SMF Development > Next SMF Discussion

[2.1/mod] Password Force Change/ Password Flagging.


Benchtech:

--- Quote from: 青山 素子 on January 10, 2012, 07:21:35 PM ---
--- Quote from: arrowtotheknee on January 10, 2012, 05:14:33 PM ---The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.

--- End quote ---

That's my first thought. It's also good if you are migrating to different servers and want to force a mass-refresh of passwords out of paranoia's sake.


--- Quote from: Benchtech on January 10, 2012, 05:43:27 PM ---Say a user contacts you and they cannot access their account at all, or a friend or someone you know forgets their password and needs it resetting.

--- End quote ---

In general, the password reset functionality of SMF works well. Enter in your username and you get a password reset link at your registered e-mail address. I generally prefer self-service options where possible.

The best case for this feature is when creating user accounts directly and you want to force a new password to be chosen on the first login of that account.

For the ability to use this option in these types of situations, I think it's a good feature to consider implementing. It shouldn't be too difficult compared to other changes as it could be implemented with a single status flag that's checked on login.

--- End quote ---

The way I see it is this: it won't cause any danger to users unless an overactive admin forces changes all the time and it makes users set stupid passwords, and it does have a use for increasing security, and in the battle between bots and forums any slight increase is a worthy one. Plus it doesn't seem too hard to implement, as said above (not that I would have the slightest clue where to start).

Arantor:
In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.

Benchtech:

--- Quote from: arrowtotheknee on January 11, 2012, 11:02:30 AM ---In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.

--- End quote ---

I'd love to know how you work that one out. A user wants their password resetting, I change it to 'password', he doesn't bother or doesn't know how to change it, bots spam the forum and try to log in with current usernames, and one of the most basic passwords to try is 'password'. Account = compromised.

Or, I force them to change it, they change it, job done.

You'd have to be a moron to say it would make no difference at all.

Arantor:
Well done for missing the point.

Users with bad passwords are a security threat, yes. So you force them to reset it. They pick another bad password. There's still a problem there, but I guess it's beneath your level of concern because you think you've dealt with the problem.

Forcing the password to be changed doesn't solve the problem, it relocates it. But I guess I'm obviously a moron, never mind the fact that bots that actually attempt to brute-force passwords actually aren't all that common (having been running a specialist honeypot for over a year that specifically observes such attempts), and the only time it ever really came to light for SMF was about the same time I started on said honeypot, after observing a lot of brute-forcing attempts. The bots, in fact, were going through a list of about 50 most common passwords, of which password was merely one of many. Second most popular was password1.

Point is: the more you push users to reset their passwords, especially given how many the average user has to deal with, the more they're going to PICK STUPID PASSWORDS. No matter what you do to try and beat it into them with a big stick that they're not supposed to.

青山 素子:

--- Quote from: Benchtech on January 11, 2012, 10:58:50 AM ---It won't cause any danger to users unless an overactive admin forces changes all the time and it makes users set stupid passwords, and it does have a use for increasing security,

--- End quote ---

It's better than offering those admins a way to force password expiration as they could just set it to a very low value like 14 days. As for security, it helps but not in the way you are probably thinking.



--- Quote from: Benchtech on January 11, 2012, 10:58:50 AM ---and in the battle between bots and forums any slight increase is a worthy one.

--- End quote ---

It probably won't make any difference in the "battle" unless you're choosing weak passwords to assign.

But, back to security. You are probably thinking that it will help the user make a strong password. It most certainly won't. A stupid user will still use a stupid password. My thoughts are more of the kind that if you write down a temporary password to hand to someone or send it through e-mail, that password is already compromised. If the e-mail server or account is compromised, the attacker has that password. If someone sees the password written down, they know that password. Forcing a change from it secures against your temporary password being exposed and ensures that you do not know the password to that account. In no way does it protect a user from their own stupidity.
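The "single status flag that's checked on login" from 青山 素子's earlier post, combined with the reasoning above that a handed-out temporary password is already exposed, as an added example written for this thread (a self-contained Python model, not SMF's PHP code; the account names, the password-hashing choice and the short common-password list are constructed stand-ins):

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the ~50 common passwords the thread says bots cycle through.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the admin who set a temporary password never learns the new one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change_password: bool = False  # the single status flag checked on login

class UserStore:
    def __init__(self):
        self.accounts = {}
    def _verify(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, acct.salt), acct.digest)
    def set_temporary_password(self, name: str, temp: str) -> None:
        # A temporary password sent by e-mail or written down is treated as already exposed.
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(temp, salt), must_change_password=True)
    def force_reset_all(self) -> None:
        # Blanket reset after a suspected compromise: every account must pick a new password.
        for acct in self.accounts.values():
            acct.must_change_password = True
    def login(self, name: str, password: str) -> str:
        acct = self.accounts.get(name)
        if acct is None or not self._verify(acct, password):
            return "denied"
        # Authenticated, but the only permitted action is choosing a new password.
        return "must_change_password" if acct.must_change_password else "ok"
    def change_password(self, name: str, current: str, new: str) -> str:
        acct = self.accounts.get(name)
        if acct is None or not self._verify(acct, current):
            return "denied"
        if self._verify(acct, new):
            return "rejected_same_as_current"  # keeping the exposed temporary password defeats the point
        if new.lower() in COMMON_PASSWORDS:
            return "rejected_common"  # the weak-choice problem a forced reset alone does not fix
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new, acct.salt)
        acct.must_change_password = False
        return "changed"
```

The flag only gates what an authenticated session may do; it does nothing about the quality of the replacement password unless a check like the common-password denylist is added alongside it.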
