Forum Password Requirement & Periodic Reset

Discussion in 'vBulletin' started by Pigoo, Aug 17, 2019.

  1. Pigoo

    Pigoo Enthusiast

    I've been getting some grumbling lately from members on my site regarding the need for a login ID and password for their accounts...and the need to change their password every so often (via the setting in the Admin control panel).

    Some of the reasons they mention do make some sense...such as there really are no super-hyper critical personal or financial information asked for upon registration or stored in the database.

    I think I would be ok if each member used a really strong password (including numbers, letters, capitals, ampersands, minimum number of digits, etc.)...and then the requirement for changing passwords every so often could be relaxed. But I think the problem is vBulletin 4.2.5 doesn't support mandatory strong passwords like this.

    Can anyone give me a really good reason or two why maintaining a password is important for each member's account (and changing it every so often)...so I can share it with the website membership?

    Thanks
     
  2. haqzore

    haqzore Devotee

  3. Pigoo

    Pigoo Enthusiast

    Thanks for the links...and the reply. I have read those and other articles similar to it before posting here.:)

    Articles like those can be helpful...but it's also great to hear what other individual website owners & admins are doing...and what their opinions are regarding account passwords & resetting them occasionally.

    For example haqzore...with the website or websites you're associated with...what do you do?

    This is the sort of answer I was hoping to receive in this thread (actual "real world" password practices from Admin Zone members).:)

    Thanks:)
     
  4. haqzore

    haqzore Devotee

    The issue to keep in mind is that the few replies you get on TAZ amount to a very small sample size, from folks who aren't security experts.

    The articles we've read are from far more robust sets of data and resources, so should be given more weight.

    Anyways, I have 2 active sites currently with a few thousand members. I have no password expiration active. I have no complexity requirements. I've had no issues with member security/breaches/etc. Ever.
     
  5. R0binHood

    R0binHood Habitué

    Both the UK National Cyber Security Centre and the US National Institute of Standards and Technology currently advise against this.

    https://theadminzone.com/threads/resetting-passwords-at-regular-intervals.151212/

    Having a way to require mandatory strong passwords with no time constraint seems to be the best way forward.
     
  6. Pigoo

    Pigoo Enthusiast

    Of course...still very nice to hear real world examples of what others are doing & experiencing.:)

    Awesome...thanks for sharing.:)

    Let me share this thought. With many things in life...many folks think that they are invulnerable to many things because they themselves have never been a victim of something...or think that what they've been doing to avoid many of life's pitfalls is the sure-fire way to avoid them.

    It's only when they've been a victim of something...do they then realize that they are not invulnerable...maybe the habits or practices they have been relying on are not the best...and they need to be a lot more careful in the future!

    Thanks again for the replies.:)
     
  7. Pigoo

    Pigoo Enthusiast

    Yes I agree...and mentioned this in my original post.:)

    Problem is (as far as I know)...vBulletin 4.2.5 doesn't support mandatory strong passwords (including numbers, letters, capitals, ampersands, minimum number of digits, etc.).

    As I also mentioned in my original post...I would be ok with a mandatory strong password without a reset date...if vBulletin 4.2.5 supported it.:)

    Thanks for the reply & Admin Zone link.:)
     
  8. R0binHood

    R0binHood Habitué

    Maybe you're best just letting them set the password to what they want and leaving it as is even without a way to force strong passwords?

    Forcing them to change their password regularly is only going to ensure that the passwords of some regular users get weaker and weaker as they try to create new easy to remember replacements to their old expired passwords while also frustrating them for having to create new passwords regularly in the first place.
     
  9. haqzore

    haqzore Devotee

    Agree with this.

    If you can't accomplish minimum complexity, at least stop forcing regular resets, as it's proven (as linked) to reduce security.
     
  10. Paul M

    Paul M Limeade Addict

    I would think it's pretty obvious why you need a password.

    No forum I have run has forced password changes; I've never (knowingly) had any issues with this.
    There really is no reason to change it often, although it's better if you have a decent password of course.

    As best I can remember, no forum I've ever been a member of has forced them either.
    The only time I have changed mine is if the site I'm a member of has been compromised.
     
  11. mysiteguy

    mysiteguy Devotee

    It wouldn't matter a great deal if VB 4.2.5 supported mandatory strong passwords; its password storage is notoriously weak, and with a few GPUs/CPUs you can crack about half the hashes in a half-million-user VB database in a single day.
     
  12. MagicalAzareal

    MagicalAzareal Magical Developer

    Forcing people to change their passwords frequently leads to them using a weak password and possibly an alternating number at the end or something else. It doesn't make you more secure, all it does is make you less secure.
     
  13. zappaDPJ

    zappaDPJ Administrator

    The only time I would ever force a password change is if there was a security breach and even then I wouldn't do it until I felt 100% sure the breach had been plugged. I've not read any of the articles linked but I have had personal experience of instances where enforced changes caused security breaches.

    Many years ago I started working for an IT department that had a business-wide policy of monthly forced password changes. This resulted in almost every employee noting their new password and placing it somewhere in their desk... I stopped that initiative on day one.
     
  14. phatcows

    phatcows Enthusiast

    Or they just use the same password with a new digit on the end...1,2,3 etc. I work for a large Governmental body, and whilst they finally moved away from the monthly password change process a couple of years ago, let's just say, they didn't move very far from it.
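Several posts above argue for a minimum-strength requirement with no expiry (R0binHood, haqzore) and describe users defeating forced resets by bumping a trailing digit (MagicalAzareal, phatcows). The following is an added example, not code from this thread or from vBulletin, of such a check in Python: minimum length, a denylist of common passwords, and rejection of the "old password plus a new trailing digit" edit, with no composition rules and no expiry. The denylist is a small constructed sample and the function and constant names are my own.

```python
"""NIST SP 800-63B style password acceptance check (added example, not from
the thread or vBulletin): length floor, common-password denylist, and no
trivial edits of the previous password. No composition rules, no expiry."""
import re
import unicodedata
from typing import List, Optional

MIN_LENGTH = 8

# Constructed sample denylist. A real deployment would load a large
# breached/common-password list instead of these few entries.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "12345678"}

_TRAILING_DIGITS = re.compile(r"\d+$")


def _stem(pw: str) -> str:
    """Lower-case and strip trailing digits, so 'Summer2019' and 'Summer2020'
    (the rotation pattern described in the thread) compare equal."""
    return _TRAILING_DIGITS.sub("", pw.lower())


def check_password(candidate: str, username: str,
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of reasons the candidate is rejected; empty means OK."""
    pw = unicodedata.normalize("NFKC", candidate)  # 800-63B recommends normalising
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Deny both the exact entry and "entry plus digits", e.g. 'Password2'.
    if pw.lower() in COMMON_PASSWORDS or _stem(pw) in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if previous is not None:
        if pw == previous:
            problems.append("same as the previous password")
        elif _stem(pw) and _stem(pw) == _stem(previous):
            problems.append("previous password with only the trailing digits changed")
    return problems
```

Composition rules (mandatory capitals, symbols, digits) are deliberately absent: the denylist and length floor do the work, and users keep a passphrase they can actually remember.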
     
  15. zappaDPJ

    zappaDPJ Administrator

    I found this article quite interesting: https://theadminzone.com/ams/forced-password-reset-check-your-assumptions.1310/

    To cut to the chase:

     