Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #45, on August 5th, 2013, 07:47 AM »
Yeah, the turnaround was pretty good - far better than most I've otherwise been involved in (usually on the clean-up side, sigh)

Changing passwords on a regular basis is not necessarily a good plan. It prompts people into picking easier-to-remember passwords.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Kindred

  • Posts: 166
Re: SM.org compromised
« Reply #46, on August 5th, 2013, 01:41 PM »
Yeah, I keep reminding people of that as well.
password1
password2
password3
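The password1 / password2 / password3 pattern above is what a rotation policy tends to produce, and it can be caught at the one moment both plaintexts are in hand: the change-password form, where the user types the old password alongside the new one. The following is an added example written for this page (not SMF or Wedge code) of a change-time check that rejects a new password that is merely the old one re-numbered, reversed, or within a couple of edits. The minimum length of 12 and the edit threshold of 2 are assumptions.

```python
"""Reject a 'new' password that is just the old one with a digit bumped.

Added example; not SMF or Wedge code. At change time the user supplies the old
password, so both plaintexts are briefly available and can be compared directly
without ever storing the old one.
"""
import re


def _stem(pw: str) -> str:
    # Drop trailing digits/punctuation and case so password1, Password2! share a stem
    return re.sub(r"[\d\W_]+$", "", pw).casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the change is cosmetic: same stem, reversed, or within max_edits."""
    o, n = old.casefold(), new.casefold()
    if not o:
        return False
    if n == o or n == o[::-1]:
        return True
    if _stem(new) and _stem(new) == _stem(old):
        return True
    return edit_distance(o, n) <= max_edits


def check_change(old: str, new: str, min_len: int = 12) -> str:
    """Returns 'ok' or the reason the new password is rejected (thresholds assumed)."""
    if len(new) < min_len:
        return "too short"
    if too_similar(old, new):
        return "too similar to the previous password"
    return "ok"
```

The stem comparison is what catches the thread's example: password1 and Password2! both reduce to "password". The edit-distance check catches moving the digit to the front or swapping one character, which the stem test alone would miss.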

runic

  • To be or not to be that is the question ....
  • Posts: 54
Re: SM.org compromised
« Reply #47, on August 5th, 2013, 01:49 PM »
I agree, but the frequency of changing is also an important consideration: changing every few months, yes, but changing it every year, well, that's better.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #48, on August 7th, 2013, 03:49 AM »
1. Road Rash Jr. has been post and PM banned. I have not fully banned him from the site should he wish to continue reading and so on but he cannot reply to posts nor send messages. I have had enough of his claims and I believe a lot of what he says to be fabrication at this point. The game ends here.

2. Kindred has the issue exactly correct with respect to password changing. I still believe that changing them even yearly isn't necessarily ideal, however I can see the logic of this.

3. I also believe it would be wise for both SMF and Wedge (and anyone else, for that matter) to adopt a system whereby a user's password can be expired, prompting the user to change it. Of course this does nothing for users who don't log in any more; perhaps something else needs to be considered for that situation.

Auk

  • Can I get a Box?
  • Posts: 64
Re: SM.org compromised
« Reply #49, on August 7th, 2013, 04:08 AM »
Quote
2. Kindred has the issue exactly correct with respect to password changing. I still believe that changing them even yearly isn't necessarily ideal, however I can see the logic of this.
I agree, because it's a bit much for me to think of something that I can remember. Running out of materials here that are unique and easy to remember, as well as being convenient.
Quote
3. I also believe it would be wise for both SMF and Wedge (and anyone else, for that matter) to adopt a system whereby a user's password can be expired, prompting the user to change it. Of course this does nothing for users who don't log in any more; perhaps something else needs to be considered for that situation.
Would the passwords be changed automatically and then an email sent? Or would the user who wishes to log in just use their password, and then get a notification (along with an email) prompting them to change their password?

Nothing is more despicable than respect based on fear.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #50, on August 7th, 2013, 04:10 AM »
I don't know how the password changing would work.

The basic case of forcing a user's password to change is easy enough: flag it as expired and force the user to change their password when they next sign in.

The problem is if a user hasn't changed it in a period of time (e.g. a week after it was force-expired), it needs to be changed automatically but there are security issues with that, e.g. if the user's email is outdated, but also emailing a new password out is inherently insecure too. There's not really a truly great way to solve that aspect.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: SM.org compromised
« Reply #51, on August 7th, 2013, 09:38 AM »
Quote from Arantor on August 7th, 2013, 04:10 AM
The problem is if a user hasn't changed it in a period of time (e.g. a week after it was force-expired), it needs to be changed automatically but there are security issues with that, e.g. if the user's email is outdated, but also emailing a new password out is inherently insecure too. There's not really a truly great way to solve that aspect.
Can it not be automatically and silently changed to some random series of characters (without sending out any notifications)? Should that user attempt to log on in future, he will have to go through the "lost password" routine.
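The flag-and-force mechanism Arantor describes, together with markham's variant of invalidating the stored hash once the grace period runs out instead of mailing anything, as an added example for this page (not SMF or Wedge code). The in-memory store, the record fields, the PBKDF2 parameters and the 7-day grace period are all assumptions made for the illustration.

```python
"""Password expiry with a forced change at next sign-in and a grace-period sweep.

Added example; not SMF or Wedge code. Store layout, PBKDF2 parameters and the
grace period are assumptions.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000          # PBKDF2-HMAC-SHA256 work factor (assumed)
GRACE_SECONDS = 7 * 86400     # an expired password stays usable this long (assumed)


def hash_password(pw: str, salt: Optional[bytes] = None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    expired_at: Optional[float] = None   # when the password was flagged as expired
    reset_required: bool = False         # hash invalidated; only the lost-password flow works


class AuthStore:
    def __init__(self) -> None:
        self.users: dict = {}

    def register(self, name: str, pw: str) -> None:
        salt, digest = hash_password(pw)
        self.users[name] = User(name, salt, digest)

    def expire(self, name: str, now: Optional[float] = None) -> None:
        """Flag the password as expired; it still works until the grace period ends."""
        self.users[name].expired_at = time.time() if now is None else now

    def expire_all(self, now: Optional[float] = None) -> None:
        """What an admin would run for every account after a site-wide compromise."""
        for name in list(self.users):
            self.expire(name, now)

    def login(self, name: str, pw: str, now: Optional[float] = None) -> str:
        """'ok', 'must_change', 'reset_required' or 'denied'."""
        u = self.users.get(name)
        if u is None:
            return "denied"
        if u.reset_required:
            return "reset_required"       # no password matches the random hash any more
        _, digest = hash_password(pw, u.salt)
        if not hmac.compare_digest(digest, u.digest):
            return "denied"
        return "must_change" if u.expired_at is not None else "ok"

    def change_password(self, name: str, old_pw: str, new_pw: str,
                        now: Optional[float] = None) -> bool:
        """Needs the old password; an expired-but-still-valid one gets the user through."""
        if self.login(name, old_pw, now) not in ("ok", "must_change"):
            return False
        u = self.users[name]
        u.salt, u.digest = hash_password(new_pw)
        u.expired_at = None
        return True

    def sweep(self, now: Optional[float] = None) -> list:
        """Grace period over: overwrite the hash with random bytes so the old password
        stops working. Nothing is mailed; the user must use the lost-password flow,
        which proves control of the address before a new password is set."""
        now = time.time() if now is None else now
        hit = []
        for u in self.users.values():
            if (u.expired_at is not None and not u.reset_required
                    and now - u.expired_at > GRACE_SECONDS):
                u.salt, u.digest = os.urandom(16), os.urandom(32)
                u.reset_required = True
                hit.append(u.name)
        return hit

    def complete_reset(self, name: str, new_pw: str) -> None:
        """Call only after the lost-password flow has verified the e-mailed token
        (that verification is assumed to happen elsewhere)."""
        u = self.users[name]
        u.salt, u.digest = hash_password(new_pw)
        u.expired_at = None
        u.reset_required = False
```

The point of the design is that a password is never generated and sent: sweep replaces the hash with random bytes, so the only way back in is a reset that first proves control of the e-mail address. It also returns the affected usernames so a notice that the password has expired (a message, not a credential) can be sent rather than leaving the user to discover the change silently.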

kimikelku

  • Posts: 61
Re: SM.org compromised
« Reply #52, on August 7th, 2013, 10:54 AM »
At school I have a similar system to that: we have to change our password every 2 weeks. This is a website where we send our work and exams. If we don't log in within 2 weeks, which happens quite often since we don't have exams or work to send every 2 weeks, we don't need to change our password, but if we do, the first time we log in more than 2 weeks after we changed the password we need to change it again. Plus we have to use a password with at least 20 characters; that's why I use a program called KeePass. I can generate different and strong passwords, save them, and reduce the risk of the same thing happening that happened to that sm.org admin.
Another way, though I think it can get a little annoying, is the system that steampowered.com uses for user accounts: it asks for a small code when we change computer or IP address.

Norodo

  • Oh you Baidu, so randumb. (60 sites being indexed at once? Jeez)
  • Posts: 469
Re: SM.org compromised
« Reply #53, on August 7th, 2013, 12:30 PM »
Quote from markham on August 7th, 2013, 09:38 AM
Quote from Arantor on August 7th, 2013, 04:10 AM
The problem is if a user hasn't changed it in a period of time (e.g. a week after it was force-expired), it needs to be changed automatically but there are security issues with that, e.g. if the user's email is outdated, but also emailing a new password out is inherently insecure too. There's not really a truly great way to solve that aspect.
Can it not be automatically and silently changed to some random series of characters (without sending out any notifications)? Should that user attempt to log on in future, he will have to go through the "lost password" routine.
I'd be pissed off if I had to do that. Talk about unintuitive.

No I did not forget my password, you changed it!

EDIT: In addition, passwords that change without notification are usually a sign you have malware. That's not something I'd like to be led to believe in vain.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #54, on August 7th, 2013, 06:01 PM »
Yup, passwords that change without notification are usually indeed a sign that something bad has happened. Malware? Maybe. What it does show is that your account has almost certainly been tampered with but not necessarily via malware - there are other ways for your account to be tampered with.

It's tough because I don't want to create a situation where a user is locked out of an account with no way back in, which is very possible in this situation.

Norodo

  • Oh you Baidu, so randumb. (60 sites being indexed at once? Jeez)
  • Posts: 469
Re: SM.org compromised
« Reply #55, on August 7th, 2013, 07:05 PM »
Quote from Arantor on August 7th, 2013, 06:01 PM
Yup, passwords that change without notification are usually indeed a sign that something bad has happened. Malware? Maybe. What it does show is that your account has almost certainly been tampered with but not necessarily via malware - there are other ways for your account to be tampered with.
Well obviously someone might have been looking over my shoulder or hacked into my WLAN or there might be some rogue admin but I think it's far more probable some kind of bullshit program.

The reason I thought that exact way right now was because this just happened to me. Microsoft Security Essentials does apparently NOT cover your ass sufficiently. <_<

After a ton of safe mode and other tricks I finally gave up, installed NOD32, and I am now a happy camper again. My online passwords are far safer too!

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #56, on August 7th, 2013, 07:34 PM »
Quote
Well obviously someone might have been looking over my shoulder or hacked into my WLAN or there might be some rogue admin but I think it's far more probable some kind of bullshit program.
Or the server was hacked into. Or someone brute forced your password. There are many exciting and interesting ways that this stuff can happen.

But yeah, anything that changes without good reason is a sign that something is up.

Norodo

  • Oh you Baidu, so randumb. (60 sites being indexed at once? Jeez)
  • Posts: 469
Re: SM.org compromised
« Reply #57, on August 7th, 2013, 07:42 PM »
Brute forcing my password without a hash or anything should be fairly impossible, but yes, of course you're right. I'm just telling you the reason I went straight for the "malicious software" idea.

xrunner

  • Posts: 192
Re: SM.org compromised
« Reply #58, on August 13th, 2013, 02:41 AM »
I hate passwords. >:(

Or passcodes or passphrases or whatever the f**k. Certainly most of them these days aren't passwords like platypus or pineapple. Those days are long gone.

Anymore you are required to add capitals and numbers and special characters - oh and not more than 2 capitals and 3 specials characters and blah blah blah ... not to mention that different sites have different requirements so your special neato passthing with 3 numbers and 4 capitals won't be accepted as a passthing on other sites. Can we all get along?

I can't even remember all the passthings I have now, I have a special spreadsheet with them all listed.

Oh yes, and the spreadsheet itself has a password. :heck:

Why can't it be simpler?

Over to the Super Brains that hang out here.

nolsilang

  • Lurking
  • Posts: 106
Re: SM.org compromised
« Reply #59, on August 13th, 2013, 08:44 AM »
@xrunner: I suggest using KeePass or LastPass to manage your passwords; they have a password generator that can be automatically applied and saved when you create an account. You just need to remember your master password; try to make it a very long passphrase[1]. Well, the caveat is that when your master password is known/breached then it's... not good.
[1] Relevant xkcd: http://xkcd.com/936/
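The "very long passphrase" advice above, with the arithmetic behind the linked xkcd strip, as an added example for this page (not part of the original post, and not KeePass or LastPass code). WORDS is a constructed 16-word stand-in for a real word list (the EFF long list has 7776 words); the entropy figures are always computed from the list actually used, so the stand-in gives an honestly low number.

```python
"""Generate a random passphrase and measure what it buys you.

Added example; not from the original post. WORDS is a constructed stand-in
for a real list; entropy is computed from the list actually used.
"""
import math
import secrets

WORDS = ["correct", "horse", "battery", "staple", "cloud", "anchor", "velvet", "orbit",
         "lantern", "meadow", "pixel", "quartz", "rhythm", "saddle", "tundra", "walnut"]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Bits of entropy for n_words drawn uniformly and independently from list_size."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits with the given list."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words=WORDS, n: int = 4, sep: str = " ") -> str:
    """Each word comes from secrets.choice (the OS CSPRNG); random.choice must not be used here."""
    return sep.join(secrets.choice(words) for _ in range(n))
```

Four words from a 2048-word list is the strip's 44 bits; reaching 80 bits with the 7776-word EFF list takes seven words. The strength comes entirely from the uniform random draw, which is why the generator uses secrets rather than random and why a hand-picked "memorable" phrase gets no credit from this calculation.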