Why do we have to keep changing the password?

  • Meat-Head
    V.I.P. Member
    • Oct 2009
    • 32000

    #16
    Originally posted by satsmo
    I sat through a conference (not one solely representative of online social media) on just this topic only yesterday and to be perfectly honest the facts and figures do not match up across the board.

    I would love to introduce some form of one time passcode but VB is quite limited and to be honest so are most peoples' time that run forums.

    I appreciate your opinion on the matter of the cons of our current set up, but it is something that has worked quite well for us and many other forums.

    .

    Cool, conference, you could have been moderating DK

    Guessing it would be too much hassle to make it IP address referenced

    e.g. when at home IP address the password CAN be simple 'dawg' 'cat' etc etc, and when at another member's gaff, or 'new' computer has to have some kind of 'long' password.

    Like say people's credit card numbers, so they can donate to DK AND log in in one hit.

    Was Banned For Being Certifiably Insane and Stupid


    • TheCoder
      DK Veteran
      • Jun 2011
      • 693

      #17
      Originally posted by satsmo
      I appreciate your opinion on the matter of the cons of our current set up, but it is something that has worked quite well for us and many other forums.
      tbh, it's more of an interest in why you think regular password changing adds to forum security in any significant way rather than a criticism. My background is in computer security (not forums) so I guess I'm just nosey as to why certain perceptions may be prevalent even though the opposite might actually be true.

      Originally posted by satsmo
      I would love to introduce some form of one time passcode but VB is quite limited and to be honest so are most peoples' time that run forums.
      Obviously that would be far more secure in terms of account security but, as you hint, it would also be more difficult to set up and maintain and very likely not worth the hassle.

      Ultimately, I suppose you need to ask yourself what it is you're trying to protect. User account security should really have little impact on forum security (I'm sure site Admin/Moderators have a somewhat different password policy than standard users) and very few forum 'hacks' actually require an attacker to be logged in.


      • Devilfish
        Administrator
        • Feb 2008
        • 7872

        #18
        Haven't read this full thread so apologies for that. We enabled the password change option because I had a few people coming to me saying their account had been hacked or password guessed and could I sort it out, change their password back, change their email address, etc. Now I'm presented with the question of is this person the real account holder and are they who they say they are? To cut short, it's a pain in the ass for me to sort out. It's not a solution, people will still pick weak passwords for whatever reason. But it's an additional security feature. Most of the time it's not the forum account that's been compromised, it's been the member's email address and they managed to reset the forum password using that.

        In any case, I'm not planning to disable it so please just change it when asked.


        • Meat-Head
          V.I.P. Member
          • Oct 2009
          • 32000

          #19
          Originally posted by Devilfish
          Now I'm presented with the question of is this person the real account holder and are they who they say they are? To cut short, it's a pain in the ass for me to sort out.

          cool, you're the boss so can't argue but does it not show up IP address, if somebody else is trying to access another account does it not flag up.


          Hotmail seems to get hacked a lot, no matter what password you use!

          Would be nice if a warning popped up?

          Was Banned For Being Certifiably Insane and Stupid


          • TheCoder
            DK Veteran
            • Jun 2011
            • 693

            #20
            Originally posted by Meat-Head
            ...... but does it not show up IP address, if somebody else is trying to access another account does it not flag up.
            IP address can be fairly meaningless. Large amounts of people have dynamic IPs which change regularly (standard with ADSL unless you've got static IP) and there are also significant numbers of people using VPNs (probably via another country, making geo-tracing useless).

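The point made in post #20, worked through as an added example that is not part of the original thread: a "new source" login alert run over a constructed login history. The addresses are documentation ranges used as stand-ins, and the owner/intruder labels are invented so that false alarms and misses can be counted.

```python
import ipaddress

# Constructed login history for one account: (day, source IP, who it really was).
# 203.0.113.0/24 stands in for a home ISP pool, 198.51.100.0/24 for a VPN provider.
LOGINS = [
    (1, "203.0.113.10", "owner"),     # home ADSL
    (2, "203.0.113.57", "owner"),     # same ISP, new dynamic lease
    (3, "203.0.113.201", "owner"),    # same ISP, new lease again
    (4, "198.51.100.8", "owner"),     # owner connecting through a VPN exit
    (5, "198.51.100.9", "intruder"),  # intruder using the same VPN provider
    (6, "203.0.113.77", "owner"),
]

def network_key(ip, prefix_len):
    """Reduce an IPv4 address to its enclosing network of the given prefix length."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def flag_new_sources(logins, prefix_len):
    """Return the days on which a login came from a network not seen before.
    prefix_len=32 is exact-IP matching; smaller values compare whole networks.
    The very first login is never flagged because there is nothing to compare to."""
    seen, flagged = set(), []
    for day, ip, _actor in logins:
        key = network_key(ip, prefix_len)
        if seen and key not in seen:
            flagged.append(day)
        seen.add(key)
    return flagged

def score(logins, flagged):
    """Count false alarms (owner flagged) and misses (intruder not flagged)."""
    false_alarms = sum(1 for d, _, who in logins if d in flagged and who == "owner")
    missed = sum(1 for d, _, who in logins if d not in flagged and who == "intruder")
    return false_alarms, missed

if __name__ == "__main__":
    for prefix in (32, 24):
        days = flag_new_sources(LOGINS, prefix)
        print(f"/{prefix}: flagged days {days}, (false alarms, missed) = {score(LOGINS, days)}")
```

Exact matching flags almost every login by the real owner, while matching on the wider network quiets the dynamic-IP noise but lets the intruder on the shared VPN range through unflagged.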

            • TheCoder
              DK Veteran
              • Jun 2011
              • 693

              #21
              Originally posted by Devilfish
              Haven't read this full thread so apologies for that. We enabled the password change option because I had a few people coming to me saying their account had been hacked or password guessed and could I sort it out,.......
              That sort of seems to emphasise my point that the average user isn't particularly concerned about security. Unfortunately, from your point of view, there really is no solution as nothing you can do fixes the fundamental problem of people using insecure passwords (especially on the often one-off registration e-mail addresses).

              A better solution might actually be to tell users that lose control of their account that the old account is banned and they must make a new account. It may seem harsh but maybe lessons will be learned......


              • Meat-Head
                V.I.P. Member
                • Oct 2009
                • 32000

                #22
                Originally posted by TheCoder
                ).

                A better solution might actually be to tell users that lose control of their account that the old account is banned and they must make a new account. It may seem harsh but maybe lessons will be learned......
                that would be fine for leechers, but what about 'high profile' posters



                it would get a bit out of hand asking for DOB and inside leg measurement etc etc.

                Was Banned For Being Certifiably Insane and Stupid


                • maca
                  Mr. DK DJ
                  • Feb 2009
                  • 6310

                  #23
                  You can't download until you have 5 useful posts that have been thanked ???
                  Last edited by maca; 5 July, 2012, 22:26.


                  • Meat-Head
                    V.I.P. Member
                    • Oct 2009
                    • 32000

                    #24
                    Originally posted by maca58
                    You can't download until you have 5 useful posts that have been thanked ???
                    chuff, no scrap that if GMB lost his password he would be at it for weeks.

                    also means the moderator team spends hours scooping up garbage

                    Was Banned For Being Certifiably Insane and Stupid


                    • maca
                      Mr. DK DJ
                      • Feb 2009
                      • 6310

                      #25
                      Ok I get it stfu maca


                      • Meat-Head
                        V.I.P. Member
                        • Oct 2009
                        • 32000

                        #26
                        Originally posted by maca58
                        Ok I get it stfu maca
                        use the stalk button you will see it's been suggested a million times and rejected a million times.

                        Was Banned For Being Certifiably Insane and Stupid


                        • maca
                          Mr. DK DJ
                          • Feb 2009
                          • 6310

                          #27
                          It's late, I can't be arsed reading


                          • TheCoder
                            DK Veteran
                            • Jun 2011
                            • 693

                            #28
                            Originally posted by Meat-Head
                            that would be fine for leechers, but what about 'high profile' posters.
                            If 'high profile' posters can't control their own accounts properly then do they really deserve to be high profile?

                            This is supposed to be a technical forum after all!

                            Anyway, lose your 'high profile' account once and you're unlikely to let it happen again (assuming it matters to you) so perhaps it's a matter of just letting lessons be learned.


                            • haribo
                              V.I.P. Member
                              • Jun 2008
                              • 157

                              #29
                              Originally posted by TheCoder
                              If 'high profile' posters can't control their own accounts properly then do they really deserve to be high profile?

                              This is supposed to be a technical forum after all!

                              Anyway, lose your 'high profile' account once and you're unlikely to let it happen again (assuming it matters to you) so perhaps it's a matter of just letting lessons be learned.
                              Stop it please! I refuse to click thanks on 3rd post of yours tonight, but couldn't have put that better myself


                              • Meat-Head
                                V.I.P. Member
                                • Oct 2009
                                • 32000

                                #30
                                Originally posted by TheCoder
                                If 'high profile' posters can't control their own accounts properly then do they really deserve to be high profile?

                                .

                                don't know what happened but our own top shite poster GMB45 his account got hijacked and caused no end of grief for him and team admin.

                                my own hotmail and that of Z786 has been hacked (YouTube for it)

                                if anybody wishes to store my password for me then it's here

                                Supercalifragi-listicexpialidocious.

                                Was Banned For Being Certifiably Insane and Stupid
