Hi guys/gals.
How come this is the only forum that I use out of 60+ that I have to keep changing the password every few months?
This is surely a pain in the backside for users, well it is to me?
Keith
Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow
2010 Golf GTD (170)
It is good practice to do so from both our and your perspective. Security is paramount, the pain in the backside an afterthought.
I refuse to answer that question on the grounds that I don't know the answer. - Douglas Adams
From a user's perspective you may get a slight security gain for all those who use insecure (easy to guess) passwords, but they generally just replace one insecure with another, so the policy is effectively pointless. If somebody insists on using easily guessed passwords you're unlikely to change their habits by forcing regular password changes. In fact, you'll very likely achieve exactly the opposite, as people faced with sudden forced password changes almost invariably pick extremely insecure new passwords.
From the forum's point of view, there really isn't any security gain whatsoever. The forum software is either secure or it isn't. How users decide to choose their own account passwords should not affect basic forum security in any way. Generally, hack attempts on forums rarely require user accounts on that forum.
Thanks for your comments guys, but I still say it's a pain.
The user's choice of password is up to them: something they will easily remember, as there is no point in having an obscure password that you have to write in a file in order to remember it.
Keith
It's set to change after 72 days if I mind right; you can change it in usercp so that it doesn't change.
My answer was purely based upon a notion of the concept and I get what you are saying (I hope so, based upon your in-depth reply), but as I said it is "beneficial". And one or two lines sometimes doesn't say enough, but then again it depends on how you read a reply.
Sorry Keith, I feel for your pain.
A Meat-Head solution that all already use
No, it is set at 60 days here, gazz, and cannot be changed in the UCP.
I still think it is a minor problem to be part of such a great forum
It used to be that it never changed, not so long ago, unless you ticked the box so it would.
With latest patches/security updates it's changed that option to turn off password change.
Me, I never noticed that I have had to change pass, only if I do a fresh install and I forget the supplied pass.
Me, maybe old school, and use a generated password that is meaningless to anyone and harder to brute force.
I'd be interested to know why you think regular password changes are beneficial. I've done quite a bit of research in the past regarding the question of 'user' password changing and the conclusions were pretty much that it was always a bad idea to allow users to set their own password and an even worse one to then force those same users to change passwords at regular intervals. It's known that an average of 60% or more of users will choose easy passwords to begin with and that percentage will rise quite quickly (to over 85%) when a user is faced with an immediate compulsory password change. Those numbers are for applications that are supposed to be relatively secure, so they may be even worse for a forum where most users won't consider account security a particularly high priority.
For a forum that allows user password setting, it's actually more secure to allow users to stick with their original password, as the greatest number of accounts will remain relatively secure (around 40%). If you need greater account security then you need to take it to the next level and remove user selectable passwords altogether, with all passwords then becoming random groups of character/numbers but, of course, that will likely mean lots of forgotten passwords from users who are unable to maintain a proper 'password' list.
It may seem counterintuitive to NOT change passwords, but the fact is the initial password is often the most considered, with subsequent forced changes mostly just being anything that's easily remembered.
Cheers TC.
Keith
Apologies for the late reply as I didn't see this until now and my quoted response was some three months ago.
I sat through a conference (not one solely representative of online social media) on just this topic only yesterday, and to be perfectly honest the facts and figures do not match up across the board.
My reference to beneficial may be somewhat biased as I have a varying opinion on security but see that a regular change of passwords is a more healthy approach to online security... forgive me, but I am of the old school approach.
If we take over full control of password lists and leave them hashed and static then, as you say, we must generate a more secure password, i.e. not the name of your cat, dog, or other familiar pass phrases. This then leads to a problem as you said: not many people like trying to remember a password that is generated for them, or like to save them in a supposedly secure wallet.
I would love to introduce some form of one time passcode but VB is quite limited and to be honest so is most people's time that run forums.
I appreciate your opinion on the matter of the cons of our current set up, but it is something that has worked quite well for us and many other forums.
The only gripe being the gripe.
Last edited by satsmo; 22nd June, 2012 at 02:04 PM. Reason: typo
I hate it, but let's be honest... it takes 30 secs and the 'remember me' tick
Read the Rules here; they apply to Everyone.
I appreciate all the help people give. I spent many years helping others, now it's me who needs the help.
Before the 2010 reset on the DK thanks count, I had over 3,000 thanks received and over 500 given
___________________
In the good old days, I had
DM800s HD
Openbox S10
TM500
DM500s
90cm FortecStar dish
Technomate 2300 Motor