Hackaday Forums

[gcb]

that's it.

[asheets]

What's "it"? You want to discuss what goes into making a password policy? Or complain about something?

[gcb]

heh, it was more a request. was typing after having to recover my password on a mobile.

why forums need better password policies than your online bank? there's no reason for that on sites nobody care about the data.

everyone will still use silly passwords for forums, be it "password" or "Password1"... nobody cares about forum passwords. having weird restrictions just made it harder to remember.

be your passwords hard to guess or not, silly rules ultimately just make them hard to remember

[MS3FGX]

If this forum has better password policies than your bank, I would suggest you take it up with your bank, not us.

There is absolutely no reason in the world that you shouldn't be using strong passwords for all your online services. Just because you don't personally think a forum is important enough to have a password more complex than "Password" doesn't make it true.

[UAirLtd]

if only there was a way of ensuring that people who choose to use weak passwords can have only themselves to blame when their money and identity gets stolen...

on a related note, our company policy is to use full alphanumeric+symbol passwords everywhere, we find that actually many sites don't allow a full range of symbols, and the only conceivable reason for this is if they weren't handling passwords in a secure way. Absurd!

In fact, one e-commerce solution that we use (a commercial, paid-for system, that is very popular and used by many other e-commerce sites on the internet), has some major issues with password - admin can view all the passwords. We asked them about it, and they claim that passwords are "encrypted in the database", and are "unencrypted for the admin panel", but that whole idea is pointless. There should be no instance where any admin needs to see user passwords at all, password-recover should never be possible, only password-resetting. We've had to disable user accounts entirely because of this, and we're only allowing anonomymous checkouts because of our concern about our users' data being compromised. If their e-commerce systems get hacked, we're damn well not going to allow our customers' data to be on there to be lost.

[gcb]

If this forum has better password policies than your bank, I would suggest you take it up with your bank, not us.

There is absolutely no reason in the world that you shouldn't be using strong passwords for all your online services. Just because you don't personally think a forum is important enough to have a password more complex than "Password" doesn't make it true.

if the user does not feel compeled to safegard his access to service in the first place, passwords instructions just compels users to type passwords that follow exactly the complex instructions... e.g. "one uppercase letter, one lower case letter, 8 characters minium, one number" = "Abcdefg1" or "12345678aA"

why do think 123456 and 12345678 are the most common passwords in the world? because most forms says next to the password field "minimum of 6 characters" or "minimum of 8 characters"... making more rules will make your users safer for a week more or so. but it drives people with already safe 6-8 chars passwords to ignore their good passwords rules and just deal with the crazy new rules like the above example.

anyway, it just pissed me at the time mostly because my function to create passwords based on domain (so i don't forget as i can simply run the function on my mind when i need to login anywhere) generated something without uppercases

[gcb]

if only there was a way of ensuring that people who choose to use weak passwords can have only themselves to blame when their money and identity gets stolen...

on a related note, our company policy is to use full alphanumeric+symbol passwords everywhere, we find that actually many sites don't allow a full range of symbols, and the only conceivable reason for this is if they weren't handling passwords in a secure way. Absurd!

In fact, one e-commerce solution that we use (a commercial, paid-for system, that is very popular and used by many other e-commerce sites on the internet), has some major issues with password - admin can view all the passwords. We asked them about it, and they claim that passwords are "encrypted in the database", and are "unencrypted for the admin panel", but that whole idea is pointless. There should be no instance where any admin needs to see user passwords at all, password-recover should never be possible, only password-resetting. We've had to disable user accounts entirely because of this, and we're only allowing anonomymous checkouts because of our concern about our users' data being compromised. If their e-commerce systems get hacked, we're damn well not going to allow our customers' data to be on there to be lost.

heh. seems lots of those. at least you guys know what's going on and act right.

most of the time people are clueless about it.

[tamarok]

A good password policy really depends on the context of usage. What are you protecting and in what environment? Are there safe guards against multiple retries?

The most basic password policy is "no dictionary words", and that usually assumes the language of the site you are connecting to. After that there are other characters you can add to the mix and length rules.

I have seen places where they have a good password format policy, but one of the following, which undermine this:
- poor password recovery process (too easy to fraud)
- the password is stored in clear text in the database. it should usually be hash and salted hash at that.
- the authentication process is via http and not https
- the cookie stores a clearcase password

All security systems have a weakness, you should establish how easy it is to exploit and in what situations.

Remember security is a delaying tactic and not a catch all solution. The strength of your security is in relation to the interest of what you are trying to protect.