Looking for feedback on improving the security of your passwords
AstroBin Beta Testers · Salvatore Iovene · 30 · 705 · 0

This topic contains a poll.
Which of the following "minimum password strength" requirements do you find acceptable and not annoying?
Your password can't be too similar to your other personal information.
Your password must contain at least 9 characters.
Your password can't be a commonly used password.
Your password can't be entirely numeric.
Your password must contain at least one number.
Your password must contain any of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Your password can't have appeared in a data breach.
siovene
Martin Junius:
Please don't go for a captcha overkill, these are really a pain in the something for legitimate users!

Do you log out after every use? Because if not, the login lasts 6 months.
phtnnz 0.00
Salvatore Iovene:
Martin Junius:
Please don't go for a captcha overkill, these are really a pain in the something for legitimate users!

Do you log out after every use? Because if not, the login lasts 6 months.

No, but using several devices and browsers. Only for login is ok, but please don't require them for uploads or forum/comment posts.
siovene
Martin Junius:
Salvatore Iovene:
Martin Junius:
Please don't go for a captcha overkill, these are really a pain in the something for legitimate users!

Do you log out after every use? Because if not, the login lasts 6 months.

No, but using several devices and browsers. Only for login is ok, but please don't require them for uploads or forum/comment posts.

Yeah no worries, and won’t be needed for login either if I manage to do an email confirmation when logging in from a device never seen before.
siovene
2 likes
Alright folks, thank you all from the bottom of my heart for your suggestions!

Here's what's new.

For new users, AstroBin enforces strong passwords upon signing up:
  • Your password can't be too similar to your other personal information (e.g. username, first/last name, email).
  • Your password must contain at least 8 characters.
  • Your password can't be a commonly used password (e.g. “password1234”).
  • Your password can't be entirely numeric.
  • Your password must contain at least one number.
  • Your password must contain a punctuation character.
  • Your password can't have appeared in an online data breach from other websites.


You can optionally enable two-factor authentication here:

https://www.astrobin.com/account/two_factor/

AstroBin will enforce two-factor authentication via email in two cases:
  1. If you try to log in from a country different from the one you were seen in last time
  2. If you try to log in and AstroBin detects that your password does not meet the security requirements (this is possible only for accounts created before this release of course)


If #2 happens (only when you actually log in, after logging out or using a new device, and your password is weak) then AstroBin will send you an additional confirmation token via email.

You also get an email that recommends changing your password. If you ignore it, you can continue using the weak password, but then you will always be prompted with an additional email verification.

As a final note, please read this snippet I wrote in the FAQ:
https://welcome.astrobin.com/faq#is-my-security-protected

in case you didn't realize yet why this was important.

Thank you all again and I think I will sleep better at night now, not fearing waking up to AstroBin full of porn and spam!
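The seven rules in the poll and in the release note above map one-to-one onto checks a sign-up form can run. The following is an added example, not AstroBin's own code: it implements each rule in plain Python, using a small constructed common-password list and a constructed, locally held stand-in for a breach corpus indexed by SHA-1 prefix the way a k-anonymity range lookup is, so that nothing here calls out to a network. The similarity threshold of 0.7 is an assumption (it is the cut-off Django's similarity validator uses); the sample passwords and personal data are constructed.

```python
import difflib
import hashlib
import re
import string

MIN_LENGTH = 8
SIMILARITY_THRESHOLD = 0.7  # assumption: the cut-off Django's UserAttributeSimilarityValidator uses

# Constructed sample of "commonly used" passwords; a real deployment loads a list of many thousands.
COMMON_PASSWORDS = {"password", "password1234", "qwerty123", "letmein", "astrobin"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, indexed the way a k-anonymity range lookup
# works: the first five hex characters of the SHA-1 hash select a bucket, and the
# password counts as breached if the remaining 35 characters appear in that bucket.
BREACH_INDEX: dict = {}
for _breached in ("Summer2019!", "Welcome1!"):  # constructed sample breached passwords
    _h = sha1_hex(_breached)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def too_similar(password: str, attribute: str, threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """True if the password closely resembles the attribute or any word-like piece of it
    (so 'salvatore@example.com' also yields the pieces 'salvatore', 'example', 'com')."""
    if not attribute:
        return False
    value = attribute.lower()
    pieces = [value] + [p for p in re.split(r"\W+", value) if len(p) >= 3]
    return any(difflib.SequenceMatcher(a=password.lower(), b=p).ratio() >= threshold for p in pieces)


def appeared_in_breach(password: str, index: dict = BREACH_INDEX) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password: str, personal_info: dict) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    for field_name, value in personal_info.items():
        if too_similar(password, value):
            problems.append(f"too similar to your {field_name}")
            break
    if len(password) < MIN_LENGTH:
        problems.append(f"must contain at least {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if password.isdigit():
        problems.append("can't be entirely numeric")
    if not any(ch.isdigit() for ch in password):
        problems.append("must contain at least one number")
    # string.punctuation is exactly the set listed in the poll: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    if not any(ch in string.punctuation for ch in password):
        problems.append("must contain a punctuation character")
    if appeared_in_breach(password):
        problems.append("has appeared in a data breach")
    return problems


if __name__ == "__main__":
    # Constructed account data for the demonstration.
    info = {"username": "siovene", "first_name": "Salvatore", "last_name": "Iovene",
            "email": "salvatore@example.com"}
    for candidate in ("Orion-Nebula-42!", "Salvatore1!", "12345678", "password1234", "Summer2019!"):
        print(f"{candidate!r}: {check_password(candidate, info) or 'OK'}")
```

The similarity check compares against each personal attribute and against the pieces of it, which is what catches "Salvatore1!" against a first name; the breach check only ever needs the five-character hash prefix to select a bucket, which is why a real lookup can be done without sending the password or its full hash anywhere.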
Linwood 5.76
I am happy to see you are not forcing password expirations on us; that is one of the commonly used things that contributes least to real security, and maybe even negatively.

However, I really wanted to raise another issue while you are thinking harder on security -- your emails to the members are filled with clickable links. Clickable links with hidden URLs. This is user friendly and very commonly done, but itself sets up an environment of trust that is easily abused by hackers. So pretend I'm a hacker and happen to stumble across this discussion or your last newsletter. All I do is now send a fake email, pretending to be from you, to every astronomer I can find by skimming emails from web sites, with links to "check your password", land on a fake site and start harvesting passwords. Such skimmed emails are guaranteed to find a few hundred astrobin accounts, it's not like this is a niche site not used by many astronomers.

Convenience is always the enemy of security. By being convenient for subscribers, you are training them to click on links that appear to come from astrobin.

Is the cure (no clickable links, and warn people not to click on any) worse than the disease? Maybe. After all this is not a banking site.

But... just something to think about.
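The concern in the post above is that anchor text hides where a link really goes, so recipients learn to click whatever looks like it came from the site. One defensive control a site can run over its own outgoing mail templates is a link audit that flags any anchor whose visible text is not the destination itself, plus a plain-text rendering in which every destination is spelled out. The following is an added example, not AstroBin's mailer: it uses only the standard library, the allowed host list is an assumption built from the two URLs quoted in this thread, and the sample email body is constructed.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: hosts the site legitimately links to, taken from the URLs quoted in this thread.
ALLOWED_HOSTS = {"www.astrobin.com", "welcome.astrobin.com"}


class LinkAuditor(HTMLParser):
    """Collects every <a href> in an HTML email body and classifies how it presents its destination."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []                 # (visible text, href), in document order
        self.findings: List[Tuple[str, str, str]] = []          # (kind, visible text, href)
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:           # only collect text while inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.links.append((text, self._href))
            self._classify(text, self._href)
            self._href = None

    def _classify(self, text: str, href: str) -> None:
        host = urlparse(href).hostname or ""
        looks_like_url = text.lower().startswith(("http://", "https://"))
        if looks_like_url and text != href:
            # Worst case: the text shows one address while the link goes somewhere else.
            self.findings.append(("mismatched url", text, href))
        elif host not in ALLOWED_HOSTS:
            self.findings.append(("off-site link", text, href))
        elif text != href:
            # Legitimate destination, but the reader cannot see it without hovering.
            self.findings.append(("hidden url", text, href))


def audit_email_links(html: str) -> List[Tuple[str, str, str]]:
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def link_lines(html: str) -> List[str]:
    """Plain-text rendering of every link as 'label: full URL', so the destination is always visible."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return [href if text == href else f"{text}: {href}" for text, href in auditor.links]


# Constructed sample body containing one of each link style.
SAMPLE_EMAIL_HTML = (
    '<p>Please <a href="https://www.astrobin.com/account/two_factor/">enable 2FA</a>. '
    'Your account page is <a href="https://www.astrobin.com/account/">https://www.astrobin.com/account/</a>. '
    'Lookalike: <a href="https://phishing.example/login">https://www.astrobin.com/login</a>. '
    'Off-site: <a href="https://donate.example/astro">Donate</a>.</p>'
)

if __name__ == "__main__":
    for kind, text, href in audit_email_links(SAMPLE_EMAIL_HTML):
        print(f"{kind:15} {text!r} -> {href}")
    print("\n".join(link_lines(SAMPLE_EMAIL_HTML)))
```

Run as a check in the template build, a non-empty findings list fails the build; the "hidden url" class is the one Linwood describes, and whether to tolerate it for an allowed host is the convenience trade-off the post weighs.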
Gary.JONES 5.77
Hi Salvatore,
I'm pleased you're asking users to strengthen their passwords

This is how I'd approach it :-
1. No captcha image match - like many others, I find this **really** annoying - 'I'm not a robot' confirmation is OK.
2. At least 8 characters
3. At least 4 species (lower case, upper case, number and special symbol)
4. 2FA the first login from a new device - via email is best, many users don't like disclosing their phone number
5. Every user required to update their password on their first login after implementing the new password policy.
6. Reconfirm user identity every year when the account is renewed.

As other users have mentioned, convenience and security are always at odds with each other.
Clickable links are definitely a concern, IMHO the only way around this is to avoid using them, and ask the user to log on independently using the site URL.

I agree that Astrobin is not a banking site, and that a hacked account does not pose a huge risk to users.

But it's really Astrobin we're trying to protect - and to prevent inappropriate material being posted on the site.
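Salvatore's release note names two triggers for the extra email step (a login from a different country than last time, and a password that does not meet the new requirements), Salvatore's earlier reply and Gary's point 4 add a third (first login from a device never seen before). The following is an added example, not AstroBin's code, of how that step-up decision and the emailed token can be implemented: the trigger logic is a pure function so it can be tested, the token comes from a CSPRNG, it is single-use, compared in constant time, and expires. The ten-minute lifetime and five-attempt limit are assumptions, the clock is injectable so the expiry can be exercised offline, and the accounts are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

TOKEN_TTL_SECONDS = 10 * 60  # assumption: an emailed token is valid for ten minutes
MAX_ATTEMPTS = 5             # assumption: five wrong guesses invalidate the token


@dataclass
class Account:
    username: str
    last_login_country: Optional[str]   # country of the last successful login; None for a new account
    password_meets_policy: bool         # False for pre-policy accounts until the password is changed
    known_devices: Set[str] = field(default_factory=set)


def email_verification_reasons(account: Account, login_country: str, device_id: str) -> List[str]:
    """Return why this login must be confirmed by an emailed token; an empty list means plain login."""
    reasons = []
    if account.last_login_country is not None and login_country != account.last_login_country:
        reasons.append("country differs from the last login")
    if not account.password_meets_policy:
        reasons.append("password does not meet the current requirements")
    if device_id not in account.known_devices:
        reasons.append("device never seen before")
    return reasons


class EmailTokenStore:
    """Holds one short-lived numeric token per user and checks it in constant time."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float, int]] = {}  # user -> (token, expiry, wrong attempts)

    def has_pending(self, username: str) -> bool:
        entry = self._pending.get(username)
        return entry is not None and self._clock() <= entry[1]

    def issue(self, username: str) -> str:
        token = f"{secrets.randbelow(10 ** 6):06d}"  # six digits from a CSPRNG, zero-padded
        self._pending[username] = (token, self._clock() + TOKEN_TTL_SECONDS, 0)
        return token  # the caller emails this to the account's address; it is never logged

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        token, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]   # expired or guessed at too often: a fresh token is needed
            return False
        if hmac.compare_digest(token, submitted):
            del self._pending[username]   # single use
            return True
        self._pending[username] = (token, expires_at, attempts + 1)
        return False


def complete_login(account: Account, login_country: str, device_id: str,
                   store: EmailTokenStore, submitted_token: Optional[str] = None) -> str:
    """One login attempt after the password was accepted: 'ok', 'email_verification_required' or 'token_rejected'."""
    if email_verification_reasons(account, login_country, device_id):
        if submitted_token is None:
            if not store.has_pending(account.username):
                store.issue(account.username)   # mail it; the response does not say which trigger fired
            return "email_verification_required"
        if not store.verify(account.username, submitted_token):
            return "token_rejected"
    account.last_login_country = login_country
    account.known_devices.add(device_id)
    return "ok"


if __name__ == "__main__":
    store = EmailTokenStore()
    legacy = Account("siovene", "FI", password_meets_policy=False, known_devices={"dev-1"})
    print(email_verification_reasons(legacy, "FI", "dev-1"))
    print(complete_login(legacy, "FI", "dev-1", store))
```

Note that a weak legacy password keeps triggering the email step on every new session until the user changes it, which is exactly the nudge described in the release note; the response string deliberately does not reveal which of the three triggers fired.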