you set it (recommended you do).
I also won't be forcing people to change it regularly. The maximum password age is set to more than a year. That will be enough to avoid old, old database leaks from compromising accounts and will not unduly strain the user into choosing weak passwords because they "have to change it over and over". If you think that's unreasonable then I'm sorry, but I will not reconsider this.
Like many things in security this is about balancing convenience against security. Neither should be given absolute reign.
BenFenner wrote: The entire IT security community agrees
Well at least the entire community - 1 then. I count myself as part of the IT security community.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Keeps coming back
- Posts: 761
- Joined: 2014-09-01, 15:11
- Location: Milan Italy
Re: New forum passwords
I see the day has come.
Just to tell users of a feature I discovered. When pressing "New posts" I was prompted to change password, which I did. I saw it was recorded in Saved Logins under my e-mail as username, not with my actual username. Then to test it, I tried logout and login, and I supposed I had to login with my e-mail as username, but that was invalid. So I inserted the actual username with the new password, and now Saved Logins updated it, and I got in.
So I suppose that's the feature (pretty acceptable though slightly unexpected).
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)
-
- Board Warrior
- Posts: 1087
- Joined: 2020-05-31, 04:33
Re: New forum passwords
Based on excellent advice from that well-known security expert known as the XKCD comic strip (https://xkcd.com/936/), I went with the completely random and impossible to solve 4-word password, "thispasswordishard".
So I guess 'p@ssworD1' is available again for you serious privacy buffs out there.
-
- Keeps coming back
- Posts: 817
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: New forum passwords
There is no paradox here. Your planned changes will cause, on average, users to create less-strong passwords. The research on this is crystal clear.
You're wrong. It is as simple as that. Changing the min from 8 to 10 will cause a typical user to change their password from something like "Hippo @2" to "1111111111" or similar. It's been seen time and again. Humans are humans. You can't change that. You frustrate them, they give up.
Moonchild wrote: ↑2023-01-19, 22:34 Also, users choosing good, strong passwords would in general use a proper password regime for themselves and use unique passwords for websites and store those passwords in something other than grey matter memory (because good, strong passwords that are unique per site are normally not very memorable). Pale Moon conveniently offers a password storage facility so that you only need to remember your master password if you set it (recommended you do).
Yes, all of this makes sense, but it is not what users do. Ignoring how users behave in the real world does you no good. The research is undeniable. You can't force users to do these nice things with the password requirements you're describing.
I see you're not familiar with the research at all. Two years is suggested as the absolute soonest a time-password-reset should apply. Anything more often has been shown time and again to cause users to choose less-secure passwords and store them using less-secure methods. Anything longer than 2 years, the data is unclear. The data is very clear on 1-year.
No, proper salting and hashing is what keeps you safe from old DB leaks. Changing passwords on the regular makes your security position weaker. Full stop.
Read the countless research on the topic. I can't stress this enough.
Then you should familiarize yourself with password strength and human behavior research. It goes against everything you're saying.
I own and administer a web forum (2007-present) myself. I saw a similar uptick the past couple weeks in necro-accounts suddenly spamming (crypto links). It was 2 accounts. I locked them and moved on with my life. (Then again, I no-doubt have much better password hashing and password requirements on my forum.)
Regardless, I suspect it's not DB leaks and weak passwords causing this, it's users having their e-mail accounts compromised which changing forum password behavior can't solve if the malicious user can recover their stolen account using the stolen e-mail account.
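The post above rests on the claim that per-user salting and a slow hash, not periodic password changes, is what limits the damage from an old database leak. The following is an added illustration written for this page, not code from the forum or its software: a self-describing password record with a random salt and a configurable PBKDF2 work factor, constant-time verification, and a login step that silently upgrades legacy records to the current work factor without making the user change anything. The policy constants (algorithm name, iteration count, salt size) and the sample accounts are assumptions for the example.

```python
import hashlib
import hmac
import os

# Policy values assumed for this example; they are not the forum's settings.
# Raise ITERATIONS for production use (current guidance is several hundred thousand).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # slow enough to make an offline attack on a leaked table expensive
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    salt = os.urandom(SALT_BYTES)  # fresh per record, so equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never authenticate against it
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the record predates the current algorithm or work factor."""
    algorithm, iterations, *_ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


def login(password: str, record: str) -> tuple[bool, str]:
    """Login step: verify, and transparently upgrade weak legacy records on success."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)  # the user did not have to change the password
    return True, record


def unsalted_md5(password: str) -> str:
    """The kind of legacy record a leak makes trivially matchable; shown for contrast only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts that happen to share one password.
    pw = "thispasswordishard"
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted records differ for the same password:", alice != bob)
    print("unsalted md5 identical for the same password:", unsalted_md5(pw) == unsalted_md5(pw))
    print("login ok:", login(pw, alice)[0], " wrong password:", login("wrong", alice)[0])
    legacy = hash_password(pw, iterations=10_000)
    ok, upgraded = login(pw, legacy)
    print("legacy record upgraded on login:", ok and not needs_rehash(upgraded))
```

The contrast with `unsalted_md5` is the point of the post: with a fast unsalted hash every user who chose the same password has the same stored value, so one leaked table can be matched against precomputed guesses at once, whereas the salted, slow record has to be attacked one user at a time at the stored work factor. The upgrade-on-login step is how a site raises its hashing strength over time without a forced password change.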
-
- Forum staff
- Posts: 1922
- Joined: 2011-09-08, 11:27
Re: New forum passwords
Might be the case for people who use the same password on all accounts. Not sure how many members here would use that tactic.
-
- Keeps coming back
- Posts: 817
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: New forum passwords
This is the "our users are special" fallacy, mixed with incorrect assumptions.
If the e-mail account a user has on file with the PM forum is compromised, it doesn't matter if the user's password is unique for this forum. The attacker can now "forgot password" reset it to anything they'd like (using the compromised e-mail account) and begin spamming.
-
- Forum staff
- Posts: 1922
- Joined: 2011-09-08, 11:27
Re: New forum passwords
BenFenner wrote: ↑2023-01-20, 16:15 This is the "our users are special" fallacy, mixed with incorrect assumptions.
If the e-mail account a user has on file with the PM forum is compromised, it doesn't matter if the user's password is unique for this forum. The attacker can now "forgot password" reset it to anything they'd like (using the compromised e-mail account) and begin spamming.
Ah, another use of the big 'IF' word slipped in.
Care to estimate how many of our user base, or what %age, would your statement cover?
-
- Lunatic
- Posts: 324
- Joined: 2017-11-18, 04:24
Re: New forum passwords
Thank you MC for encouraging good password hygiene by requiring passwords to not age beyond one year.
-
- Board Warrior
- Posts: 1087
- Joined: 2020-05-31, 04:33
Re: New forum passwords
Thus far, all of your research based arguments have amounted to "humans are lazy and stupid, therefore we should never challenge them to become better versions of themselves".
Which is not surprising given that this is typical of what passes for research findings in all social sciences. Always has been, always will be.
-
- Keeps coming back
- Posts: 817
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: New forum passwords
No, the research shows you can encourage and promote stronger passwords. You can, of course, challenge them to become better versions of themselves. You simply can't require them.
There are loads of ways of educating and encouraging and promoting users to create stronger passwords. All detailed in the research. Telling users in real-time how strong their password is as they create it (or better yet, exactly how long it would take to brute-force) is one of the better solutions.
Sadly, requirements cannot be used for this purpose. On average, they will make things worse. Humans are humans. Ignoring human behavior in this regard makes absolutely no sense.
-
- Lunatic
- Posts: 499
- Joined: 2019-08-13, 00:30
- Location: Casumia
Re: New forum passwords
Could somebody link to this research’s DOI or some friendly Russian hosting it? While it sounds plausible enough that forcing password changes will move many users to recycle passwords with as little padding as possible to meet any requirements (so ‘password’ with both cases, numbers, symbols and 12 characters, changed yearly, becomes ‘Password123!’, then ‘Password456!’ next year), nobody has produced any thorough evidence that this is indeed what happens. If this has been documented, I should like to see the documents. 

Browser: Pale Moon (official build, updated regularly)
Operating System: Linux Mint Debian Edition 4 (amd64)
※Receiving Debian 10 ELTS security upgrades
Hardware: HP Pavilion DV6-7010 (1400 MHz, 6 GB)
Ash is the best letter.
-
- Keeps coming back
- Posts: 817
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: New forum passwords
I'm trying to avoid biasing anyone's research by providing links, but with that warning, here is the ground-work study from 2006 that all others have followed and corroborated.
https://www.microsoft.com/en-us/researc ... rd-habits/