New forum passwords

Moonchild
Pale Moon guru
Posts: 37676
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: New forum passwords

Unread post by Moonchild » 2023-01-20, 20:24

BenFenner wrote:{rant}
If you're of the opinion that your single password is totally breakproof and should never be changed, you can also just change it temporarily to something else, then change it back, and run all the risks associated with your one golden password that could never possibly ever be compromised forever until the heat death of the universe.
Then you can be as lazy as you want and keep your single password in your brain that you can easily remember in your wetware (and be the lazy human you describe perfectly). You are using unique passwords on every website you have an account at, right? 8-)
BenFenner wrote:
2023-01-20, 19:21
Telling users in real-time how strong their password is as they create it
It's not possible to accurately reflect this due to the various smart ways password attacks are done. It can also not reflect if said password has been used elsewhere or not. Brute-force password guessing is hardly ever used these days and there is a much larger risk of leaked passwords or variant guessing (from leaked passwords) than there is blind guessing. No, password complexity does not linearly increase by adding numbers or symbols, but it will make said passwords harder to remember if you require them. That's why I tend to not do that, as it does not make for a strong password, per se. Sufficiently long passwords, though, are a must.

In the meantime, I'm keeping the totally common-sense regime to stimulate people to occasionally change their password on this forum, if for nothing else but to occasionally remind them of their account security status. It's a low level of stimulus that prevents what you try to describe (change-fatigue). It's not ignoring human behaviour, but rather playing into it. Complacency is exactly what gets people into trouble, and never being reminded of account security will lead exactly to that, and to guessable passwords that are eventually re-used elsewhere and lead to compromise.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

satrow
Forum staff
Posts: 1925
Joined: 2011-09-08, 11:27

Re: New forum passwords

Unread post by satrow » 2023-01-20, 20:26

BenFenner wrote:
2023-01-20, 20:01
here is the ground-work study from 2006
Data collated in 2006, partly from an MS toolbar (esp. for users who'd not experienced the likes of Bonzi buddy, eh?): has nothing changed since then? Really?

Moonchild
Pale Moon guru
Posts: 37676
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: New forum passwords

Unread post by Moonchild » 2023-01-20, 20:35

BenFenner wrote:
2023-01-20, 15:38
Regardless, I suspect it's not DB leaks and weak passwords causing this, it's users having their e-mail accounts compromised
Actually, your suspicion is completely off the mark. Compromised e-mail accounts would not give attackers the passwords of their account on this forum, and there has been no activity to reset passwords on the problematic accounts prior to the problematic posts -- which were one-shot deals from suspicious IPs with no surrounding activity.
So we can simply rule that out; it's much more likely the passwords themselves were compromised from stolen account DBs that were not unique to those compromised sites, OR the passwords were extracted from "cloud" password vaults in one of the many breaches we've seen.
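The triage Moonchild describes above (a post that is a one-shot from an IP with no surrounding activity for that account, and no password reset before it) written out as an added example over constructed event records. This is not the forum's own tooling or any phpBB code: the event shape, the IP addresses, the account names and the three time windows are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed event records in the shape a forum's own logs could provide:
# (ISO 8601 timestamp, account, source IP, event type). IPs come from the
# documentation ranges; none of this is real forum data.
EVENTS = [
    ("2023-01-15T09:00:00", "alice", "203.0.113.10", "login"),
    ("2023-01-15T09:05:00", "alice", "203.0.113.10", "post"),
    ("2023-01-15T09:40:00", "alice", "203.0.113.10", "view"),
    ("2023-01-16T18:20:00", "alice", "203.0.113.10", "login"),
    ("2023-01-17T03:14:00", "alice", "198.51.100.77", "login"),
    ("2023-01-17T03:14:30", "alice", "198.51.100.77", "post"),   # one-shot from a new IP
    ("2023-01-17T11:00:00", "bob",   "192.0.2.5",    "password_reset"),
    ("2023-01-17T11:02:00", "bob",   "192.0.2.5",    "login"),
    ("2023-01-17T11:03:00", "bob",   "192.0.2.5",    "post"),    # reset, then post
    ("2023-01-17T12:00:00", "carol", "203.0.113.44", "login"),
    ("2023-01-17T12:10:00", "carol", "203.0.113.44", "post"),
    ("2023-01-17T12:30:00", "carol", "203.0.113.44", "post"),
    ("2023-01-17T13:00:00", "carol", "203.0.113.44", "view"),
]

# Assumed thresholds for this example; tune them to the forum's real traffic.
RESET_WINDOW = timedelta(hours=24)     # a reset this long before a post is "preceding"
SESSION_GAP = timedelta(minutes=30)    # events closer than this belong to the same session
ACTIVITY_WINDOW = timedelta(hours=24)  # look this far after the post for follow-up activity


def parse(events):
    """Turn the raw tuples into (datetime, account, ip, event) rows, oldest first."""
    rows = [(datetime.fromisoformat(ts), acct, ip, ev) for ts, acct, ip, ev in events]
    return sorted(rows)


def classify_post(post, rows):
    """Classify one post:

    reset_flow      a password reset preceded it (what an e-mail takeover would leave)
    credential_use  no reset, and the posting IP has no activity for this account
                    outside the immediate login session (one-shot, nothing around it)
    normal          the IP has a history with the account, before or after the post
    """
    ts, acct, ip, _ = post
    mine = [r for r in rows if r[1] == acct and r is not post]
    reset_before = any(
        r[3] == "password_reset" and timedelta(0) <= ts - r[0] <= RESET_WINDOW
        for r in mine
    )
    earlier_from_ip = [r for r in mine if r[2] == ip and ts - r[0] > SESSION_GAP]
    later_from_ip = [r for r in mine if r[2] == ip and timedelta(0) < r[0] - ts <= ACTIVITY_WINDOW]
    if reset_before:
        return "reset_flow"
    if not earlier_from_ip and not later_from_ip:
        return "credential_use"
    return "normal"


def triage_posts(events):
    """One finding per post, with the class chosen for it."""
    rows = parse(events)
    return [
        {"time": r[0].isoformat(), "account": r[1], "ip": r[2], "class": classify_post(r, rows)}
        for r in rows
        if r[3] == "post"
    ]


def summarize(events):
    """Count findings per class, for a quick view of what the batch contains."""
    counts = {}
    for finding in triage_posts(events):
        counts[finding["class"]] = counts.get(finding["class"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage_posts(EVENTS):
        print(finding)
    print(summarize(EVENTS))
```

Run stand-alone it prints one finding per post and the counts per class. The order of the checks follows the argument in the post: a reset preceding the post is the trace an e-mail-account takeover would leave behind, so it is tested first; only when there is no reset and the posting IP has no other activity for that account does the post get classed as use of a stolen credential. Anything with a history from that IP is treated as normal, which is exactly the gap a patient attacker who logs in and waits would fall into, so treat the output as a queue for a human, not a verdict.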

somdcomputerguy
Lunatic
Posts: 405
Joined: 2014-02-23, 17:25
Location: Greenbrier County, West Virginia

Re: New forum passwords

Unread post by somdcomputerguy » 2023-01-20, 22:09

BenFenner wrote:
2023-01-19, 22:13
.. users choosing strong and memorable (good) passwords.
I don't know or remember almost any of the nearly 500 passwords in my KeePass (https://keepass.info/) database, most of which have been generated by that password manager. I just remember the 20+ character phrase to that database. I recommend any password manager except LastPass to anybody I hear complaining about passwords. I have had to sadly shake my head many times though because some (well, more than some, but thankfully less than most) people say something like, "Ya but I'm not a computer guy like you..". :coffee:
:cool: -bruce /* somdcomputerguy.com */
'If you change the way you look at things, the things you look at change.'

BenFenner
Keeps coming back
Posts: 823
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: New forum passwords

Unread post by BenFenner » 2023-01-21, 00:18

Moonchild wrote:
2023-01-20, 20:24
BenFenner wrote:{rant}
If you're of the opinion that your single password is totally breakproof and should never be changed, you can also just change it temporarily to something else, then change it back, and run all the risks associated with your one golden password that could never possibly ever be compromised forever until the heat death of the universe.
Yah, I know. This isn't about me. This is about you shooting yourself in the foot (and apparently the messenger at the same damn time).

Moonchild wrote:
2023-01-20, 20:24
It's not possible to accurately reflect this due to the various smart ways password attacks are done. It can also not reflect if said password has been used elsewhere or not.
You can't get perfectly accurate, but you sure can get close and educate the user at the same time. I've done it myself.
You can estimate time to brute-force and present this to the user.
You can, at the same time, run their proposed new password through a common-password check (I like the list of the most common 1,000,000 passwords myself).
You can choose a salt+hashing technique (with max iterations) that is resistant to rainbow table attacks.
You can present all of this information to the user, and more if you'd like. It's not hard. Again, I've done this all myself.

Of course there are side-channel attacks and other things to consider, but here "perfect" is for sure the enemy of "good". No need to throw your hands in the air and give up. Just do a decent job.
Moonchild wrote:
2023-01-20, 20:24
In the meantime, I'm keeping the totally common-sense regime to stimulate people to occasionally change their password on this forum, if for nothing else but to occasionally remind them of their account security status. It's a low level of stimulus that prevents what you try to describe (change-fatigue). It's not ignoring human behaviour, but rather playing into it. Complacency is exactly what gets people into trouble, and never being reminded of account security will lead exactly to that, and to guessable passwords that are eventually re-used elsewhere and lead to compromise.
You'd think so, but none of the past 20 years of research backs you up. Common sense fails here. :|


satrow wrote:
2023-01-20, 20:26
Data collated in 2006, partly from an MS toolbar (esp. for users who'd not experienced the likes of Bonzi buddy, eh?) has nothing changed since then? Really?
Correct. Nothing has changed since then. Every study since has corroborated their findings. Your DDG works just as well as mine.

Falna
Astronaut
Posts: 527
Joined: 2015-08-23, 17:56
Location: UK / France

Re: New forum passwords

Unread post by Falna » 2023-01-21, 01:29

TheRealMaestro wrote:
2023-01-20, 19:49
While it sounds plausible enough that forcing password changes will move many users to recycle passwords with as little padding as possible to meet any requirements (so ‘password’ with both cases, numbers, symbols and 12 characters, changed yearly, becomes ‘Password123!’, then ‘Password456!’ next year), nobody has produced any thorough evidence that this is indeed what happens.
Years ago, when I only had a few dozen passwords to remember, I certainly used to increment each password for each enforced password change (though starting with something rather more complex than 'Password', and always a different password for every site). No doubt I'd still be doing the same if I didn't have a password manager.

I'd be surprised if someone came up with evidence that that isn't common practice (in the absence of a password manager).

Forked extensions :
● Add-ons Inspector ● Auto Text Link ● Copy As Plain Text ● Copy Hyperlink Text ● FireFTP button replacement ● gSearch Bar ● Navigation Bar Enhancer ● New Tab Links ● Number Tabs ● Print Preview Button and Keyboard Shortcut 2 ● Scrollbar Search Marker ● Simple Marker ● Tabs To Portfolio ● Update Alert ● Web Developer's Toolbox ● Zap Anything

Hint: If you expect a reply to your PM, allow replies...

Moonchild
Pale Moon guru
Posts: 37676
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: New forum passwords

Unread post by Moonchild » 2023-01-21, 10:38

TheRealMaestro wrote:
2023-01-20, 19:49
recycle passwords with as little padding as possible to meet any requirements
Falna wrote:
2023-01-21, 01:29
I'd be surprised if someone came up with evidence that that isn't common practice
I totally expect that to be the practice, for those that really insist on simple passwords. But the point is that those, while simple, are still considerably stronger than just 'password' with no requirements, and also stronger than plainly re-using the same password (and likely re-using it across sites). Of course there will be the oddballs who basically go all entitled "How dare you ask me to change my password! To 'punish' your requirements I'm now going to use something thoughtless, 0-effort" but really, I have zero empathy for that. You can't reasonably cater to that approach because it is unreasonably extreme.

The issue remains that you can't make a perfectly secure password regime when dealing with a broad base of users many of whom simply don't care enough about their accounts to keep them secured, but in lieu of that, one should not just "throw in the towel" and not do anything, either.

And that's the last I have to say about it, myself.

RealityRipple
Keeps coming back
Posts: 861
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: New forum passwords

Unread post by RealityRipple » 2023-01-21, 15:28

All passwords should be 512 randomly generated characters. Get better at memorizing things, humans.

andyprough
Board Warrior
Posts: 1115
Joined: 2020-05-31, 04:33

Re: New forum passwords

Unread post by andyprough » 2023-01-21, 16:47

RealityRipple wrote:
2023-01-21, 15:28
All passwords should be 512 randomly generated characters. Get better at memorizing things, humans.
Nothing difficult about memorizing Pa$$word x 64 times.

Or was that P@ssword? Crap.

Night Wing
Knows the dark side
Posts: 5443
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: New forum passwords

Unread post by Night Wing » 2023-01-21, 20:32

I just "go with the flow".

Right now my new password contains 16 characters, but I'm going to change the password (again) and increase the number. To paraphrase from the movie, "Aliens" (with Sigourney Weaver & Michael Biehn), "just be sure". ;)
Linux Mint 22.1 (Xia) Xfce w/Pale Moon, Waterfox, Firefox
MX Linux 23.6 (Libretto) Xfce w/Pale Moon, Waterfox, Firefox
Linux Debian 12.11 (Bookworm) Xfce w/Pale Moon, Waterfox, Firefox

BenFenner
Keeps coming back
Posts: 823
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: New forum passwords

Unread post by BenFenner » 2023-01-22, 16:33

Moonchild wrote:
2023-01-21, 10:38
Of course there will be the oddballs who basically go all entitled "How dare you to ask me to change my password! To 'punish' your requirements I'm now going to use something thoughtless, 0-effort"
This is not supported by the research. "Oddballs" with that mindset and users who are frustrated and "give up" are indistinguishable. Regular users by-and-large produce exactly the same strength passwords as these "oddballs" you speak of when presented with rigid password length/character/time limitations.
Moonchild wrote:
2023-01-21, 10:38
but really, I have zero empathy for that. You can't reasonably cater to that approach because it is unreasonably extreme.
Incorrect. It is the norm. Ignore the research at your own peril.
Moonchild wrote:
2023-01-21, 10:38
The issue remains that you can't make a perfectly secure password regime when dealing with a broad base of users many of whom simply don't care enough about their accounts to keep them secured, but in lieu of that, one should not just "throw in the towel" and not do anything, either.
No one said anything about throwing in the towel. There are rigid requirements to implement:

1) The password should not be contained within the list(s) of known passwords (Easily available 1M password lists exist to check against.)
2) Given your chosen salt+hashing+iteration technique and current hardware-specs+hashcat algorithms, the password should survive ~200 years brute force attack with pro/hobbyist equipment of the day.

And there are all manner of educational opportunities during password creation:

1) Tell the user how long their proposed password will take to brute-force.
2) Explain what makes a good password. (Uniqueness, length, length, length, character set, memorability and/or secure storage.)
3) Encourage password managers and explain options.
4) Provide your own strong passwords the user can produce for use (similar to most password managers).

I realize that phpBB is likely very limiting in this area, but that doesn't mean the spirit is lost.
Moonchild wrote:
2023-01-21, 10:38
And that's the last I have to say about it, myself.
Good. You should read what the experts in the field have to say before you continue to leap to incorrect assumptions and conclusions one after another.

Implementing the stricter password requirements you plan to implement will cause your users to produce less-strong passwords, re-use passwords, and similar. You will almost assuredly experience more accounts compromised here on the forum as a result.
You are turning the wrong knobs, and you are making things worse, and you are doing so in the face of overwhelming evidence to the contrary.
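The checks BenFenner lists above (and in his earlier reply in this thread: a common-password check, a time-to-brute-force estimate shown to the user, and a salted iterated hash), together with Moonchild's caveat that a meter cannot know where else a password has been used, as an added example that is not code from the forum, from phpBB or from either poster. The ten-entry common-password list, the guess rate, the 200-year target, the 100-character maximum and the PBKDF2 parameters are assumptions for the example; a real deployment loads a full list and benchmarks the guess rate against its own hash and hardware.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed stand-in for a "most common passwords" list. A real deployment
# would load a large file (the post above mentions a 1,000,000-entry list);
# these ten entries exist only so the example runs offline.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein",
    "password123", "iloveyou", "admin", "welcome", "palemoon",
})

# Assumed attacker throughput for the time-to-crack estimate: guesses per
# second against the KDF below. An assumption for the example, not a
# measurement; benchmark your own hash and hardware to tune it.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
REQUIRED_YEARS = 200            # survival target stated in the post
MAX_LENGTH = 100                # the forum's stated maximum, in characters

# Assumed storage KDF: salted PBKDF2-HMAC-SHA256 with a high iteration count.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Cheap substitutions people make to satisfy "must contain a symbol" rules.
_LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "|": "l"})


def charset_size(password: str) -> int:
    """Smallest keyboard alphabet that covers the password (meter approximation)."""
    size = 0
    if any(c.isascii() and c.islower() for c in password):
        size += 26
    if any(c.isascii() and c.isupper() for c in password):
        size += 26
    if any(c.isascii() and c.isdigit() for c in password):
        size += 10
    if any(c.isascii() and not c.isalnum() for c in password):
        size += 33                      # printable ASCII punctuation and space
    if any(not c.isascii() for c in password):
        size += 100                     # assumed bucket for non-ASCII input
    return size


def years_to_exhaust(password: str,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to exhaust the whole keyspace by blind guessing at the assumed rate."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def common_list_hit(password: str) -> bool:
    """Check the password and its cheap variants against the known list.

    Covers the 'Password123!' / 'Password456!' pattern the thread describes:
    case-fold, drop trailing digits/symbols, and undo leet substitutions.
    """
    folded = unicodedata.normalize("NFKC", password).lower()
    stripped = re.sub(r"[^a-z]+$", "", folded)
    variants = {folded, stripped, folded.translate(_LEET), stripped.translate(_LEET)}
    return bool(variants & COMMON_PASSWORDS)


def evaluate(password: str) -> dict:
    """Apply the two hard requirements and return user-facing feedback."""
    years = years_to_exhaust(password)
    reasons = []
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if common_list_hit(password):
        reasons.append("matches a known-common password, possibly after un-leeting "
                       "or dropping trailing digits/symbols")
    if years < REQUIRED_YEARS:
        reasons.append(f"keyspace exhausted in about {years:.3g} years at the assumed "
                       f"rate; {REQUIRED_YEARS} required")
    return {"acceptable": not reasons, "years_to_exhaust": years, "reasons": reasons}


def _kdf(password: str, salt: bytes, iterations: int) -> bytes:
    # Normalise before encoding so differently composed accented input verifies.
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash for storage: 'pbkdf2_sha256$iterations$salt$digest'."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = _kdf(password, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; iteration count is read from the stored record."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = _kdf(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("P@ssword123!", "12345678901234", "correct horse battery staple mountain"):
        print(candidate, evaluate(candidate))
```

The point the two hard checks make together: 'P@ssword123!' scores an enormous brute-force time yet is rejected, because after dropping the trailing '123!' and un-leeting it collapses to an entry in the list, while '12345678901234' is not in any list but fails the time check. The meter cannot see reuse on other sites, so the list check is what stands in for it. Iterations are stored next to the hash so they can be raised later without invalidating old records.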

BenFenner
Keeps coming back
Posts: 823
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: New forum passwords

Unread post by BenFenner » 2023-01-23, 00:13

Admittedly, this specific post is 100% about me.

I got curious as to how many passwords I personally administer, including for my job.

I have ~546 active (non-archived) passwords under my steward. I'm sure I'm missing some as well. Mercifully (and smartly) absolutely none of them are with a place that forces a cyclical password reset.
If they all applied a year-long cycle (suggested in this thread as generous and non-onerous) I would be changing a password on average 1.5 times a day via that system's UI and then likely also a second time for a password manager.

A huge portion of my life would be changing passwords. I think I'd go off the grid and live by the lake instead.

Take out the work stuff and I'd still be changing a password on average every 2.5 days. What a world that would be!


Details:
45 - Commerce web sites (automotive)
39 - Commerce web sites (other)
24 - Classic web forums/social media (automotive)
10 - Classic web forums/social media (other)
5 - PC BIOS/CMOS/UEFI
5 - PC operating systems
4 - New-school social media
4 - Banking
4 - Personal web site/hosting
3 - Personal e-mail accounts
3 - Password managers
2 - Local app licenses
1 - Tablet operating system
1 - Insurance
1 - Medical
1 - Tax prep

152 - Personal subtotal.
--------
~394 - Work-related. SSH, Commerce, APIs, etc. for 4 environments.

~394 - Work subtotal.
--------
Total: ~546
Last edited by BenFenner on 2023-01-23, 00:53, edited 1 time in total.

Falna
Astronaut
Posts: 527
Joined: 2015-08-23, 17:56
Location: UK / France

Re: New forum passwords

Unread post by Falna » 2023-01-23, 00:25

BenFenner wrote:
2023-01-23, 00:13
I got curious as to how many passwords I personally administer, including for my job.
An interesting exercise. Just checked and I've got 1,055...

BenFenner
Keeps coming back
Posts: 823
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: New forum passwords

Unread post by BenFenner » 2023-01-23, 00:55

Falna wrote:
2023-01-23, 00:25
An interesting exercise. Just checked and I've got 1,055...
:!:

Can you imagine having to change ~3 of those a day, every single day, for the foreseeable future?

Moonchild
Pale Moon guru
Posts: 37676
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: New forum passwords

Unread post by Moonchild » 2023-01-23, 01:15

BenFenner wrote:
2023-01-23, 00:55
Falna wrote:
2023-01-23, 00:25
An interesting exercise. Just checked and I've got 1,055...
:!:

Can you imagine having to change ~3 of those a day, every single day, for the foreseeable future?
Yup! Since that would take only a minute at most (for all 3. And if it doesn't, then you need to get better password management) 8-)
Of course that's assuming you'd be visiting all 1000 sites every day, and they all have the same policy of 365 days/change. Otherwise you wouldn't be running into this nearly with any consistency or frequency like this. ;-)

But you were right:
BenFenner wrote:
2023-01-23, 00:13
Admittedly, this specific post is 100% about me.
And I'm thinking a bit bigger picture and not making conveniently supporting assumptions ;)
BenFenner wrote:
2023-01-23, 00:13
absolutely none of them are with a place that forces a cyclical password reset
So what's your complaint if a few of them do?

Sorry, I said i was done. I'll refrain from now on.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Mæstro
Astronaut
Posts: 542
Joined: 2019-08-13, 00:30
Location: Casumia

Re: New forum passwords

Unread post by Mæstro » 2023-01-23, 16:04

Who uses a thousand passwords to begin? I have only 22 passwords saved in Pale Moon. Of these, ten are obsolete (sites I plan never to use again: my old school’s inbox, Neopets…) and another five are duplicates on the same site’s subdomains. Of course, I do not use ‘log in with Google/Facebook/???’, for I have accounts with none of these. I have kept a screenshot from 2019, just before migrating to Pale Moon, of passwords saved then in Waterfox; I had had 25 passwords then, with two duplicates. The law of the vital few holds here. Unless one has held every login for random BBS where one has posted even once since twenty years ago, I cannot conceive why one would ever have so many, to say nothing of needing them.

At this phase, I think we should simply relax to some topical music.
Browser: Pale Moon (official build, updated regularly)
Operating System: Linux Mint Debian Edition 4 (amd64)
※Receiving Debian 10 ELTS security upgrades
Hardware: HP Pavilion DV6-7010 (1400 MHz, 6 GB)
Ash is the best letter.

Moonchild
Pale Moon guru
Posts: 37676
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: New forum passwords

Unread post by Moonchild » 2023-01-23, 16:09

Off-topic:
TheRealMaestro wrote:
2023-01-23, 16:04
At this phase, I think we should simply relax to some topical music.
*grooves to the sound of "502 - bad gateway"* ;-)

THX-1139
Lunatic
Posts: 475
Joined: 2019-06-13, 13:42
Location: In a place with no YT

Re: New forum passwords

Unread post by THX-1139 » 2023-01-23, 18:55

I am curious as to the rules for passwords here for the forum, i.e., max number of characters that can be used and what special characters can be used, if any.
My current PW is 12 long and no special characters, but all unique and random... I ask because I would like to make them better perhaps.
And what about password generators? any thoughts as to their effectiveness?
Pale Moon 33.5.0. (64) Win7 pro (64) Intel Core i5-3570 3.4GHz-16 GB DDR3

"The biggest joke on mankind is that computers have started asking humans to prove they're not a robot."

"Man needs difficulties; they are necessary for health." ~Carl Jung

Moonchild
Pale Moon guru
Posts: 37676
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: New forum passwords

Unread post by Moonchild » 2023-01-23, 19:06

THX-1139 wrote:
2023-01-23, 18:55
Max number of characters
100
THX-1139 wrote:
2023-01-23, 18:55
what special characters can be used if any
Any, as far as I'm aware. Not entirely sure to what extent multibyte characters are supported though; php/mysql can get a bit picky sometimes about extended UTF-8 stuff.

THX-1139
Lunatic
Posts: 475
Joined: 2019-06-13, 13:42
Location: In a place with no YT

Re: New forum passwords

Unread post by THX-1139 » 2023-01-23, 21:19

Thank you! And I meant keyboard characters like: @%&*)(_-=+ etc. That was all.