All forums user should reset their password

Chat about anything related to Linux Mint
Radish
Level 4
Posts: 316
Joined: Sun May 12, 2013 11:20 pm

Re: All forums user should reset their password

Post by Radish » Thu Mar 03, 2016 6:29 am

Duke49th wrote:...where shall I write this down? Writing down passwords is stupid...isn't it?
I use keepass now and generate better passwords. Worst case would be to lose the database lol...
You don't have to write anything down. KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
Mint 17.3 x64 Cinnamon - Rosa
When stating what version of Mint you are using remember to include the "Edition". Is it "Cinnamon", "Mate", "KDE" or "XFCE"? This helps others help you.

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: All forums user should reset their password

Post by Cosmo. » Thu Mar 03, 2016 8:36 am

Radish wrote:KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
For what purpose? Let KPX do its job, the user doesn't even need to know the passwords.

A really good idea is to make regular backups of the KPX-database.

Radish
Level 4
Posts: 316
Joined: Sun May 12, 2013 11:20 pm

Re: All forums user should reset their password

Post by Radish » Thu Mar 03, 2016 12:41 pm

Cosmo. wrote:
Radish wrote:KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
For what purpose? Let KPX do its job, the user doesn't even need to know the passwords.
Oh, I see, Cosmo. You are misinterpreting me. I was only suggesting printing it out (so that you can hide it somewhere safe) in case your entire computer, or the KPX database ever got so mangled that you couldn't retrieve your passwords. In that instance you would though have a printout to get you out of the fix of having just 'lost' all your passwords.

I agree, the user doesn't need to know their passwords. I only know my passwords for my email addresses and for my bank - those are in my memory and nowhere else. For every other password I have I haven't a blind-clue what it is - KPX manages all that for me, has done for years. (Though, I do have a printout in case things ever go seriously wrong.)
Mint 17.3 x64 Cinnamon - Rosa
When stating what version of Mint you are using remember to include the "Edition". Is it "Cinnamon", "Mate", "KDE" or "XFCE"? This helps others help you.

sdibaja
Level 5
Posts: 689
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: All forums user should reset their password

Post by sdibaja » Thu Mar 03, 2016 1:45 pm

Radish wrote:
Cosmo. wrote:
Radish wrote:KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
For what purpose? Let KPX do its job, the user doesn't even need to know the passwords.
Oh, I see, Cosmo. You are misinterpreting me. I was only suggesting printing it out (so that you can hide it somewhere safe) in case your entire computer, or the KPX database ever got so mangled that you couldn't retrieve your passwords. In that instance you would though have a printout to get you out of the fix of having just 'lost' all your passwords.

I agree, the user doesn't need to know their passwords. I only know my passwords for my email addresses and for my bank - those are in my memory and nowhere else. For every other password I have I haven't a blind-clue what it is - KPX manages all that for me, has done for years. (Though, I do have a printout in case things ever go seriously wrong.)
Printing it out would be great. I would like to put a paper copy in my safe.
I am a total noob with KeePass (24 hours+/-) and have been unable to figure out how to print to a text file. The html export creates a blank file for me :(
Do I need some sort of add-on?
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/

kc1di
Level 14
Posts: 5418
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: All forums user should reset their password

Post by kc1di » Thu Mar 03, 2016 1:47 pm

Wanted to thank Clem and the whole team for their fast response to this issue ;)
Easy tips : https://easylinuxtipsproject.blogspot.com/
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

jonnymoon96
Level 1
Posts: 27
Joined: Wed Aug 12, 2015 9:19 pm

help changing password

Post by jonnymoon96 » Thu Mar 03, 2016 2:04 pm

Can you help change my password on this forum?

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: help changing password

Post by Cosmo. » Thu Mar 03, 2016 3:34 pm

Here you go.

rbenic
Level 1
Posts: 32
Joined: Wed Jan 29, 2014 6:46 pm

Re: All forums user should reset their password

Post by rbenic » Sun Mar 06, 2016 1:55 pm

What accounts/addresses exactly are vulnerable to being hacked with decrypted data from your server (if they use the same password)?

- Accounts with the same username and e-mail
- Accounts with the same username, but with a different e-mail
- Accounts with the same e-mail, but with a different username
- Accounts with the same full name (as the full name of the e-mail address)
- E-mail addresses that can send mail from the hacked address (and applicable accounts)
- E-mail addresses that can receive mail from the hacked address (and applicable accounts)
- E-mail addresses that the hacked address can send mail from (and applicable accounts)
- E-mail addresses that the hacked address can receive mail from (and applicable accounts)

xenopeek
Level 24
Posts: 24134
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: All forums user should reset their password

Post by xenopeek » Mon Mar 07, 2016 1:18 am

rbenic wrote:What accounts/addresses exactly are vulnerable to being hacked with decrypted data from your server (if they use the same password)?
Technicality, but as the FAQ in the first post here notes the passwords can't be decrypted. They can be brute forced by guessing, encrypting the guesses, and comparing the result to the encrypted passwords in the database till a match is found. Depending on how common/simple your password is that can take seconds or many years.

None of the examples you give describe the risks I think.
  • If your password can be obtained through brute force, and you use that same password for your email, likely any accounts you have with that email address are then vulnerable as with most websites you can request a password reset by email.
  • If you used a different password on your email, only accounts you have on other websites where you used the same email address and the same password are at risk.
  • If you didn't use the same password on any other account for that email address you're only at risk if the (already public) profile information on your account (like location, occupation, birthday) would help with guessing passwords on other accounts that use that email address.
  • Lastly, as noted 51% of the email addresses had already been stolen from other (not Linux Mint!) websites in earlier attacks. If you're one of those then the information stolen from those other websites can be combined with the information stolen from the Linux Mint forums. Possibly making guessing your passwords easier if on those other websites other personal information could be found and you used some of that information as part of your passwords (like your year of birth).
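The guess, hash and compare process described in the post above, shown from the defender's side as a password audit. This is an added example, not part of the original thread and not the forum software's code. PBKDF2-SHA256, the iteration count, the user names and the short common-password list are assumptions made for illustration; the thread does not state which hashing scheme the forum used.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: kept low so the demo finishes quickly; real deployments use far more.
ITERATIONS = 50_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: there is no decrypt step."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt: equal passwords give different digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def audit(stored: Dict[str, Tuple[bytes, bytes]], common: List[str]) -> Dict[str, str]:
    """Return {user: password} for accounts whose password is on the common list."""
    weak = {}
    for user, (salt, digest) in stored.items():
        for guess in common:
            if verify(guess, salt, digest):
                weak[user] = guess
                break
    return weak

# Constructed sample data: a tiny "most common passwords" list and three accounts.
COMMON = ["123456", "password", "qwerty", "3141592654", "letmein"]
STORED = {
    "alice": hash_password("3141592654"),                   # on the common list
    "bob": hash_password("mysistersallysellsseashells"),    # long, not on the list
    "carol": hash_password("password"),                     # on the common list
}

def run_demo() -> Dict[str, str]:
    return audit(STORED, COMMON)

if __name__ == "__main__":
    print(run_demo())
```

Each candidate costs one full PBKDF2 computation per account, which is why a slow, salted hash and a password absent from common lists together push the guessing time from seconds toward years.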

BluuzMoBeeL
Level 1
Posts: 25
Joined: Fri Aug 14, 2015 11:40 pm
Location: Australia

Re: All forums user should reset their password

Post by BluuzMoBeeL » Mon Mar 14, 2016 5:51 am

Thanks,
Checked my password, and there is no way it can be compromised, it's unique.
So these who back doored have wasted time, their time.

Thanks LMF..., all good on my side of the street.

sdibaja
Level 5
Posts: 689
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: All forums user should reset their password

Post by sdibaja » Mon Mar 14, 2016 10:47 am

BluuzMoBeeL wrote:Thanks,
Checked my password, and there is no way it can be compromised, it's unique.
So these who back doored have wasted time, their time.

Thanks LMF..., all good on my side of the street.
My password was also unique, and relatively strong. My new password is much stronger. Unfortunately many people are not quite so astute.

trivia: The 17th most common 10-digit password is 3141592654
a fun read: http://www.datagenetics.com/blog/september32012/

Bottom Line: we are thinking about it, that is a Good Thing!
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/

prof_braino
Level 1
Posts: 42
Joined: Sun Mar 30, 2014 2:10 pm
Location: Chicago

Re: All forums user should reset their password

Post by prof_braino » Wed Mar 16, 2016 11:14 am

I notice the password policy is excessive:

"Password must be between 10 characters and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols."

How is this elegant or appropriate? This is a discussion forum, not an international banking establishment. Even if a forum member access password was hacked, would the attacker gain anything beyond the ability to post under the user name? Would the worst possible impact ever be greater than "mild annoyance"? Please consider consequence when addressing password policy.

Password should simply be LONG; e.g. mysistersallysellsseashells is easier and more secure than e.g. gr4v3ytr41n.

Sorry for the rant, but it makes me nuts when the maximum "war on terror" response is applied to every mundane issue. Yes, the SERVER was hacked, and yes the SERVER ADMINISTRATION access needs to be hardened. But no, individual user passwords remain trivial. To be random, passwords should be unrestricted; particularly when the access being protected is of trivial value. Overly restrictive password policy means one more password we will forget and need to reset next login. Please don't punish the users for an administrator mistake.

BluuzMoBeeL
Level 1
Posts: 25
Joined: Fri Aug 14, 2015 11:40 pm
Location: Australia

Re: All forums user should reset their password

Post by BluuzMoBeeL » Wed Mar 16, 2016 12:42 pm

I notice the password policy is excessive:
Not really, if one thinks about it;
If the, or a, forum is hacked, and it's a Linux forum of all things, I welcome them to hack it !
Why ?
How else do vulnerabilities become exposed ?
You are right in saying, "what can they gain by hacking a forum" ?
Absolutely nothing, except it's a win to the forum's admin etc *because* the vulnerability is exposed, the idiot hacker exposed the hole, here, first.
Don't you think then this, ( hack) is noted and fixed beyond the forum in our favor ?

Moem
Level 19
Posts: 9514
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: All forums user should reset their password

Post by Moem » Wed Mar 16, 2016 1:15 pm

prof_braino wrote:I notice the password policy is excessive
I notice no such thing. I think it's fine. Seems we disagree, then.
prof_braino wrote:Even if a forum member access password was hacked, would the attacker gain anything beyond the ability to post under the user name? Would the worst possible impact ever be greater than "mild annoyance"?
Certainly, if people use identical passwords in different places. Which is unfortunately not unheard of, by any means.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Crewp
Level 9
Posts: 2517
Joined: Sat Dec 01, 2012 8:36 pm
Location: Connecticut,USA

Re: All forums user should reset their password

Post by Crewp » Wed Mar 16, 2016 1:25 pm

Hey M0em, glad to see you are right side up again. :lol:

Moem
Level 19
Posts: 9514
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: All forums user should reset their password

Post by Moem » Wed Mar 16, 2016 2:15 pm

No no, I'm upside up. My right side is at the right. 8)

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

prof_braino
Level 1
Posts: 42
Joined: Sun Mar 30, 2014 2:10 pm
Location: Chicago

Re: All forums user should reset their password

Post by prof_braino » Wed Mar 16, 2016 3:39 pm

Are we to understand that the hack of the mint download site was the result of a weak user password to access this forum? I did not understand that to be the case.

Unless the hack was due to a weak forum user password, changing the password policy to "difficult for the user to use" is not helping anything. If anything, the policy should be changed to "easy to use, difficult to crack". This is not the case here.

While it is trendy to set policy to something ridiculous such as require all of upper, lower, numbers, and special characters (rather than require a long sentence, etc) this is usually set for the benefit of those that do not understand passwords or security.

Anyway, we have heard the voice of the customer, now it is up to management to choose whether or not to listen. I'm done, thank you for the responses.

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: All forums user should reset their password

Post by killer de bug » Wed Mar 16, 2016 3:43 pm

prof_braino wrote:Please don't punish the users
I don't see any punishment. As already said, Firefox or a different software can remember the password for you. Therefore I don't see the deal with a short length like 12 characters.
If it ain't broke, fix it until it is.

Moem
Level 19
Posts: 9514
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: All forums user should reset their password

Post by Moem » Wed Mar 16, 2016 4:07 pm

prof_braino wrote:Are we to understand that the hack of the mint download site was the result of a weak user password to access this forum? I did not understand that to be the case.
You're right: it's not. This, however, is the case: there were two different breaches. The download site was compromised, and the forum user database was stolen. So the passwords we used on this forum before are in the hands of crackers, who can try their worst to unencrypt them, at their leisure. For that reason, we have been told to set a new password, of a decent quality. I don't consider that to be unreasonable in any way.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Sector11
Level 3
Posts: 175
Joined: Mon Nov 22, 2010 10:33 am

Re: All forums user should reset their password

Post by Sector11 » Wed Mar 16, 2016 4:09 pm

killer de bug wrote:
prof_braino wrote:Please don't punish the users
I don't see any punishment. As already said, Firefox or a different software can remember the password for you. Therefore I don't see the deal with a short length like 12 characters.
Yup, and since my forgetter is getting better that is exactly how I remember them too.

Also...
killer de bug wrote:.. in its sig:

If it ain't broke, fix it until it is.
So that's what happened here. :lol:


Question: A bug is an "it" isn't it? :oops:
Using: BunsenLabs based on Debian Stable.
Conky PitStop
