Set password complexity

Discussion in 'XenForo Suggestions' started by Shamil, Aug 15, 2010.

  1. Shamil

    Shamil Well-Known Member

    I think admins should be able to set password complexity requirements for new registrations, and can force users to change password, or define password expiry.
  2. Caliburn

    Caliburn Well-Known Member

    I strongly support this. I want to define minimum password strengths, lengths, and combinations.
  3. Vincent Gabriel

    Vincent Gabriel Active Member

    Defining minimum password length is understandable but combination? How often do you see regular forum owners use it. I think that should be left as a modification.
  4. Caliburn

    Caliburn Well-Known Member

    More forum owners would use it if it were normally available.
  5. Brandon_R

    Brandon_R Guest

    I would define the length only.
  6. Caliburn

    Caliburn Well-Known Member

    My point is that these should be options available. Personally, I'd want complete control over length and combination (letters+numbers+symbols). I'm a paranoid person. :(
  7. I will say I've never liked systems that force a minimum 'strength' as all they ever seem to do is piss people off and encourage them to come up with the minimum possible to get past it.

    Instead of putting restrictions down how about a random password generator that displays a random string that the user can copy and paste into the password field?

    Users could then use whatever password remembering feature their browser uses to save that password. It also sidesteps the issue of the user coming up with the simplest password that will pass whatever checks are put in place.

    I acknowledge something like that would need some process development and testing to see if it could be done in a way that most users could understand.
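Added example, not part of the thread and not XenForo code: the generator the post above proposes, drawing each character uniformly from a fixed alphabet with the OS CSPRNG (`secrets`), plus the entropy estimate that tells the admin what a given length buys. The alphabet and the default length of 16 are assumptions for this example.

```python
import math
import secrets
import string

# Alphabet the generator draws from: letters, digits and a short symbol set.
# This is an assumed choice for the example; the thread specifies no alphabet.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    This bound only holds for generated passwords; a user-chosen string of the
    same length and alphabet is usually far weaker because it is not uniform.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` characters chosen uniformly from `alphabet`.

    secrets.choice reads from the operating system's CSPRNG, so every string of
    this length is equally likely. The `random` module must not be used here:
    it is seedable and its output is predictable from a few observed values.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def suggest(length: int = 16) -> dict:
    """What the registration form would show: the string and its strength in bits."""
    return {
        "password": generate_password(length),
        "entropy_bits": round(entropy_bits(length, len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    print(suggest())            # e.g. {'password': 'k7$Qz...', 'entropy_bits': 99.4}
    print(suggest(24))
```

Because the string is generated rather than chosen, its strength depends only on the length and alphabet, which is exactly the property the suggestion relies on: the user cannot shrink it to the minimum that passes a check.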
  8. Caliburn

    Caliburn Well-Known Member

    In my opinion, an ideal password is something like: #ns@$amp1e69!

    Of course, I confess to having no issue with complex passwords. My PGP key is over 60 characters long and is a combination of letters, numbers, and symbols. So I know I'm in the minority here.
  9. Biker

    Biker Well-Known Member

    I've often thought that staff members should be required to use stronger passwords than the rest of the membership. However, forcing the entire membership to use convoluted passwords will, in the long run, just piss them off. I rarely go back to a site that forces me to use the maximum combination of alphanumeric AND symbols.
  10. Caliburn

    Caliburn Well-Known Member

    For standard communities, I can see the drawback. For applications in which security is a top consideration, it's a benefit. So like I said, this should be completely configurable in the AdminCP.
  11. James

    James Well-Known Member

    I would like to be able to define a minimum password length, and I would also like to see a password strength indicator (weak/medium/strong/very strong); this way I can define that all my staff have strong/very strong password combinations!
  12. Disjunto

    Disjunto Well-Known Member

    eBay's developer system has some complexity requirements; I reset my password there every other week because it is that annoying to try and remember.
  13. Floris

    Floris Guest

    The whole point of progressive enhancements and user experience is not to add complexity.
  14. James

    James Well-Known Member

    Perhaps, but if this was usergroup-specific we only need to apply it for accounts that have any value on the forum (moderators, admins, anyone with access to the user information). I personally would prefer my admin to be forced to use a secure and complex password than take the risk that he's going to use "letmein".
  15. Floris

    Floris Guest

    A weak pass would be: mypass
    A medium pass would be: mypassword
    A strong pass would be: my1password

    All three are easy to brute force

    Complexity is not just length and forced numerics.

    This is when you hit complexity, as it is using special characters, more than 16, and beyond default ascii.

    The reality is, your users will not go towards complexity. And when their letmein is told to be too short, they just add 123 behind it.
  16. James

    James Well-Known Member

    Exactly. We have to assume that our users have no idea about security in order to secure our forums.
    If we have (for example) a set of checkbox-based options:

    Force user passwords to include:
    Alphanumerics (a-z0-9)
    Multiple casing
    ASCII characters

    We could also extend this to use multiple associations of each:
    Alphanumerics (a-z0-9) x8
    Multiple casing
    ASCII characters x3

    I'm not sure if people would prefer this to be a modification, but in order to secure we have to assume that people are insecure. Assuming the worst is the most efficient way to ensure you're the best protected... IMO.
  17. Floris

    Floris Guest

    In my opinion it helps if users are made aware of the risks of easy passwords, specifically if they use 1 pass for many sites, including online-banking. However, it's their responsibility to choose a reasonably complex password.

    I don't want to inconvenience them with 5 error msgs every time they choose letmein123 because it doesn't have % in it ..

    A color indicator to show them that the system suspects their pass to be too poor (red, orange) or acceptable (green) .. is more than plenty.
  18. James

    James Well-Known Member

    The colour indicator could be (and should be) admin-defined. If we're taking the colour indicator approach I would also like an option to only allow passwords that pass a certain indicator (medium/strong).
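Added example, not part of the thread and not XenForo code: one way to implement the pieces posts 14 through 18 ask for, namely admin-defined checkbox requirements per usergroup, a weak/medium/strong/very strong indicator, and a per-group minimum level a password must reach. It also encodes Floris's point from post 15: the rating strips digits before the dictionary check, so "my1password" and "letmein123" stay weak instead of being promoted by a bolted-on number. The thresholds, the non-ASCII bonus and the tiny common-password list are assumptions constructed for the example.

```python
import math
import re
import string
from dataclasses import dataclass

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation + " ")   # the 33 printable ASCII non-alphanumerics

RATINGS = ("weak", "medium", "strong", "very strong")

# Constructed stand-in for a breached/common-password list; a real deployment
# would load a large list instead of this handful.
COMMON_PASSWORDS = {"password", "letmein", "mypass", "mypassword", "qwerty", "123456"}


@dataclass(frozen=True)
class PasswordPolicy:
    """The admin-defined checkboxes from the thread, one policy per usergroup."""
    min_length: int = 8
    min_alnum: int = 0              # "Alphanumerics (a-z0-9) x8" -> min_alnum=8
    require_mixed_case: bool = False
    min_symbols: int = 0            # "ASCII characters x3" read as non-alphanumeric ASCII
    min_rating: str = "weak"        # lowest indicator level the policy accepts


def charset_size(pw: str) -> int:
    """Size of the smallest conventional alphabet containing every character of pw."""
    chars = set(pw)
    size = 0
    if chars & LOWER:
        size += 26
    if chars & UPPER:
        size += 26
    if chars & DIGITS:
        size += 10
    if chars & SYMBOLS:
        size += 33
    if any(ord(c) > 0x7E for c in pw):
        size += 100                 # assumed rough credit for going beyond ASCII
    return size


def entropy_bits(pw: str) -> float:
    """Naive brute-force cost: length * log2(alphabet size). Ignores dictionary structure."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def rate(pw: str) -> str:
    """Indicator level. Dictionary words stay 'weak' even with digits added."""
    stem = re.sub(r"\d", "", pw).lower()   # "letmein123" -> "letmein", "my1password" -> "mypassword"
    if not stem or stem in COMMON_PASSWORDS or pw.lower() in COMMON_PASSWORDS:
        return "weak"
    bits = entropy_bits(pw)
    if bits < 36:
        return "weak"
    if bits < 60:
        return "medium"
    if bits < 80:
        return "strong"
    return "very strong"


def check(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    alnum = sum(c in LOWER or c in UPPER or c in DIGITS for c in pw)
    if alnum < policy.min_alnum:
        problems.append(f"must contain at least {policy.min_alnum} letters or digits")
    if policy.require_mixed_case and not (set(pw) & LOWER and set(pw) & UPPER):
        problems.append("must contain both upper- and lower-case letters")
    if sum(c in SYMBOLS for c in pw) < policy.min_symbols:
        problems.append(f"must contain at least {policy.min_symbols} symbol characters")
    rating = rate(pw)
    if RATINGS.index(rating) < RATINGS.index(policy.min_rating):
        problems.append(f"rated '{rating}', this usergroup requires at least '{policy.min_rating}'")
    return problems


# Usergroup-specific policies (constructed): ordinary members get a light check,
# staff with access to user data get the strict one.
POLICIES = {
    "member": PasswordPolicy(min_length=8, min_rating="medium"),
    "staff": PasswordPolicy(min_length=12, min_alnum=8, require_mixed_case=True,
                            min_symbols=1, min_rating="strong"),
}

if __name__ == "__main__":
    for pw in ("mypass", "mypassword", "my1password", "letmein123", "#ns@$amp1e69!"):
        print(f"{pw!r:18} {entropy_bits(pw):5.1f} bits  {rate(pw)}")
    for group, policy in POLICIES.items():
        print(group, check("#ns@$amp1e69!", policy))
```

Run against the three passwords from post 15, all rate weak because the dictionary check sees through the digit. Caliburn's "#ns@$amp1e69!" from post 8 passes the member policy but fails the staff one on the mixed-case checkbox alone, which is the kind of per-group difference post 14 is after. The entropy figure is only a ceiling; a user-chosen password that is not on the list can still be far weaker than its bits suggest, so the list is the part worth investing in.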
  19. Brandon_R

    Brandon_R Guest

    I have to agree, forcing "strength" will only make the users forget their passwords more.
  20. James

    James Well-Known Member

    I believe that passwords should be compliant with certain conditions for roles... like moderators and administrators.

    "Your board is only as safe as the weakest password"

