Password strength, password reset

[Wojciech Rebis]

We need to implement password strength, and password reset functionalities on our ipb forums for super-moderators and administrators.

I've seen some topics about that on your forums.

Do you think of developing these functionalities? If so - when?

[.Ian]

Recalling some of the previous threads on this ( ) I think the consensus was that a members account could not be hacked into in order to control the forum, therefore would be of much value to a forum, especially as when people register they are not going to be in power straight away. Perhaps the exception to this would be during install of IPB that the initial username has to have a more complex password.

Perhaps the better way is to stress to all people with moderator / admin powers that they need to ensure that their passwords are strong and that they do not contain dictionary words for example and have at least one number in it.

[Biker.GA]

All the education in the world won't force a user to change their password. Saw this time and time again while managing security programs in the military. You can educate 'em all you want, but the only way to ensure strong passwords are used is to force it via the program, or issue them yourself.

[.Ian]

very true - couldn't even get my users to use the button for youtube - so wouldn't stand a chance on passwords!

[bfarber]

I can agree with the points made, but I'm not really in favor of the feature suggestion itself.

If I want my password to be 'abc' and I'm a random member of a random site, I should be able to use that as my password. Sure, for banking sites and so on, I want a stronger password, and it's nice they have guidelines to enforce this. But random forum x on the internet shouldn't really dictate to me what password I can use. It's my password, after all.

That's just my personal thoughts.

[Biker.GA]

I would say for the majority of "normal" users, no, this is not needed. However, the option to force strong passwords for "Staff" would be a nice touch. Especially for those with Admin rights.

[Wojciech Rebis]

If I want my password to be 'abc' and I'm a random member of a random site, I should be able to use that as my password.

Yeah, but if my company's security policy for forum moderators/administrators is to have a strong password, there is no other way than forcing them to do it.

You should make it possible to choose to which user groups it will be applied, so that normal users can use 'abc' passwords, while advanced users should use '4bC!*fG' :)

I think that an administrator should be able to choose what password strength should users on his forum use. If I have a forum with very important data - I have to be very careful about security issues, including normal and advanced users' passwords.

And your point (about random user) isn't a good point, since this feature might be switched off by default. If an administrator thinks that it is needed on his forum - then he can turn it on.

[bfarber]

Read my last sentence - these are my *personal* thoughts.

Quite frankly when I reach a site with a password security policy, it better have a VERY compelling reason for me to try to come up with a random password I'll never remember (forcing me to either let my browser save it, or writing it down, which in my opinion WORSENS security).

[SethT]

How about an inline password strength notifier?

Here's Microsoft's example

Just as a visual cue for those that care.

[Robulosity2]

http://www.passwordmeter.com/ as well

[Mr Omicron]

I would definately like to see some kind of system where admins can set a minimum required password strength e.g 7 characters, 1 capital letter, 1 number etc.

@Brandon, Some forums need to be secure and users understand this. Not all forums are there for everyones use and access. If it is a public forum, I agree it is stupid, but some are small community private forums. There really should be an option to do this.

At minimum, there should be an option to add a password strength meter which can also be effective as people can see that their password isn't the strongest and might make consideration to beef it up a bit. A lot of people don't understand they have weak passwords until they see something like this.

[Jυra]

If someone's password has been comprised, it's been comprised. What I read so far are gimmicks that won't solve that. With forums, it's many times the email account that the member or staff uses that is the cause.

[Jυra]

I somehow misspelled compromised?

[azjordian]

Hello,
I am a user on a Message Board that uses IP 2.3.6. (tcboyle)
I have sent in 3x to reset my password, because I recenlty changed it and then forgot where I wrote it down :(
I also emailed the Admin, of the MB, but haven't got a reply as of this morning.
Thank you for any help.

azjordian

[Biker.GA]

Hello,

I am a user on a Message Board that uses IP 2.3.6. (tcboyle)

I have sent in 3x to reset my password, because I recenlty changed it and then forgot where I wrote it down :(

I also emailed the Admin, of the MB, but haven't got a reply as of this morning.

Thank you for any help.

azjordian

Nothing we can do here. You'll need to contact the Administrator of the site you're using.

[Paranormalis]

I somehow misspelled compromised?

Nah, you just compromised on the spelling. haha

[azjordian]

Nothing we can do here. You'll need to contact the Administrator of the site you're using.

I did. Nothing yesturday and nothing this morning. It is frustrating.

[Jυra]

If there are other admins or staff, you could make a new account and PM the more active ones (assuming they don't have email validation).