Changing Our Password Policy
#1
When I first started these forums nearly 4 years ago, password security was the last thing on my mind. These days, I think about it on a regular basis. Over the last couple of years, various websites have been hacked into, and passwords exposed or cracked.

We've had a very lax password policy so far, with a minimum password length of 8, and absolutely no requirement for complexity. A password of "password" is allowed, for example.

A few days ago, I decided to test how secure our passwords really were, and simulated an attack. I downloaded the password hashes and salts (a value that adds security to a password) from the database, in an anonymized fashion (that is, I did not know which hash corresponded to which user). I then used a cracking program on them with a large password dictionary (over 16 million common passwords) and let it run.

A few hours later, 1,336 out of the 3,670 I'd downloaded were cracked. That means that 36.4% of the passwords were found in a commonly used password dictionary. A brute-force attack on the others was not carried out, but I predict it would have cracked more.

I informed the staff, and we've agreed that due to these results, our password policy needs to change, and we're going to enforce the change on all of our current users. In a few days, I will change the password policy such that all passwords will require complex characters (upper- and lower-case letters and numbers) and must be over 12 characters in length. We will then force users to change their passwords before they can use the site again.

We are giving this advance warning so that our active users are not caught out and confused by the change. If you want to create a complex and memorable password, I suggest using a passphrase (see my article on the subject). I would also recommend using an online password manager like LastPass and using a different password on each website.

Feel free to ask any questions you might have.

- Atheist Forums Staff

Update: Due to a large number of complaints, this no longer applies. If your account gets hacked, it is your own fault.
Update #2: Ignore that last update. If you don't care about other people's security, kindly fuck off.
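The audit described in the opening post (export the salted hashes without usernames, run a dictionary against them, count how many fall) and the new policy it led to, reproduced as an added example. This is not the forum's own script. It assumes a MyBB-style scheme of md5(md5(salt) + md5(password)), which the thread never states, and it uses a constructed eleven-entry password table and a ten-word dictionary in place of the real database and the 16-million-entry wordlist:

```python
import hashlib
import re
import secrets

# Constructed stand-in for the forum's password table. Plaintexts exist here only
# to build the dump; a real audit starts from the stored (salt, hash) pairs.
SAMPLE_PASSWORDS = [
    "password", "qwerty", "letmein", "iloveyou",          # in the dictionary
    "Tr0ub4dor&3", "correct horse battery staple",        # not in the dictionary
    "xK9#mQ2pLw7vRt", "football12", "Dragon2012",
    "MyForumPass1", "Atheism4Life!",
]

# Constructed stand-in for the 16-million-entry dictionary mentioned in the post.
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123",
            "letmein", "dragon", "football", "iloveyou", "monkey"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Assumed scheme: md5(md5(salt) + md5(password)). Not confirmed by the thread."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def build_anonymized_dump(passwords):
    """(salt, hash) pairs only, no usernames, like the post's anonymized export."""
    dump = []
    for p in passwords:
        salt = secrets.token_hex(4)          # 8-character random salt per user
        dump.append((salt, salted_hash(p, salt)))
    return dump


def dictionary_attack(dump, wordlist):
    """Try every dictionary word against every stored hash.

    Per-user salts mean each candidate has to be re-hashed for every user, so the
    cost is len(dump) * len(wordlist) outer hashes. The salt-independent md5(word)
    is computed once per word and md5(salt) once per user; the salt raises the
    attacker's bill but does nothing for a password that is in the dictionary.
    """
    word_digests = [(w, md5_hex(w)) for w in wordlist]
    cracked = {}                              # dump index -> recovered password
    for idx, (salt, stored) in enumerate(dump):
        salt_digest = md5_hex(salt)
        for word, word_digest in word_digests:
            if md5_hex(salt_digest + word_digest) == stored:
                cracked[idx] = word
                break
    return cracked


def crack_rate(cracked, total):
    return round(100.0 * len(cracked) / total, 1)


POLICY_MIN_LENGTH = 13   # the post says "over 12 characters", so 13 or more


def meets_policy(password: str) -> bool:
    """The announced rule: length over 12, with upper case, lower case and a digit."""
    return (len(password) >= POLICY_MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def audit(passwords=SAMPLE_PASSWORDS, wordlist=WORDLIST):
    dump = build_anonymized_dump(passwords)
    cracked = dictionary_attack(dump, wordlist)
    return {
        "total": len(dump),
        "cracked": len(cracked),
        "rate_pct": crack_rate(cracked, len(dump)),
        "cracked_words": sorted(cracked.values()),
        "would_pass_new_policy": sum(meets_policy(p) for p in passwords),
    }


if __name__ == "__main__":
    print(audit())
```

On the constructed table 4 of 11 fall to the dictionary (36.4%, the same rate the post reports for the real one), and only 2 of the 11 would survive the new policy: "MyForumPass1" fails because it is exactly 12 characters, and the passphrase "correct horse battery staple" fails for lacking an upper-case letter and a digit, even though it is not in any dictionary. A length rule alone would have admitted the passphrase and the two random strings.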
#2
RE: Changing Our Password Policy
Yeah. I hate this idea. If I want to use an easily cracked password... that should be up to me.

But... yer da boss. If you say it's so... then it's so.
#3
RE: Changing Our Password Policy
Done mine. Great.
#4
RE: Changing Our Password Policy
Also:

[Image: bstn498l.jpg]
#5
RE: Changing Our Password Policy
I have trouble remembering the one I have.

I may see you guys in the future....or not. If I suddenly disappear you will know that I lost the little slip of paper that I wrote it on.
#6
RE: Changing Our Password Policy
Then tell me your password and I'll write it down somewhere, in case you lose that slip of paper. Problem solved. :)
#7
RE: Changing Our Password Policy
How do I change my fricken password?

You can fix ignorance, you can't fix stupid.
Tinkety Tonk and down with the Nazis.
#8
RE: Changing Our Password Policy
User CP -> Change Password
#9
RE: Changing Our Password Policy
I found it just after I posted. Changed my sig while I was at it.
#10
RE: Changing Our Password Policy
(July 19, 2012 at 11:48 am)Tiberius Wrote: I would also recommend using an online password manager like LastPass and using a different password on each website.

Seriously, this.

Lastpass is up there with AdBlock Plus in the essential browser addons department.

It makes my life so easy - I don't have to remember any of the hundred or so passwords for websites I use. I don't even know what most of them are - they're randomly generated.

All I have to remember is one passphrase to unlock my password vault when I open my browser.

Free and works on Firefox, Chrome, IE, Opera, and probably others. There are apps for Android and iOS also, but they are unfree (it's useful enough to me that I pay the $1/month to use it on my phone).