Forum Password Requirement & Periodic Reset

Pigoo · Aug 17, 2019

I've been getting some grumbling lately from members on my site regarding the need for a login ID and password for thier acounts...and the need to change thier password every so often (via the setting in the Admin control panel).

Some of the reasons they mention do make some sense...such as there really are no super-hyper critical personal or financial information asked for upon registration or stored in the database.

I think I would be ok if each member used a really strong password (including numbers, letters, capitals, ampersands, minimum number of digits, etc.)...and then the requirement for changing passwords every so often could be relaxed. But I think the problem is vBulletin 4.2.5 doesn't support mandatory strong passwords like this.

Can anyone give me a really good reason or two why maintaining a password is important for each members account (and changing it every so often)...so I can share it with the website membership?

Thanks

haqzore · Aug 17, 2019

It's actually proven that neither of your desired strategies are effective or beneficial. They actually make security worse.

Here are a couple, but a quick Google will get you all you could need.

https://arstechnica.com/information...ry-password-changing-is-ancient-and-obsolete/

https://resources.infosecinstitute.com/password-security-complexity-vs-length/

Pigoo · Aug 17, 2019

Thanks for the links...and the reply. I have read those and other articles similar to it before posting here.

Articles like those can be helpful...but it's also great to hear what other individual website owners & admins are doing...and what their opinions are regarding account passwords & resetting them occasionally.

For example haqzore...with the website or websites you're associated with...what do you do?

This is the sort of answer I was hoping to receive in this thread (actual "real world" password practices from Admin Zone members).

Thanks

haqzore · Aug 17, 2019

Pigoo said:
Thanks for the links...and the reply. I have read those and other articles similar to it before posting here.

Articles like those can be helpful...but it's also great to hear what other individual website owners & admins are doing...and what their opinions are regarding account passwords & resetting them occasionally.

For example haqzore...with the website or websites you're associated with...what do you do?

This is the sort of answer I was hoping to receive in this thread (actual "real world" password practices from Admin Zone members).

Thanks

The issue to keep in mind is that the few replies you get on TAZ amount to a very small sample size, from folks who aren't security experts.

The articles we've read are from far more robust sets of data and resources, so should be given more weight.

Anyways, I have 2 active sites currently with a few thousand members. I have no password expiration active. I have no complexity requirements. I've had no issues with member security/breaches/etc. Ever.

R0binHood · Aug 17, 2019

Pigoo said:
I've been getting some grumbling lately from members on my site regarding the need for a login ID and password for thier acounts...and the need to change thier password every so often (via the setting in the Admin control panel).

Both the UK National Cyber Security Center and the US National Institute of Standards and Technology currently advice against this

https://theadminzone.com/threads/resetting-passwords-at-regular-intervals.151212/

Having a way top require mandatory strong passwords with no time constraint seems to the the best way forward.

Pigoo · Aug 17, 2019

haqzore said:
The issue to keep in mind is that the few replies you get on TAZ amount to a very small sample size, from folks who aren't security experts.

Of course...still very nice to hear real world examples of what others are doing & experiencing.

haqzore said:
Anyways, I have 2 active sites currently with a few thousand members. I have no password expiration active. I have no complexity requirements. I've had no issues with member security/breaches/etc. Ever.

Awesome...thanks for sharing.

Let me share this thought. With many things in life...many folks think that they are invulnerable to many things because they themselves have never been a victim of something...or think that what they've been doing to avoid many of life's pitfalls is the sure-fire way to avoid them.

It's only when they've been a victim of something...do they then realize that they are not invulernable...maybe the habits or practices they have been relying on are not the best...and they need to be a lot more careful in the future!

Thanks again for the replies.

Pigoo · Aug 17, 2019

R0binHood said:
Having a way top require mandatory strong passwords with no time constraint seems to the the best way forward.

Yes I agree...and mentioned this in my original post.

Problem is (as far as I know)...vBulletin 4.2.5 doesn't support mandatory strong passwords ((including numbers, letters, capitals, ampersands, minimum number of digits, etc.).

