More flexibility regarding passwords please

truepurple
Level 1
Posts: 16
Joined: Fri Jul 07, 2017 11:32 am

More flexibility regarding passwords please

Post by truepurple » Fri Jul 07, 2017 12:45 pm

When making an account or changing passwords, the forum has high absurd restrictions. Must be 10 characters, must have alphabet, upper and lower case, number and special character in it. Didn't you guys get the memo? Such random passwords make it harder to remember, not to crack, forces us to write down the password if we don't want to use a password manager. It's recommended by some that 4 or more random words with dashes between them are used as a password. And I loathe security forced on me like this. It's not like someone cracking my password and logging in as me is a threat to the forum. Please let us use what passwords we want to use!

wallyUSA
Level 5
Posts: 635
Joined: Thu Jun 08, 2017 2:31 pm
Location: Top of Georgia

Re: More flexibility regarding passwords please

Post by wallyUSA » Fri Jul 07, 2017 2:18 pm

truepurple wrote:When making an account or changing passwords, the forum has high absurd restrictions. ...
We should encourage more secure passwords not less secure passwords. This forum is used by thousands of people around the world so let's try to protect the integrity of it and user accounts by using secure passwords! You can find many articles on the net regarding creating & remembering secure passwords. This is the best we have until we all have something better like biometrics or dual authentication.
Tina 19.2 Cinnamon 4.2.4 Kernel 4.15.0-64 (64 bit). {Dell XPS 13}
Please, if your query has been resolved, edit your first post and add [SOLVED] to the beginning of the subject line. This may help others find solutions.

truepurple
Level 1
Posts: 16
Joined: Fri Jul 07, 2017 11:32 am

Re: More flexibility regarding passwords please

Post by truepurple » Fri Jul 07, 2017 3:19 pm

There is a difference between encourage and force. And again, there is no risk to the forum if an individual gets their account compromised. And no real risk to the individual either since we don't have credit cards etc in our accounts. So no need for high security on a forum anyway. Download webpage, yeah, forum, not so much.

Also, again, these restrictions can make some people's forum password LESS SECURE.

We don't need you duct taping our scissors because you can't force us to not run with them or whatever BS. Don't treat us like children.

Fred Barclay
Level 12
Posts: 4207
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: More flexibility regarding passwords please

Post by Fred Barclay » Fri Jul 07, 2017 3:34 pm

No one is being forced to use this forum ;) but if you do, we ask that you follow our rules, including those about passwords.

Our forum was hacked about 16 months ago, after which our password requirements were changed to be more restrictive. It's not only about making it harder to brute-force accounts here, but also about protecting the users themselves. If we allowed simple passwords, people would be more likely to reuse passwords across multiple sites. Then, if we were successfully attacked and the passwords discovered*, the attacker could then use those passwords and gain access to more high-value accounts, like PayPal or bank.

*Our passwords are salted so it's more difficult to get at them even if the forums were hacked, but it's still a possibility.

Cheers!
Fred

EDIT: We had a discussion about this some time back if you'd like to read it:
viewtopic.php?f=60&t=218164&p=1142495
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

truepurple
Level 1
Posts: 16
Joined: Fri Jul 07, 2017 11:32 am

Re: More flexibility regarding passwords please

Post by truepurple » Fri Jul 07, 2017 4:42 pm

What does salted password mean?

Lots of people don't lock their car doors when they go into a business. They count on the car lock itself keeping anyone from driving off, and hide or take with any valuables in the car. You might believe that's a bad idea, but a Starbucks or a library that goes around enforcing a rule that everyone must lock their car doors to visit would be overstepping their bounds, even if they called it one of their rules.

So you are minding my business when you force your restrictions on me that have nothing to do with the security of the OS or the site itself. And in the process, forcing me to use a simpler password than I normally would and to write the password down where anyone visiting or stealing might access it. And forcing me the risk if I lose track of that password, that I might have to make a new account. And still not changing anything about how I password any other accounts, so please stop minding our business for us!!!

Besides, I don't want to hear words of hypocrisy from a site that failed to secure anything down to their OS download, that had EVERYTHING compromised. When you fail security like that, you folks have NO GROUNDS to be lecturing and forcing your ideals of security on anyone else.

jimallyn
Level 18
Posts: 8953
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: More flexibility regarding passwords please

Post by jimallyn » Fri Jul 07, 2017 5:20 pm

truepurple wrote:And again, there is no risk to the forum if an individual gets their account compromised.
If somebody managed to compromise your account, they could post spam as you, or they could delete your posts. There are probably other things they could do, that's all that comes to mind right now.
truepurple wrote:Besides, I don't want to hear words of hypocrisy from a site that failed to secure anything down to their OS download, that had EVERYTHING compromised.
That is false. Not EVERYTHING was compromised; far from it.

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: More flexibility regarding passwords please

Post by Cosmo. » Fri Jul 07, 2017 5:56 pm

truepurple wrote:Such random passwords make it harder to remember, not to crack
This is technically wrong.
truepurple wrote:don't want to use a password manager
Using a password manager belongs to the top 5 practices of security experts.
truepurple wrote:these restrictions can make some peoples forum password LESS SECURE.
How so? This is a thesis without any proof.
truepurple wrote:Lots of people don't lock their car doors when they go into a business.
If other people make mistakes, it doesn't mean that it is not a mistake.
I don't know where you live. Here in Germany you can get into real legal trouble. If your car gets stolen and the thief causes an accident with it and it can be shown that you did not lock your car, you get punished. At least for the damage caused, possibly even more, especially if other people get hurt or killed by the stolen car.
truepurple wrote:Besides, I don't want to hear words of hypocrisy from a site that failed to secure anything down to their OS download, that had EVERYTHING compromised. When you fail security like that, you folks have NO GROUNDS to be lecturing and forcing your ideals of security on anyone else.
Besides the fact that what you wrote is, in detail, not true: are you saying that nobody is allowed to learn from their own mistakes? You will hardly find people who support this statement.

