Security improvement idea

[Wolfie]

Making people change passwords can make some people use more simple passwords like abc123 just to not have a password to remember. It would be seen as less point in having a decent password if one must keep changing it.

You are talking like they would be required to change it every week or something. This would be to wipe out a password if the account has been inactive for a long period of time. The 'add on' idea of doing member group level options for when to wipe out a password (or requiring a password change) is something that can be useful for sites that have a need for enforcing such limits.

If someone visits a site once every year or so, they're likely to do a password reset anyway unless their browser happens to remember the password for them. What would be the difference in their resetting their password because they can't remember their password and resetting their password because none of their passwords work? Either way, it's being reset. If you think resetting a password will drive someone away, then just put in a feature request to remove the function for resetting a password. I'd like to see how much support you get for that idea.

Active and inactive accounts can be cracked.

I don't recall someone saying that an active account cannot be hacked. But if someone is going to be active, then they are more likely to change their password than someone who is inactive. I mean let's stop and think about this for a moment...

Active member keeps using the site. Let's say that they don't change their password and use the same password on other sites. As a result their account gets hacked. Okay, that's bound to happen, no argument here against that. However that active member just might change their passwords once in awhile, thus preventing it from happening.

Inactive member is.. well.. inactive. I don't know about you, but I seriously don't believe an inactive member is going to get a hair up their butt one day and decide to visit your site for the sole purpose of changing their password just to make sure that their account doesn't get compromised. This would be a way of protecting their account for them.

I don't get why anyone would be opposed to such an option being available. Not like if it's added that you would be required to use it. Are you *required* to sell files if you have Downloads and Nexus installed? No. Just like you're not required to advertise on your site just because the feature is available.

Having more sites with this feature is more sites out there that have it...

Uhhh.. Wouldn't it be impossible for a site to have a feature and not have the feature at the same time? You're kind of stating the obvious there in a way that doesn't make sense in saying it.

[Jυra]

If you think resetting a password will drive someone away, then just put in a feature request to remove the function for resetting a password. I'd like to see how much support you get for that idea.

That's someone deciding to change their own password or when they forget it.

Using the same password on other sites is a separate problem. A user may have several passwords they use on many sites and could switch between them. You'll still have passwords that are used on other sites.

I am stating the obvious with the last bit because it's obvious. People join sites including us and you claim you don't get why others are against this.

[Wolfie]

That's someone deciding to change their own password or when they forget it.

There is a difference between choosing to change your password and resetting a password. Changing it happens when you are signed in and go to the UserCP to alter it on purpose. Resetting is when you are not signed in and choose the option to have the system change it for you so you can sign in again. Most likely you forgot your password, but there could be other reasons to need to reset it.

Using the same password on other sites is a separate problem. A user may have several passwords they use on many sites and could switch between them. You'll still have passwords that are used on other sites.

At least by wiping away their passwords hash, to find out the password from another site won't gain them access on your site. On the flip site, if your site gets compromised, the hacker wouldn't be able to use your database in an attempt to figure out their password. It's a win-win situation.

I am stating the obvious with the last bit because it's obvious. People join sites including us and you claim you don't get why others are against this.

You haven't provided a good reason for being against it, other than it being inconvenient for those who have to reset their password. It's akin to not wanting to password protect your admin folder because it would be inconvenient when you need to go into your ACP, or requiring email validation because you fear people won't want to join your site.

I've provided very good reasons in favor of this request and you haven't provided anything but a dislike for it for no justifiable reason. When I say that I don't get why a few people are against this, it's because it makes no sense to be against it. It's one thing to have a valid reason but to me it sounds like nothing more than being against it just for the heck of it.

[Jυra]

I've provided very good reasons in favor of this request and you haven't provided anything but a dislike for it for no justifiable reason. When I say that I don't get why a few people are against this, it's because it makes no sense to be against it. It's one thing to have a valid reason but to me it sounds like nothing more than being against it just for the heck of it.

