
Set password complexity

Caliburn

Well-known member
#2
I think admins should be able to set password complexity requirements for new registrations, and, can force users to change password, or define password expiry.
I strongly support this. I want to define minimum password strengths, lengths, and combinations.
 
#3
Defining a minimum password length is understandable, but combinations? How often do you see regular forum owners use that? I think that should be left as a modification.
 
#7
I will say I've never liked systems that force a minimum 'strength' as all they ever seem to do is piss people off and encourage them to come up with the minimum possible to get past it.

Instead of putting restrictions down how about a random password generator that displays a random string that the user can copy and paste into the password field?

Users could then use whatever password remembering feature their browser uses to save that password. It also sidesteps the issue of the user coming up with the simplest password that will pass whatever checks are put in place.

I acknowledge something like that would need some process development and testing to see if it could be done in a way that most users could understand.
 

Caliburn

Well-known member
#8
I will say I've never liked systems that force a minimum 'strength' as all they ever seem to do is piss people off and encourage them to come up with the minimum possible to get past it.

Instead of putting restrictions down how about a random password generator that displays a random string that the user can copy and paste into the password field?

Users could then use whatever password remembering feature their browser uses to save that password. It also sidesteps the issue of the user coming up with the simplest password that will pass whatever checks are put in place.

I acknowledge something like that would need some process development and testing to see if it could be done in a way that most users could understand.
In my opinion, an ideal password is something like: #ns@$amp1e69!

Of course, I confess to having no issue with complex passwords. My PGP key is over 60 characters long and is a combination of letters, numbers, and symbols. So I know I'm in the minority here.
 

Biker

Well-known member
#9
My point is that these should be options available. Personally, I'd want complete control over length and combination (letters+numbers+symbols). I'm a paranoid person. :(
I've often thought that staff members should be required to use stronger passwords than the rest of the membership. However, forcing the entire membership to use convoluted passwords will, in the long run, just piss them off. I rarely go back to a site that forces me to use the maximum combination of alphanumeric AND symbols.
 

Caliburn

Well-known member
#10
I've often thought that staff members should be required to use stronger passwords than the rest of the membership. However, forcing the entire membership to use convoluted passwords will, in the long run, just piss them off. I rarely go back to a site that forces me to use the maximum combination of alphanumeric AND symbols.
For standard communities, I can see the drawback. For applications which security is a top consideration, it's a benefit. So like I said, this should be completely configurable in the AdminCP.
 

James

Well-known member
#11
I would like to be able to define a minimum password length, and I would also like to see a password strength indicator (weak/medium/strong/very strong); this way I can define that all my staff have strong/very strong password combinations!
 

Disjunto

Well-known member
#12
The eBay developer system has some complexity requirements; I reset my password there every other week because it is that annoying to try to remember.
 

James

Well-known member
#14
The whole point of progressive enhancements and user experience is not to add complexity.
Perhaps, but if this was usergroup-specific we only need to apply it for accounts that have any value on the forum (moderators, admins, anyone with access to the user information). I personally would prefer my admin to be forced to use a secure and complex password than take the risk that he's going to use "letmein".
 

Floris

Guest
#15
A weak pass would be: mypass
A medium pass would be: mypassword
A strong pass would be: my1password

All three are easy to brute force.

Complexity is not just length and forced numerics.

This is when you hit complexity, as it is using special characters, more than 16 characters, and beyond default ASCII.

rQ9yd3iI+#Pb|j->0%R_PS30PDcR32
wirp9\lv>2U5&94W02d'D$t6g"Dny[
A7*k[uo$Ew"lZAO"24fs-o0|wA5X+7
Nj8+`a310ZJwB.Jl}w[G1RSHka8gl0
^90&571V~DBB?oc`MLRjjMm3A~s056
etc

The reality is, your users will not go towards complexity. And when their letmein is told to be too short, they just add 123 behind it.
 

James

Well-known member
#16
A weak pass would be: mypass
A medium pass would be: mypassword
A strong pass would be: my1password

All three are easy to brute force.

Complexity is not just length and forced numerics.

This is when you hit complexity, as it is using special characters, more than 16 characters, and beyond default ASCII.

rQ9yd3iI+#Pb|j->0%R_PS30PDcR32
wirp9\lv>2U5&94W02d'D$t6g"Dny[
A7*k[uo$Ew"lZAO"24fs-o0|wA5X+7
Nj8+`a310ZJwB.Jl}w[G1RSHka8gl0
^90&571V~DBB?oc`MLRjjMm3A~s056
etc

The reality is, your users will not go towards complexity. And when their letmein is told to be too short, they just add 123 behind it.
Exactly. We have to assume that our users have no idea about security in order to secure our forums.
If we have (for example) a set of checkbox-based options:

Force user passwords to include:
Alphanumerics (a-z0-9)
Multiple casing
ASCII characters

We could also extend this to use multiple associations of each:
Alphanumerics (a-z0-9) x8
Multiple casing
ASCII characters x3

I'm not sure if people would prefer this to be a modification, but in order to secure we have to assume that people are insecure. Assuming the worst is the most efficient way to ensure you're the best protected... IMO.
 

Floris

Guest
#17
In my opinion it helps if users are made aware of the risks of easy passwords, specifically if they use 1 pass for many sites, including online-banking. However, it's their responsibility to choose a reasonably complex password.

I don't want to inconvenience them with 5 error msgs every time they choose letmein123 because it doesn't have % in it ..

A colour indicator to show them the system suspects their pass to be too poor (red, orange) or acceptable (green) is more than plenty.
 

James

Well-known member
#18
The colour indicator could be (and should be) admin-defined. If we're taking the colour indicator approach I would also like an option to only allow passwords that pass a certain indicator (medium/strong).
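Here is an added example (not XenForo's code or anyone's in this thread) that puts together the two ideas above: the checkbox-style rules from post #16 (so many alphanumerics, so many symbols, mixed case) and the admin-defined indicator threshold from #18, applied per usergroup so staff can be held to a stricter policy than ordinary members. The policy names, rating heuristic and common-password denylist are all constructed for illustration; a real deployment would back the denylist with a full breach/dictionary list.

```python
import re
import string
from dataclasses import dataclass

# Constructed denylist standing in for a real common-password list.
COMMON_PASSWORDS = {"letmein", "password", "mypass", "mypassword", "qwerty", "123456"}
RATINGS = ("weak", "medium", "strong", "very strong")  # indicator colours, weak = red


@dataclass(frozen=True)
class PasswordPolicy:
    """Admin-defined rules; one instance per usergroup (hypothetical settings)."""
    min_length: int = 8
    min_alnum: int = 0            # "Alphanumerics (a-z0-9) x8" -> 8
    min_symbols: int = 0          # "ASCII characters x3" -> 3 (punctuation)
    require_mixed_case: bool = False
    min_rating: str = "weak"      # lowest indicator level still accepted


def rate_password(pw: str) -> str:
    """Indicator heuristic (constructed, not a standard): one point per character
    class present, plus one point each at 12 and 16 characters. A dictionary word,
    even with digits appended ("letmein123"), is always rated weak."""
    if re.sub(r"\d+$", "", pw.lower()) in COMMON_PASSWORDS:
        return "weak"
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    score = classes + (len(pw) >= 12) + (len(pw) >= 16)
    return RATINGS[max(0, min(score, 5) - 2)]


def check_password(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return every rule the password breaks (empty list means accepted)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isalnum() for c in pw) < policy.min_alnum:
        problems.append(f"fewer than {policy.min_alnum} letters/digits")
    if sum(c in string.punctuation for c in pw) < policy.min_symbols:
        problems.append(f"fewer than {policy.min_symbols} symbols")
    if policy.require_mixed_case and not (pw.lower() != pw and pw.upper() != pw):
        problems.append("needs both upper and lower case")
    if RATINGS.index(rate_password(pw)) < RATINGS.index(policy.min_rating):
        problems.append(f"indicator is '{rate_password(pw)}', needs '{policy.min_rating}'")
    return problems


# Looser rules for ordinary members, stricter ones for staff accounts.
POLICIES = {
    "member": PasswordPolicy(min_length=8, min_rating="medium"),
    "staff": PasswordPolicy(min_length=12, min_alnum=8, min_symbols=3,
                            require_mixed_case=True, min_rating="strong"),
}
```

With these settings "letmein123" clears the member length rule but is still rejected because the denylist pins it to "weak", which is the point Floris makes about users just appending 123.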
 
#19
I will say I've never liked systems that force a minimum 'strength' as all they ever seem to do is piss people off and encourage them to come up with the minimum possible to get past it.

Instead of putting restrictions down how about a random password generator that displays a random string that the user can copy and paste into the password field?

Users could then use whatever password remembering feature their browser uses to save that password. It also sidesteps the issue of the user coming up with the simplest password that will pass whatever checks are put in place.

I acknowledge something like that would need some process development and testing to see if it could be done in a way that most users could understand.
I have to agree, forcing "strength" will only make the users forget their passwords more.
 

James

Well-known member
#20
I believe that passwords should be compliant with certain conditions for roles... like moderators and administrators.

"Your board is only as safe as the weakest password"