Password resets

Started by shawnb61, January 22, 2025, 02:59:17 PM


shawnb61

See discussion here: https://www.simplemachines.org/community/index.php?topic=590528.0

I think we need a way to force password resets, in 2.1 & in 3.0.

This will address the issue where breached account IDs/passwords are being used to gain access to forums as valid long-term members (who have poor password regimen, e.g., simple passwords or re-used passwords...). 

This works.  My forum was up to 3 spam posts a week from long-standing members.  I reset the passwords for anyone who registered > 1 year ago and who hadn't logged on in > 1 year. 

Since then, we haven't had one single spam post from those users.
A question worth asking is born in experience & driven by necessity. - Fripp

Aleksi "Lex" Kilpinen

I'm not sure I'm a fan of the idea of potentially locking people out "just in case", but I do agree the functionality in itself could be useful.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

shawnb61

The thing is, they're not locked out.  They just need to follow the normal password reset procedure. 

Which shouldn't be too unusual & is likely needed anyway - they haven't logged on in a year...

Aleksi "Lex" Kilpinen

The amount of bounced email I've seen over the years would say otherwise.

vbgamer45

I saw this mod https://community.mybb.com/mods.php?action=view&pid=1603 in MyBB. I thought about adapting the API for SMF, but doing it on register as well as on login/password reset.

Community Suite for SMF - Grow your forum with SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Sesquipedalian

This functionality already exists. The admin can go to any account and change its password to some random string. Then that member will need to reset the password in order to log in.

The only thing that doesn't exist is the ability to do it in bulk. But is the ability to do this in bulk a good idea anyway? It would be extremely rare to see a massive number of accounts get compromised this way all at once, and preemptively resetting people's passwords that have not been breached sounds like a bad idea to me.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
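Putting the two posts above together as a script: shawnb61's selection rule (registered more than a year ago and no login for more than a year) plus Sesquipedalian's per-account method (overwrite the stored password with a random string so the member has to use the normal reset flow), done in bulk. This is an added example, not SMF project code. It assumes SMF's default smf_members schema (id_member, member_name, date_registered, last_login, passwd with unix timestamps); the stand-in hash function reproduces the SMF 2.0 format sha1(lowercase name + password) only so the script runs offline, while SMF 2.1 stores bcrypt from PHP's password_hash(), so on a 2.1 forum you would pass in a bcrypt hash_fn instead. The sample members are constructed.

```python
"""Bulk-invalidate passwords on dormant SMF accounts (added example, not SMF code).

Assumptions, also flagged in comments below:
- default smf_members columns: id_member, member_name, date_registered,
  last_login (unix timestamps), passwd;
- smf20_hash() is the SMF 2.0 format sha1(lower(name) + password); SMF 2.1
  uses bcrypt via PHP's password_hash(), which is not in the Python standard
  library, so a 2.1 deployment must supply its own hash_fn.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable

ONE_YEAR = 365 * 24 * 3600
HashFn = Callable[[str, str], str]  # (member_name, password) -> stored hash


@dataclass(frozen=True)
class Member:
    id_member: int
    member_name: str
    date_registered: int  # unix time, as in smf_members (assumed schema)
    last_login: int       # unix time; 0 means never logged in


def is_dormant(m: Member, now: int, min_age: int = ONE_YEAR, max_idle: int = ONE_YEAR) -> bool:
    """shawnb61's rule: registered more than min_age ago AND no login for more than max_idle."""
    return (now - m.date_registered) > min_age and (now - m.last_login) > max_idle


def dormant_ids(members: Iterable[Member], now: int) -> list[int]:
    """Dry run: the id_member values that would be touched. Review this before updating."""
    return [m.id_member for m in members if is_dormant(m, now)]


def smf20_hash(member_name: str, password: str) -> str:
    """SMF 2.0 storage format (assumption about target version; 2.1 uses bcrypt instead)."""
    return hashlib.sha1((member_name.lower() + password).encode("utf-8")).hexdigest()


def password_matches(stored: str, member_name: str, password: str, hash_fn: HashFn = smf20_hash) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    return secrets.compare_digest(stored, hash_fn(member_name, password))


def plan_invalidation(members: Iterable[Member], now: int, hash_fn: HashFn = smf20_hash) -> list[tuple[str, tuple]]:
    """Parameterised UPDATEs for every dormant account.

    The replacement password is random, hashed, and then dropped: nobody knows
    it, so the only way back in is the forum's own password-reset procedure.
    """
    statements: list[tuple[str, tuple]] = []
    for m in members:
        if not is_dormant(m, now):
            continue
        throwaway = secrets.token_urlsafe(32)  # 256 bits; never stored, never logged
        new_hash = hash_fn(m.member_name, throwaway)
        statements.append((
            "UPDATE smf_members SET passwd = %s WHERE id_member = %s",  # assumed default table prefix
            (new_hash, m.id_member),
        ))
    return statements


# Constructed sample data with a fixed "now" so the run is reproducible.
NOW = 1_737_000_000
SAMPLE_MEMBERS = [
    Member(1, "alice", NOW - 3 * ONE_YEAR, NOW - 2 * ONE_YEAR),  # old, idle -> reset
    Member(2, "bob",   NOW - 3 * ONE_YEAR, NOW - 10 * 86400),    # old, active -> keep
    Member(3, "carol", NOW - 30 * 86400,   NOW - 30 * 86400),    # new account -> keep
    Member(4, "dave",  NOW - 3 * ONE_YEAR, 0),                   # never logged in -> reset
    Member(5, "erin",  NOW - 3 * ONE_YEAR, NOW - ONE_YEAR),      # idle exactly a year -> keep
]

if __name__ == "__main__":
    print("would reset:", dormant_ids(SAMPLE_MEMBERS, NOW))
    for sql, params in plan_invalidation(SAMPLE_MEMBERS, NOW):
        print(sql, params)
```

Run the dry run first and look at the count; it is also the number of members who will need a working email address to recover, which is where Lex's bounced-mail concern bites. Execute the UPDATEs through a parameterised database driver inside one transaction, on a copy of the database before production, and exclude your own admin accounts from the member list so you cannot lock yourself out.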

shawnb61

Quote from: Sesquipedalian on January 24, 2025, 02:26:39 AM
The only thing that doesn't exist is the ability to do it in bulk. But is the ability to do this in bulk a good idea anyway? It would be extremely rare to see a massive number of accounts get compromised this way all at once, and preemptively resetting people's passwords that have not been breached sounds like a bad idea to me.

Yes, the purpose is to be able to do it in bulk, as discussed in the referenced threads. 

It's not that all those (unused in 1 year+) accounts have been compromised.  It's that they present a steady source of access for spammers using breached id/password info.

There's a reason this need keeps coming up in the support boards - all the massive security breaches out there have created a large supply of known ids/passwords.

And it works - beautifully.  Taking this action has basically shut off spam in my forum. 

(And there I go tempting fate again...  ;D )

Sesquipedalian

I remain unconvinced that it is a good idea to preemptively reset people's passwords.

Aleksi "Lex" Kilpinen

This could be a useful tool in the unfortunate event that your own server got hacked. Maybe a good mod idea?

Sesquipedalian

A mod, perhaps, sure. I don't intend to make it a default feature, because I don't want to put something in front of admins to suggest this idea if they don't have a need for it. A mod, on the other hand, requires the admin to download and install it with intention and forethought. The admin would do so only if they have run into a situation where they felt the need for it.