You haven't provided very good reasons in favor of this feature because the feature is flawed and has a higher cost than benefit (which is pretty much none). People can crack accounts of active and inactive members. By making people reset them you're basically putting a big unwelcome sign on the forum. Keeping a strong password and having it safely kept is far better making people switch to a password they won't remember, don't wish to change, or changing to abc123. You know very well I don't support removing password resets for people that forgot their passwords.

[Royzee]

I asked if you would allow an absent admin to retain ACP access. Obviously it was from a security standpoint, not a usefulness one. That's where you're getting sidetracked and missing the point. The reason to remove elevated access is for security, not whether or not they're useful to you. If you think it's the other way around, then you are saying that if someone is useful to you, then give them access even if they aren't trustworthy. That's backwards. Security comes first, period.

Well there is no point in rehashing this. I already told you that I didn't consider it a security risk, so lets stop beating that horse.

A member who has not been around in years carries the same security risk of being hacked as a regular member. Following your logic I may as well shut my board down as every account carries is a potential for being hacked.

How anyone equates being absent with a security risk is unfathomable.

[Wolfie]

You haven't provided very good reasons in favor of this feature because the feature is flawed and has a higher cost than benefit (which is pretty much none). People can crack accounts of active and inactive members. By making people reset them you're basically putting a big unwelcome sign on the forum.

You are mistaken, I provided very good reasons for it. You have yet to provide good reasons against it. You keep rehashing (no pun intended) the idea of 'making people reset' their passwords as a reason, as though everyone who uses the site will have to reset their passwords on a regular basis. Those who are active would never experience it (unless passwords are set to expire), so it's not the epidemic that you're making it out to be.

Well there is no point in rehashing this. I already told you that I didn't consider it a security risk, so lets stop beating that horse.

Just because you don't see the security risk doesn't mean that it's not one.

Following your logic I may as well shut my board down as every account carries is a potential for being hacked.

I don't know how you come to that conclusion. Your logic is the equivalent of credit card companies never putting expiration dates on the cards they send you. "Hey, your card is just as likely to get stolen now as in the future, so why bother changing your cards?" Exactly the same logic as you both are using to argue against this.

A member who has not been around in years carries the same security risk of being hacked as a regular member. Following your logic I may as well shut my board down as every account carries is a potential for being hacked.

How anyone equates being absent with a security risk is unfathomable.

If the password has of an inactive account is wiped out, then that account cannot be hacked. For some reason, that fact seems to be eluding the both of you.

What's "unfathomable" is why you think an account with a password that never gets changed (due to inactivity) is NOT a security risk. If you seriously think that a password remaining unchanged isn't a security risk, then you have a LOT to learn.

[Dmacleo]

some people read w/o logging in.

only need to login to reply.

as long as we can enable/disable as we want it could be useful.

don't force it upon us, make it configurable and I would say it would be good option to have.

[Royzee]

What's "unfathomable" is why you think an account with a password that never gets changed (due to inactivity) is NOT a security risk.

Read what I post. I did not say it was "NO" security risk, I said it was no more risk that any other member who logs in daily.

[Wolfie]

as long as we can enable/disable as we want it could be useful.

don't force it upon us, make it configurable and I would say it would be good option to have.

Wouldn't request it any other way other than to be optional. One site might use it to the max out of necessity while another may never use it and never have a reason to. To make it forced would be a bad idea, I won't dispute that at all.

Read what I post. I did not say it was "NO" security risk, I said it was no more risk that any other member who logs in daily.

You're forgetting that someone who doesn't log in can't change their password. A member who visits almost every day can. Doesn't mean that they will, but if they can do it, then there's a chance that they will.

So, active accounts have the chance of the password being changed. The inactive accounts don't. Which is at a higher risk of being compromised by someone who is determined to hack into someones account? An active account or an inactive one? It's one or the other, not both and not neither.

Let's try it from this perspective. Maybe you'll see where I'm coming from and see how valid this feature request is.

