Passwords
This will probably be controversial, but I disagree with the current password policy. Checking against a list of known broken passwords sounds like a good idea, but that list is only ever going to get bigger. The human factor has to be taken into account. People are going to reuse passwords. So whenever their reused password gets hacked from a less secure site, it's going to add to that list.
Ideally, a password would be unique. Ideally, users should perhaps only ever use a password manager that generates garbage as a password that no one could hack. An ideal world is different from reality. Specific requirements are going to lead to people needing to write things down. In the past, that was on paper, like Wargames. Now, it's going to lead to people pasting their username and login into text documents for easy reference. That's probably what I'm going to have to do. Was my previous method of reusing passwords safe? No. Will my new method of remembering passwords be safe? Probably not either.
I'm not entirely sure what all the account security is about, either. For my bank, sure, a complex password. I have a lot to lose there. For an account on a glorified message board? There are better ways to establish legitimacy. 4chan, of all places, dealt with this (nod to 2chan) by having users enter a password after their username that got encoded and displayed as part of their username to verify that they were, in fact, the same user.
So the topic for discussion would be, what's the endgame here? Where is the line drawn between usability and security? I may well be on the wrong side of this, but I think it's worth discussing.
Edit: I think there may be some good reasons, evidenced in this reply. I think it was a good discussion nonetheless, since it wasn't obvious to me and perhaps not to other people.
Edit 2: I'm going to hop off, but I think there's been some good discussion about the matter. As I said in the original post, "I may well be on the wrong side of this". I may well be, but I hope I have addressed people well in the comments. Some of my comments may be "worst case" or "devil's advocate" though. I understand the reason for security, as evidenced above, but I'm unsure about the means.
I worked at reddit for years and personally dealt with the effects of thousands upon thousands of accounts being compromised and used to spam, vote-cheat, etc. It was almost always because people use bad passwords and re-use their bad passwords. I had to repeatedly spend days or weeks dealing with the fallout from that, helping people recover access to their accounts, and so on. I'd really like to avoid needing to repeat that here.
You're right that the value of an individual account is low, but people don't compromise one account and stop. Allowing weak/re-used passwords enables large-scale compromises ("credential-stuffing attacks"), and that's the real issue.
The current method of blocking all known-breached passwords is widely recommended, including by NIST:
Generate a random password for every site. Store it in a password manager, text file, or just write it down on a piece of paper. Yes, it's less convenient than using the same password everywhere. That's exactly the point.
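As an added illustration of the registration-time check Deimos describes (this is example code written for this thread, not Tildes' own implementation), the block below rejects any password that appears in a breached-password corpus. The corpus here is a constructed dictionary of four weak passwords with made-up sighting counts so that it runs offline; `range_response` simulates the k-anonymity range lookup that the Pwned Passwords service offers, where the client sends only the first five hex characters of the SHA-1 and matches the rest locally, so the service never learns which password was checked. Note that the check is keyed on the password alone, not on an email/password pair.

```python
import hashlib

# Constructed sample of "known breached" passwords with made-up counts.
# A real check would query a corpus such as Pwned Passwords; these are
# placeholders so the example runs offline.
CONSTRUCTED_BREACHED = {
    "password": 3,
    "pass1234": 2,
    "123456": 5,
    "qwerty": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1: a lookup key for the corpus, not a storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached: dict) -> dict:
    """Index the breached set as {5-char prefix: {35-char suffix: count}}."""
    table: dict = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        table.setdefault(digest[:5], {})[digest[5:]] = count
    return table


RANGE_TABLE = build_range_table(CONSTRUCTED_BREACHED)


def range_response(prefix: str) -> str:
    """Simulate the server side of a k-anonymity range query.

    The client sends only the 5-character prefix; the server answers with
    every suffix it knows under that prefix as 'SUFFIX:COUNT' lines, so it
    never sees the full hash of the password being checked.
    """
    suffixes = RANGE_TABLE.get(prefix.upper(), {})
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(suffixes.items()))


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_response(prefix)).get(suffix, 0)


def check_password(password: str, min_length: int = 8):
    """Registration-time policy: reject short or known-breached passwords.

    Only the password enters the lookup; the account's email address is
    irrelevant, so a leaked password is rejected regardless of which
    account it was originally leaked with.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    sightings = breach_count(password)
    if sightings:
        return False, f"this password appears in known breaches ({sightings} sightings)"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["pass1234", "qwerty", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```

Against the real service, `range_response` would be an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`; everything else, including the local suffix comparison, stays the same. The site's list of rejected passwords grows only because the public corpus of leaked passwords grows, which is the point made in the thread: the check does not require unique passwords per site, only ones that are not already known to attackers.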
Thanks. I won't disagree with you for providing first-hand information. The current system is inconvenient, but since you provided legitimate, first-hand information, I'm willing to accept that there is a reason for it. It might be worth explaining to new users the reason why things are the way they are in a bit more verbose way than is done on the new user registration pages.
Saw your post (edited 47 seconds ago)
I didn't notice anything different, but nice to know you care? <3
Edit 2: still not sure what you changed, because it all looks the same to me but: 7 hours, 15 minutes ago
(edited 18 minutes ago)
It's nice to see site admins that are on top of stuff? That said, might I suggest some sort of wiki bit? Like, when a post gets edited, let us read the changes. Some are obviously benign (spelling) but some will be changing the dialogue.
While I don't disagree, my main beef on why I haven't personally signed up for a password manager is because it's not a practical solution. It only works in your browser, and browsers in general for that matter. There are a lot of places where the flow just doesn't work.
That depends entirely on which password manager you use. There are many options that work outside a browser.
KeePassXC is one such example, but there are others.
@meghan
thanks, TIL
As @esrever says below, KeePassXC works for me on my phone, laptop (all browsers) and at work through using KeePass Portable. I'll see if I can write up my method today and post it here.
I don't quite understand what you mean by that. Most password managers allow copy/pasting passwords from the password vault so you can use them outside the browser (e.g. to login to external applications), and also have associated phone apps which allow the same. So how much more practical can you get?
Check out https://bitwarden.com -- it's got good support for Win/MacOS/*Nix along with CLI, mobile, and browser. I've used all major password managers for extended periods of time, and, for me, Bitwarden has been the most headache-free experience.
It just works.
There are many options that sync across all of your devices, too. I really like Apple's keychain because it works not only in browsers but in any app on iOS that is written to support password managers (which isn't hard). Really, there is seriously no reason not to use a password manager. It is exactly like vaccination. You are only hurting yourself and everyone else by not using one.
Well, that's not really quite accurate. Others have noted KeepassXC, while I have used masterpasswordapp for years now, which has no plugins. On a laptop I use their js website or the ios app on mobile.
This explanation needs to be front and center, not buried in the comments.
Basically it's worth rewording this restriction to explicitly say that some passwords are blacklisted due to an elevated risk of account compromise and associated admin overhead, without getting into why they are blacklisted. That is, the blacklist exists to help the forum operators.
Because the way it reads now is that this is done for the users, which comes across as gratuitous. I've used pass1234 for all forum accounts since the BBS times, because I really don't care about any of them in the beginning and treat them all as throw-aways. If some forum proves to be nice, only then I would go and change the password to something unique.
So when told that here I need to select something unique from the get-go for my own sake, it just doesn't read right. Nope, I really don't need that. But if you ask nicely and explain that it's for the forum's sake, then it makes sense and it's not a big deal.
The behavior you've described is grossly irresponsible and selfish. Password security is exactly like vaccinations: when we all practice good password security, we all benefit. The moment someone decides they don't want to ~~vaccinate their kids~~ be a responsible netizen with a secure password, their account gets compromised. Just because you can't think of a reason to value your account it doesn't mean no one else can. It doesn't mean there's no attack surface exposed by a compromised account. Maybe someone can use the information visible in your account, amalgamated with information in other accounts, to gain even greater access to the site.

Furthermore, do you really not value the privacy of your accounts at all? I can understand having the position that you don't trust your accounts to be secure, at all, ever, but arguably that's not how things should be. We should be able to trust that our accounts have some degree of privacy and security.
Bah, get off your high horse.
There's a bunch of forums that have nonsense restrictions in place and force creating an account for no other reason but to collect email addresses and grow their "registered user base". So, yeah, you can bet your passive-aggressive antivax jab that the only thing they will see from me will be an @grr.la email and password for the password.
It's not an anti-vax "jab"... it's an entirely appropriate comparison in this case! Password security is very similar to herd immunity and people with poor passwords are very much like the unvaccinated, in that when their accounts (immune system) get compromised it affects everyone else in that community negatively, even those with good passwords (vaccinations). Not only because compromised accounts tend to be used for nefarious purposes like spamming, astroturfing, vote manipulation and shilling, which increases the overall noise and decreases quality on the site, but also because combating that abuse and helping users recover their compromised accounts takes away developers from actually, y'know, developing the site... see Deimos' reply at the very top of this topic.
You're basically arguing that forcing you to have a good password is inconvenient, and that's true... but IMO you're failing to see the bigger picture on why that's not a valid enough reason to allow bad passwords to be used. Just because you don't care if your account gets stolen, doesn't mean nobody else does or is unaffected by it when it happens.
It's for everyone's good. In my experience, people love to say things like, "lol it's just a forum account who cares?", but then down the line they get locked out of their account and you get a bunch of frantic messages that look something like:
This thread has a few hundred examples.
That was not the point. What I was saying is that framing it as being good for the users comes across as patronizing. You are likely to get less flak and friction if the message said it's required for the forum's good first and foremost... in which case, for example, this whole thread wouldn't have existed to begin with :)
I'm always impressed with how elegant your site is.
It is. If someone compromises your computer, they can do things like install a keylogger which can then sniff the password to unlock your password manager. This is why you keep your computer up to date on security patches, especially if it's running Windows.
You may be right about that. As I said at the end, I think it's a point to debate. I'm not sure what the goal of the people who run the site is regarding security.
I don't disagree with what you're saying, but requiring new (possibly unique) passwords may open people up to other security threats. Just asking people if they want to use a password that is known to be vulnerable is one thing. Requiring people to use a different password is another. I'm probably going to have to write the password for this down, because all my others are on the list. That list is going to expand. I can't remember all the passwords. There are external solutions, like password managers, but that isn't a solution for the average user.
There's the ideal, "IT" solution, and the one that includes the human factor. I'm not sure the solution we have is the one that deals with that.
In theory people would use password managers, but we shouldn't be talking about security. We should be talking about humans. The users are humans. We may want them to be perfect users but we both know that they are not. We may want to turn them into perfect users and shit on them when they're not. Hopefully, we both know that regardless of how much we do that, we can't fix human nature. Users aren't going to do all the things we want them to and we should plan accordingly.
That's not to say I disagree with what you think people should and perhaps rightly do. It's just that I don't think that's how people will actually act.
Fair, I might not have read your comment as thoroughly as I should have. I think it's obvious people should use password managers more, but unless people are forced they won't. I'll admit, I don't. I'm lazy. Depression may be a part of that, but I'm not saying that for sympathy, just as an answer to why many people who are aware of the problem may not fix it.
Writing down passwords isn't the worst solution, but it's still not a great one and it's the one the site is forcing us into. I'm not sure there's a better solution, which is the uncertainty written into my original post. The post, at least, has generated some good, civil discussion about the matter.
<3
You can always write down the passwords in a booklet or notepad. For most people, keeping this notepad at home will be equivalent security to a password manager and you can likely convince them more easily to do this.
I'm not sure how needing a new password when your old one is already compromised is an "IT" solution; functionally it's the same... you remember your password through memory, writing it down, or using a password manager, just like you would no matter what. Hell, this is light, given how many workplaces and universities require users to change their password regularly even if there's nothing wrong with it and it holds worthless information! This is about as low a cost on usability as I can imagine, compared to forced password rotations and forced 2FA. From an outside, not security-focused or IT perspective, trying to do this is as invalid as setting your password as "1".
You mention having to write it down as if that's a less secure outcome, which I don't really understand. Most people should probably be doing that anyway. And they certainly can figure that out...my grandparents can do it, and I think that's a good test.
Follow it to its logical conclusion. How many sites does a user view? How many unique passwords? A password manager might mitigate that, but how many users would actually go that route? How many post-it notes do I need to paste to my computer to remember all the unique passwords I should have?
You may see it as just "the cost of doing business" but that may not be the way the average user sees it. It's "what is" vs "what should be".
I wasn't suggesting anything about unique passwords. That's something you probably should do, but requiring users to use passwords that haven't already been compromised is completely separate from requiring them to have unique passwords on every site.
You're arguing that users should be able to make accounts that might as well already be stolen because you don't want to be forced to make a new password. Doesn't that seem a little silly?
If you only politely ask/suggest to people, it will get ignored 95% of the time. People need to stop being lazy with their passwords.
Meta, but personally I'd fancy a more descriptive title for this one. "Passwords" is way too broad.
A matter of perspective. I was only invited a few days ago, had an issue and then made a post. Other members have laid out their own opinion along these lines.
My opinion, the site is new enough that the title should be self descriptive. What else would I be talking about but this site? Later on, I would agree with you, because that would no longer be the case. Context is king.
Titles are often read on the frontpage, without the context of the group. I agree with @cadar that it could have been more clear.
Why not use a password manager? They're built into your browser (at least on Firefox and Chrome).
This is the correct answer. A password manager that's synced in the cloud (one that's NOT LastPass, considering how often they get compromised...) provides all the best practices security folks like me keep telling people about with almost none of the inconvenience.
It's done client side. The database stored on an external server can't reveal information about what it contains without decrypting it first, which is done with your master password on your PC/phone/etc.
You store an encrypted database, locally and optionally through online storage. You can even use a self-hosted solution. The decryption is done client-side and uses browser integration, integration with other software by way of a plugin, or provides a list that you manually retrieve the password from to copy+paste. You aren't telling anyone what sites you visit from an encrypted database.
No. No. Not at all. This is so very much the wrong way to implement a password manager. If the hosting provider for your keychain knows what's in your keychain, they're doing it wrong. They should have no idea what is in your data, only that you're storing your data with them. If anyone can decrypt any of your encrypted data but you, it. is. not. secure.
Do you have any suggestions for password managers? I've been using lastpass and just found out thanks to your comment about the hack. I've been feeling slightly negative about them for a bit now (a decent number of reported bugs that aren't getting resolved) but this is the kick in the pants I needed to jump ship. My girlfriend works at a pretty security-conscious company and they use 1password. I can't see any instances of them getting compromised but I'm also open to suggestions :)
I stick with the Apple keychain because of my use cases. I don't like the 1password pricing model, but if I was going to recommend something that you want to sync to all of your devices and the Apple keychain isn't an option, 1password is absolutely my recommendation. They've got some cool integrations with things like Have I Been Pwned which, as a very security-conscious person with sysadmin leanings, I really appreciate.
One shouldn't rely on external software in order to simply access a forum account.
This isn't a matter of accessing just one forum. A password manager is meant to solve the problem of managing a hundred passwords to a hundred sites. Tildes is just one of those sites.
Of course if Tildes is very important to you you can remember your password just to this site.
Password managers are above the likes of the average user. At best they allow the browser to save their password. Then what? As I said, usability vs security. What do we gain vs what we lose?
A random password saved in your browser and synced to Google/Mozilla's cloud is orders of magnitude more secure than a single easily-remembered (⇔ easily-guessed) password you use everywhere. By saving your passwords in your browser, you stop some random script kiddie being able to hack your accounts, at the (tiny, tiny) cost of needing to sign in to your browser to get at your passwords.
What do you lose by doing this?
I'm not arguing that there are more convenient ways of managing this nonsense, but those ways may not be apparent to the average user. I made up a password and I honestly mostly forgot it after having registered it. It's still something I remembered, but I didn't write it down. Firefox normally saves this nonsense for me, but in this case it didn't. I was able to run through all the iterations I thought it could be, and finally found it out.
Maybe the average user would write it down, but what about anyone else? I'm not trying to be obtuse. I didn't write it down because I thought I'd remember it, and then whoops. My grace is that I was able to work it out and if I hadn't, I had at least entered my email before the last time I signed out so I could recover it. I may be dumb, but can you deny that about the average computer user? When designing a system, you need to consider the least intelligent people who will be using it.
It sounded to me that this is the opposite of what you were saying. It sounded like you replied to "Why should I make a strong password?" with "Why not use a password manager?", as if providing a solution to this particular problem.
I hope you see how, without elaboration, it might be confusing. Now that you've written out your reasons, it's become clear what point you were making.
Sorry - to make it clear, I thought the dialog was more like "How can I remember all these passwords?" -> "Use a password manager."
Sorry, I'm not trained in debate or philosophy. I try to formulate the most rational arguments I can and try to leave little to no room for interpretation otherwise. But, obviously, I'm not there yet. This is not a condescending point. Arguing on the internet for years, I try to make myself as clear as I can. That said, it's difficult. Thanks for your understanding.
Honest answer, I use that extensively. However, the password I signed up with wasn't saved automatically and I basically had to burn through a lot of iterations until I arrived at the correct one in order to log in and make this post. I was pretty close to having to use the password retrieval system because I had to use a password I almost never use.
Again, usability vs security.
This sounds like a bug in your password manager more than anything else.
Yeah, but then what? Is every user expected to use a password manager? What are your expectations of the average user? For me, I look at the lowest common denominator. I would like to envision myself as more than that. That would mean that there are a lot of people who use the system that would have problems at least as much as I have.
Yes.
Higher than they should be, I'll be honest.
Well unfortunately, we live in the Eternal September. We have to deal with everyone, not just the people we want to deal with.
I'm quite familiar with the Eternal September. That's the name of the Usenet server I use. :) The perspective I take is that education will help as many as we're able to help, and the rest, well, it's a bit like vaccination, isn't it?
Anyone who recognizes that reference is cool. That said, you may "get" it but I'm not sure you "grok" it. Look at your own comment through the lens of a "September" user. You didn't know that I was in the know when you made your comment; you assumed. I understand you, but will other, less 'in the know' users be able to?
I will absolutely admit to assuming people know the things that I know. That's long been something of a flaw of mine; thank you for pointing it out. I'm not sure if you're referring to the term Eternal September, here, or something else, though. Can you clarify? Trying to reduce my assumptions.
Log out and back in and the browser should prompt you to save the password.
Yes, that's a solution, but a solution I had to look for. What of all the other users who come after me, who don't know to look for such a solution? Do you want to ask new users to logout and back in as part of the new user registration system?
I think that's a good point. As a consequence of entering multiple passwords upon registration people won't end up utilizing their browser's built-in features. Making a fix would actually be a good addition to the Tildes feature requests.
The browser will ask if you want to save the password when you successfully register, not when a registration attempt fails (due to a rejected password or any other reason). You don't have to log out and back in. It works as-is, the OP just didn't save theirs for some reason (missed seeing the prompt, perhaps).
I'm using firefox. I thought it would just grab my password and whatnot, but apparently it didn't. So, failure case #1.
Edit: Notably, I let Firefox grab pretty much all my passwords, safe or not. I won't lie, I'm more convenience over security, so when convenience fails, I get a bit puzzled.
Oh, okay.
Thanks <3
A compromised account can hurt all of us. Reddit is full of spam and manipulator accounts and the most valuable (and hardest to spot) ones are sold/compromised accounts with a long history of normal activity.
Are there not other ways to control that? If an account is suddenly accessed from another IP, could that not trigger a flag? I mean there's issues of course, with vpns and the like, but it's not like other solutions don't exist. Google shits on me nearly every time I try to access my mail from somewhere new.
And I'm not trying to deny the serious problem of spam and manipulator accounts. I bleed with you. I'm just not sure if what we have is best. I said in the original post, I may be wrong, but I am willing to be convinced one way or the other.
I believe it's not just checking for passwords. It's checking for email-password pairs instead. This email, combined with that password. Those passwords wouldn't trigger a warning if they were associated with other email addresses. Never mind, it's definitely checking just passwords. I'd say you might have a point there.
To subscribe, I was only asked for a handle, not an email address. I had to enter that later (for password recovery purposes). I probably need to revamp my personal passwords from top to bottom anyway, but if that was true I'd definitely need to do so.
It's been so long since I signed up I don't remember the process (and it may have changed since). I did hit the trigger, though - from an old last.fm breach. That check's been there since launch.
Saw your edit, thanks for your honesty <3
I would kind of like if the password requirements were loosened a bit so long as you had 2 Factor Authentication enabled.
I used to use awful passwords, like just my name twice or other random common things. Eventually I got to the point where I figured I'd make a solid password and just remember it. I spent 10 seconds making up a random word like 'jaffiniers', then attached a random number onto it, like 18271. I spent a further 10 minutes repeatedly typing it, and got used to typing it by having my frequently used accounts not automatically log in and not save the password, so I'd have to manually input it. After a few days it was bound to memory. I still use lots of other passwords, but the less I care about the account they're attached to, the simpler they'll be.