
Author Topic: [2.1/mod] Password Force Change/ Password Flagging.  (Read 40879 times)

Offline Benchtech

  • Semi-Newbie
  • *
  • Posts: 34
  • Just another forum owner. www.benchtech.co.uk
    • Benchtech Technology Forums
[2.1/mod] Password Force Change/ Password Flagging.
« on: January 10, 2012, 03:41:14 PM »
I have been discussing this on a similar request but I would like a variation.

I would like to be able to force a user to change their password upon the next login. When I have to reset users' passwords for them the best I can do is tell them to change their password when they have logged in, as I usually change it to something very simple in order to make the process as easy as possible. The trouble is users often don't bother to navigate to their profile and change their password and some don't know how. If they were forced to do this when an admin ticked the 'Require Password Change on Next Login' box then it would be much simpler. I have attached screenshots below of how it is done on Google Apps.


Here admin has the option to change the password and also the option to force a change of password upon the next login.


This then pops up upon the next login of the user and the specified user cannot use any functionality of the website before this is changed.

I seriously believe this feature would improve security and also would be loved by admins all over the SMF community. Please include it  ;D ;D ;D
« Last Edit: January 19, 2012, 09:10:23 AM by Norv »
Owner, admin and member of benchtech forums.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,115
  • Gender: Male
    • Kindred-999 on GitHub
Re: Password Force Change/ Password Flagging.
« Reply #1 on: January 10, 2012, 04:41:24 PM »
not that I disagree with the concept (although I'd never use it)

but why do you think this would improve security?
As has already been said - forcing users to change their password just means that they will either a) use a simplistic password or b) write it down, thus violating all security protocols. :P

However...   as I started out saying, it's not a bad idea...   security improvement (or not) aside...
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,044
    • Arantor on GitHub
Re: Password Force Change/ Password Flagging.
« Reply #2 on: January 10, 2012, 05:14:33 PM »
The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline Benchtech

Re: Password Force Change/ Password Flagging.
« Reply #3 on: January 10, 2012, 05:43:27 PM »
> not that I disagree with the concept (although I'd never use it)
>
> but why do you think this would improve security?
> As has already been said - forcing users to change their password just means that they will either a) use a simplistic password or b) write it down, thus violating all security protocols. :P
>
> However...   as I started out saying, it's not a bad idea...   security improvement (or not) aside...

Say a user contacts you and they cannot access their account at all, or a friend or someone you know forgets their password and needs it resetting. I reset it for them; it's no good making it complicated because they will just forget it again, so I set something simple such as password or changeme. Now, without the option to force password changes there is no way to make sure they change their passwords: some users forget, some can't be bothered and some have no idea about security. Forcing them to change it ensures that they change their password whether they like it or not. It also makes it a lot easier than navigating to profile settings, and I believe it would be a useful feature, especially for professional forums. I guess that is why Google have it.

Ben.

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,021
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Password Force Change/ Password Flagging.
« Reply #4 on: January 10, 2012, 07:21:35 PM »
> The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.

That's my first thought. It's also good if you are migrating to different servers and want to force a mass-refresh of passwords out of paranoia's sake.

> Say a user contacts you and they cannot access their account at all, or, a friend or someone you know forgets their password and needs it resetting.

In general, the password reset functionality of SMF works well. Enter in your username and you get a password reset link at your registered e-mail address. I generally prefer self-service options where possible.

The best case for this feature is when creating user accounts directly and you want to force a new password to be chosen on the first login of that account.

For the ability to use this option in these types of situations, I think it's a good feature to consider implementing. It shouldn't be too difficult compared to other changes as it could be implemented with a single status flag that's checked on login.
Motoko-chan
Director, Simple Machines

Just because it's pouring down doesn't mean we're gonna drown. There's a time when all you can say is let it rain - Mat Kearney (Let It Rain)

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline Benchtech

Re: Password Force Change/ Password Flagging.
« Reply #5 on: January 11, 2012, 10:58:50 AM »
> > The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.
>
> That's my first thought. It's also good if you are migrating to different servers and want to force a mass-refresh of passwords out of paranoia's sake.
>
> > Say a user contacts you and they cannot access their account at all, or, a friend or someone you know forgets their password and needs it resetting.
>
> In general, the password reset functionality of SMF works well. Enter in your username and you get a password reset link at your registered e-mail address. I generally prefer self-service options where possible.
>
> The best case for this feature is when creating user accounts directly and you want to force a new password to be chosen on the first login of that account.
>
> For the ability to use this option in these types of situations, I think it's a good feature to consider implementing. It shouldn't be too difficult compared to other changes as it could be implemented with a single status flag that's checked on login.

The way I see it is: it won't cause any danger to users unless an overactive admin forces changes all the time and it makes users set stupid passwords, and it does have a use for increasing security, and in the battle between bots and forums any slight increase is a worthy one. Plus it doesn't seem too hard to implement, as said above (not that I would have the slightest clue where to start).

Offline Arantor

Re: Password Force Change/ Password Flagging.
« Reply #6 on: January 11, 2012, 11:02:30 AM »
In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.

Offline Benchtech

Re: Password Force Change/ Password Flagging.
« Reply #7 on: January 11, 2012, 11:04:48 AM »
> In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.

I'd love to know how you work that one out. A user wants their password resetting, I change it to password, he doesn't bother or doesn't know how to change it, bots spam the forum and try to log in with current usernames, and one of the most basic passwords to try is 'password'. Account = Compromised.

Or, I force them to change it, they change it, job done.

You'd have to be a moron to say it would make no difference at all.

Offline Arantor

Re: Password Force Change/ Password Flagging.
« Reply #8 on: January 11, 2012, 11:09:58 AM »
Well done for missing the point.

Users with bad passwords are a security threat, yes. So you force them to reset it. They pick another bad password. There's still a problem there, but I guess it's beneath your level of concern because you think you've dealt with the problem.

Forcing the password to be changed doesn't solve the problem, it relocates it. But I guess I'm obviously a moron, never mind the fact that bots that actually attempt to brute force passwords actually aren't all that common (having been running a specialist honeypot for over a year that actually specifically observes such attempts), and the only time it ever really came to light for SMF was about the same time I started on said honeypot, after observing a lot of bruteforcing attempts. The bots, in fact, were going through a list of about 50 most common passwords, of which password was merely one of many. Second most popular was password1.

Point is: the more you push users to reset their passwords, especially given how many the average user has to deal with, the more they're going to PICK STUPID PASSWORDS. No matter what you do to try and beat it into them with a big stick that they're not supposed to.

Offline 青山 素子

Re: Password Force Change/ Password Flagging.
« Reply #9 on: January 11, 2012, 12:11:19 PM »
> It won't cause any danger to users unless an overactive admin forces changes all the time and it makes users set stupid passwords, and it does have a use for increasing security,

It's better than offering those admins a way to force password expiration as they could just set it to a very low value like 14 days. As for security, it helps but not in the way you are probably thinking.


> and in the battle between bots and forums any slight increase is a worthy one.

It probably won't make any difference in the "battle" unless you're choosing weak passwords to assign.

But, back to security. You are probably thinking that it will help the user make a strong password. It most certainly won't. A stupid user will still use a stupid password. My thoughts are more of the kind that if you write down a temporary password to hand to someone or send through e-mail, that password is already compromised. If the e-mail server or account are compromised, the attacker has that password. If someone sees the password written down, they know that password. Forcing a change from it secures against your temporary password being exposed and ensures that you do not know the password to that account. In no way does it protect a user from their own stupidity.


Offline Benchtech

Re: Password Force Change/ Password Flagging.
« Reply #10 on: January 11, 2012, 12:25:57 PM »
> Well done for missing the point.
>
> Users with bad passwords are a security threat, yes. So you force them to reset it. They pick another bad password. There's still a problem there, but I guess it's beneath your level of concern because you think you've dealt with the problem.
>
> Forcing the password to be changed doesn't solve the problem, it relocates it. But I guess I'm obviously a moron, never mind the fact that bots that actually attempt to brute force passwords actually aren't all that common (having been running a specialist honeypot for over a year that actually specifically observes such attempts), and the only time it ever really came to light for SMF was about the same time I started on said honeypot, after observing a lot of bruteforcing attempts. The bots, in fact, were going through a list of about 50 most common passwords, of which password was merely one of many. Second most popular was password1.
>
> Point is: the more you push users to reset their passwords, especially given how many the average user has to deal with, the more they're going to PICK STUPID PASSWORDS. No matter what you do to try and beat it into them with a big stick that they're not supposed to.

You have also missed the point. I am not suggesting the feature is used to force a password change periodically, as you're right, that will do little in the way of security. I am suggesting the feature SOLELY for the purpose of resetting people's passwords, or for when accounts are created for them, as is its purpose on Google Apps. People are not going to tell you their password so you can set it for them when making or resetting an account, and them doing so would be another security risk, so the idea of forcing them to change it eliminates the risk of them forgetting, or not knowing how to change it.

But I suppose you know all there is to know about security and someone as stupid and unknowledgeable as me can't recommend any security improvements.

Offline Arantor

Re: Password Force Change/ Password Flagging.
« Reply #11 on: January 11, 2012, 12:32:39 PM »
No, you set it to a randomly made password, not 'password' so it's immediately secure from bot attacks that you were talking about, then you tell them how to change it should they want to. Forcing a password change is actually not that conducive to security, as multiple studies have shown.

No, I don't know all there is to know about security, but I do know when something will be less secure and when someone won't listen to arguments provided to the contrary. There are times for this feature, the times you're thinking of are not those times.

Offline 青山 素子

Re: Password Force Change/ Password Flagging.
« Reply #12 on: January 11, 2012, 12:37:21 PM »
> No, you set it to a randomly made password, not 'password' so it's immediately secure from bot attacks that you were talking about, then you tell them how to change it should they want to.

Yeah, I usually generate a 14-character long password using upper, lower case, numbers, and dashes. Needless to say, some people aren't happy to type all that in.


> Forcing a password change is actually not that conducive to security, as multiple studies have shown.

It can be useful in certain situations.


> There are times for this feature, the times you're thinking of are not those times.

Agreed, to a point.
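The mechanism the thread converges on can be shown in a few functions: the single "must change password on next login" status flag that reply #4 says is checked on login, the randomly generated temporary password reply #11 and #12 prefer over 'password', the reasoning in reply #9 that a temporary password handed to someone is already exposed (so the change-password step must refuse to keep it), and the mass flag-set for the post-compromise case from replies #2 and #4. The following is an added example in Python, not SMF code and not code from any poster; the Member record, the function names, the hashing parameters and the three-entry COMMON_PASSWORDS denylist (the three passwords named in this thread) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Constructed denylist: the passwords the thread names as what bots try or
# admins hand out. A real deployment would use a far larger list.
COMMON_PASSWORDS = {"password", "password1", "changeme"}
MIN_LENGTH = 8
# Reply #12's alphabet for temporary passwords: upper, lower, digits, dashes.
TEMP_ALPHABET = string.ascii_letters + string.digits + "-"
PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


@dataclass
class Member:
    """Hypothetical member record; the flag is the single status bit from reply #4."""
    name: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    must_change_password: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(member: Member, password: str) -> bool:
    # Constant-time comparison of the stored hash against the candidate.
    return hmac.compare_digest(member.pw_hash, hash_password(password, member.salt))


def set_password(member: Member, password: str) -> None:
    member.salt = secrets.token_bytes(16)
    member.pw_hash = hash_password(password, member.salt)


def generate_temp_password(length: int = 14) -> str:
    # CSPRNG-backed, 14 characters as in reply #12.
    return "".join(secrets.choice(TEMP_ALPHABET) for _ in range(length))


def admin_reset_password(member: Member) -> str:
    """Admin-side reset: random temporary password plus the flag.

    The returned string is handed to the user out of band, which is exactly why
    it must not survive as the account's real password (reply #9).
    """
    temp = generate_temp_password()
    set_password(member, temp)
    member.must_change_password = True
    return temp


def force_reset_all(members) -> int:
    """Blanket flag-set after a compromise or migration (replies #2 and #4).

    Only the flag is touched; every member picks a new password at next login.
    Returns the number of accounts flagged.
    """
    count = 0
    for member in members:
        member.must_change_password = True
        count += 1
    return count


def login(member: Member, password: str) -> str:
    """The login check: 'denied', 'must_change_password' (gate everything
    except the change-password page) or 'ok'."""
    if not verify_password(member, password):
        return "denied"
    if member.must_change_password:
        return "must_change_password"
    return "ok"


def change_password(member: Member, current: str, new: str) -> str:
    """Clears the flag only once an acceptable, different password is set."""
    if not verify_password(member, current):
        return "wrong_current_password"
    if len(new) < MIN_LENGTH:
        return "too_short"
    if new.lower() in COMMON_PASSWORDS:
        return "too_common"
    if verify_password(member, new):
        # Re-entering the temporary password would leave the admin knowing it.
        return "same_as_current"
    set_password(member, new)
    member.must_change_password = False
    return "ok"
```

The denylist check is the part of the design that answers reply #8's objection in the only way a server can: the flag cannot stop a user choosing a weak password, but the change-password handler can refuse the handful of passwords the thread says bots try first. Everything else in the block is the status flag and the two places it is set and cleared.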


Offline Kindred

Re: Password Force Change/ Password Flagging.
« Reply #13 on: January 11, 2012, 01:12:58 PM »
Ok...  let's just chill a little bit here.

Benchtech, we've already pointed out that we can see a purpose for this thought... However, that purpose is not at all related to "security" as forcing a user to change their password really does nothing for security.


Arantor...   no need to snipe at him... he's not being demanding and he is trying to argue his point logically

Offline Arantor

Re: Password Force Change/ Password Flagging.
« Reply #14 on: January 11, 2012, 02:21:34 PM »
I don't snipe at people until they start out by calling me a moron.

Offline Benchtech

Re: Password Force Change/ Password Flagging.
« Reply #15 on: January 18, 2012, 10:48:05 AM »
> I don't snipe at people until they start out by calling me a moron.

If you have a look back I never called you a moron specifically.

Offline Benchtech

Re: Password Force Change/ Password Flagging.
« Reply #16 on: January 18, 2012, 10:54:33 AM »
Also, could someone look into applying or declining this, if you wouldn't mind :)

Offline Arantor

Re: Password Force Change/ Password Flagging.
« Reply #17 on: January 18, 2012, 11:08:27 AM »
If I have a look back, I see precisely this post. Bolding is mine.

> > In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.
>
> I'd love to know how you work that one out. A user wants their password resetting, I change it to password, he doesn't bother or doesn't know how to, bots spam the forum and try log in with current usernames, one of the most basic passwords to try 'password'. Account = Compromised.
>
> Or, I force them to change it, they change it, job done.
>
> You'd have to be a moron to say it would make no difference at all.

And in the very post I quoted, I said it would make no difference at all, so since I said it would make no difference at all, and you assert that only a moron would say it would make no difference... I must by definition be a moron.

Also, if you care to look back over the pages of threads here, stuff very rarely ever moves out of this board, into applied/declined or indeed anywhere else (except to mod requests)

Offline Benchtech

Re: Password Force Change/ Password Flagging.
« Reply #18 on: January 18, 2012, 11:15:25 AM »
> If I have a look back, I see precisely this post. Bolding is mine.
>
> > > In the battle for bots vs forums, it will make precisely zero difference. It will make a difference in other battles, subject to the caveats already outlined.
> >
> > I'd love to know how you work that one out. A user wants their password resetting, I change it to password, he doesn't bother or doesn't know how to, bots spam the forum and try log in with current usernames, one of the most basic passwords to try 'password'. Account = Compromised.
> >
> > Or, I force them to change it, they change it, job done.
> >
> > You'd have to be a moron to say it would make no difference at all.
>
> And in the very post I quoted, I said it would make no difference at all, so since I said it would make no difference at all, and you assert that only a moron would say it would make no difference... I must by definition be a moron.
>
> Also, if you care to look back over the pages of threads here, stuff very rarely ever moves out of this board, into applied/declined or indeed anywhere else (except to mod requests)

I still never called you a moron, if you've diagnosed yourself as one, then there's not much I can do about that.

Offline Arantor

Re: Password Force Change/ Password Flagging.
« Reply #19 on: January 18, 2012, 11:17:38 AM »
I just applied logic to what you stated. If what you stated is incorrect...

Offline Kindred

Re: Password Force Change/ Password Flagging.
« Reply #20 on: January 18, 2012, 11:22:23 AM »
ok... enough.


Benchtech,   this will probably not be a feature any time soon...    I'd suggest asking for it as a mod. If the mod becomes popular/much used, then it would be considered for a feature addition in the future.

Offline Norv

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 18,313
  • Blue Wolf
Re: [2.1] Password Force Change/ Password Flagging.
« Reply #21 on: January 19, 2012, 09:10:12 AM »
Thank you for the proposal, Benchtech, and for the discussion.

I think it makes sense for accounts created from admin panel, indeed, as pointed out before.

I don't know how many cases of admins resetting passwords exist (for older accounts), since users should be able to reset their passwords (if one forgot their email address or has another one, they can request the admin to set another email for them, instead of resetting the password).
All things considered, I am inclined to add this one way or the other to SMF login enhancements - or rather its ecosystem of official mods. I don't really see the "global" option (all users must reset passwords next time) as a core feature, for the reasons pointed out above - but for the same reasons it may be useful to develop a mod/tool that will allow the admin of a forum in need of a mass reset of credentials to have it at their disposal just in case. Thank you for the idea, it never occurred before, that I can remember, anyway. :)
To-do lists are for deferral. The more things you write down the later they're done… until you have 100s of lists of things you don't do.
File a security report | Developers' Blog | Bug Tracker

Also known as Norv on D* | Norv N. on G+ | Norv on Github

Offline Benchtech

Re: [2.1] Password Force Change/ Password Flagging.
« Reply #22 on: January 19, 2012, 03:00:04 PM »
> Thank you for the proposal, Benchtech, and for the discussion.
>
> I think it makes sense for accounts created from admin panel, indeed, as pointed out before.
>
> I don't know how many cases of admins resetting passwords exist (for older accounts), since users should be able to reset their passwords (if one forgot their email address or has another one, they can request the admin to set another email for them, instead of resetting the password).
> All things considered, I incline to add this one way or the other to SMF logins enhancements - or rather its ecosystem of official mods. I don't really see the "global" option (all users must reset passwords next time) as core feature..., for the reasons pointed out above - but for the same reasons it may be useful to develop a mod/tool that will allow the admin of a forum in need for mass-reset of credentials to have it at their disposal just in case. Thank you for the idea, it never occurred before, that I can remember, anyway. :)

Thank you :)