Forum Password Requirement & Periodic Reset

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
145
I've been getting some grumbling lately from members on my site regarding the need for a login ID and password for thier acounts...and the need to change thier password every so often (via the setting in the Admin control panel).

Some of the reasons they mention do make some sense...such as there really are no super-hyper critical personal or financial information asked for upon registration or stored in the database.

I think I would be ok if each member used a really strong password (including numbers, letters, capitals, ampersands, minimum number of digits, etc.)...and then the requirement for changing passwords every so often could be relaxed. But I think the problem is vBulletin 4.2.5 doesn't support mandatory strong passwords like this.

Can anyone give me a really good reason or two why maintaining a password is important for each members account (and changing it every so often)...so I can share it with the website membership?

Thanks
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
145
Thanks for the links...and the reply. I have read those and other articles similar to it before posting here.:)

Articles like those can be helpful...but it's also great to hear what other individual website owners & admins are doing...and what their opinions are regarding account passwords & resetting them occasionally.

For example haqzore...with the website or websites you're associated with...what do you do?

This is the sort of answer I was hoping to receive in this thread (actual "real world" password practices from Admin Zone members).:)

Thanks:)
 

haqzore

Devotee
Joined
Dec 6, 2012
Messages
2,243
Thanks for the links...and the reply. I have read those and other articles similar to it before posting here.:)

Articles like those can be helpful...but it's also great to hear what other individual website owners & admins are doing...and what their opinions are regarding account passwords & resetting them occasionally.

For example haqzore...with the website or websites you're associated with...what do you do?

This is the sort of answer I was hoping to receive in this thread (actual "real world" password practices from Admin Zone members).:)

Thanks:)
The issue to keep in mind is that the few replies you get on TAZ amount to a very small sample size, from folks who aren't security experts.

The articles we've read are from far more robust sets of data and resources, so should be given more weight.

Anyways, I have 2 active sites currently with a few thousand members. I have no password expiration active. I have no complexity requirements. I've had no issues with member security/breaches/etc. Ever.
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,336
I've been getting some grumbling lately from members on my site regarding the need for a login ID and password for thier acounts...and the need to change thier password every so often (via the setting in the Admin control panel).
Both the UK National Cyber Security Center and the US National Institute of Standards and Technology currently advice against this

https://theadminzone.com/threads/resetting-passwords-at-regular-intervals.151212/

Having a way top require mandatory strong passwords with no time constraint seems to the the best way forward.
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
145
The issue to keep in mind is that the few replies you get on TAZ amount to a very small sample size, from folks who aren't security experts.
Of course...still very nice to hear real world examples of what others are doing & experiencing.:)

Anyways, I have 2 active sites currently with a few thousand members. I have no password expiration active. I have no complexity requirements. I've had no issues with member security/breaches/etc. Ever.
Awesome...thanks for sharing.:)

Let me share this thought. With many things in life...many folks think that they are invulnerable to many things because they themselves have never been a victim of something...or think that what they've been doing to avoid many of life's pitfalls is the sure-fire way to avoid them.

It's only when they've been a victim of something...do they then realize that they are not invulernable...maybe the habits or practices they have been relying on are not the best...and they need to be a lot more careful in the future!

Thanks again for the replies.:)
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
145
Having a way top require mandatory strong passwords with no time constraint seems to the the best way forward.
Yes I agree...and mentioned this in my original post.:)

Problem is (as far as I know)...vBulletin 4.2.5 doesn't support mandatory strong passwords ((including numbers, letters, capitals, ampersands, minimum number of digits, etc.).

As I also mentioned in my original post...I would be ok with a mandatory strong password without a reset date...if vBulletin 4.2.5 supported it.:)

Thanks for the reply & Admin Zone link.:)
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,336
Maybe you're best just letting them set the password to what they want and leaving it as is even without a way to force strong passwords?

Forcing them to change their password regularly is only going to ensure that the passwords of some regular users get weaker and weaker as they try to create new easy to remember replacements to their old expired passwords while also frustrating them for having to create new passwords regularly in the first place.
 

haqzore

Devotee
Joined
Dec 6, 2012
Messages
2,243
Maybe you're best just letting them set the password to what they want and leaving it as is even without a way to force strong passwords?

Forcing them to change their password regularly is only going to ensure that the passwords of some regular users get weaker and weaker as they try to create new easy to remember replacements to their old expired passwords while also frustrating them for having to create new passwords regularly in the first place.
Agree with this.

If you can't accomplish minimum complexity, at least stop forcing regular resets, as it's proven (as linked) to reduce security.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,881
Can anyone give me a really good reason or two why maintaining a password is important for each members account (and changing it every so often)...so I can share it with the website membership?
I would think its pretty obvious why you need a password.

No forum I have run has forced password changes, Ive never (knowningly) had any issues with this.
There really is no reason to change it often, although its better if you have a decent password of course.

As best I can remember, no forum Ive ever been a member of has forced them either,
The only time I have changed mine is if the site Im a member of has been compromised.
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,017
If wouldn't matter a great deal if VB 4.2.5 supported mandatory strong passwords, it's password storage is notoriously weak and with a few GPUs/CPUs you can crack about half the hashes in a half million user VB database in a single day.
 

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
561
Forcing people to change their passwords frequently leads to them using a weak password and possibly an alternating number at the end or something else. It doesn't make you more secure, all it does is make you less secure.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,058
The only time I would ever force a password change is if there was a security breach and even then I wouldn't do it until I felt 100% sure the breach had been plugged. I've not read any of the articles linked but I have had personal experience of instances where enforced changes caused security breaches.

Many years ago I started working for an IT department who had a business wide policy of monthly forced password changes. This resulted in almost every employee noting their new password and placing it somewhere in their desk... I stopped that initiative on day one.
 

phatcows

Adherent
Joined
Nov 15, 2015
Messages
253
Many years ago I started working for an IT department who had a business wide policy of monthly forced password changes. This resulted in almost every employee noting their new password and placing it somewhere in their desk
Or they just use the same password with a new digit on the end...1,2,3 etc. I work for a large Governmental body, and whilst they finally moved away from the monthly password change process a couple of years ago, let's just say, they didn't move very far from it.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,058
I found this article quite interesting: https://theadminzone.com/ams/forced-password-reset-check-your-assumptions.1310/

To cut to the chase:

According to a recent blog entry by Microsoft group program manager Alex Weinert, none of the above advice about password complexity amounts to a hill of beans from the attacker’s standpoint.

Weinert’s post makes a compelling argument that as long as we’re stuck with passwords, taking full advantage of the most robust form of multi-factor authentication (MFA) offered by a site you frequent is the best way to deter attackers. Twofactorauth.org has a handy list of your options here, broken down by industry.

“Your password doesn’t matter, but MFA does,” Weinert wrote. “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
 
Top