Why do we have to keep changing the password?

  • Keithuk
    DK Veteran
    • Aug 2010
    • 2264

    #1

    Hi guys/gals.

    How come this is the only forum that I use out of 60+ that I have to keep changing the password every few months.

    This is surely a pain in the backside for users, well it is to me?
    Keith

    Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

    2010 Golf GTD (170)
  • satsmo
    V.I.P. Member
    • Jun 2008
    • 6397

    #2
    It is good practice to do so from both our and your perspective. Security is paramount, the pain in the backside an afterthought.
    I refuse to answer that question on the grounds that I don't know the answer. - Douglas Adams


    • TheCoder
      DK Veteran
      • Jun 2011
      • 693

      #3
      Originally posted by satsmo
      It is good practice to do so from both our and your perspective. Security is paramount, the pain in the backside an afterthought.
      From a user's perspective you may get a slight security gain for all those who use insecure (easy to guess passwords) but they generally just replace one insecure with another so the policy is effectively pointless. If somebody insists on using easily guessed passwords you're unlikely to change their habits by forcing regular password changes. In fact, you'll very likely achieve exactly the opposite as people faced with sudden forced password changes almost invariably pick extremely unsecure new passwords.

      From the forum's point of view, there really isn't any security gain whatsoever. The forum software is either secure or it isn't. How users decide to choose their own account passwords should not affect basic forum security in any way. Generally, hack attempts on forums rarely require user accounts on that forum.


      • Keithuk
        DK Veteran
        • Aug 2010
        • 2264

        #4
        Thanks for your comments guys but I still say it's a pain.

        The user's choice of password is up to them, something they will easily remember, as there is no point in having an obscure password that you have to write in a file in order to remember it.
        Keith

        Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

        2010 Golf GTD (170)


        • Meat-Head
          V.I.P. Member
          • Oct 2009
          • 32000

          #5
          Originally posted by Keithuk
          Hi guys/gals.

          How come this is the only forum that I use out of 60+ that I have to keep changing the password every few months.

          This is surely a pain in the backside for users, well it is to me?
          Simple. Close your other inferior forums, then whatever your password is just add a number to it.

          e.g. your password is "wibble", change to "wibble 1" then "wibble 2"

          etc

          Was Banned For Being Certifiably Insane and Stupid
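
The "wibble 1", "wibble 2" habit described in post #5 is something a password-change form can check for, because the user submits the current password alongside the new one. This is an added example, not part of the thread or of the forum's software; the function names, the counter pattern and the distance threshold are assumptions.

```python
import re

# Assumed pattern for a trailing counter bumped on each forced change:
# "wibble 1", "wibble2", "wibble-03!".
_COUNTER = re.compile(r"[\s._\-!#]*\d+[\s!]*$")


def base_form(password: str) -> str:
    """Lower-case the password and drop a trailing counter, if any."""
    return _COUNTER.sub("", password.strip().lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, min_distance: int = 3) -> bool:
    """True when `new` is `old` with a bumped counter or only a few edits."""
    old_base = base_form(old)
    # An all-digit password has an empty base; fall through to edit distance.
    if old_base and old_base == base_form(new):
        return True
    return edit_distance(old.lower(), new.lower()) < min_distance


if __name__ == "__main__":
    # Constructed sample pairs; "wibble" is the example from the thread.
    samples = [
        ("wibble", "wibble 1"),
        ("wibble 1", "wibble 2"),
        ("Summer2012", "summer2013!"),
        ("wibble 2", "tq7#Lm0vZx!e"),
    ]
    for old, new in samples:
        verdict = "reject" if is_trivial_rotation(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The comparison needs the old password in plain text, which is only available at the moment of the change; it cannot be run against stored hashes.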


          • gazz10
            V.I.P. Member
            • Mar 2008
            • 1015

            #6
            It's set to change after 72 days if I mind right; you can change it in usercp so that it doesn't change.


            • satsmo
              V.I.P. Member
              • Jun 2008
              • 6397

              #7
              Originally posted by TheCoder
              From a user's perspective you may get a slight security gain for all those who use insecure (easy to guess passwords) but they generally just replace one insecure with another so the policy is effectively pointless. If somebody insists on using easily guessed passwords you're unlikely to change their habits by forcing regular password changes. In fact, you'll very likely achieve exactly the opposite as people faced with sudden forced password changes almost invariably pick extremely unsecure new passwords.

              From the forum's point of view, there really isn't any security gain whatsoever. The forum software is either secure or it isn't. How users decide to choose their own account passwords should not affect basic forum security in any way. Generally, hack attempts on forums rarely require user accounts on that forum.
              My answer was purely based upon a notion of the concept and I get what you are saying, (I hope so based upon your in-depth reply) but as I said it is "beneficial". And one or two lines sometimes doesn't say enough but then again depends on how you read a reply.

              Originally posted by Keithuk
              Thanks for your comments guys but I still say it's a pain.

              The user's choice of password is up to them, something they will easily remember, as there is no point in having an obscure password that you have to write in a file in order to remember it.
              Sorry Keith I feel for your pain

              Originally posted by Meat-Head
              Simple. Close your other inferior forums, then whatever your password is just add a number to it.

              e.g. your password is "wibble", change to "wibble 1" then "wibble 2"

              etc
              A Meat-Head solution that all already use

              Originally posted by gazz10
              It's set to change after 72 days if I mind right; you can change it in usercp so that it doesn't change.
              No it is set at 60 days here gazz and cannot be changed in the UCP.

              I still think it is a minor problem to be part of such a great forum
              I refuse to answer that question on the grounds that I don't know the answer. - Douglas Adams


              • Meat-Head
                V.I.P. Member
                • Oct 2009
                • 32000

                #8
                Originally posted by satsmo
                I still think it is a minor problem to be part of such a great forum
                Only thing would be nice is a warning - so we can change it before lock out.

                that is *SO SCARY* when you get no access to DK

                Was Banned For Being Certifiably Insane and Stupid


                • gazz10
                  V.I.P. Member
                  • Mar 2008
                  • 1015

                  #9
                  Originally posted by satsmo
                  No it is set at 60 days here gazz and cannot be changed in the UCP.

                  I still think it is a minor problem to be part of such a great forum

                  It used to be that it never changed, not so long ago, unless you ticked the box so it would.

                  With latest patches/security updates it's changed that option turn off password change.

                  Me, I never noticed that I have had to change pass, only if I do a fresh install and I forget the supplied pass.

                  Me maybe old school, and use generated password that is meaningless to anyone and harder to brute force.


                  • Keithuk
                    DK Veteran
                    • Aug 2010
                    • 2264

                    #10
                    Originally posted by gazz10
                    It's set to change after 72 days if I mind right; you can change it in usercp so that it doesn't change.
                    There is nothing in User CP as satsmo says. I've just had to change yet again.
                    Keith

                    Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

                    2010 Golf GTD (170)


                    • Meat-Head
                      V.I.P. Member
                      • Oct 2009
                      • 32000

                      #11
                      Originally posted by Keithuk
                      . I've just had to change yet again.

                      Well to a high profile poster, it's quite scary when it pops up.

                      Guess some leechers don't care about it.

                      some warning would be cool, say 50 hours of DK time as a minimum.

                      Was Banned For Being Certifiably Insane and Stupid


                      • TheCoder
                        DK Veteran
                        • Jun 2011
                        • 693

                        #12
                        Originally posted by satsmo
                        ...... but as I said it is "beneficial". And one or two lines sometimes doesn't say enough but then again depends on how you read a reply.
                        I'd be interested to know why you think regular password changes are beneficial. I've done quite a bit of research in the past regarding the question of 'user' password changing and the conclusions were pretty much that it was always a bad idea to allow users to set their own password and an even worse one to then force those same users to change passwords at regular intervals. It's known that an average of 60% or more of users will choose easy passwords to begin with and that percentage will rise quite quickly (to over 85%) when a user is faced with an immediate compulsory password change. Those numbers are for applications that are supposed to be relatively secure so they may be even worse for a forum where most users won't consider account security a particularly high priority.

                        For a forum that allows user password setting, it's actually more secure to allow users to stick with their original password as the greatest number of accounts will remain relatively secure (around 40%). If you need greater account security then you need to take it to the next level and remove user selectable passwords altogether, with all passwords then becoming random groups of character/numbers but, of course, that will likely mean lots of forgotten passwords from users who are unable to maintain a proper 'password' list.

                        It may seem counterintuitive to NOT change passwords but the fact is the initial password is often the most considered with subsequent forced changes mostly just being anything that's easily remembered.


                        • Keithuk
                          DK Veteran
                          • Aug 2010
                          • 2264

                          #13
                          Cheers TC.
                          Keith

                          Wii 4.3E, USB Loader GX, CFG USB Loader, WiiFlow

                          2010 Golf GTD (170)


                          • satsmo
                            V.I.P. Member
                            • Jun 2008
                            • 6397

                            #14
                            Originally posted by TheCoder
                            I'd be interested to know why you think regular password changes are beneficial. I've done quite a bit of research in the past regarding the question of 'user' password changing and the conclusions were pretty much that it was always a bad idea to allow users to set their own password and an even worse one to then force those same users to change passwords at regular intervals. It's known that an average of 60% or more of users will choose easy passwords to begin with and that percentage will rise quite quickly (to over 85%) when a user is faced with an immediate compulsory password change. Those numbers are for applications that are supposed to be relatively secure so they may be even worse for a forum where most users won't consider account security a particularly high priority.

                            For a forum that allows user password setting, it's actually more secure to allow users to stick with their original password as the greatest number of accounts will remain relatively secure (around 40%). If you need greater account security then you need to take it to the next level and remove user selectable passwords altogether, with all passwords then becoming random groups of character/numbers but, of course, that will likely mean lots of forgotten passwords from users who are unable to maintain a proper 'password' list.

                            It may seem counterintuitive to NOT change passwords but the fact is the initial password is often the most considered with subsequent forced changes mostly just being anything that's easily remembered.
                            Apologies for the late reply as I didn't see this until now and my quoted response was some three months ago.

                            I sat through a conference (not one solely representative of online social media) on just this topic only yesterday and to be perfectly honest the facts and figures do not match up across the board.

                            My reference to beneficial may be somewhat biased as I have a varying opinion on security but see that a regular change of passwords is a more healthy approach to online security... forgive me but I am of the old school approach.

                            If we take over full control of password lists and leave them hashed and static then as you say we must generate a more secure password, i.e. not the name of your cat, dog, or other familiar pass phrases. This then leads to a problem as you said not many people like trying to remember a password that is generated for them, or like to save them in a supposedly secure wallet.

                            I would love to introduce some form of one time passcode but VB is quite limited and to be honest so are most people's time that run forums.

                            I appreciate your opinion on the matter of the cons of our current set up, but it is something that has worked quite well for us and many other forums.

                            The only gripe being the gripe.
                            Last edited by satsmo; 22 June, 2012, 14:04. Reason: typo
                            I refuse to answer that question on the grounds that I don't know the answer. - Douglas Adams


                            • .: JaCkPoT :.
                              Retired Sat TV Addict
                              • Aug 2008
                              • 5607

                              #15
                              I hate it but let's be honest... it takes 30 secs and the 'remember me' tick

                              Read the Rules here; they apply to Everyone.

                              ___________________
                              In the good old days, I had
                              DM800s HD
                              Openbox S10
                              TM500
                              DM500s
                              90cm FortecStar dish
                              Maxx 110cm Dish
                              Technomate 2300 Motors
