Looking for feedback on improving the security of your passwords

Salvatore Iovene · Martin Junius
AstroBin Beta Testers · 30 replies · 708 views
Which of the following "minimum password strength" you find acceptable and not annoying?
Salvatore Iovene avatar
Hello,

thank you all for joining the "AstroBin Beta Testers" group.

Being part of this group you help AstroBin in two ways:

 - Get early access to new features that require a slow roll-out
 - Provide feedback, opinions, and ideas

Today I want to pick your brains because there's a new problem on the horizon.

As you may know, AstroBin is the target of a little spamming. Nothing serious, and I can manage by myself with moderation, but usually I have to mark as spam a few images and a few forum posts every day.

This is achieved by a moderation queue: users who are on a free account and who haven't had some content approved in the past go through the moderation queue.

Lately, spammers have learned a new trick: they have broken into the accounts of users with weak passwords (like "password123" or something) to post on their behalf. So far we've been lucky, and this content always ended up in the moderation queue, but if I don't take action, soon a spammer will break into the account of some active astrophotographer with a weak password, and start posting a lot of spam on AstroBin.

This is highly undesirable, because often spam includes pornography.

To stop this, I want to enforce a "minimum password strength" requirement on AstroBin.

This will be done in two phases:

 - New accounts get the minimum password strength requirement upon signing up
 - Existing accounts are asked to check the strength of their password, and forced to change it if it doesn't meet the requirements (I need to ask because AstroBin doesn't know your passwords, they are encrypted)

Now, I want you to have strong passwords, but I don't want to be overly annoying.

Please see the poll above and SELECT all the password requirements that you think are acceptable. DO NOT SELECT the ones that you think are annoying and I shouldn't add them.

If you have any questions, please ask away.

Thank you!
Salvatore
Neil Corke avatar
All except the special characters which are hard to remember!
Enol Matilla avatar
This is a good thing to make more secure accounts.
One question: is there any top limit for the password size? I know people usually use long autogenerated passwords.

Greetings Enol.
Michael Ring avatar
Mix of lower/upper case should also be considered
Salvatore Iovene avatar
Enol Matilla:
One question: is there any top limit for the password size? I know people usually use long autogenerated passwords.

Currently there is no limit on how long the password can be. The password is anyway hashed before saving, so technically all passwords are the same length, as far as the database is concerned.
CCDMike avatar
Hi Salvatore!

May I ask why these requirements are necessary?
I mean, we're not necessarily talking about very sensitive data here, are we?

Best
Mike
Salvatore Iovene avatar
May I ask why these requirements are necessary?
I mean, we're not necessarily talking about very sensitive data here, are we?

Hi Mike, this is explained in the post above, specifically:
Lately, spammers have learned a new trick: they have broken into the accounts of users with weak passwords (like "password123" or something) to post on their behalf. So far we've been lucky, and this content always ended up in the moderation queue, but if I don't take action, soon a spammer will break into the account of some active astrophotographer with a weak password, and start posting a lot of spam on AstroBin.

This is highly undesirable, because often spam includes pornography.
Joakim Fjeldli avatar
Might I suggest adding a two-factor authentication (might be as simple as a 4-digit or 4-letter/digit code sent via email when logging in).
Or integration of something such as google authenticator/lastpass etc. Not a requirement but a possibility?
Thorsten Malchow avatar
For me, safety first is the best way.
Salvatore Iovene avatar
Joakim Fjeldli:
Might I suggest adding a two-factor authentication (might be as simple as a 4-digit or 4-letter/digit code sent via email when logging in).
Or integration of something such as google authenticator/lastpass etc. Not a requirement but a possibility?

That would be great for sure, though more complex to implement. I will see if I can make that happen too!
Michael Ring avatar
Certificate based authentication as an extra option would also be nice
Salvatore Iovene avatar
Neil Corke:
All except the special characters which are hard to remember!

To be fair, you shouldn't remember your password. These days we use hundreds of websites, each with its own password. You can't remember hundreds of passwords even if they are super easy, so if you don't rely on a password manager, there are only two options:

1. Your passwords are weak and will be hacked
2. You use the same few passwords on all websites (typically you use a stronger password for the most data-sensitive websites, and a weak password for all the rest). This is also very bad because once one of these websites gets a data breach and your password ends up in a hacker database, your other accounts will be hacked too.
Vitali avatar
Two factor authentication for logins from new devices would be a way to go in the long run. I do not know how difficult it is to implement, but this is a great safeguard against spammers, because knowing the password would not be enough for them to post.
Dale Penkala avatar
Hi Salvatore,

1st I want to commend you for being so pro-active on this! Kudos to you! 2nd I agree with the 2 step authentication factor, the use of special characters and at least 1 number is very good security! With so many spammers you definitely need to stay ahead of them!

Dale
GalacticRAVE avatar
Currently, 8 characters and 4 different species (upper and lower case, number, special character) can be hacked in ~30 minutes on graphics cards. If you increase it to 12 characters, it needs 3000 years. With 1 or 2 characters more you can compensate going to 3 or only 2 features (like only upper and lower case). Somewhere in between those is about the type of security you want to have (and it probably increases by 1 character every other year).
It's not our bank account or our medical records. Personally I found 2 factor authorization a pain, in particular when I use it often, and everything that is a pain you have the tendency to work around, thus compromising security ….

Matthias
Peter Maasewerd (pete_xl) avatar
I believe that the access numbers to Astrobin should decrease significantly with a 2-factor authentication. The accesses of the members do not only occur with the intention to visit the own account, but e.g. via links in forums or in other ways. If you have to have your cell phone with you to follow a link in a forum thread on your desktop, this might quickly become annoying.

Pete
Salvatore Iovene avatar
I believe that the access numbers to Astrobin should decrease significantly with a 2-factor authentication. The accesses of the members do not only occur with the intention to visit the own account, but e.g. via links in forums or in other ways. If you have to have your cell phone with you to follow a link in a forum thread on your desktop, this might quickly become annoying.

Pete

2FA would only be when you log in (the cookie lasts 6 months if you don't log out explicitly) or when you log in from a new device. Anyway, it would be optional and opt-in, except an email confirmation when you're seen from a new device.
Bogdan Borz avatar
Hi Salvatore,

Two factor seems a bit too complex for a site like astrobin. I would go with at least one special character, number and a min length of 8 maybe. This is very common on serious sites and I would say user friendly.

Bogdan
Geoff avatar
Bogdan Borz:
Hi Salvatore,

Two factor seems a bit too complex for a site like astrobin. I would go with at least one special character, number and a min length of 8 maybe. This is very common on serious sites and I would say user friendly.

Bogdan

I agree
Geoff
Hartmuth Kintzel avatar
Bogdan Borz:
Hi Salvatore,

Two factor seems a bit too complex for a site like astrobin. I would go with at least one special character, number and a min length of 8 maybe. This is very common on serious sites and I would say user friendly.

Bogdan

Also agree
Hartmuth
Marco Prelini avatar
@Salvatore Iovene I'd say all, plus at least one uppercase.

2FA would be great too, but I understand the difficulty and costs to add SMS service.
Unless it would use a third party authenticator (google authenticator should be open to third party apps, I believe but I may be wrong).
Martin Junius avatar
Password length and avoiding "well known" simple passwords is IMHO the key. Please don't make the password policy too complicated, especially for entering passwords on a mobile.
2FA with OTP would be nice, but that's not the clientele using "password123" in the first place. ;-)
Diego Pisano avatar
Have you considered adding some CAPTCHA mechanics in the user experience, i.e. registration and/or interaction of any sort such as image submission, forum posts and comments etc.?
Salvatore Iovene avatar
Hi everyone and thank you for expressing your very valued opinions!

Right now the answers are as follows:

 - Your password must contain at least one number. 62 (17.87 %)
 - Your password must contain any of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 59 (17.00 %)
 - Your password can't be too similar to your other personal information. 50 (14.41 %)
 - Your password can't be entirely numeric. 50 (14.41 %)
 - Your password must contain at least 9 characters. 45 (12.97 %)
 - Your password can't be a commonly used password. 43 (12.39 %)
 - Your password can't have appeared in a data breach. 38 (10.95 %)

We also had discussions about two-factor-authentication and requiring an email confirmation when detecting a login from a new device.

So far, it looks like the ones you like the least are:
  • Your password must contain at least 9 characters.
  • Your password can't be a commonly used password.
  • Your password can't have appeared in a data breach.

I think that if I implement an email confirmation when a new device is detected, it's okay to relax the password requirements, so I'm okay with lowering that to 8 characters.

I don't think I want to compromise on "commonly used passwords" and "passwords that appeared in a data breach" (the so-called pwned database). These are most likely the biggest two causes of people getting their account cracked.

I don't think that there are brute-force attacks going on, but I will add a captcha to the login page and throttle the API authentication.

I will implement 2FA as something optional for the user, just because it's so easy (no SMS, just authenticator app or email code).

Thank you again and if you have something to add please let me know!
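As an added illustration of the policy discussed in this thread (not AstroBin's own code), the validator below checks a candidate password against the poll's requirements with the relaxed 8-character minimum, and checks the "appeared in a data breach" item the way a k-anonymity range lookup works: only the first 5 hex characters of the SHA-1 are sent, and the comparison of the rest happens on the client. The common-password list and breach corpus are tiny constructed stand-ins, and the "similar to personal information" rule is a simple substring check, an assumption for this example.

```python
import hashlib

# Constructed sample data standing in for a real common-password list and a
# real pwned-password corpus (which is published as SHA-1 hex digests).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "astrobin"}
_BREACHED_PLAINTEXT = ["letmein", "Summer2019!", "Welcome1!"]  # constructed
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in _BREACHED_PLAINTEXT}

# The special-character set quoted in the poll results above.
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def k_anon_lookup(password, corpus=BREACHED_SHA1):
    """True if the password's SHA-1 is in the corpus, found via a 5-hex-char
    prefix query: the server returns every suffix sharing the prefix and the
    client compares its own suffix locally, so the full hash never leaves."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}  # "server"
    return suffix in candidates


def check_password(password, personal_info=(), min_length=8):
    """Return the list of failed requirements; an empty list means OK."""
    problems = []
    if len(password) < min_length:
        problems.append(f"must contain at least {min_length} characters")
    if password.isdigit():
        problems.append("can't be entirely numeric")
    if not any(c.isdigit() for c in password):
        problems.append("must contain at least one number")
    if not any(c in SPECIAL for c in password):
        problems.append("must contain a special character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("can't be a commonly used password")
    # Assumed rule: any word (3+ chars) of the user's name/email in the password.
    tokens = [t for info in personal_info for t in info.lower().split()]
    if any(len(t) >= 3 and (t in lowered or lowered in t) for t in tokens):
        problems.append("can't be too similar to your personal information")
    if k_anon_lookup(password):
        problems.append("can't have appeared in a data breach")
    return problems
```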
Martin Junius avatar
Please don't go for a captcha overkill, these are really a pain in the something for legitimate users!