
[2.1/mod] Password Force Change/ Password Flagging.

Started by Benchtech, January 10, 2012, 03:41:14 PM

Benchtech

I have been discussing this on a similar request but I would like a variation.

I would like to be able to force a user to change their password upon the next login. When I have to reset users' passwords for them the best I can do is tell them to change their password when they have logged in, as I usually change it to something very simple in order to make the process as easy as possible. The trouble is users often don't bother to navigate to their profile and change their password and some don't know how. If they were forced to do this when an admin ticked the 'Require Password Change on Next Login' box then it would be much simpler. I have attached screenshots below of how it is done on Google Apps.


Here admin has the option to change the password and also the option to force a change of password upon the next login.


This then pops up upon the next login of the user and the specified user cannot use any functionality of the website before this is changed.

I seriously believe this feature would improve security and also would be loved by admins all over the SMF community. Please include it ;D ;D ;D
Owner, admin and member of benchtech forums.

Kindred

not that I disagree with the concept (although I'd never use it)

but why do you think this would improve security?
As has already been said - forcing users to change their password just means that they will either a) use a simplistic password or b) write it down, thus violating all security protocols. :P

However...   as I started out saying, it's not a bad idea...   security improvement (or not) aside...
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.
No good deed goes unpunished
All helpful urges should be circumvented

Benchtech

Quote from: Kindred on January 10, 2012, 04:41:24 PM
not that I disagree with the concept (although I'd never use it)

but why do you think this would improve security?
As has already been said - forcing users to change their password just means that they will either a) use a simplistic password or b) write it down, thus violating all security protocols. :P

However...   as I started out saying, it's not a bad idea...   security improvement (or not) aside...

Say a user contacts you and they cannot access their account at all, or a friend or someone you know forgets their password and needs it resetting. I reset it for them; it's no good making it complicated because they will just forget it again, so I set something simple such as 'password' or 'changeme'. Now, without the option to force password changes there is no way to make sure they change their passwords: some users forget, some can't be bothered and some have no idea about security. Forcing them to change it ensures that they change their password whether they like it or not. It also makes it a lot easier than navigating to profile settings, and I believe it would be a useful feature, especially for professional forums. I guess that is why Google have it.

Ben.
Owner, admin and member of benchtech forums.

青山 素子

Quote from: arrowtotheknee on January 10, 2012, 05:14:33 PM
The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.

That's my first thought. It's also good if you are migrating to different servers and want to force a mass-refresh of passwords out of paranoia's sake.

Quote from: Benchtech on January 10, 2012, 05:43:27 PM
Say a user contacts you and they cannot access their account at all, or a friend or someone you know forgets their password and needs it resetting.

In general, the password reset functionality of SMF works well. Enter in your username and you get a password reset link at your registered e-mail address. I generally prefer self-service options where possible.

The best case for this feature is when creating user accounts directly and you want to force a new password to be chosen on the first login of that account.

For the ability to use this option in these types of situations, I think it's a good feature to consider implementing. It shouldn't be too difficult compared to other changes as it could be implemented with a single status flag that's checked on login.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Benchtech

Quote from: 青山 素子 on January 10, 2012, 07:21:35 PM
Quote from: arrowtotheknee on January 10, 2012, 05:14:33 PM
The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.

That's my first thought. It's also good if you are migrating to different servers and want to force a mass-refresh of passwords out of paranoia's sake.

Quote from: Benchtech on January 10, 2012, 05:43:27 PM
Say a user contacts you and they cannot access their account at all, or a friend or someone you know forgets their password and needs it resetting.

In general, the password reset functionality of SMF works well. Enter in your username and you get a password reset link at your registered e-mail address. I generally prefer self-service options where possible.

The best case for this feature is when creating user accounts directly and you want to force a new password to be chosen on the first login of that account.

For the ability to use this option in these types of situations, I think it's a good feature to consider implementing. It shouldn't be too difficult compared to other changes as it could be implemented with a single status flag that's checked on login.

The way I see it is: it won't cause any danger to users unless an overactive admin forces changes all the time and it makes users set stupid passwords, and it does have a use for increasing security, and in the battle between bots and forums any slight increase is a worthy one. Plus it doesn't seem too hard to implement, as said above (not that I would have the slightest clue where to start).
Owner, admin and member of benchtech forums.

Arantor

In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.
No good deed goes unpunished
All helpful urges should be circumvented

Benchtech

Quote from: arrowtotheknee on January 11, 2012, 11:02:30 AM
In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.

I'd love to know how you work that one out. A user wants their password resetting, I change it to 'password', he doesn't bother or doesn't know how to change it, bots spam the forum and try to log in with current usernames, and one of the most basic passwords to try is 'password'. Account = Compromised.

Or, I force them to change it, they change it, job done.

You'd have to be a moron to say it would make no difference at all.
Owner, admin and member of benchtech forums.

Arantor

Well done for missing the point.

Users with bad passwords are a security threat, yes. So you force them to reset it. They pick another bad password. There's still a problem there, but I guess it's beneath your level of concern because you think you've dealt with the problem.

Forcing the password to be changed doesn't solve the problem, it relocates it. But I guess I'm obviously a moron, never mind the fact that bots that actually attempt to brute force passwords actually aren't all that common (having been running a specialist honeypot for over a year that actually specifically observes such attempts), and the only time it ever really came to light for SMF was about the same time I started on said honeypot, after observing a lot of bruteforcing attempts. The bots, in fact, were going through a list of about 50 most common passwords, of which password was merely one of many. Second most popular was password1.

Point is: the more you push users to reset their passwords, especially given how many the average user has to deal with, the more they're going to PICK STUPID PASSWORDS. No matter what you do to try and beat it into them with a big stick that they're not supposed to.
No good deed goes unpunished
All helpful urges should be circumvented

青山 素子

Quote from: Benchtech on January 11, 2012, 10:58:50 AM
It won't cause any danger to users unless an overactive admin forces changes all the time and it makes users set stupid passwords, and it does have a use for increasing security,

It's better than offering those admins a way to force password expiration as they could just set it to a very low value like 14 days. As for security, it helps but not in the way you are probably thinking.


Quote from: Benchtech on January 11, 2012, 10:58:50 AM
and in the battle between bots and forums any slight increase is a worthy one.

It probably won't make any difference in the "battle" unless you're choosing weak passwords to assign.

But, back to security. You are probably thinking that it will help the user make a strong password. It most certainly won't. A stupid user will still use a stupid password. My thoughts are more of the kind that if you write down a temporary password to hand to someone or send through e-mail, that password is already compromised. If the e-mail server or account are compromised, the attacker has that password. If someone sees the password written down, they know that password. Forcing a change from it secures against your temporary password being exposed and ensures that you do not know the password to that account. In no way does it protect a user from their own stupidity.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Benchtech

Quote from: arrowtotheknee on January 11, 2012, 11:09:58 AM
Well done for missing the point.

Users with bad passwords are a security threat, yes. So you force them to reset it. They pick another bad password. There's still a problem there, but I guess it's beneath your level of concern because you think you've dealt with the problem.

Forcing the password to be changed doesn't solve the problem, it relocates it. But I guess I'm obviously a moron, never mind the fact that bots that actually attempt to brute force passwords actually aren't all that common (having been running a specialist honeypot for over a year that actually specifically observes such attempts), and the only time it ever really came to light for SMF was about the same time I started on said honeypot, after observing a lot of bruteforcing attempts. The bots, in fact, were going through a list of about 50 most common passwords, of which password was merely one of many. Second most popular was password1.

Point is: the more you push users to reset their passwords, especially given how many the average user has to deal with, the more they're going to PICK STUPID PASSWORDS. No matter what you do to try and beat it into them with a big stick that they're not supposed to.

You have also missed the point. I am not suggesting the feature is used to force a password change periodically, as you're right, that will do little in the way of security. I am suggesting the feature SOLELY for the idea of resetting people's passwords, or for when accounts are created for them, as is its purpose on Google Apps. People are not going to tell you their password so you can set it for them when making or resetting an account, and them doing so would be another security risk, so the idea of forcing them to change it eliminates the risk of them forgetting, or not knowing how to change it.

But I suppose you know all there is to know about security and someone as stupid and unknowledgeable as me can't recommend any security improvements.
Owner, admin and member of benchtech forums.

Arantor

No, you set it to a randomly made password, not 'password' so it's immediately secure from bot attacks that you were talking about, then you tell them how to change it should they want to. Forcing a password change is actually not that conducive to security, as multiple studies have shown.

No, I don't know all there is to know about security, but I do know when something will be less secure and when someone won't listen to arguments provided to the contrary. There are times for this feature, the times you're thinking of are not those times.
No good deed goes unpunished
All helpful urges should be circumvented

青山 素子

Quote from: arrowtotheknee on January 11, 2012, 12:32:39 PM
No, you set it to a randomly made password, not 'password' so it's immediately secure from bot attacks that you were talking about, then you tell them how to change it should they want to.

Yeah, I usually generate a 14-character long password using upper, lower case, numbers, and dashes. Needless to say, some people aren't happy to type all that in.


Quote from: arrowtotheknee on January 11, 2012, 12:32:39 PM
Forcing a password change is actually not that conducive to security, as multiple studies have shown.

It can be useful in certain situations.


Quote from: arrowtotheknee on January 11, 2012, 12:32:39 PM
There are times for this feature, the times you're thinking of are not those times.

Agreed, to a point.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
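The single status flag checked on login that Motoko-chan describes above, the randomly generated temporary password Arantor and Motoko-chan prefer, and the point that a forced change means the admin no longer knows the password, all in one sketch. This is an added illustration written for this page, not SMF code or any poster's code; the in-memory user store, the function names and the 14-character alphabet are assumptions.

```php
<?php
// Added illustration, not SMF code: one "must change password" flag checked at login.
declare(strict_types=1);

// Constructed in-memory user store: password hash plus the status flag.
$users = ['alice' => ['hash' => password_hash('old-password', PASSWORD_DEFAULT), 'must_change' => false]];

// Temporary password: 14 chars of upper, lower, digits and dashes from a CSPRNG.
function generate_temp_password(int $length = 14): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Admin reset: store only the hash and set the flag; the plaintext goes to the user
// out of band. After the forced change the admin no longer knows the password.
function admin_reset_password(array &$users, string $name): string {
    $temp = generate_temp_password();
    $users[$name]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = true;
    return $temp;
}

// Compromise response: flag every account so each user must pick a new password.
function force_reset_all(array &$users): void {
    foreach ($users as &$u) { $u['must_change'] = true; }
    unset($u);
}

// Login: 'denied', 'change_required' or 'ok'. While the flag is set, the session
// may only reach the change-password page.
function login(array $users, string $name, string $password): string {
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return 'denied';
    }
    return $users[$name]['must_change'] ? 'change_required' : 'ok';
}

// Change: needs the current (temporary) password, rejects reusing it, and clears
// the flag only after the new hash is stored.
function change_password(array &$users, string $name, string $current, string $new): bool {
    if (login($users, $name, $current) === 'denied' || $new === $current || strlen($new) < 8) {
        return false;
    }
    $users[$name]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = false;
    return true;
}

$temp = admin_reset_password($users, 'alice');
assert(login($users, 'alice', $temp) === 'change_required');
assert(change_password($users, 'alice', $temp, 'a-longer-new-passphrase') && login($users, 'alice', 'a-longer-new-passphrase') === 'ok');
```

The key property is that a login result of 'change_required' must gate every other action, not just show a reminder; otherwise the flag does nothing.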


Kindred

Ok...  let's just chill a little bit here.

Benchtech, we've already pointed out that we can see a purpose for this thought... However, that purpose is not at all related to "security" as forcing a user to change their password really does nothing for security.


Arantor...   no need to snipe at him... he's not being demanding and he is trying to argue his point logically
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

I don't snipe at people until they start out by calling me a moron.
No good deed goes unpunished
All helpful urges should be circumvented

Benchtech

Quote from: arrowtotheknee on January 11, 2012, 02:21:34 PM
I don't snipe at people until they start out by calling me a moron.

If you have a look back I never called you a moron specifically.
Owner, admin and member of benchtech forums.

Benchtech

Also, could someone look into applying or declining this, if you wouldn't mind :)
Owner, admin and member of benchtech forums.

Arantor

If I have a look back, I see precisely this post. Bolding is mine.

Quote from: Benchtech on January 11, 2012, 11:04:48 AM
Quote from: arrowtotheknee on January 11, 2012, 11:02:30 AM
In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.

I'd love to know how you work that one out. A user wants their password resetting, I change it to 'password', he doesn't bother or doesn't know how to change it, bots spam the forum and try to log in with current usernames, and one of the most basic passwords to try is 'password'. Account = Compromised.

Or, I force them to change it, they change it, job done.

You'd have to be a moron to say it would make no difference at all.

And in the very post I quoted, I said it would make no difference at all, so since I said it would make no difference at all, and you assert that only a moron would say it would make no difference... I must by definition be a moron.

Also, if you care to look back over the pages of threads here, stuff very rarely ever moves out of this board, into applied/declined or indeed anywhere else (except to mod requests)
No good deed goes unpunished
All helpful urges should be circumvented

Benchtech

Quote from: arrowtotheknee on January 18, 2012, 11:08:27 AM
If I have a look back, I see precisely this post. Bolding is mine.

Quote from: Benchtech on January 11, 2012, 11:04:48 AM
Quote from: arrowtotheknee on January 11, 2012, 11:02:30 AM
In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.

I'd love to know how you work that one out. A user wants their password resetting, I change it to 'password', he doesn't bother or doesn't know how to change it, bots spam the forum and try to log in with current usernames, and one of the most basic passwords to try is 'password'. Account = Compromised.

Or, I force them to change it, they change it, job done.

You'd have to be a moron to say it would make no difference at all.

And in the very post I quoted, I said it would make no difference at all, so since I said it would make no difference at all, and you assert that only a moron would say it would make no difference... I must by definition be a moron.

Also, if you care to look back over the pages of threads here, stuff very rarely ever moves out of this board, into applied/declined or indeed anywhere else (except to mod requests)

I still never called you a moron, if you've diagnosed yourself as one, then there's not much I can do about that.
Owner, admin and member of benchtech forums.

Arantor

I just applied logic to what you stated. If what you stated is incorrect...
No good deed goes unpunished
All helpful urges should be circumvented