The fact is that, depending on the laws which apply to the server (here the Mint forum server), the owner of the server can be held legally responsible in some cases. Assume an account gets stolen and the password thief compromises the personality[1] of the stolen account and/or uses it to provide illegal material; it is possible that the server owner has to prove that he took all reasonable measures to prevent such an attack. [2] So two things which you said are simply untrue: first, a password theft can do very serious damage to the person whose password was stolen; second, the server owner can at least be put in the position of having to prove that he did nothing wrong (which costs at least time, possibly money); if he is unlucky, he can get punished.

The fact is also that stealing a user account is not as simple a task as writing a post. It needs some knowledge and it needs some criminal energy. Somebody who does this has a reason to make this effort. Nobody would do this just for the purpose of writing in the name of another user that he prefers KDE over Cinnamon. Those people with criminal energy have criminal intentions. Ignoring this fact is beyond any reality. And keeping criminals out is not only legitimate, it is a duty!

The fact is that, by using a password manager, entering my password - and you can be sure that this is an extremely complicated one - is a task of a second. If you want to make your life less secure and at the same time more complicated: it's up to you.

[1] E.g. by writing: I have hacked this or that server, I have a number of illegal copies of commercial software and offer them for sale, or he provides illegal links. There are cases where somebody got arrested by the police and was accused because of illegal things which were published in his / her name or with his / her account, although the person "only" made the mistake of using a weak password.

[2] You cannot argue that this would also be possible by creating a new account in the forum. Every first-time post has to get approved, and if this account gets misused, the moderators can check which IP address this comes from. So somebody who misuses a new account can be identified by the IP. In the case of a successful attack against an existing account, it has to be assumed that the account owner is the bad guy; a real identification would be impossible.

djk44883
Level 1
Posts: 49
Joined: Sat Sep 01, 2012 10:27 pm
Location: Ohio, US

Re: More flexibility regarding passwords please

Post by djk44883 » Fri Jul 07, 2017 10:29 pm

Cosmo. wrote:
truepurple wrote:these restrictions can make some peoples forum password LESS SECURE.
How so? This is a thesis without any proof.
There are many articles why complex doesn't necessarily make it secure, here's a few examples:
http://crambler.com/password-security-w ... omplexity/
http://www.csoonline.com/article/260895 ... words.html
https://stormpath.com/blog/5-myths-password-security

I can understand the changes after the issues of the past. But making everyone who's looking for support with Linux Mint upgrade their password implies someone on a "registered user" level could have logged in and hacked into the users' password list. I'd hope it was more complex when the breach occurred.

If they can't get their computer to even boot... now they have to remember Whyw0ntPCw0rk to find help :lol: I thought it might be funny
If not for the courage of the fearless crew the Minnow would be lost... the Minnow would be lost!

MintBean
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: More flexibility regarding passwords please

Post by MintBean » Fri Jul 07, 2017 10:43 pm

truepurple wrote:Besides, I don't want to hear words of hypocrisy from a site that failed to secure anything down to their OS download, that had EVERYTHING compromised. When you fail security like that, you folks have NO GROUNDS to be lecturing and forcing your ideals of security on anyone else.
Honestly, just go use another distro if that's your attitude.

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: More flexibility regarding passwords please

Post by Cosmo. » Sat Jul 08, 2017 6:08 am

djk44883 wrote:There are many articles why complex doesn't necessarily make it secure, here's a few examples:
Already in the first link I read
Consider using a long and complex passphrase
So this link says something different. After that I stopped reading.
BTW: The aspect of wordbook attacks is completely missing in the article; at least this word appears nowhere there.

Nobody said that a complex password can replace a long password; both are needed, and that is what the OP is complaining about.

I stay with what I wrote: The statement that restrictions to force using secure passwords can make passwords less secure is not proven. Actually it is wrong (just like many other details which the OP wrote).

djk44883
Level 1
Posts: 49
Joined: Sat Sep 01, 2012 10:27 pm
Location: Ohio, US

Re: More flexibility regarding passwords please

Post by djk44883 » Sat Jul 08, 2017 7:26 am

I'll concede, you can only do so much to protect people from themselves... no matter what is/isn't the securest method. If you have no restrictions and they use "password" for their password (I have no idea why, but apparently it's popular) it's a no-brainer for a hacker. If you apply more secure methods and user can't remember it so they put it on their monitor with a post-it... well you did what you could. Or no matter how often their system tells them to update security patches and malware detection... "I just click later"

So no matter what you do, end users are just people... you can't always protect them from themselves - but I understand you can't give up.

Personally I too am annoyed with restrictive passwords. I have a pattern I use for different password for everywhere, so when you make me come up with something completely different I dread clicking on 'forgot password'
If not for the courage of the fearless crew the Minnow would be lost... the Minnow would be lost!

lyndave
Level 1
Posts: 45
Joined: Tue Feb 07, 2017 12:30 pm
Location: australia

Re: More flexibility regarding passwords please

Post by lyndave » Sat Jul 08, 2017 8:23 pm

I for one think the password requirements for this site are really good as it makes the password very difficult to crack