Let's say that you have a member named Jake Speed. He changes his password each month on the first, without fail (not that it's known he does it, but he does). Does that make it impossible for his account to be hacked? No. Well then, why bother doing it? May as well just leave it as the same password because, using your logic, his account is just as much at risk of being compromised than any other account. There's a flaw in that way of thinking though. While it doesn't make it impossible to hack his account, it makes it less probable that it will happen.

Someone who has signed into their account is infinitely more likely to change their password versus someone who doesn't sign into their account. Okay so what protection do the inactive members have? If they aren't signing in and changing their passwords, they are getting NO protection. However, if their password (hash) is wiped out, then their password becomes protected. You can't brute force crack a password if you don't have all the necessary elements, and a major element is that final hash. Without that final hash, password cannot be cracked, period. You can use a super computer that could calculate 100 trillion hashes per second and you would never crack it. Never.

I don't really know how else to explain it to you. It's a very valid feature request and I've provided good reasons and examples of the benefits, but haven't heard any good/valid reasons for such a feature to not be available. Keep in mind that it being available doesn't mean it must be used. If you don't want to use it on your site, then don't use it. Simple as that. So if you wouldn't be forced to use it on your site, then why be opposed to it being available for admins who would appreciate the feature being part of the core product?

To sort of re-state the features, as there is some new stuff to add...

All optional functions of course (in case anyone is worried that I'm saying it should be forced)...

- Per member group, ability to require a password change after X days/months. Password changes cannot be to the same password. Though if someone changes their password to something different but then back to the original password, then oh well. Would be useful for sites that want to require admins to change their password every 3 months or something (for example). Could be done like that without affecting other members.

- Per member group, ability to flag how long before the members account is deemed 'inactive'. When this happens, one of two things happens. Either password hash gets wiped out or the next time they sign in, their account is flagged as having been inactive and they must re-activate their account. An email is automatically sent to them where they need to click on a link to that reactivates the account. If the password is going to get wiped out, then an email gets sent to the member letting them know that it has happened and why (provides security). Account is still valid, but to regain access, they will need to reset their password.

- Task to mark accounts as inactive (if option is set to require re-activation -vs- invalidating the hash).

- Task to invalidate hashes (if not set to just mark accounts as inactive). When an account has its hash invalidated, it too gets its account marked as 'inactive' in the same way. This would be to prevent the same account getting its hash invalidated multiple times.

- Ability to void out a password for an individual account.

- Ability to void out a password for multiple accounts. ModCP and ACP. (Via ACP, be similar to the 'mass prune' function, except voiding the passwords vs deleting an account, etc).

- Email notifications when action has been (or will be) taken. Be it by task or manual actions.

- Option to mention that a failed log-in could be due to a long period of inactivity. Obviously if the member hasn't signed in for a couple of years and it says that it happens after one year, then they know they need to reset their password. This way they aren't trying a dozen or so passwords that will all fail anyways.

- For the time duration for wiping a hash, have it available in months and years, with the minimum time period being 12 months (or 1 year). I'm for the feature being available, but obviously it would be a bit absurd to set it to something like one month.

- For wiping a hash, either simply erasing the hash (replace with NULL), or perhaps setting it to a random hash. With a random hash in place, not only does the account get the same protection, but a hacker wouldn't know if it's a legitimate hash or not. So if the DB gets stolen, they could be trying to crack a hash that can't be cracked. Would make it rather wasteful for them. One way to ensure that a random hash wouldn't end up being a valid/usable password would be to hash the existing hash but including a random number and a character that would be impossible to use.

- Among the options, admin can choose to let users decide for themselves if they want the action to be performed on their account. (Using default set within ACP unless member choose a custom setting.) That way a member can decide that their hash is invalidated after two years (for example) if at all. If user-level option is enabled, then their choice should trump ACP settings, with no way to override it other than manually affecting that members account.

Again, overall function and the various features being OPTIONAL. As in, it's only used if an admin purposely enables and uses it. Off by default.

