Looking for feedback on improving the security of your passwords · AstroBin Beta Testers · Salvatore Iovene · 30 · 705 · 0

This topic contains a poll.
Which of the following "minimum password strength" you find acceptable and not annoying?
 - Your password can't be too similar to your other personal information.
 - Your password must contain at least 9 characters.
 - Your password can't be a commonly used password.
 - Your password can't be entirely numeric.
 - Your password must contain at least one number.
 - Your password must contain any of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
 - Your password can't have appeared in a data breach.
siovene · 3 likes
Hello,

thank you all for joining the "AstroBin Beta Testers" group.

Being part of this group you help AstroBin in two ways:

 - Get early access to new features that require a slow roll-out
 - Provide feedback, opinions, and ideas

Today I want to pick your brains because there's a new problem on the horizon.

As you may know, AstroBin is the target of a little spamming. Nothing serious, and I can manage by myself with moderation, but usually I have to mark as spam a few images and a few forum posts every day.

This is achieved by a moderation queue: users who are on a free account and who haven't had some content approved in the past go through the moderation queue.

Lately, spammers have learned a new trick: they have broken into the accounts of users with weak passwords (like "password123" or something) to post on their behalf. So far we've been lucky, and this content always ended up in the moderation queue, but if I don't take action, soon a spammer will break into the account of some active astrophotographer with a weak password, and start posting a lot of spam on AstroBin.

This is highly undesirable, because often spam includes pornography.

To stop this, I want to enforce a "minimum password strength" requirement on AstroBin.

This will be done in two phases:

 - New accounts get the minimum password strength requirement upon signing up
 - Existing accounts are asked to check the strength of their password, and forced to change it if it doesn't meet the requirements (I need to ask because AstroBin doesn't know your passwords, they are encrypted)

Now, I want you to have strong passwords, but I don't want to be overly annoying.

Please see the poll above and SELECT all the password requirements that you think are acceptable. DO NOT SELECT the ones that you think are annoying and I shouldn't add them.

If you have any questions, please ask away.

Thank you!
Salvatore
NeilCorke 1.81 · 1 like
All except the special characters which are hard to remember!
Boreack 0.00 · 1 like
This is a good thing to make more secure accounts.
One question: is there any top limit for the password size? I know people usually use long autogenerated passwords.

Greetings Enol.
MichaelRing 3.94 · 2 likes
Mix of lower/upper case should also be considered
siovene · 2 likes
Enol Matilla:
One question: is there any top limit for the password size? I know people usually use long autogenerated passwords.

Currently there is no limit on how long the password can be. The password is hashed before saving anyway, so technically all passwords are the same length, as far as the database is concerned.
CCDMike 5.02
Hi Salvatore!

May I ask why these requirements are necessary?
I mean, we're not necessarily talking about very sensitive data here, are we?

Best
Mike
siovene · 1 like
May I ask why these requirements are necessary?
I mean, we're not necessarily talking about very sensitive data here, are we?

Hi Mike, this is explained in the post above, specifically:
Lately, spammers have learned a new trick: they have broken into the accounts of users with weak passwords (like "password123" or something) to post on their behalf. So far we've been lucky, and this content always ended up in the moderation queue, but if I don't take action, soon a spammer will break into the account of some active astrophotographer with a weak password, and start posting a lot of spam on AstroBin.

This is highly undesirable, because often spam includes pornography.
joakim 1.20 · 4 likes
Might I suggest adding a two-factor authentication (might be as simple as a 4-digit or 4-letter/digit code sent via email when logging in).
Or integration of something such as google authenticator/lastpass etc. Not a requirement but a possibility?
ThorstenMalchow 0.90 · 1 like
For me, safety first is the best way.
siovene · 1 like
Joakim Fjeldli:
Might I suggest adding a two-factor authentication (might be as simple as a 4-digit or 4-letter/digit code sent via email when logging in).
Or integration of something such as google authenticator/lastpass etc. Not a requirement but a possibility?

That would be great for sure, tho more complex to implement. I will see if I can make that happen too!
MichaelRing 3.94 · 1 like
Certificate based authentication as an extra option would also be nice
siovene · 1 like
Neil Corke:
All except the special characters which are hard to remember!

To be fair, you shouldn't remember your password. These days we use hundreds of websites with their password. You can't remember hundreds of passwords even if they are super easy, so if you don't rely on a password manager, there are only two options:

1. Your passwords are weak and will be hacked
2. You use the same few passwords on all websites (typically you use a stronger password for the most data-sensitive websites, and a weak password for all the rest). This is also very bad because once one of these websites gets a data breach and your password ends up in a hacker database, your other accounts will be hacked too.
sunlover 10.46 · 1 like
Two factor authentication for logins from new devices would be a way to go in the long run. I do not know how difficult it is to implement, but this is a great safeguard against spammers, because knowing the password would not be enough for them to post.
DalePenkala 15.85 · 1 like
Hi Salvator,

1st I want to commend you for being so pro-active on this! Kudos to you! 2nd I agree with the 2 step authentication factor, the use of special characters and at least 1 number is very good security! With so many spammers you definitely need to stay ahead of them!

Dale
GalacticRAVE 5.87 · 1 like
currently, 8 characters and 4 different species (upper and lower case, number, special character) can be hacked in ~30 minutes on graphic cards. if you increase it to 12 characters, it needs 3000 years. With 1 or 2 characters more you can compensate going to 3 or only 2 features (like only upper and lower case). somewhere in between those is about the type of security you want to have (and it probably increases by 1 character every other year).
It's not our bank account or our medical records. Personally I found 2 factor authorization a pain in particular when I use it often - and everything that is a pain you have the tendency to work around thus compromising security ....

Matthias
pete_xl 2.94
I believe that the access numbers to Astrobin should decrease significantly with a 2-factor authentication. The accesses of the members do not only occur with the intention to visit their own account, but e.g. via links in forums or in other ways. If you have to have your cell phone with you to follow a link in a forum thread on your desktop, this might quickly become annoying.

Pete
siovene · 2 likes
I believe that the access numbers to Astrobin should decrease significantly with a 2-factor authentication. The accesses of the members do not only occur with the intention to visit their own account, but e.g. via links in forums or in other ways. If you have to have your cell phone with you to follow a link in a forum thread on your desktop, this might quickly become annoying.

Pete

2FA would only be when you login (the cookie lasts 6 months if you don't log out explicitly) or when you log in from a new device. Anyway, it would be optional and opt-in, except an email confirmation when you're seen from a new device.
Bobinius 9.90
Hi Salvatore,

Two factor seems a bit too complex for a site like astrobin. I would go with at least one special character, number and a min length of 8 maybe. This is very common on serious sites and I would say user friendly. 

Bogdan
Geoff 2.81 · 2 likes
Bogdan Borz:
Hi Salvatore,

Two factor seems a bit too complex for a site like astrobin. I would go with at least one special character, number and a min length of 8 maybe. This is very common on serious sites and I would say user friendly. 

Bogdan

I agree
Geoff
Hartmuth_Kintzel 7.87 · 1 like
Bogdan Borz:
Hi Salvatore,

Two factor seems a bit too complex for a site like astrobin. I would go with at least one special character, number and a min length of 8 maybe. This is very common on serious sites and I would say user friendly. 

Bogdan

Also agree
Hartmuth
gorante 2.62 · 1 like
@Salvatore Iovene I'd say all, plus at least one uppercase.

2FA would be great too, but I understand the difficulty and costs to add SMS service.
Unless it would use a third party authenticator (google authenticator should be open to third party apps, I believe but I may be wrong).
phtnnz 0.00
Password length and avoiding "well known" simple passwords is IMHO the key. Please don't make the password policy too complicated, especially for entering passwords on a mobile.
2FA with OTP would be nice, but that's not the clientele using "password123" in the first place. ;-)
Mirv 0.00
Have you considered adding some CAPTCHA mechanics in the user experience, i.e. registration and/or interaction of any sort such as image submission, forum posts and comments etc.?
siovene
Hi everyone and thank you for expressing your very valued opinions!

Right now the answers are as follows:
 - Your password must contain at least one number: 62 (17.87 %)
 - Your password must contain any of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ : 59 (17.00 %)
 - Your password can't be too similar to your other personal information: 50 (14.41 %)
 - Your password can't be entirely numeric: 50 (14.41 %)
 - Your password must contain at least 9 characters: 45 (12.97 %)
 - Your password can't be a commonly used password: 43 (12.39 %)
 - Your password can't have appeared in a data breach: 38 (10.95 %)

We also had discussions about two-factor-authentication and requiring an email confirmation when detecting a login from a new device.

So far, it looks like the ones you like the least are:
  • Your password must contain at least 9 characters.
  • Your password can't be a commonly used password.
  • Your password can't have appeared in a data breach.

I think that if I implement an email confirmation when a new device is detected, it's okay to relax the password requirements, so I'm okay with lowering that to 8 characters.

I don't think I want to compromise on "commonly used passwords" and "passwords appeared in a data breach" (called pwnd database). These are most likely the biggest two causes of people getting their account cracked.

I don't think that there are brute-force attacks going on, but I will add a captcha to the login page and throttle the API authentication.

I will implement 2FA as something optional for the user, just because it's so easy (no SMS, just authenticator app or email code).

Thank you again and if you have something to add please let me know!
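An added example, not AstroBin's code: the poll's rules and the "appeared in a data breach" check from the summary above as one password checker. The breach rule is done as a k-anonymity style prefix lookup (only the first 5 hex characters of the SHA-1 are sent to the lookup, never the full hash); the common-password list, the breach corpus and the 0.7 similarity threshold are constructed assumptions for this example.

```python
import difflib
import hashlib
import string

# Constructed sample data standing in for a real common-password list and a real
# breach corpus (assumptions for this example, not AstroBin's data).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
_BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                  for p in ("password123", "Summer2019!", "astrobin1")}
SPECIALS = set(string.punctuation)  # the same 32 characters listed in the poll


def breach_range(prefix: str) -> list[str]:
    """k-anonymity style range query: the client sends only the first 5 hex chars of
    the SHA-1 and gets back every breached suffix under that prefix, so the full hash
    never leaves the client. Answered here from the constructed local set."""
    return sorted(h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix))


def appeared_in_breach(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in breach_range(digest[:5])


def too_similar(password: str, attributes: dict[str, str], max_ratio: float = 0.7) -> bool:
    """True when the password closely resembles a word of a profile field
    (username, e-mail, real name); 0.7 is the threshold chosen for this example."""
    pw = password.lower()
    for value in attributes.values():
        for part in value.lower().replace("@", " ").replace(".", " ").split():
            if difflib.SequenceMatcher(a=pw, b=part).ratio() >= max_ratio:
                return True
    return False


def check_password(password: str, attributes: dict[str, str], min_length: int = 8) -> list[str]:
    """Return the poll rules the password fails, worded as in the poll; [] means it
    passes. min_length defaults to the relaxed 8 characters mentioned in the thread."""
    failures = []
    if too_similar(password, attributes):
        failures.append("Your password can't be too similar to your other personal information.")
    if len(password) < min_length:
        failures.append(f"Your password must contain at least {min_length} characters.")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("Your password can't be a commonly used password.")
    if password.isdigit():
        failures.append("Your password can't be entirely numeric.")
    if not any(c.isdigit() for c in password):
        failures.append("Your password must contain at least one number.")
    if not any(c in SPECIALS for c in password):
        failures.append(f"Your password must contain any of the following special characters: {string.punctuation}")
    if appeared_in_breach(password):
        failures.append("Your password can't have appeared in a data breach.")
    return failures
```

Note that the "similar to personal information" rule needs the user's profile fields, so it can only run server-side at sign-up or password change, while the breach lookup can be done from the client with the prefix alone.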
phtnnz 0.00
Please don't go for a captcha overkill, these are really a pain in the something for legitimate users!