Forest BB

The digital grapevine of The Forest.
It is currently Mon Sep 22, 2014 12:15 pm

PostPosted: Fri Jul 17, 2009 12:43 pm 

Joined: Mon Jan 22, 2007 5:50 pm
Posts: 944
When signing up for the website, it pushes the user to choose a strong password. I think this is a bad thing and will discourage people from logging in because of problems with forgotten passwords. I have had this myself with sites that make me use a strong password. I end up not using it at all because it makes me deviate from my normal system of creating passwords, so I forget. Once I have had to reset my password a couple of times, I just don't bother with that site anymore - too much hassle.

I understand that the site does not force you to choose a strong password. I have ignored its advice and used one of my usual ones. However, the first time I chose a password for the site, I thought it was requiring me to make a strong one. The interface is misleading in that way. So I chose a strong one and subsequently forgot it, requiring a reset which was a hassle.

I also understand that it may be seen as a good opportunity to teach people about strong passwords and encourage them to start using them. I think it would be fine to have a box on the sign-up page that gives information. But to have a box telling you "Your password is too weak" when you are choosing it is going too far.

Check this (pdf):
Quote:
ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the user IDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.

By all means give information about password strength, and why choosing a strong one may be good. But let's avoid discouraging people from using weak ones if they want. It is not as if the forest is a major hacking target.


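The abstract neil quotes rests on one mechanism: a "three strikes" rule that caps how many online guesses an attacker gets at a single account. The following is an added illustration of that mechanism and of the arithmetic behind the "about 20 bits" figure; it is not code from the forum or its software. The lockout length (one hour), the account names and the login attempts are constructed for the example.

```python
"""Online guessing against a rate-limited login (added example)."""
import math
from collections import defaultdict

MAX_FAILURES = 3            # the "three strikes" rule from the abstract
LOCKOUT_SECONDS = 60 * 60   # assumed lockout window: one hour


class LockoutPolicy:
    """Per-account failure counter that locks an account after MAX_FAILURES."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unix time lock expires

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`.

        A correct password is not honoured while the account is locked, so an
        attacker learns nothing from guesses made during the lockout.
        """
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lockout_seconds
        return "denied"


def simulate_bruteforce(account, seconds):
    """Guesses an attacker firing one attempt per second actually gets checked."""
    policy = LockoutPolicy()
    checked = 0
    for t in range(seconds):
        if policy.attempt(account, False, t) == "denied":
            checked += 1
    return checked


def expected_guessing_years(password_bits, max_failures=MAX_FAILURES,
                            lockout_seconds=LOCKOUT_SECONDS):
    """Years until the attacker reaches half the password space on one account.

    Half the space is the expected number of guesses for a uniformly chosen
    password; the lockout bounds the guess rate to max_failures per window.
    """
    expected_guesses = 2 ** password_bits / 2
    guesses_per_second = max_failures / lockout_seconds
    seconds = expected_guesses / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("guesses checked in one day:", simulate_bruteforce("neil", 24 * 3600))
    for bits in (20, 30, 40):
        print(f"{bits}-bit password, 3 guesses/hour: "
              f"{expected_guessing_years(bits):,.0f} years")
```

With three guesses per hour, a 20-bit password (about a million possibilities) takes the attacker roughly twenty years on average; the simulation confirms the policy yields 72 checked guesses per day. That is the whole argument of the abstract: above that point, extra bits only help against an attacker who has the hash database, not against one guessing at the login form, and they do nothing against phishing or a keylogger.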
 
PostPosted: Fri Jul 17, 2009 8:07 pm 

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
neil wrote:
It is not as if the forest is a major hacking target.


Security through obscurity is bad practice.

_________________
Mike

Dancing on into the afternoon heat, and I promise by tomorrow I'll be gone; goodbye everyone, goodbye everyone...


 
PostPosted: Sat Jul 18, 2009 10:28 am 

Joined: Thu Apr 20, 2006 2:01 pm
Posts: 1327
Actually security by obscurity means something slightly different. Agree with Neil on this, I think we want simplicity all the way.

_________________
I've had it with you. If I had an image of a laser gun I would absolutely position it right here in my hand...
Ha! I have a real laser absolutely positioned in my hand!


 
PostPosted: Sat Jul 18, 2009 11:10 am 

Joined: Thu Sep 16, 2004 2:10 pm
Posts: 1557
I HATE needing a strong password, when they make you use at least some caps and at least some numbers it means I have no way of remembering my thousand different passwords so have to write them down in giant permanent marker letters all over my web presence to remind me what they are. This is not good. xxXX

_________________
"We all tend to idealise kindness and tolerance, then wonder why we find ourselves infested with losers and nutcases." Sebastian Horsley


 
PostPosted: Sat Jul 18, 2009 3:10 pm 

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
chombee wrote:
Actually security by obscurity means something slightly different.


Yeah, it wasn't exactly the term I was looking for, but you get the idea.

Just because we might not be a viable target for hackers, doesn't mean we can be lax about our security. There are boxes connected to the web that do nothing but spider sites until they find one that can potentially be exploited. I had to deal with an attack of spambots and hacking attempts on a website I ran which had a regular userbase of about 6 people.



 
PostPosted: Sat Jul 18, 2009 4:00 pm 

Joined: Mon Jan 22, 2007 5:50 pm
Posts: 944
We have also had to deal with hacks at the forest. The bb has been taken down, so has the blog we used to run. It's fine; we dealt with it. What I'm saying is, it's not national security that's at stake. It's not worth causing people loads of hassle and putting them off from signing up & using the site.


 
PostPosted: Fri Jan 22, 2010 5:14 pm 

Joined: Thu Apr 20, 2006 2:01 pm
Posts: 1327
I read a good idea about passwords today. It said that making people type both their username and a password is pointless typing. The username doesn't improve security any because it's plainly visible and accessible to any observer. If the system made sure that everyone had a different password, then you could log in by typing your password only. This'd mean that passwords could be longer (so more secure) and it would still be less typing because you don't need to type a user name. To make sure everyone has a different password you don't ask users to come up with a password; instead the system generates a handful of passwords and lets the user choose the one they like. The passwords should be easy to remember. It suggested randomly generated combinations of English words like:

savory manlike oracle

exclusive malformed seal

old free papaya

blooming small labyrinth

rotten turnip sob story

There are trillions of possible passwords like this in English, making them much harder to guess.



 
PostPosted: Fri Jan 22, 2010 5:48 pm 

Joined: Mon Jan 22, 2007 5:50 pm
Posts: 944
That's quite a good idea.

My first thought was what if someone mistypes and accidentally logs on as someone else? But this wouldn't happen with random groups of 3 words.

My second thought is what if someone starts randomly typing in groups of 3 words?


 
PostPosted: Sat Jan 23, 2010 4:00 pm 

Joined: Thu Apr 20, 2006 2:01 pm
Posts: 1327
You'd be unlikely to hit anyone's password at random because the number of users is much smaller than the number of possible passwords (which is literally trillions). I think it's no different from taking a list of all our bb usernames (which is easy to get) and repeatedly picking a random username and trying out a random password with it, but with the manlike oracles the passwords are much harder to guess than the kinds of passwords people usually come up with themselves.

Guessing someone's 4-digit internet banking pin is far easier, there are only 10,000 possible pins.

I admit the idea feels a little uncomfortable but it really is more secure, although I haven't actually done the math.



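The password-only scheme chombee describes, together with the guessing odds in the reply above ("I haven't actually done the math"), as an added example; it is not code from the forum or its software. The word list, the site-wide salt and the user names are constructed for it, and the space arithmetic takes the list size as a parameter: the "trillions" quoted above needs a list of roughly ten thousand words (10,000 cubed is one trillion), so a sixteen-word list like the one below would be far too small for real use.

```python
"""Password-only login with system-issued three-word passphrases (added example)."""
import hashlib
import math
import secrets

# Constructed word list for the example; a real list has thousands of entries.
WORDS = [
    "savory", "manlike", "oracle", "exclusive", "malformed", "seal",
    "old", "free", "papaya", "blooming", "small", "labyrinth",
    "rotten", "turnip", "sob", "story",
]

# With no username in the login form the server must look the credential up
# by the credential itself, so the hash cannot take a per-user salt: one
# site-wide salt (assumed value) is the only option.  Caveat of the scheme.
SITE_SALT = b"forest-bb-example-salt"
PBKDF2_ROUNDS = 100_000


def passphrase_space(wordlist_size, words_per_phrase):
    """Distinct phrases: list size to the power of the phrase length."""
    return wordlist_size ** words_per_phrase


def entropy_bits(space):
    return math.log2(space)


def random_hit_probability(registered_users, space):
    """Chance one random phrase matches *any* account.

    Because a guess is checked against every account at once, the odds grow
    with the number of users, not just with 1/space.  A 4-digit PIN against
    one known account is random_hit_probability(1, 10_000).
    """
    return registered_users / space


def normalize(phrase):
    """Case and spacing should not matter: 'Old  Free papaya' == 'old free papaya'."""
    return " ".join(phrase.lower().split())


def fingerprint(phrase):
    """Slow, deterministic hash used as the lookup key in the credential store."""
    return hashlib.pbkdf2_hmac("sha256", normalize(phrase).encode(),
                               SITE_SALT, PBKDF2_ROUNDS)


def generate_phrase(words, words_per_phrase=3, rng=secrets):
    return " ".join(rng.choice(words) for _ in range(words_per_phrase))


def offer_choices(store, words, count=5, words_per_phrase=3, rng=secrets):
    """Offer `count` distinct candidates, none already assigned to a user."""
    choices = []
    while len(choices) < count:
        candidate = generate_phrase(words, words_per_phrase, rng)
        if candidate in choices or fingerprint(candidate) in store:
            continue   # already offered, or already someone's password
        choices.append(candidate)
    return choices


def register(store, user, phrase):
    """Bind a chosen phrase to a user; refuse a phrase that is already in use."""
    fp = fingerprint(phrase)
    if fp in store:
        raise ValueError("phrase already in use; issue a fresh one")
    store[fp] = user


def login(store, phrase):
    """Password-only login: return the user owning the phrase, or None."""
    return store.get(fingerprint(phrase))


if __name__ == "__main__":
    space = passphrase_space(10_000, 3)
    print(f"10,000-word list, 3 words: {space:,} phrases, {entropy_bits(space):.1f} bits")
    print("random guess hits one of 1,000 users:", random_hit_probability(1_000, space))
    print("random guess hits a 4-digit PIN:", random_hit_probability(1, 10_000))
    users = {}
    offered = offer_choices(users, WORDS)
    print("offered:", offered)
    register(users, "neil", offered[0])
    print("login:", login(users, offered[0]))
```

Two things the numbers show. With a 10,000-word list the space is a trillion phrases, about 40 bits, and a single random guess hits one of a thousand users with probability one in a billion, against one in ten thousand for the PIN in the post, so the "dictionary attack cubed" remark is exactly right and is what makes the scheme work: the dictionary is the word list, and cubing it is the whole strength. The caveat is the store: because there is no username to select a salt, every stored hash shares one salt, so if the table leaks an attacker hashes each phrase once and compares it against all users at the same time, which is the same "all accounts at once" effect the hit probability above already counts.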
 
PostPosted: Sun Mar 14, 2010 10:49 am 

Joined: Sat Mar 13, 2010 7:39 pm
Posts: 31
http://en.wikipedia.org/wiki/Dictionary_attack


 
PostPosted: Sun Mar 14, 2010 4:01 pm 

Joined: Thu Apr 20, 2006 2:01 pm
Posts: 1327
No, it's not vulnerable to a dictionary attack.



 
PostPosted: Sun Mar 14, 2010 6:35 pm 

Joined: Wed Mar 29, 2006 11:24 am
Posts: 2615
It would be vulnerable to a dictionary attack cubed. Mwahhhahha.


 
PostPosted: Mon Aug 15, 2011 8:40 pm 

Joined: Thu Sep 16, 2004 2:10 pm
Posts: 1557
[image]

sean is so smart.


