Thanksthenickdude wrote:That's a good idea, MasterZ.
That would be a nice MOD... If I didn't have so many unfinished on my plate I would even consider doing that one.thenickdude wrote: I would like to see a dictionary check added to the password minimum requirements system - I'll check if there is a mod for that.
Well to that I say that's what the "forgot password" is for, and if they do not know their email or if they entered the wrong email then this will teach them to make sure it is correct next time. :pthenickdude wrote: The problem with expiring our users' passwords is that a non-zero (and possibly large) proportion of them don't know their passwords. They actually rely on the "remember me on this computer" option and so log into the forum about every six months whether they're active every day or not... . We don't currently validate email addresses on signup, so a large percentage of them also have invalid board email addresses. That makes regaining access to their accounts very difficult when the "remember me" system fails (or their password gets expired).
Code: Select all
Code: Select all
Code: Select all
Interestingly, if a large portion of users use real words for passwords this would actually make a remote dictionary attack more likely to succeed.Marshalrusty wrote:Raise the required length to 9 (there are fewer words with 9 characters) which will force everyone to get creative.
OpenID is awesome... I do not think I would change anything about it. Having a decentralized authentication provides a trusted, redundant authentication system for little to no cost. It also provides the ability to be more secure than standard websites would normally use. By using verisign for my OpenID provider means that any website/forum I sign up to using OpenID is automatically using 3 factor authentication. Something that would otherwise be unavailable to me without OpenID.ToonArmy wrote:Defeating the whole 'Open' part in OpenID.
The thing is, if you're not after a specific account then you can just try the 3 most common passwords on many accounts. Check out the list of most common passwords here from a study of 100,000 leaked passwords: http://blog.jimmyr.com/Password_analysi ... 8_2009.php . Note that the password "123456" is used by 3% of users and that the 10 most common passwords are together used by 11% of users!Marshalrusty wrote:A while ago, I found out that my mother used her maiden name as a password. Naturally, I made her change it because that's one of the first things I would try. Keep in mind though, that I would have gone through quite a few other things before coming to her maiden name. I can't imagine how long it would have taken with the 3-attempt => CAPTCHA condition.
Yes, random passwords are definitely unguessable.Even using alphanumeric lowercase characters, the number of possible combinations with 6 characters is 36^6, which is 2,176,782,336.
Actually, our forum accounts are attached to a game. In our game, each account has a random chance of getting something really valuable, so each account has a similar value. They aren't being attacked to forge their identities, they're being attacked to steal their stuff . The most vulnerable are also the ones who are least likely to comply with any of our security device.What you should do is add a note to the registration page asking users to select strong passwords. Raise the required length to 9 (there are fewer words with 9 characters) which will force everyone to get creative. Also post a topic on the board about this. The senior users are the ones likely getting targeted most, so they are the ones you should be focusing on educating.
I love OpenID but our users could never figure it out. They are mostly young teens .MasterZ wrote:Or just use phpBB OpenID There are some providers that have strong authentication methods such as three factor authentication (https://pip.verisignlabs.com). Then I just need to make the MOD force the users to use one of the stronger OpenID providers...