_Sandy, does that help any? :)

[Royzee]

You're forgetting that someone who doesn't log in can't change their password. A member who visits almost every day can. Doesn't mean that they will, but if they can do it, then there's a chance that they will.

As your not making any sense, and guessing what people may or may not do, I am out of this aimless conversation.

[Wolfie]

As your not making any sense, and guessing what people may or may not do, I am out of this aimless conversation.

How did that not make sense when it made perfect sense? :huh:

[Aiwa]

Read what I post. I did not say it was "NO" security risk, I said it was no more risk that any other member who logs in daily.

Yes, but reducing the number of accounts that are available for attack to anyone that might try to brute force removes them from being vulnerable...

[Jυra]

So if you wouldn't be forced to use it on your site, then why be opposed to it being available for admins who would appreciate the feature being part of the core product?

False sense of security and it may not get them to look into things that do work.

[Wolfie]

False sense of security and it may not get them to look into things that do work.

How would a true sense of security be a false sense of it?

Before you insist it's a false sense of security, tell me this. If the password hash is no longer valid, then what is the probability of the real password being figured out?

[Aiwa]

What about companies that force new passwords on employees every 3 months? Companies that lock out your account if you don't login in 3 months? Are they just doing it for a false sense of security? No, they are protecting their assets.

[Grimace`]

What about companies that force new passwords on employees every 3 months? Companies that lock out your account if you don't login in 3 months? Are they just doing it for a false sense of security? No, they are protecting their assets.

The place I work out forces a new password every 7 days ._.

@ The others: If you're against this idea, and it does come with IPB 4. Just do not enable it, would be the perfect fix right?

[Royzee]

Yes, but reducing the number of accounts that are available for attack to anyone that might try to brute force removes them from being vulnerable...

If anyone can attempt a brute force and get more than two or three tries your forum settings are wrong.

[Wolfie]

If anyone can attempt a brute force and get more than two or three tries your forum settings are wrong.

You don't really understand the issue do you? Yeah you don't.

If the database is compromised, then the hash results are used for brute force cracking of passwords. There are computer systems that can do roughly 350 billion hashes per second, and as technology advances and improves, it's only going to get easier for hackers to brute force passwords.

This is a fact, not speculation. If you don't believe me, then go ask a security expert if it's possible. When you don't believe them because they tell you that I'm right, then go find another professional. After a dozen or some, you might want to just accept that it's a fact.

[GreenLinks]

The place I work out forces a new password every 7 days ._.

@ The others: If you're against this idea, and it does come with IPB 4. Just do not enable it, would be the perfect fix right?

We do similar , however everyone in our company simply hates it.

Community Boards are also not similar to companies.

Don't mix both of them , if you do you'll make a huge mistake.

Wolfie dude you stated your facts why you continue to respond every message and defend this fanatically is out of my mind.

[Royzee]

If the database is compromised, then the hash results are used for brute force cracking of passwords.

If the database is compromised your already f%cked regardless.

[Wolfie]

If the database is compromised your already f%cked regardless.

In that case, why bother hashing the passwords to begin with?

[Royzee]

In that case, why bother hashing the passwords to begin with?

That question is too stupid to warrant an answer.

[Wolfie]

That question is too stupid to warrant an answer.

What you said essentially suggested what I asked. You opened the door to that question and it proves my point.

[Jυra]

Basically saying technology for one thing will advance and won't for another, so let's screw over members.

[Wolfie]

Basically saying technology for one thing will advance and won't for another, so let's screw over members.

I still don't get why you two are so dead set against this great idea. I mean, it's not like the idea is for it to be enabled with no way to disable it. No, it's for it to be disabled by default but be available to use if wanted. Don't want to use it? Then don't enable it, simple as that. No need to even look at it.

As for screwing members over, being against this idea is doing just that. "No, I don't want a feature that will help improve the security of members on my site." That's what you're essentially saying. No joke.