Ford Bronco Forum - View Single Post - Attention - Password and Security Update
View Single Post
post #44 of (permalink) Old 07-01-2016, 10:46 PM
chrisd91
Registered User
 
chrisd91's Avatar
 
Join Date: Apr 2015
Location: Yakima Valley
Posts: 126
Bronco Info: 79 Bronco 400 c6 np205 shackle flip, ~5" coils in front.
iTrader: (0)
Quote:
Originally Posted by schwim View Post
Hi there Pepe,

I just wanted to explain the flaw in thinking that you need a password that's unbreakable by machines.

The days of a script looping through 10,000 dictionary words to try to log into your account are long gone. Even when it doesn't work, it's a huge drain on server resources. Here's one example of how this should be protected against:

Allow up to 10 consecutive attempts to log in. Provide visual warnings to the visitor that they are nearing lockout. Once locked out, the IP addresses used in the attempts are blacklisted to save on wasted server responses and the forum sends an email to the address on record letting them know of the lockout with a link to reactivate their account. Only the holder of the account should have access to the email address, so this would be considered sufficient in regards to security to regain access to the account and would not involve a mod or admin to help.

This method also doesn't have to worry about spoofing IP addresses and UA strings. The forum wouldn't care about the location of the login attempt. 10 tries and you're done. You can reset the attempts field at 24 hours to keep the database table clean.

With 10 attempts, you could have a 4 character unrestricted password and would likely never see a compromised account.

More important than a complex pattern is to not use the most common passwords as that is what scripts are designed to use to try to log in.

Main disagreement I have with this is that when I tried logging in through the app to my other autoguide forum (one that was linked to an old, dead email account) before I was aware of the password reset was that after only two of my attempts I was locked out and told I had used all 5 attempts. My best guess if the app was trying to automatically log in with my old password between my log in attempts and those were counting against me. I could see someone getting to 10 attempts real quickly if they were having an error like that and were attempting to remember their password. I used 5 "attempts" that way twice before I got frustrated and texted my friend who is an admin there

Nothing to see here
chrisd91 is offline  
 
 
For the best viewing experience please update your browser to Google Chrome