Why do we have to keep changing the password?
  1. #1
    DK Veteran Keithuk's Avatar

    Hi guys/gals.

    How come this is the only forum that I use out of 60+ that I have to keep changing the password every few months.

    This is surely a pain in the backside for users, well it is to me?
    Keith

    Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

    2010 Golf GTD (170)

  2. #2
    Admin Assistant
    satsmo's Avatar

    It is good practice to do so from both our and your perspective. Security is paramount, the pain in the backside an afterthought.
    I refuse to answer that question on the grounds that I don't know the answer. - Douglas Adams

  3. #3
    DK Veteran

    Quote Originally Posted by satsmo View Post
    It is good practice to do so from both our and your perspective. Security is paramount, the pain in the backside an afterthought.
    From a user's perspective you may get a slight security gain for all those who use insecure (easy to guess passwords) but they generally just replace one insecure with another so the policy is effectively pointless. If somebody insists on using easily guessed passwords you're unlikely to change their habits by forcing regular password changes. In fact, you'll very likely achieve exactly the opposite as people faced with sudden forced password changes almost invariably pick extremely unsecure new passwords.

    From the forum's point of view, there really isn't any security gain whatsoever. The forum software is either secure or it isn't. How users decide to choose their own account passwords should not affect basic forum security in any way. Generally, hack attempts on forums rarely require user accounts on that forum.

  4. #4
    DK Veteran Keithuk's Avatar

    Thanks for your comments guys but I still say it's a pain.

    The user's choice of password is up to them, something they will easily remember, as there is no point in having an obscure password that you have to write in a file in order to remember it.
    Keith

    Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

    2010 Golf GTD (170)

  5. #5
    V.I.P. Member
    Meat-Head's Avatar

    Quote Originally Posted by Keithuk View Post
    Hi guys/gals.

    How come this is the only forum that I use out of 60+ that I have to keep changing the password every few months.

    This is surely a pain in the backside for users, well it is to me?
    Simple. Close your other inferior forums, then whatever your password is just add a number to it.

    e.g. your password is "wibble", change to "wibble 1" then "wibble 2"

    etc

    Was Banned For Being Certifiably Insane and Stupid

  6. #6
    V.I.P. Member

    It's set to change after 72 days if I mind right; you can change it in usercp so that it doesn't change.

  7. #7
    Admin Assistant
    satsmo's Avatar

    Quote Originally Posted by TheCoder View Post
    From a user's perspective you may get a slight security gain for all those who use insecure (easy to guess passwords) but they generally just replace one insecure with another so the policy is effectively pointless. If somebody insists on using easily guessed passwords you're unlikely to change their habits by forcing regular password changes. In fact, you'll very likely achieve exactly the opposite as people faced with sudden forced password changes almost invariably pick extremely unsecure new passwords.

    From the forum's point of view, there really isn't any security gain whatsoever. The forum software is either secure or it isn't. How users decide to choose their own account passwords should not affect basic forum security in any way. Generally, hack attempts on forums rarely require user accounts on that forum.
    My answer was purely based upon a notion of the concept and I get what you are saying (I hope so, based upon your in-depth reply), but as I said it is "beneficial". And one or two lines sometimes doesn't say enough, but then again it depends on how you read a reply.

    Quote Originally Posted by Keithuk View Post
    Thanks for your comments guys but I still say it's a pain.

    The user's choice of password is up to them, something they will easily remember, as there is no point in having an obscure password that you have to write in a file in order to remember it.
    Sorry Keith, I feel for your pain

    Quote Originally Posted by Meat-Head View Post
    Simple. Close your other inferior forums, then whatever your password is just add a number to it.

    e.g. your password is "wibble", change to "wibble 1" then "wibble 2"

    etc
    A Meat-Head solution that all already use

    Quote Originally Posted by gazz10 View Post
    It's set to change after 72 days if I mind right; you can change it in usercp so that it doesn't change.
    No, it is set at 60 days here gazz and cannot be changed in the UCP.

    I still think it is a minor problem to be part of such a great forum
    I refuse to answer that question on the grounds that I don't know the answer. - Douglas Adams

  8. #8
    V.I.P. Member
    Meat-Head's Avatar

    Quote Originally Posted by satsmo View Post
    I still think it is a minor problem to be part of such a great forum
    Only thing would be nice is a warning - so we can change it before lock out.

    that is *SO SCARY* when you get no access to DK

    Was Banned For Being Certifiably Insane and Stupid

  9. #9
    V.I.P. Member

    Quote Originally Posted by satsmo View Post
    No, it is set at 60 days here gazz and cannot be changed in the UCP.

    I still think it is a minor problem to be part of such a great forum

    It used to be that it never changed, not so long ago, unless you ticked the box so it would.

    With latest patches/security updates it's changed that option to turn off password change.

    Me, I never noticed that I have had to change pass, only if I do a fresh install and I forget the supplied pass.

    Me maybe old school, and use generated password that is meaningless to anyone and harder to brute force.

  10. #10
    DK Veteran Keithuk's Avatar

    Quote Originally Posted by gazz10 View Post
    It's set to change after 72 days if I mind right; you can change it in usercp so that it doesn't change.
    There is nothing in User CP as satsmo says. I've just had to change yet again.
    Keith

    Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

    2010 Golf GTD (170)

  11. #11
    V.I.P. Member
    Meat-Head's Avatar

    Quote Originally Posted by Keithuk View Post
    . I've just had to change yet again.

    Well to a high profile poster, it's quite scary when it pops up.

    Guess some leechers don't care about it.

    some warning would be cool, say 50 hours of DK time as a minimum.

    Was Banned For Being Certifiably Insane and Stupid

  12. #12
    DK Veteran

    Quote Originally Posted by satsmo View Post
    ...... but as I said it is "beneficial". And one or two lines sometimes doesn't say enough but then again depends on how you read a reply.
    I'd be interested to know why you think regular password changes are beneficial. I've done quite a bit of research in the past regarding the question of 'user' password changing and the conclusions were pretty much that it was always a bad idea to allow users to set their own password and an even worse one to then force those same users to change passwords at regular intervals. It's known that an average of 60% or more of users will choose easy passwords to begin with and that percentage will rise quite quickly (to over 85%) when a user is faced with an immediate compulsory password change. Those numbers are for applications that are supposed to be relatively secure so they may be even worse for a forum where most users won't consider account security a particularly high priority.

    For a forum that allows user password setting, it's actually more secure to allow users to stick with their original password as the greatest number of accounts will remain relatively secure (around 40%). If you need greater account security then you need to take it to the next level and remove user selectable passwords altogether, with all passwords then becoming random groups of character/numbers but, of course, that will likely mean lots of forgotten passwords from users who are unable to maintain a proper 'password' list.

    It may seem counterintuitive to NOT change passwords but the fact is the initial password is often the most considered, with subsequent forced changes mostly just being anything that's easily remembered.
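
The "wibble", "wibble 1", "wibble 2" habit described in posts #5 and #12 can be caught at the moment of a forced change, when the change form holds both the old and the new password. The following is an added example, not part of any post or of the forum software; the function names, the affix character set and the two-edit threshold are assumptions.

```python
import re
import unicodedata

# Counters, years and punctuation that get bolted onto a word at a forced change.
_AFFIX = r"[\s\d!@#$%^&*._-]+"
_EDGES = re.compile(rf"^{_AFFIX}|{_AFFIX}$")

def stem(password: str) -> str:
    """Case-fold the password and strip leading/trailing digits and punctuation."""
    folded = unicodedata.normalize("NFKC", password).casefold()
    return _EDGES.sub("", folded)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def rotation_reason(old: str, new: str, max_edits: int = 2):
    """Return why `new` is a trivial variant of `old`, or None if it is not.

    Assumes the change form collects the current password in plaintext, so the
    comparison needs no stored history of old passwords.
    """
    old_stem, new_stem = stem(old), stem(new)
    if old_stem and old_stem == new_stem:
        return "same word, different counter"
    if edit_distance(old.casefold(), new.casefold()) <= max_edits:
        return f"within {max_edits} edits of the old password"
    return None

# Constructed sample sequence, following the "wibble" example in the thread.
SAMPLE_HISTORY = ["wibble", "wibble 1", "wibble 2", "Wibble2012!", "k7#Qv9pL2x"]

def audit(history):
    """Pair each new password with the verdict for that change."""
    return [(new, rotation_reason(old, new)) for old, new in zip(history, history[1:])]

if __name__ == "__main__":
    for new, reason in audit(SAMPLE_HISTORY):
        print(f"{new!r}: {reason or 'accepted'}")
```

Only the last change in the sample sequence, to a generated password, passes; every step before it keeps the same word and changes only the counter.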

  13. #13
    DK Veteran Keithuk's Avatar

    Cheers TC.
    Keith

    Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

    2010 Golf GTD (170)

  14. #14
    Admin Assistant
    satsmo's Avatar

    Quote Originally Posted by TheCoder View Post
    I'd be interested to know why you think regular password changes are beneficial. I've done quite a bit of research in the past regarding the question of 'user' password changing and the conclusions were pretty much that it was always a bad idea to allow users to set their own password and an even worse one to then force those same users to change passwords at regular intervals. It's known that an average of 60% or more of users will choose easy passwords to begin with and that percentage will rise quite quickly (to over 85%) when a user is faced with an immediate compulsory password change. Those numbers are for applications that are supposed to be relatively secure so they may be even worse for a forum where most users won't consider account security a particularly high priority.

    For a forum that allows user password setting, it's actually more secure to allow users to stick with their original password as the greatest number of accounts will remain relatively secure (around 40%). If you need greater account security then you need to take it to the next level and remove user selectable passwords altogether, with all passwords then becoming random groups of character/numbers but, of course, that will likely mean lots of forgotten passwords from users who are unable to maintain a proper 'password' list.

    It may seem counterintuitive to NOT change passwords but the fact is the initial password is often the most considered, with subsequent forced changes mostly just being anything that's easily remembered.
    Apologies for the late reply as I didn't see this until now and my quoted response was some three months ago.

    I sat through a conference (not one solely representative of online social media) on just this topic only yesterday and to be perfectly honest the facts and figures do not match up across the board.

    My reference to beneficial may be somewhat biased as I have a varying opinion on security but see that a regular change of passwords is a more healthy approach to online security... forgive me but I am of the old school approach.

    If we take over full control of password lists and leave them hashed and static then as you say we must generate a more secure password, i.e. not the name of your cat, dog, or other familiar pass phrases. This then leads to a problem, as you said: not many people like trying to remember a password that is generated for them, or like to save them in a supposedly secure wallet.

    I would love to introduce some form of one time passcode but VB is quite limited and to be honest so is the time of most people that run forums.

    I appreciate your opinion on the matter of the cons of our current set up, but it is something that has worked quite well for us and many other forums.

    The only gripe being the gripe.
    Last edited by satsmo; 22nd June, 2012 at 02:04 PM. Reason: typo
    I refuse to answer that question on the grounds that I don't know the answer. - Douglas Adams

  15. #15
    Retired Sat TV Addict
    .: JaCkPoT :.'s Avatar

    I hate it but let's be honest...it takes 30 secs and the 'remember me' tick

    Read the Rules here; they apply to EveryOne.


    __________________________________________________


    DM800s HD
    Openbox S10
    TM500
    DM500s

    90cm FortecStar dish
    Technomate 2300 motor powered by UsalS


 

 