User password length vs reset password length

https://www.phpbb.com/ideas/
Author:
John connor
Posted:
Thu Aug 01, 2019 5:24 am
John connor
Registered User
Posts: 2186
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

User password length vs reset password length

Post by John connor » Thu Aug 01, 2019 5:24 am

Right now the option to set the maximum length for the password users can use is bound to the maximum length of the reset password a user will get if they request to reset their password should they forget it. So if one were to use a user max size of 100 characters, then the reset password will also be 100 characters. This may pose a problem to those that use a smart device in one facet or another, be it smartphone or tablet.

My proposal is to separate the length of password used for users from the length of password used for the password reset link. So I think there should be two options in the ACP: one to set the maximum password length allowed for users and another option for the maximum length of the password for the password reset upon using the "I forgot my password" link.

david63
Registered User
Posts: 16330
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: User password length vs reset password length

Post by david63 » Thu Aug 01, 2019 6:00 am

I can understand the reasoning behind this but I would be more inclined to say that the reset password should use the minimum length that is set for the password rather than the maximum length.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

v12mike
Registered User
Posts: 347
Joined: Thu Jul 09, 2015 5:03 pm

Re: User password length vs reset password length

Post by v12mike » Thu Aug 01, 2019 9:36 am

david63 wrote, Thu Aug 01, 2019 6:00 am:
    I can understand the reasoning behind this but I would be more inclined to say that the reset password should use the minimum length that is set for the password rather than the maximum length.

I agree with this and I have previously modded my boards to give random passwords of the minimum length.

Should I vote the original proposal up or down?

EA117
Registered User
Posts: 755
Joined: Wed Aug 15, 2018 3:23 am

Re: User password length vs reset password length

Post by EA117 » Thu Aug 01, 2019 2:16 pm

Perhaps something less deterministic? In order to retain some portion of the "maximum difficulty" aspect of the current "use the maximum length" approach, when it comes to defending against someone who might intend to maliciously exploit the password reset.

E.g., if I simply view the registration form, I know the minimum length. And then I issue a password reset on your account, but I can't see the email that was sent giving you your new password. But now I have the smallest possible value to crack using whatever method I'm going to use, and the password value is of an exact length I know.

So rather than "a new fixed length setting", and rather than "use minimum length", what about "a new minimum and maximum length for generated password"? And phpBB will randomly generate a password that is "of a length somewhere within that range." Effectively leaving an attacker to have to assume the password could be anything up to the maximum, even though users may get something shorter.

Or if we're against adding a setting, extrapolate a minimum and maximum generated password length based on the existing setting, similar to what phpBB is currently doing. For example, use the existing minimum as the minimum, and then a calculated maximum such as "min( minimum * 3, maximum )". Meaning the maximum generated password length would be up to three times the configured minimum length, unless this exceeds the configured maximum.
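The two variants proposed in the post above (a random length within a configured range, and a range derived from the existing settings as minimum to min(minimum * 3, maximum)) can be compared numerically. The following Python is an added example written for this page; it is not phpBB code and does not claim to match phpBB's own generator. The 62-character alphabet, the 6/100 settings in the demo, and every function name are constructed for the example. It generates a reset password with a random length drawn from the range using the operating system CSPRNG, and computes the size of the search space an attacker faces under the three policies discussed in the thread: always the maximum, always the minimum, and a random length in the derived range.

```python
import math
import secrets
import string

# Character set for generated reset passwords. Constructed for this example;
# phpBB's own password generator may use a different alphabet.
ALPHABET = string.ascii_letters + string.digits


def generated_length_bounds(min_len: int, max_len: int) -> tuple[int, int]:
    """Derive the length range for a generated reset password from the board's
    existing minimum/maximum password settings, using the rule proposed in the
    thread: lower bound = configured minimum, upper bound = min(minimum * 3, maximum).
    """
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    return min_len, min(min_len * 3, max_len)


def generate_reset_password(lo: int, hi: int, alphabet: str = ALPHABET) -> str:
    """Generate a password whose length is drawn uniformly from [lo, hi], with
    both the length and every character taken from the OS CSPRNG via `secrets`.
    Someone who knows only the board settings cannot tell the exact length of
    any particular generated password, which is the point of the range proposal.
    """
    if lo < 1 or hi < lo:
        raise ValueError("need 1 <= lo <= hi")
    length = lo + secrets.randbelow(hi - lo + 1)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(lo: int, hi: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of candidate passwords an attacker must cover when all they know
    is that the length lies in [lo, hi]: the sum of alphabet_size ** L over
    every possible length L. A fixed, publicly known length is the lo == hi case.
    """
    return sum(alphabet_size ** length for length in range(lo, hi + 1))


def entropy_bits(lo: int, hi: int, alphabet_size: int = len(ALPHABET)) -> float:
    """The same search space expressed in bits, for comparing policies."""
    return math.log2(search_space(lo, hi, alphabet_size))


def compare_policies(min_len: int, max_len: int) -> dict[str, float]:
    """Bits of work for the three policies discussed in the thread, given the
    board's existing min/max settings: always the maximum (current phpBB
    behaviour as described in the thread), always the minimum, and a random
    length in the derived [min, min(3 * min, max)] range."""
    lo, hi = generated_length_bounds(min_len, max_len)
    return {
        "fixed_max": entropy_bits(max_len, max_len),
        "fixed_min": entropy_bits(min_len, min_len),
        "random_in_range": entropy_bits(lo, hi),
    }


if __name__ == "__main__":
    # Constructed settings: a board with a 6-character minimum and 100-character maximum.
    for policy, bits in compare_policies(6, 100).items():
        print(f"{policy:16s} {bits:7.1f} bits")
    print("sample:", generate_reset_password(*generated_length_bounds(6, 100)))
```

With a 6/100 board, the derived range is 6 to 18 characters: a fixed 6-character reset password is about 36 bits of work, the derived range about 107 bits, and the current 100-character behaviour about 595 bits. `search_space` counts the whole range; an adversary who tries the shortest lengths first would on average succeed somewhat sooner than that, but the sum is dominated by the longest lengths, so the comparison between policies does not change.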

david63
Registered User
Posts: 16330
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: User password length vs reset password length

Post by david63 » Thu Aug 01, 2019 2:28 pm

With all due respect, isn't that a bit over the top, and doesn't it in some ways defeat the original request?

If a member has requested a password reset how will a "hacker" know that?

How will the "hacker" know the member's username?

In my experience of requesting a password reset (not necessarily for a phpBB board) I get the email within minutes and then do whatever is necessary, so the time window for the "hacker" is, in the majority of cases, quite small. In any event there is not much that a "hacker" could glean from an "ordinary" member anyway.

EA117
Registered User
Posts: 755
Joined: Wed Aug 15, 2018 3:23 am

Re: User password length vs reset password length

Post by EA117 » Thu Aug 01, 2019 2:57 pm

david63 wrote, Thu Aug 01, 2019 2:28 pm:
    How will the "hacker" know the member's username?

I don't know, phpBB user david63 on a publicly visible phpBB board. How would they ever know your phpBB username? 😜 But yes, it wouldn't be obvious how they would have obtained the email address. Not that this makes it impossible, but I can certainly concede it's not "open information" exposed by phpBB. (Though I guess that depends on your phpBB settings.)

Perhaps someone who does want the behavior to be exactly as Mr. Connor intended would set the minimum and maximum generated password length to be the same, such that the users always get exactly a specific length. (For the case where a separate "minimum and maximum generated password length" setting was added.) But that wouldn't be the only way the system was designed to allow operation.

The very optimistic "I will see the email within a couple minutes" is indeed one of the possible cases which will occur. They will also be attacking the founder account who hasn't answered his email in five years, and the user who switched from their old gmail.com account many moons ago and never updated their phpBB email. Also the normal upright bipeds who don't wear their email and will see it at the end of the day, if then.

But it is certainly a reasonable consideration to weigh "are there simple changes that will increase the security posture", versus "does this just complicate the life of the user without giving us anything in return." I just had a feeling I knew why "maximum length" would have been chosen by the current phpBB code, and was trying to "split the difference" of the new proposal between user "ease of use" and "unnecessarily predictable" security behavior.

Lady_G
Registered User
Posts: 232
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: User password length vs reset password length

Post by Lady_G » Thu Aug 01, 2019 9:59 pm

I have several complaints from users who did not want to type in a long reset password. They did not recognize that one can copy and paste the reset password into the login box field.

A change to the password reset form may also help. The form is here: language/en/email/user_activate_password.txt.

For example, to add a text description such as:

Code:

    Copy and paste the password into the "Password:" field. You don't need to type it in.

Several of my users are of an "older age" and may have difficulty copying and pasting text. For these users, I would agree to changing the password length to the minimum value. There is no additional complexity of adding a separate field in the Administration Control Panel.

I do not agree on a formula to calculate the value, as it is arbitrary and will result in the same problem - a length that is too long to type in. My board's minimum password length can be manually entered without much difficulty.

The maximum length is intended for those using password managers - I do not expect anyone to manually enter a very long password.

If someone has compromised a user's email, it will not matter if the length is 10 characters or 100 characters.

John connor
Registered User
Posts: 2186
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: User password length vs reset password length

Post by John connor » Fri Aug 02, 2019 2:18 am

Question: Why didn't I get a notification to this topic like I do all other topics? "Notify me when a reply is posted" is always checked.

Okay, about the password reset. You need an email to do that. You'll know the username, but phpBB needs an email for that user to reset the password. No email, no reset. Now say you do have their email address. The user will get an email about the password reset so they could let the Admin know they got an email. Then the Admin can look over the access log and see what IP initiated it.

My original idea stands. Two options in the ACP: one for the min and max user password, and an option for the max length of the reset password. Perhaps this option can also have min and max settings, which would be prudent.
