
Password Length

Started by FredT, May 12, 2022, 04:25:53 AM


FredT

When a new user registers we have 3 options:

Low- with at least 4 letters
medium - can not include username
high - mixed with upper/lower case characters (letters, numbers, special characters)

Would it not make sense to be more precise and more secure, such as:

low - minimum 6 letters, lower/upper case, must contain numbers (e.g. xYz123)
medium - minimum 8 letters, lower/upper case, must contain numbers and special characters (e.g. xYz123!_)
high - more than 8 letters, lower/upper case, must contain numbers and special characters, and a single English word (e.g. xYz12!_apple2)

Users are calling me, saying they are confused when signing in about how many characters / what form the password should at least have.

Source for more information:
https://account.cern.ch/account/Help/?kbid=020040

Thanks a lot
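The three proposed tiers, turned into a checker that tells the user exactly which rule failed, since the complaint is that users do not know what form the password has to take. This is an added example, not SMF's own code or FredT's; the tier table, the `check_password` and `describe_tier` functions and the tiny word list are constructed assumptions (an English-word requirement needs a real dictionary file in practice). The existing "must not contain the username" rule is kept for every tier.

```python
import string

# Constructed tier table following the three levels proposed in the post:
# low = 6+ chars, mixed case, digit; medium = 8+ chars plus a special character;
# high = more than 8 chars plus a special character and an English word.
TIERS = {
    "low":    {"min_len": 6, "special": False, "word": False},
    "medium": {"min_len": 8, "special": True,  "word": False},
    "high":   {"min_len": 9, "special": True,  "word": True},
}

# Constructed stand-in for an English word list (assumption); a real deployment
# would load a dictionary file instead of this handful of words.
ENGLISH_WORDS = {"apple", "house", "river", "forum", "light"}


def check_password(password: str, tier: str, username: str = "",
                   words: set[str] = ENGLISH_WORDS) -> list[str]:
    """Return the list of rules the password fails for the given tier.

    An empty list means the password is acceptable. Every failure is a plain
    sentence that can be shown on the registration form, so the user learns
    exactly what is missing instead of guessing.
    """
    rules = TIERS[tier]
    failures = []
    if len(password) < rules["min_len"]:
        failures.append(f"must be at least {rules['min_len']} characters long")
    if not any(c.islower() for c in password):
        failures.append("must contain a lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("must contain an upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("must contain a number")
    if rules["special"] and not any(c in string.punctuation for c in password):
        failures.append("must contain a special character such as ! or _")
    if rules["word"] and not any(w in password.lower() for w in words):
        failures.append("must contain an English word")
    # The current 'medium' rule (no username in the password) applies everywhere.
    if username and username.lower() in password.lower():
        failures.append("must not contain your username")
    return failures


def describe_tier(tier: str) -> str:
    """One-line summary of a tier's requirements, suitable for the sign-up page."""
    rules = TIERS[tier]
    parts = [f"at least {rules['min_len']} characters",
             "upper- and lower-case letters", "a number"]
    if rules["special"]:
        parts.append("a special character")
    if rules["word"]:
        parts.append("an English word")
    return f"{tier}: " + ", ".join(parts)


if __name__ == "__main__":
    samples = (("low", "xYz123"), ("medium", "xYz123!_"), ("high", "xYz12!_apple2"))
    for tier, sample in samples:
        print(describe_tier(tier))
        print(f"  {sample!r}: {check_password(sample, tier) or 'ok'}")
```

The three example passwords from the post pass their respective tiers; a password that fails several rules gets every failure listed at once rather than one at a time.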

Arantor

The original rules were written in 2004. The internet was a different place back then. The reality is that it will accept anything beyond the criteria given, so low really is "four letters".

The problem with changing it is that you suddenly have to deal with users who have passwords that are currently valid that are suddenly redefined to not be valid.

Also I'd note that users can be more secure if they want - nothing stops them using something generated, but I'd also note that a lot of these so-called password rules end up both generating weaker passwords (because people do the bare minimum to get it through to keep it memorable) while also restricting pass phrases in the Diceware fashion (several random words, far far better for memorability and entropy against brute forcing).
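To make the entropy point concrete, here is an added example (not Arantor's or SMF's code) that compares the brute-force search space of the current "four letters" minimum, a fully random 8-character password, the predictable bare-minimum shape users tend to produce under a complexity rule, and a five-word Diceware passphrase. The shape model in `bare_minimum_bits`, the four-symbol assumption and the 1e10 guesses/second rate are constructed assumptions for illustration.

```python
import math

# Standard Diceware list size (6^5 words), the "Diceware fashion" the post refers to.
DICEWARE_WORDS = 7776
# Printable ASCII minus space: 26 + 26 + 10 letters/digits + 32 symbols.
FULL_CHARSET = 94


def uniform_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password whose every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def bare_minimum_bits(symbol_choices: int = 4) -> float:
    """Entropy of the predictable shape 'Capital letter, five lower-case letters,
    one digit, one symbol' that satisfies an 8-character complexity rule.

    Assumption (constructed for illustration): the attacker knows the shape and
    the trailing symbol is one of `symbol_choices` popular characters.
    """
    return (math.log2(26)            # the one capital letter
            + 5 * math.log2(26)      # five lower-case letters
            + math.log2(10)          # the digit
            + math.log2(symbol_choices))


def diceware_bits(word_count: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of `word_count` words rolled from a Diceware list."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every candidate at the given guess rate.

    The default rate is an assumed round figure for offline cracking of a fast
    hash; a slow password hash such as bcrypt lowers it by orders of magnitude.
    """
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare() -> dict[str, float]:
    """Entropy of the policies discussed in the thread, in bits."""
    return {
        "current low: 4 random letters": uniform_bits(4, 26),
        "8 chars, fully random, 94-symbol set": uniform_bits(8, FULL_CHARSET),
        "8 chars, bare-minimum shape": bare_minimum_bits(),
        "5-word Diceware passphrase": diceware_bits(5),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:40s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

The numbers show the two halves of the argument: a bare-minimum complexity password (about 33 bits) is far weaker than the 52 bits the same length would give if it were truly random, while five Diceware words (about 65 bits) beat both and remain memorable.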

FredT

Yeah, I can hear you. I think this would also need an "enforce password change" policy for older passwords. But I think in times of forum hacks and cybercrime I would make such a security change mandatory.

As long as you run your little hobby/game forum, no problem. But when you use it in your company with European DSGVO/GDPR rules it is mandatory, or no company out there would use SMF - because they are simply not allowed to by law.

Arantor

Personally I think there are bigger concerns for data privacy compliance in SMF than password security. And I don't actually remember the GDPR mandating good password security, but it has been a while since I read both the original GDPR and my country's implementation of it.

Kindred

There's still no password policy in gdpr as far as I know...

And as stated, there is no reason why an individual forum could not require something stronger... but forcing users to change passwords is fraught with annoyance, difficulties, and problems.

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

FredT

Not sure either but I think it could fall into GDPR - Data Security/ Data Protection.

Here are the specific GDPR Password requirements:

What Should Be Considered for a GDPR Password Policy?

-Passwords should be a minimum of 8 characters in length but preferably longer. ...
-Forcing the use of complex passwords (passwords having to consist of numbers, letters, and symbols) or, better again, long passphrases.
-New passwords must be different from previously used passwords. ...
-Avoid dictionary words. ...
-The password should not contain personal information.

Here also is another, more detailed source:
https://www.compliancejunction.com/gdpr-password-requirements/

Maybe something to consider for laterz

Arantor

Password policy is NOT mandated explicitly by the GDPR. If actual rules were mandated, they would quickly become out of date.

The nearest is Article 32 which talks about the responsibilities of data processors and data controllers to control access to systems and by extension personal data.

If you can show me where the GDPR mandates secure passwords, I'd *love* to see it - and I don't mean some interpretation through a vendor or a blog post, I mean either the actual GDPR wording, or the transposition into a country's law for it.

There are tools in 2.1 for more senior accounts (e.g. admin) to require use of 2FA as their accounts are by nature higher access and can see personal data that wouldn't be visible to normal users.

FredT

There is no password law.

There are just GDPR/DSGVO laws and compliance recommendations.
You can follow the rules as a company, or not.

If you do follow a compliance guideline, you are mostly fine.
If you do not follow it and some company is thoughtless or mindless, they can and will be hacked, or pay for data loss, or, or, or... a smart justice will blame it all on you / a specific company or whatever :)

Everything can, but nothing has to be.

As a site admin or network admin I will always strive to do my best. When I have the tools, I will use 'em.
