Forcing strong passwords

Guest rct2·com

IP.Board could do with a capability to ensure that passwords have:

  • a minimum length
  • no maximum length [or at least a large length]
  • a minimum number of alphabetic characters
  • a minimum number of digits
  • rules about whether digits can occur at the beginning or the end
  • a maximum 'run' of alphabetic characters before a digit should be included
  • a maximum 'run' of numeric characters before an alphabetic character should be used
  • at least one character from a look up list
  • no repeat of the username
  • no repeat of previous passwords [up to a certain number of repeats]
  • a duration after which they expire [and warnings to people when they connect about how long to expiry]
  • no occurrences of words that are in a lookup dictionary, editable by the Admin
  • a feature for all this to be tailored by the Admin

Interesting feature, but with those type of limits, that would surely make me never visit that site again.
I recognise that, bulleted like that, it looks pretty scary, but if you think about it, once it's built into the product it can be implemented as softly as each AdminCP likes. For example:
  • a minimum length: already in the code
  • no maximum length [or at least a large length]: already in the code
  • a minimum number of alphabetic characters: could be zero
  • a minimum number of digits: ditto
  • rules about whether digits can occur at the beginning or the end: as simple as yes/no, or two numbers, one for the front and one for the end
  • a maximum 'run' of alphabetic characters before a digit should be included: could be zero [for no limit]
  • a maximum 'run' of numeric characters before an alphabetic character should be used: ditto
  • at least one character from a look-up list: could be an empty list
  • no repeat of the username: could be on/off
  • no repeat of previous passwords [up to a certain number of repeats]: could be zero [for immediate repeat]
  • a duration after which they expire [and warnings to people when they connect about how long to expiry]: could be zero [for no duration]
  • no occurrences of words that are in a look-up dictionary, editable by the Admin: could be an empty dictionary [for no limits]
  • a feature for all this to be tailored by the Admin: essential for all the above
These kinds of features are built in to most [not many, most] products I use in a corporate environment. If IPS aspires to these markets, they could easily implement this, rather than expecting the corporates to integrate IPS into their LDAP or Active Directory or Converge or ....
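To make the proposal in the opening post and the "softly configured" version of it concrete, here is a worked example of such a configurable password policy. It is added here as illustration and is not IP.Board code; it is written in Python rather than the board's PHP because the rule logic is language-neutral and this form is easy to run stand-alone. The setting names, the zero-or-empty-means-off convention, and the use of PBKDF2-HMAC-SHA256 as a stand-in for whatever hash the board actually stores are all assumptions of this example.

```python
"""Configurable password-policy checker (illustrative example, not IP.Board code).

Every rule from the thread's list is a setting; a zero or empty value switches
that rule off, so the default policy below is about as soft as it can be.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import os
import re


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 0                   # 0 = no maximum
    min_alpha: int = 0                    # 0 = no minimum
    min_digits: int = 0                   # 0 = no minimum
    allow_leading_digit: bool = True
    allow_trailing_digit: bool = True
    max_alpha_run: int = 0                # 0 = no limit on consecutive letters
    max_digit_run: int = 0                # 0 = no limit on consecutive digits
    required_chars: str = ""              # "" = no look-up list requirement
    forbid_username: bool = True
    history_depth: int = 0                # 0 = immediate reuse allowed
    expiry_days: int = 0                  # 0 = passwords never expire
    dictionary: frozenset = frozenset()   # empty = no dictionary check


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the board's real hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(policy, password, username, history=()):
    """Return the list of violated rules; an empty list means accepted.

    history is a sequence of (salt, digest) pairs for earlier passwords; only
    the most recent policy.history_depth entries are compared against.
    """
    p, errors = policy, []
    if len(password) < p.min_length:
        errors.append(f"shorter than {p.min_length} characters")
    if p.max_length and len(password) > p.max_length:
        errors.append(f"longer than {p.max_length} characters")
    if sum(c.isalpha() for c in password) < p.min_alpha:
        errors.append(f"fewer than {p.min_alpha} letters")
    if sum(c.isdigit() for c in password) < p.min_digits:
        errors.append(f"fewer than {p.min_digits} digits")
    if password and not p.allow_leading_digit and password[0].isdigit():
        errors.append("starts with a digit")
    if password and not p.allow_trailing_digit and password[-1].isdigit():
        errors.append("ends with a digit")
    # A run longer than the limit is max_run+1 or more of the class in a row.
    if p.max_alpha_run and re.search(rf"[A-Za-z]{{{p.max_alpha_run + 1},}}", password):
        errors.append(f"more than {p.max_alpha_run} letters in a row")
    if p.max_digit_run and re.search(rf"\d{{{p.max_digit_run + 1},}}", password):
        errors.append(f"more than {p.max_digit_run} digits in a row")
    if p.required_chars and not any(c in p.required_chars for c in password):
        errors.append(f"none of the required characters {p.required_chars!r}")
    if p.forbid_username and username and username.lower() in password.lower():
        errors.append("contains the username")
    if p.dictionary:
        lowered = password.lower()
        hit = next((w for w in sorted(p.dictionary) if w and w in lowered), None)
        if hit:
            errors.append(f"contains dictionary word {hit!r}")
    if p.history_depth:
        for salt, digest in list(history)[-p.history_depth:]:
            if hmac.compare_digest(_hash(password, salt), digest):
                errors.append(f"reused one of the last {p.history_depth} passwords")
                break
    return errors


def record_password(password):
    """Salt and hash an accepted password so it can go into the history list."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def days_until_expiry(policy, changed_at_iso, now_iso):
    """None when passwords never expire; negative once already expired.

    Dates are ISO-8601 strings, as they would come back from a database.
    This is what the 'warn people at login' part of the proposal would use.
    """
    if not policy.expiry_days:
        return None
    changed_at = datetime.fromisoformat(changed_at_iso)
    now = datetime.fromisoformat(now_iso)
    return (changed_at + timedelta(days=policy.expiry_days) - now).days


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=10, min_alpha=4, min_digits=2,
                            allow_leading_digit=False, max_alpha_run=4,
                            required_chars="!@#$%", history_depth=3,
                            dictionary=frozenset({"password", "invision"}))
    print(check_password(strict, "Summer2009!", "alice"))
    print(check_password(PasswordPolicy(), "alice12345", "alice"))
```

With the default `PasswordPolicy()` only the length floor and the username check are active, which is the "on/off flag" reading of the proposal; the `strict` policy in the demo shows the same code enforcing a corporate-style rule set. Note that the history check compares salted hashes, so old passwords never need to be stored in the clear to enforce "no repeat of previous passwords".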

No.

If I had to create, let alone remember, a password to follow guidelines created with those features, I would never even use the site - I'd find a better alternative that lets me pick my own password. It's the user's responsibility to create a good password.


No.

If I had to create, let alone remember, a password to follow guidelines created with those features, I would never even use the site - I'd find a better alternative that lets me pick my own password. It's the user's responsibility to create a good password.

Oh my heavens!! please become the new network administrator of my old highschool.

Their password requirements were ridiculous.

Who attacks with brute force these days anyway? I feel safe as long as I have *a* password. Nobody is going to bother brute-forcing it, so no need to have it 'strong'.


There's always that one crazy person out there who'd be willing to try anything to take over a site. Although, on a personal note, I do agree with you - passwords like 2!Yx*(7lP are overkill.

There's always that one crazy person out there who'd be willing to try anything to take over a site.

Too bad on most systems it requires a huge list of proxies, and switching between them every 5 tries :P

And one of those proxies is bound to be willing to give me the information of who was using that proxy... ;)

Wow! Hadn't expected such a lot of reaction. And so much "anti" too.

For those who are anti, can I just emphasise that my suggestion is that this is optional, and can be set in AdminCP as strong or as weak as the Admin chooses. Perhaps I should also suggest that there is an On/Off flag too. :)


Wow! Hadn't expected such a lot of reaction. And so much "anti" too.

For those who are anti, can I just emphasise that my suggestion is that this is optional, and can be set in AdminCP as strong or as weak as the Admin chooses. Perhaps I should also suggest that there is an On/Off flag too. :)

Optional or not, admins who use it would get complaints, and then end up turning it off to better their community. It wouldn't get used, so it's not worth it.

Sweeping statement, .Garrett, based on your opinion. FACT is, I know a person in a corporate IT security role who won't recommend IP.Board for internal use in his company because of the lack of strong password support. It's important to corporates to know that their personnel cannot easily attempt to 'pretend' to be other employees. EVERYTHING has strong password protection: Windows logon, LAN logon, email logon, etc.

It might not get used often, but it would get used. More often on intranets than the internet, I agree.


You have to look at it from a developer standpoint though. The majority of IPB Mods out there are features that are nice, but not used often enough to be implemented into IPB as a default. Sure, everyone has suggested that they be implemented, but they aren't because, well, it's just not worth it to IPS to do so. They are aimed at developing a product which will be excellent for anyone who uses it - not wasting time implementing features that will not be widely used. For example, check your ACP settings. How many of those red bars and "REVERT" buttons do you have? A lot; just like everyone else's IPB.

It might not get used often, but it would get used.

Exactly why it should be a mod, not default.

Exactly why it should be a mod, not default.
Not if IPS want to increase their presence in the corporate marketplace. The products have moved from being free with optional support, to being licensed with almost compulsory support [if you want upgrades]. The next step is to make the products more suitable for corporate acceptance.

Sweeping statement, .Garrett, based on your opinion. FACT is, I know a person in a corporate IT security role who won't recommend IP.Board for internal use in his company because of the lack of strong password support. It's important to corporates to know that their personnel cannot easily attempt to 'pretend' to be other employees. EVERYTHING has strong password protection: Windows logon, LAN logon, email logon, etc.

It might not get used often, but it would get used. More often on intranets than the internet, I agree.

Which IMHO proves that this "IT Security" guy doesn't know his ass from a hot plate.

Especially on Windows machines, adding a few extra requirements, which I can usually read, means I can just type them into my brute forcer and take an extra 30-45 minutes to crack. ;)

Not that I use it for unethical reasons, but I do have the software, and have been meaning to try it on my PC to see how good it really is. *shrugs*

Even worse on the internet: non-SSL sites throw all your data unencrypted over a network, and damn HTTP wireless traffic is a goldmine of usernames and passwords floating in the air. ;) Strong password protections are nothing but an annoyance. Not to mention, use freaking ASCII codes in your password and I'll just sneak a hardware keylogger onto your desktop or something really evil.

Anyway, that's how the majority of my high school time was spent: tampering with things, not so much unethically like stealing a password and using it, but curious whether certain things could be done.

IP.Board could do with a capability to ensure that passwords have:
[...]

Fully agreed. It would be very useful in corporate environments. I would not want to allow people with weak passwords to access any important content. Security may not be an issue in "fan-chat-sites", but it is (and will become even more so) for many serious sites. Easily breakable passwords also pose a risk for community sites in the non-corporate world, assuming, for example, that long-term members have more rights than newbies, and a spammer breaking one of those accounts could do quite some damage to the community. Ignoring ways to maximize security (within some reasonable limits) is irresponsible, IMHO. So, I welcome the suggestions above - sure, it should be fully configurable, so it can be fine-tuned to the individual needs of a particular community.

Since most of the features are very easy to implement and are present in most other account-based software, I always wondered why Invision did not put some of them in the ACP already.

Greetings,

Matthias

PS. Of course, strong passwords alone in an otherwise weak infrastructure will not help at all (-> Windows), however, IMHO this does not make up an argument against these useful suggestions... A system is only as strong as its weakest spot - and IP.Board shouldn't be this spot. Nobody will leave the door open, even if it is easy to break into a house through the window with a hammer.

These strong password rules remind me of the ones on the various online bill payment sites I use, the ones I have to reset every month because they cannot be remembered. So if I don't want to have to reset them every month I have to write them down somewhere, thus defeating the entire purpose behind having a 'secure' password. As long as all of these settings have an 'off' switch, go ahead and add the feature, but I can certainly live without it.


Which IMHO proves that this "IT Security" guy doesn't know his ass from a hot plate.


Well put. :lol:

Fully agreed. It would be very useful in corporate environments. [...]

I'm all for stronger passwords in a corporate environment. However, forcing all of these stupid requirements would be more of an inconvenience than a help to most. Unless, of course, you have no real life, and devote every waking hour to remembering something such as *&6dH1lm%qJAz for a password. Not to mention you'd have to change it very often, because there's a chance someone is cracking it right this very minute. But wait! There's a tear in your tin foil hat, you have to go make a new one, or else the aliens may zap all of the information from your brain, including the very secure password!

My point is, where do you draw the line between "security" and "paranoia"?

Which IMHO proves that this "IT Security" guy doesn't know his ass from a hot plate.

That opinion really blows a hole through his professional IT Security qualification then. :P

The company in question employs ethical hackers to try and do all the things you describe, its customers are allowed to demand penetration testing twice per year, and it receives thousands of brute force attempts on its web servers per HOUR. IF security was compromised, it would go out of business almost overnight because its business IS personal data about people.

@Michael: In environments like this, IT Security people don't give a stuff whether users remember passwords or not, they would far rather people had to ask for resets than risk having passwords that are easy to guess and break.

It's clear that IP.Board is trying to make itself more attractive to larger business/corporates. Integration with LDAP is one such example. This feature, carefully delivered so that it wasn't mandatory, and didn't require businesses to source the board from IPS and mods from a third party, would make the product a more attractive proposition.

Social engineering and sneaking hardware onto machines (you look on the back of your tower before logging in every day?) is so much easier than attempting a brute force. If their machines ALLOW you to attempt brute forcing, you have a problem to begin with. Thousands of hits per hour = bad anti-brute-forcing software. Not to mention thousands sounds way too slow for brute forcing, considering combinations rank in the hundreds of millions just using a 6-character A-Z password. Brute forcing is about the lowest way to get in, the "script kiddie" way, if you will. On the other hand, taking apart TCP packet information, especially communicating between a user and a web server, is much MUCH easier. Apparently you can even crack SSL data. Though we're looking at 8 days processing for a desktop machine. *shrugs*

Not to mention, the more complicated the password, the slower the user usually types it, usually you can STAND there and watch them fumble with their retarded password.
IPB can add this, but I hope it's low on the list of features considering what the majority of the community wants included too.


Thanks for the input, all valid points. And for spotting my deliberate mistake. That should have been per minute, not per hour!

As you'd expect in this kind of environment, a lot of customers are coming in through fixed extranet connections as well as the internet. If customers allow keychecker software, dongles on the back of computers, and people just WATCHING passwords being entered, then that's all traceable and this guy's company is not liable. And in this case, individual customers on the internet are only really able to access their own personal information, so the risk is much smaller.

On these boards here, the 'majority' tend to be individuals who own and run boards. This suggestion/request isn't really about the individual who owns/Admins the board, it's based on the requirements of the customers and their needs before they'll agree to use the board. They want the confidence that their usernames and passwords will be adequately secure so that their personal information will be protected and that their companies won't be compromised or misrepresented within the 'User Group' that logs in to the board.