As I also mentioned in my original post...I would be ok with a mandatory strong password without a reset date...if vBulletin 4.2.5 supported it.

Thanks for the reply & Admin Zone link.

R0binHood · Aug 17, 2019

Maybe you're best just letting them set the password to what they want and leaving it as is even without a way to force strong passwords?

Forcing them to change their password regularly is only going to ensure that the passwords of some regular users get weaker and weaker as they try to create new easy to remember replacements to their old expired passwords while also frustrating them for having to create new passwords regularly in the first place.

haqzore · Aug 17, 2019

R0binHood said:
Maybe you're best just letting them set the password to what they want and leaving it as is even without a way to force strong passwords?

Forcing them to change their password regularly is only going to ensure that the passwords of some regular users get weaker and weaker as they try to create new easy to remember replacements to their old expired passwords while also frustrating them for having to create new passwords regularly in the first place.

Agree with this.

If you can't accomplish minimum complexity, at least stop forcing regular resets, as it's proven (as linked) to reduce security.

Paul M · Aug 17, 2019

Pigoo said:
Can anyone give me a really good reason or two why maintaining a password is important for each members account (and changing it every so often)...so I can share it with the website membership?

I would think its pretty obvious why you need a password.

No forum I have run has forced password changes, Ive never (knowningly) had any issues with this.
There really is no reason to change it often, although its better if you have a decent password of course.

As best I can remember, no forum Ive ever been a member of has forced them either,
The only time I have changed mine is if the site Im a member of has been compromised.

mysiteguy · Aug 17, 2019

If wouldn't matter a great deal if VB 4.2.5 supported mandatory strong passwords, it's password storage is notoriously weak and with a few GPUs/CPUs you can crack about half the hashes in a half million user VB database in a single day.

MagicalAzareal · Aug 17, 2019

Forcing people to change their passwords frequently leads to them using a weak password and possibly an alternating number at the end or something else. It doesn't make you more secure, all it does is make you less secure.

zappaDPJ · Aug 20, 2019

The only time I would ever force a password change is if there was a security breach and even then I wouldn't do it until I felt 100% sure the breach had been plugged. I've not read any of the articles linked but I have had personal experience of instances where enforced changes caused security breaches.

Many years ago I started working for an IT department who had a business wide policy of monthly forced password changes. This resulted in almost every employee noting their new password and placing it somewhere in their desk... I stopped that initiative on day one.

phatcows · Aug 20, 2019

zappaDPJ said:
Many years ago I started working for an IT department who had a business wide policy of monthly forced password changes. This resulted in almost every employee noting their new password and placing it somewhere in their desk

Or they just use the same password with a new digit on the end...1,2,3 etc. I work for a large Governmental body, and whilst they finally moved away from the monthly password change process a couple of years ago, let's just say, they didn't move very far from it.

zappaDPJ · Aug 22, 2019

I found this article quite interesting: https://theadminzone.com/ams/forced-password-reset-check-your-assumptions.1310/

To cut to the chase:

According to a recent blog entry by Microsoft group program manager Alex Weinert, none of the above advice about password complexity amounts to a hill of beans from the attacker’s standpoint.

Weinert’s post makes a compelling argument that as long as we’re stuck with passwords, taking full advantage of the most robust form of multi-factor authentication (MFA) offered by a site you frequent is the best way to deter attackers. Twofactorauth.org has a handy list of your options here, broken down by industry.

“Your password doesn’t matter, but MFA does,” Weinert wrote. “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Forum Password Requirement & Periodic Reset

Pigoo

Adherent

haqzore

Devotee

Pigoo

Adherent

haqzore

Devotee

R0binHood

Habitué

Pigoo

Adherent

Pigoo

Adherent

R0binHood

Habitué

haqzore

Devotee

Paul M

Super Moderator

mysiteguy

Fanatic

MagicalAzareal

Magical Developer

zappaDPJ

Moderator

phatcows

Adherent

zappaDPJ

Moderator