All forums user should reset their password

Radish
Level 4
Posts: 320
Joined: Sun May 12, 2013 11:20 pm

Re: All forums user should reset their password

Post by Radish »

Duke49th wrote:...where shall I write this down? Writing down passwords is stupid...isn't it?
I use keepass now and generate better passwords. Worst case would be to lose the database lol...
You don't have to write anything down. KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
Mint 17.3 x64 Cinnamon - Rosa
When stating what version of Mint you are using remember to include the "Edition". Is it "Cinnamon", "Mate", "KDE" or "XFCE"? This helps others help you.
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: All forums user should reset their password

Post by Cosmo. »

Radish wrote:KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
For what purpose? Let KPX do its job, the user doesn't even need to know the passwords.

A really good idea is to make regular backups of the KPX-database.
Radish
Level 4
Posts: 320
Joined: Sun May 12, 2013 11:20 pm

Re: All forums user should reset their password

Post by Radish »

Cosmo. wrote:
Radish wrote:KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
For what purpose? Let KPX do its job, the user doesn't even need to know the passwords.
Oh, I see, Cosmo. You are misinterpreting me. I was only suggesting printing it out (so that you can hide it somewhere safe) in case your entire computer, or the KPX database ever got so mangled that you couldn't retrieve your passwords. In that instance you would though have a printout to get you out of the fix of having just 'lost' all your passwords.

I agree, the user doesn't need to know their passwords. I only know my passwords for my email addresses and for my bank - those are in my memory and nowhere else. For every other password I have I haven't a blind-clue what it is - KPX manages all that for me, has done for years. (Though, I do have a printout in case things ever go seriously wrong.)
sdibaja
Level 5
Posts: 900
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: All forums user should reset their password

Post by sdibaja »

Radish wrote:
Cosmo. wrote:
Radish wrote:KeePass can create a file for you with your passwords in plain text that you can print out. (Menu) File > Export To...
For what purpose? Let KPX do its job, the user doesn't even need to know the passwords.
Oh, I see, Cosmo. You are misinterpreting me. I was only suggesting printing it out (so that you can hide it somewhere safe) in case your entire computer, or the KPX database ever got so mangled that you couldn't retrieve your passwords. In that instance you would though have a printout to get you out of the fix of having just 'lost' all your passwords.

I agree, the user doesn't need to know their passwords. I only know my passwords for my email addresses and for my bank - those are in my memory and nowhere else. For every other password I have I haven't a blind-clue what it is - KPX manages all that for me, has done for years. (Though, I do have a printout in case things ever go seriously wrong.)
Printing it out would be great. I would like to put a paper copy in my safe.
I am a total noob with KeePass (24 hours+/-) and have been unable to figure out how to print to a text file. The html export creates a blank file for me :(
Do I need some sort of add-on?
Peter
Mate desktop https://wiki.debian.org/MATE
Debian GNU/Linux operating system: https://www.debian.org/download
kc1di
Level 18
Posts: 8147
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: All forums user should reset their password

Post by kc1di »

Wanted to thank Clem and the whole team for their fast response to this issue ;)
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608
jonnymoon96

help changing password

Post by jonnymoon96 »

Can you help change my password on this forum?
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: help changing password

Post by Cosmo. »

Here you go.
rbenic

Re: All forums user should reset their password

Post by rbenic »

What accounts/addresses exactly are vulnerable to being hacked with decrypted data from your server (if they use the same password)?

- Accounts with the same username and e-mail
- Accounts with the same username, but with a different e-mail
- Accounts with the same e-mail, but with a different username
- Accounts with the same full name (as the full name of the e-mail address)
- E-mail addresses that can send mail from the hacked address (and applicable accounts)
- E-mail addresses that can receive mail from the hacked address (and applicable accounts)
- E-mail addresses that the hacked address can send mail from (and applicable accounts)
- E-mail addresses that the hacked address can receive mail from (and applicable accounts)
xenopeek
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: All forums user should reset their password

Post by xenopeek »

rbenic wrote:What accounts/addresses exactly are vulnerable to being hacked with decrypted data from your server (if they use the same password)?
Technicality, but as the FAQ in the first post here notes the passwords can't be decrypted. They can be brute forced by guessing, encrypting the guesses, and comparing the result to the encrypted passwords in the database till a match is found. Depending on how common/simple your password is that can take seconds or many years.

None of the examples you give describe the risks I think.
  • If your password can be obtained through brute force, and you use that same password for your email, likely any accounts you have with that email address are then vulnerable as with most websites you can request a password reset by email.
  • If you used a different password on your email, only accounts you have on other websites where you used the same email address and the same password are at risk.
  • If you didn't use the same password on any other account for that email address you're only at risk if the (already public) profile information on your account (like location, occupation, birthday) would help with guessing passwords on other accounts that use that email address.
  • Lastly, as noted 51% of the email addresses had already been stolen from other (not Linux Mint!) websites in earlier attacks. If you're one of those then the information stolen from those other websites can be combined with the information stolen from the Linux Mint forums. Possibly making guessing your passwords easier if on those other websites other personal information could be found and you used some of that information as part of your passwords (like your year of birth).
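
The guess, hash and compare process described in the post above, seen from the side of whoever stores the passwords, as an added example that is not part of the original thread. The forum's actual hashing scheme is not stated on this page; PBKDF2-HMAC-SHA256, the iteration count, the denylist and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor, not the forum's real setting
# Constructed denylist; 3141592654 is the common password mentioned in this thread.
COMMON_PASSWORDS = {"3141592654", "password", "1234567890"}

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the stored record (salt, iterations, digest) for one account."""
    salt = os.urandom(16) if salt is None else salt  # fresh salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(guess, record):
    """Hash the guess with the stored salt and compare in constant time."""
    salt, iterations, stored = record
    return hmac.compare_digest(hash_password(guess, salt, iterations)[2], stored)

def is_acceptable(password):
    """Server-side check at reset time: refuse passwords on the denylist."""
    return password not in COMMON_PASSWORDS

def seconds_per_guess(record, samples=3):
    """Measure what one guess-and-compare costs on this machine."""
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("wrong-guess", record)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(keyspace, cost_seconds):
    """Time to try every candidate against ONE salted record."""
    return keyspace * cost_seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    alice = hash_password("3141592654")  # constructed sample accounts
    bob = hash_password("3141592654")
    print("same password, same stored digest?", alice[2] == bob[2])
    cost = seconds_per_guess(alice)
    print(f"one guess costs {cost:.3f}s")
    print(f"all 10-digit numbers: {years_to_exhaust(10**10, cost):.1f} years per account")
    print("accepted at reset time?", is_acceptable("3141592654"))
```

The per-account salt means every guess has to be re-hashed for each record, but a password that sits on a common list still falls in the first few guesses however slow the hash is.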
BluuzMoBeeL

Re: All forums user should reset their password

Post by BluuzMoBeeL »

Thanks,
Checked my password, and there is no way it can be compromised, it's unique.
So these who back doored have wasted time, their time.

Thanks LMF..., all good on my side of the street.
sdibaja
Level 5
Posts: 900
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: All forums user should reset their password

Post by sdibaja »

BluuzMoBeeL wrote:Thanks,
Checked my password, and there is no way it can be compromised, it's unique.
So these who back doored have wasted time, their time.

Thanks LMF..., all good on my side of the street.
My password was also unique, and relatively strong. My new password is much stronger. Unfortunately many people are not quite so astute.

trivia: The 17th most common 10-digit password is 3141592654
a fun read: http://www.datagenetics.com/blog/september32012/

Bottom Line: we are thinking about it, that is a Good Thing!
Peter
prof_braino

Re: All forums user should reset their password

Post by prof_braino »

I notice the password policy is excessive:

"Password must be between 10 characters and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols."

How is this elegant or appropriate? This is a discussion forum, not an international banking establishment. Even if a forum member access password was hacked, would the attacker gain anything beyond the ability to post under the user name? Would the worst possible impact ever be greater than "mild annoyance"? Please consider consequence when addressing password policy.

Password should simply be LONG; e.g. mysistersallysellsseashells is easier and more secure than e.g. gr4v3ytr41n.

Sorry for the rant, but it makes me nuts when the maximum "war on terror" response is applied to every mundane issue. Yes, the SERVER was hacked, and yes the SERVER ADMINISTRATION access needs to be hardened. But no, individual user passwords remain trivial. To be random, passwords should be unrestricted; particularly when the access being protected is of trivial value. Overly restrictive password policy means one more password we will forget and need to reset next login. Please don't punish the users for an administrator mistake.
BluuzMoBeeL

Re: All forums user should reset their password

Post by BluuzMoBeeL »

I notice the password policy is excessive:
Not really, if one thinks about it;
If the, or a, forum is hacked, and it's a Linux forum of all things, I welcome them to hack it!
Why?
How else do vulnerabilities become exposed?
You are right in saying, "what can they gain by hacking a forum"?
Absolutely nothing, except it's a win to the forum's admin etc *because* the vulnerability is exposed, the idiot hacker exposed the hole, here, first.
Don't you think then this (hack) is noted and fixed beyond the forum in our favor?
Moem
Level 22
Posts: 16224
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: All forums user should reset their password

Post by Moem »

prof_braino wrote:I notice the password policy is excessive
I notice no such thing. I think it's fine. Seems we disagree, then.
prof_braino wrote:Even if a forum member access password was hacked, would the attacker gain anything beyond the ability to post under the user name? Would the worst possible impact ever be greater than "mild annoyance"?
Certainly, if people use identical passwords in different places. Which is unfortunately not unheard of, by any means.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Crewp

Re: All forums user should reset their password

Post by Crewp »

Hey M0em, glad to see you are right side up again. :lol:
Moem
Level 22
Posts: 16224
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: All forums user should reset their password

Post by Moem »

No no, I'm upside up. My right side is at the right. 8)
prof_braino

Re: All forums user should reset their password

Post by prof_braino »

Are we to understand that the hack of the mint download site was the result of a weak user password to access this forum? I did not understand that to be the case.

Unless the hack was due to a weak forum user password, changing the password policy to "difficult for the user to use" is not helping anything. If anything, the policy should be changed to "easy to use, difficult to crack". This is not the case here.

While it is trendy to set policy to something ridiculous such as require all of upper, lower, numbers, and special characters (rather than require a long sentence, etc) this is usually set for the benefit of those that do not understand passwords or security.

Anyway, we have heard the voice of the customer, now it is up to management to choose whether or not to listen. I'm done, thank you for the responses.
killer de bug

Re: All forums user should reset their password

Post by killer de bug »

prof_braino wrote:Please don't punish the users
I don't see any punishment. As already said, Firefox or a different software can remember the password for you. Therefore I don't see the deal with a short length like 12 characters.
Moem
Level 22
Posts: 16224
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: All forums user should reset their password

Post by Moem »

prof_braino wrote:Are we to understand that the hack of the mint download site was the result of a weak user password to access this forum? I did not understand that to be the case.
You're right: it's not. This, however, is the case: there were two different breaches. The download site was compromised, and the forum user database was stolen. So the passwords we used on this forum before are in the hands of crackers, who can try their worst to unencrypt them, at their leisure. For that reason, we have been told to set a new password, of a decent quality. I don't consider that to be unreasonable in any way.
Sector11

Re: All forums user should reset their password

Post by Sector11 »

killer de bug wrote:
prof_braino wrote:Please don't punish the users
I don't see any punishment. As already said, Firefox or a different software can remember the password for you. Therefore I don't see the deal with a short length like 12 characters.
Yup, and since my forgetter is getting better that is exactly how I remember them too.

Also...
killer de bug wrote:.. in its sig:

If it ain't broke, fix it until it is.
So that's what happened here. :lol:


Question: A bug is an "it" isn't it? :oops: