
[2.1/mod] Password Force Change/ Password Flagging.


Benchtech:

--- Quote from: arrowtotheknee on January 11, 2012, 11:09:58 AM ---Well done for missing the point.

Users with bad passwords are a security threat, yes. So you force them to reset it. They pick another bad password. There's still a problem there, but I guess it's beneath your level of concern because you think you've dealt with the problem.

Forcing the password to be changed doesn't solve the problem; it relocates it. But I guess I'm obviously a moron, never mind the fact that bots that actually attempt to brute force passwords actually aren't all that common (having been running a specialist honeypot for over a year that actually specifically observes such attempts), and the only time it ever really came to light for SMF was about the same time I started on said honeypot, after observing a lot of brute-forcing attempts. The bots, in fact, were going through a list of about 50 most common passwords, of which "password" was merely one of many. Second most popular was "password1".

Point is: the more you push users to reset their passwords, especially given how many the average user has to deal with, the more they're going to PICK STUPID PASSWORDS. No matter what you do to try and beat it into them with a big stick that they're not supposed to.

--- End quote ---

You have also missed the point. I am not suggesting the feature is used to force a password change periodically, as you're right, that will do little in the way of security. I am suggesting the feature SOLELY for the idea of resetting people's passwords, or for when accounts are created for them, as is its purpose on Google Apps. People are not going to tell you their password so you can set it for them when making or resetting an account, and them doing so would be another security risk, so the idea of forcing them to change it eliminates the risk of them forgetting, or not knowing how to change it.

But I suppose you know all there is to know about security and someone as stupid and unknowledgeable as me can't recommend any security improvements.

Arantor:
No, you set it to a randomly made password, not 'password', so it's immediately secure from the bot attacks you were talking about, then you tell them how to change it should they want to. Forcing a password change is actually not that conducive to security, as multiple studies have shown.

No, I don't know all there is to know about security, but I do know when something will be less secure and when someone won't listen to arguments provided to the contrary. There are times for this feature, the times you're thinking of are not those times.

青山 素子:

--- Quote from: arrowtotheknee on January 11, 2012, 12:32:39 PM ---No, you set it to a randomly made password, not 'password' so it's immediately secure from bot attacks that you were talking about, then you tell them how to change it should they want to.

--- End quote ---

Yeah, I usually generate a 14-character long password using upper, lower case, numbers, and dashes. Needless to say, some people aren't happy to type all that in.
--- Quote from: arrowtotheknee on January 11, 2012, 12:32:39 PM ---Forcing a password change is actually not that conducive to security, as multiple studies have shown.

--- End quote ---

It can be useful in certain situations.
--- Quote from: arrowtotheknee on January 11, 2012, 12:32:39 PM ---There are times for this feature, the times you're thinking of are not those times.

--- End quote ---

Agreed, to a point.
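The kind of temporary password described above (14 characters from upper, lower, digits and dashes), generated with a CSPRNG and checked against the sort of most-common-password list the honeypot bots were cycling through, as an added example that is not code from the thread or from SMF; the common-password list here is a constructed sample, and the function names are assumptions:

```python
import math
import secrets
import string

# Character classes named in the post: upper, lower, digits, and dashes.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "-")
ALPHABET = "".join(CLASSES)

# Constructed sample standing in for a real "most common passwords" list such
# as the ~50-entry one the bots in the thread were trying.
COMMON_PASSWORDS = frozenset({"password", "password1", "123456", "qwerty", "letmein"})


def generate_temp_password(length: int = 14) -> str:
    """Return a random temporary password drawn with the OS CSPRNG.

    Guarantees at least one character from each class so the result can never
    be, say, all digits; the remaining positions are uniform over the alphabet.
    """
    if length < len(CLASSES):
        raise ValueError("length must cover every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password over the alphabet.

    The class guarantee above trims this slightly, so treat it as an upper bound.
    """
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when every character class is represented at least once."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def is_acceptable(password: str) -> bool:
    """Reject the passwords bots try first, plus anything very short."""
    return len(password) >= 8 and password.lower() not in COMMON_PASSWORDS
```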

Kindred:
Ok... let's just chill a little bit here.

Benchtech, we've already pointed out that we can see a purpose for this thought... However, that purpose is not at all related to "security" as forcing a user to change their password really does nothing for security.


Arantor... no need to snipe at him; he's not being demanding and he is trying to argue his point logically.

Arantor:
I don't snipe at people until they start out by calling me a moron.
