miniBB Support Forums

Stronger Passwords, better security.

Author RRy
Guest
#1 | Posted: 22 May 2006 18:55 
When most new users sign up, they never consider the dangers of using a weak password. I propose creating a script that will let the user know whether their password is weak/medium/strong.
It should also check against keystroke combinations and dictionary hacks.

Ry

Author marsbar
Associated Member
#2 | Posted: 23 May 2006 02:21 
Not sure whether the info in this thread helps:
http://www.minibb.com/forums/5_3283_0.html
- mb

Author RRy
Guest
#3 | Posted: 23 May 2006 05:05 
Hi Marsbar,
It's an interesting read, but I highly recommend that the creators of miniBB consider adding this to the main code. In that topic one of the team members states that it is not their task to care about people's passwords; that's extremely debatable. They should care about every single user that logs onto what they have created.
Even if the password itself isn't their problem, they can recommend how to create a more secure one.

Ok, we understand now the idea with easier-to-say passwords (so function new_password() is probably the most interesting part of your code). However, we don't think it's a programmer's task to care about users' passwords. The Internet has its own rules and ethics, the same as any other sphere. When you come to a restaurant, the waiter should not teach you how to hold a knife and fork; his goal is just to serve your table.

Anyway, thanks for the code and explanation... hopefully it will be useful for someone.

Author Paul
Lead Developer
#4 | Posted: 23 May 2006 11:00 
one of the team members states that it is not their task to care about people's passwords; that's extremely debatable. They should care about every single user that logs onto what they have created

Proof of concept?.. We have a mini board script. If we are going to include every feature, caring about the users, we will be similar to mega-maxiBB.

As for passwords, that's exclusively up to users which password they prefer. If lamers enter their nickname as a password, it's their problem. After somebody hacks their account, they will know the things they should not do.

Author Ry
Guest
#5 | Posted: 23 May 2006 20:03 
Hi Paul,

Well, here's the debate part. I'm not asking you to be like all the other chat forums out there; I am asking you to do everything in your power for the security of everyone that uses this product, though.

There are several companies that are now integrating this into their products to help/assist users in picking a safer and more secure password.
Hotmail uses the Weak/Medium/Strong display; it forces the user to use at least 6 alphanumeric characters.
link ' accountservices.passport.net/reg.srf?id=2&sl=1&lc=4105 '

Here is a link to Gmail's built-in password strength checker.
Link ' weblogs.java.net/blog/kirillcool/archive/2005/12/visual_feedback.html '
Gmail also has a password strength checker in its options menu if you wish to change your password. (Most have a Gmail account to see what I'm talking about.)

I am not saying it has to be all fancy with bells and whistles like Hotmail's or Gmail's; the main concept of it will help force users to be smarter about what they use for a password, stopping people from using passwords like birthdays, girlfriend's name, pet's names, etc.
In the end you are right, it is up to the user what their password is going to be, but helping them make a smarter decision is what YOU, the creators, should be responsible for.

As for passwords, that's exclusively up to users which password they prefer. If lamers enter their nickname as a password, it's their problem. After somebody hacks their account, they will know the things they should not do.

First off, calling some folks "lamers" for not being as Internet savvy as you is lame!
Second, if every programmer thought the way you just did, basically saying it's their problem, the net would be far worse than it is now.
You have the knowledge and skill to help; all I'm asking is to consider the idea.

Ry

Author tom322
Registered
#6 | Posted: 23 May 2006 21:21 
IMO the concept of "stronger passwords" might be good for e-commerce, not for a (mini) forum. I don't think forcing users to make up a password they will forget in a week (because when a password is not associated with something the user knows, s/he's likely to forget it sooner rather than later) is something the users want.

It's not the 90s anymore, when one computer was used by 10 or more people; currently people have their own computers and don't usually share them with anyone other than members of the family (not always, though, because even kids tend to have their own laptops). The user has a choice to choose any password they want, so I don't see a problem.

Also, what about "international" users? My name is Tomasz, and if I were to choose it as a password in Gmail or Hotmail, it would have been considered a "strong" password, even if all my family members and friends would think it's the simplest thing they could imagine.

----

I have a few forums and have personally put the logout buttons in the Preferences section so that when the user goes to the site s/he doesn't have to log in all over again to post. I'm also a member of many BIG forums and they also tend to keep the user logged in all the time (until logout), for example the biggest webmaster forum at Webmasterworld.com.

----

Even IF the computer is stolen, or for some other reason, the user at miniBB can just click on the "Password" link and have a newly generated password sent to him/her.

Author Enn
Guest
#7 | Posted: 25 May 2006 05:23 
1. You are in charge of this programming. You are responsible to your users. This is basic marketing. Whether commerce is involved or not, you are still the creators of a product and you are still making it available to others, and as such those users are, definitively, your customers. Your obligation is to the customer, and while it is not up to you to make sure that their passwords are secure, it is up to you to guide them. When there is a product and a user base, the creator of the product is obligated to educate their user base. This is easier for you by creating a system whereby the customer is guided to create better and stronger passwords for their own protection.

2. It is disrespectful to refer to your customers (see above) as lamers. I wouldn't call you a lamer for your glaring inability with grammar. Is it fair for you, then, to refer to the users of your product, the people who give your product a purpose, as lamers simply because they do not share your knowledge or computer savvy? Putting people down is never cool. Just because you know a lot about a certain field, it is not fair to assume that everyone should be as educated in that field as you are.

3. These two things, the compromise of secure information and the disrespectful attitude to the users of your product, will catch up to you, limit the possibilities of use of your product and make your product virtually purposeless. A product without a customer base is worthless. This is true in standard commerce, in e-commerce, and even in a situation like this. If you want people to use your product you have to market yourself to the needs of your user.

This sort of stuff should be a given. This is respect for your customer and their safety.

Taking the needs of the user into consideration and offering options to improve password security shows conscientious leaders who take real pride in what they create and what they do.

Frankly, I'm seeing people whose egos are too big for their place. Take a step back and look at things objectively rather than getting caught up in your own self-importance. I'm sure your users would appreciate being more respected and appreciated.

Frankly, I'd like to ask why you're so defensive about this in the first place? Do you doubt the worth of your program or the value of your skills? Perhaps you doubt your own competence.

What is true is that this is a good product; however, even good things can be improved upon. A minor and simple improvement in password security can take what is a good forum system and make it great. This is a suggestion and I feel that it is a very good suggestion and I feel it is in your best interest for the sake of your users to take it into consideration. It would also be a good idea to show more respect for your users since without users, no matter how good a product is, the product ceases to have purpose and thus ceases to have a reason to exist.

Author Ivan
Advanced Member
#8 | Posted: 25 May 2006 07:06 | Edited by: Ivan 
Enn-Ry-RRy, you, too, could show more respect by registering and presenting yourself instead of wanting respect while anonymous.

"Google has some thing and I want you, too, to have it" is not a reason to do/make it.

As for the passwords, you are absolutely right! So, the easiest way for you will be, in my modest opinion, simply to add a remark to your registration form:

Please don't choose your girlfriend's name as password! Use the word "Popocatepetl" instead!

I hope this will help :)

Author Ry
Guest
#9 | Posted: 25 May 2006 08:31 
Hello Ivan,

Enn-Ry-RRy, you, too, could show more respect by registering and presenting yourself instead of wanting respect while anonymous.

To make this clear, I go by either RRy or Ry. As for Enn, that would be my roommate, whom I have shown this topic to and who wishes to add her own feedback.
As for respect, I have tons for this group of individuals that have created this product; my posts have been friendly, respectful, and on topic. Registering doesn't create respect; the forum allows guests to post their thoughts and feedback. As for myself, why would I wish to go through the hassle of registering, as I only wish to post suggestions to help improve their product?

"Google has some thing and I want you, too, to have it" is not a reason to do/make it.

Like I said above:
"I am not saying it has to be all fancy with bells and whistles like Hotmail's or Gmail's; the main concept of it will help force users to be smarter about what they use for a password, stopping people from using passwords like birthdays, girlfriend's name, pet's names, etc."

As for the passwords, you are absolutely right! So, the easiest way for you will be, in my modest opinion, simply to add a remark to your registration form:

Thank you, hoping others will take this into consideration.

Please don't choose your girlfriend's name as password! Use the word "Popocatepetl" instead!

I do NOT appreciate your sarcastic remarks. You speak of respect at the start of your post, yet you show me very little. Also, please do not make assumptions without knowing the facts.

Author Paul
Lead Developer
#10 | Posted: 25 May 2006 17:38 
I don't know whether Ry and Enn are the same person; at least I see one IP is used :-) So I will reply to the whole discussion in general.

I am asking you to do everything in your power for the security of everyone that uses this product, though

I think this question is not related to the security of the script. It relies more on the security of the users themselves. If you install a lock on the door, it's up to you whether you enter 0000 as the code (and it will be cracked sometime/soon), or something like 3891 which is not easy to guess. How should the lock handle this?..

Remember that some users are registering accounts for posting 2-3 questions and don't really worry about whether they will be hacked or not. They just need to ask a couple of questions on a registered-users-only forum and make a couple of replies. I am myself using easy-to-guess passwords on many forums I test or use once in my life. I think limiting users with the thing you offer will limit their freedom. I don't see any respect we may have gained this way. We have free software in all aspects. Even you are writing as an anonymous user, because we are open to everyone, although I could make this board for registered users only. What for?.. I like freedom.

As for lamers, marketing, and egos ("Enn" post): miniBB is a hobby project, and it gives what it gives. It's "AS IS" software, and I don't accept any of your claims. Yes, I have an ego; yes, I hate to lick ass; and yes, I have some little marketing ideas, which already came true. But I don't know how my person is related to the subject, though.

And be sure, I don't doubt I can program this. I doubt this feature is needed at all. We are discussing every new feature this way. So in general, I like your reply ;-)

Author realitybytes
Registered
#11 | Posted: 27 May 2006 23:35 | Edited by: realitybytes 
Just to add on to this post,

And to hopefully reinforce why miniBB stands out, and why for the miniBB community it is the board of choice.

I found this board over a year ago and started working on it and customising it; due to work I stopped developing the site I was working on and am now returning. So I downloaded the latest version and see very few front-end differences; I looked into the recent changes and found some bug fixes and some core enhancements. That in itself saves me many hours of having to integrate the files I worked on over a year ago: I am able to get the latest copy of the board and practically pick up where I left off, and trust me, I heavily customised it.

The minimalist nature of miniBB is exactly why I went with it. I trawled through hotscript for days looking for a board that had basic core features with bags of potential to make it into whatever you want. The whole "customer" base of miniBB, IMHO, is looking for this approach and does not want all these extra features built into the core. Yes, if developed, some "customers" will use them, but this should be optional, and being open source, it is always easy to develop yourself/as a community or even pay to have any given feature.

Personally I like the idea of a mod/plugin that will provide password security, and if the community develops it I am sure miniBB will add it to their downloads section. From my past experience the community here is helpful, and I would gladly help out if you want this plugin; I might even use it myself.

Start a topic in the coding section; I am sure this would be easy to develop. Forget about the ethics of miniBB and debating whether this should or should not be included in the core of miniBB; if it is something you want, then work towards a solution and create what it is you want. In fact I think it would be easy to develop; the hardest part will be the algorithm you want to test the strength of the password with, and how much depth you want it to have. The bells and whistles, as you state, will be the easiest part, e.g. the graphical display showing the strength.

I guess you could look around for open source scripts, or if you understand this already then work out what it is you want.

Just some basics

Count the number of characters.
Detect the actual characters, e.g. numbers, letters, symbols etc.
Decide if you want to disallow based on strength; personally I would not deny any password for a forum.

Then once you have that you need to define what is classed as weak and what is strong.

e.g.
Anything under 8 characters is weak
Anything from 9 - 12 is average
12+ strong

The above is a very basic concept, which will need expanding and classifying depending on what the characters are, mixed numbers and letters etc. Personally I don't think it should be based on extreme levels of checking, but parsing it through several conditions to see if it falls between some defined ranges will be enough, IMHO.
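The outline above (count characters, detect character classes, map to weak/medium/strong) and the first post's request for dictionary and keystroke-combination checks can be put together in a few dozen lines. The following is an added example written for this page; it is not miniBB's code nor the plugin linked from the next post, and a real miniBB plugin would be PHP rather than the Python used here so the example runs stand-alone. The wordlist, the keyboard rows, the leet-speak folding and the point values are all constructed assumptions; the post's length bands leave a gap at exactly 8 and an overlap at 12, and this example takes 8-11 as medium and 12+ as strong before the character-mix and pattern checks adjust the result. The nickname check addresses tom322's "tomasz" case, which a length-only meter would rate as strong.

```python
"""Added example, not miniBB code: a weak/medium/strong password meter built
from the outline in this thread plus dictionary, nickname and keyboard-run
checks. Wordlist, rows and thresholds are constructed assumptions."""
import re

# Constructed mini wordlist; a real plugin would load a proper dictionary
# file. Rated weak regardless of length or character mix.
COMMON_WORDS = {"password", "letmein", "qwerty", "123456", "tomasz",
                "admin", "minibb", "welcome", "monkey"}

# Rows used to spot keystroke runs such as "qwert", "asdfg", "1234", "abcd"
# typed forwards or backwards. Constructed; extend for other keyboard layouts.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1234567890", "abcdefghijklmnopqrstuvwxyz")

# Minimal leet-speak folding so "p@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@$0134!", "asoleai")


def has_keyboard_run(pw, n=4):
    """True if n consecutive keys of any row (either direction) appear in pw."""
    s = pw.lower()
    for row in SEQUENCES:
        for i in range(len(row) - n + 1):
            frag = row[i:i + n]
            if frag in s or frag[::-1] in s:
                return True
    return False


def is_dictionary_word(pw, nickname=None):
    """True if pw (with trailing digits stripped and leet folded) is a known
    word, or if it starts with the user's own nickname."""
    s = pw.lower()
    base = re.sub(r"\d+$", "", s)          # "password2006" -> "password"
    candidates = {s, base, base.translate(LEET)}
    if nickname and s.startswith(nickname.lower()):
        return True
    return any(c in COMMON_WORDS for c in candidates)


def char_classes(pw):
    """Number of distinct character classes present: lower, upper, digit, other."""
    return sum(bool(re.search(p, pw))
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def strength(pw, nickname=None):
    """Return 'weak', 'medium' or 'strong'.

    Anything under 8 characters, any dictionary/nickname match and any
    keyboard run is weak outright. Otherwise length earns 1-3 points
    (8, 12, 16 characters) and character variety 0-3 points; 2-3 points
    is medium, 4 or more is strong.
    """
    if len(pw) < 8 or is_dictionary_word(pw, nickname) or has_keyboard_run(pw):
        return "weak"
    score = sum(len(pw) >= n for n in (8, 12, 16))   # length: 1..3
    score += char_classes(pw) - 1                    # variety: 0..3
    if score >= 4:
        return "strong"
    return "medium" if score >= 2 else "weak"


if __name__ == "__main__":
    # Constructed sample inputs, including the names that came up in this thread.
    for pw, nick in (("tomasz", "tomasz"), ("Tomasz_2006", "tomasz"),
                     ("P@ssw0rd2006", None), ("abcd1234", None),
                     ("Popocatepetl", None), ("correcthorse", None),
                     ("Popocatepetl-1943!", None)):
        print(f"{pw:22} -> {strength(pw, nick)}")
```

Run it server-side at registration and show the label next to the password field; as realitybytes says, a forum probably should not reject weak passwords, only tell the user. The meter is a heuristic, so keep the wordlist and thresholds in a config file rather than in the code, and include the user's nickname and e-mail local part in the dictionary check.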

Author realitybytes
Registered
#12 | Posted: 4 Jun 2006 05:07 
Solution created; details can be found here:

http://www.minibb.com/forums/5_3864_0.html

This topic is closed. New replies are not allowed.