Password strength and security

Administrator
Administrator
Posts: 213
Joined: 14 May 2005 20:35

Password strength and security

Post by Administrator »

We'd like to take this time to remind everyone about password strength and security. We have recently added functionality that will show users how strong (or weak) their password is as they type it into the password field when creating or updating their account.

There are two main features you will see:
  • The Password field changes colors from red (weak) to green (strong) as the user types in a password.
  • The Password strength is labeled as 'Very Weak', 'Weak', 'Good', 'Strong' and 'Very Strong'.
We'd like to offer a few other pointers about passwords and security.
  • Choose a password that indicates as Strong or Very Strong. The longer the password, the better. Passwords on FWF must be at least eight characters long, and preferably longer.
  • Change your password from time to time. The frequency is up to you.
  • Do not use the same password on multiple sites. If your password is unique to a site, then it will not be compromised if some other site is hacked.
One other reminder while we have your attention. Please keep the e-mail address in your profile up-to-date. That way, if you need to reset your password or if there ever is an issue we can notify you.

--Administrator
deaddog
Veteran Contributor
Posts: 3422
Joined: 19 Jan 2008 19:59
Location: Central BC/Arizona

Re: Password strength and security

Post by deaddog »

Administrator wrote:We'd like to take this time to remind everyone about password strength and security. We have recently added functionality that will show users how strong (or weak) their password is as they type it into the password field when creating or updating their account.

There are two main features you will see:
  • The Password field changes colors from red (weak) to green (strong) as the user types in a password.
  • The Password strength is labeled as 'Very Weak', 'Weak', 'Good', 'Strong' and 'Very Strong'.
We'd like to offer a few other pointers about passwords and security.
  • Choose a password that indicates as Strong or Very Strong. The longer the password, the better. Passwords on FWF must be at least eight characters long, and preferably longer.
  • Change your password from time to time. The frequency is up to you.
  • Do not use the same password on multiple sites. If your password is unique to a site, then it will not be compromised if some other site is hacked.
One other reminder while we have your attention. Please keep the e-mail address in your profile up-to-date. That way, if you need to reset your password or if there ever is an issue we can notify you.

--Administrator
Seems like overkill for a forum. What is the downside of someone hacking my FWF account?
"And the days that I keep my gratitude higher than my expectations, well, I have really good days" RW Hubbard
Peculiar_Investor
Administrator
Posts: 13267
Joined: 01 Mar 2005 14:52
Location: Calgary

Re: Password strength and security

Post by Peculiar_Investor »

deaddog wrote:Seems like overkill for a forum. What is the downside of someone hacking my FWF account?
I would say that's for you to decide. But recent events have shown the dangers of having the same username and password on multiple sites.
finiki, the Canadian financial wiki. New editors wanted and welcomed, please help collaborate and improve the wiki.

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
AltaRed
Veteran Contributor
Posts: 33398
Joined: 05 Mar 2005 20:04
Location: Ogopogo Land

Re: Password strength and security

Post by AltaRed »

Peculiar_Investor wrote:
deaddog wrote:Seems like overkill for a forum. What is the downside of someone hacking my FWF account?
I would say that's for you to decide. But recent events have shown the dangers of having the same username and password on multiple sites.
Indeed it does. I've had my own experience with that issue. What with some people having 50-100 accounts online, multiple use of a single password is likely a given...unless one is using a password manager that auto-generates passwords.... which I now do for many sites.
finiki, the Canadian financial wiki. The go-to place to bolster your financial freedom
Jo Anne
Veteran Contributor
Posts: 3648
Joined: 19 Feb 2005 21:33

Re: Password strength and security

Post by Jo Anne »

"Passwords on FWF must be at least 8 characters long. "

Since when? Mine is only six characters.
Peculiar_Investor
Administrator
Posts: 13267
Joined: 01 Mar 2005 14:52
Location: Calgary

Re: Password strength and security

Post by Peculiar_Investor »

Jo Anne wrote:"Passwords on FWF must be at least 8 characters long. "

Since when? Mine is only six characters.
For anyone creating an account or changing their password, the minimum is 8 characters. I don't recall when the minimum was changed but you (or anyone else) are grandfathered (grandmothered?) until you next change it.

That said, since you've just announced publicly the length of your password, that's yet another reason to consider changing it.
finiki, the Canadian financial wiki. New editors wanted and welcomed, please help collaborate and improve the wiki.

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Norbert Schlenker
Veteran Contributor
Posts: 7960
Joined: 16 Feb 2005 09:56
Location: An Argument Surrounded By Water

Re: Password strength and security

Post by Norbert Schlenker »

With a user number of 61, I'm sure you're grandfathermothered. A six character password is fatally weak. Even though it's hashed before it's stored in the forum's database, it's possible - indeed likely - that every single combination of alphanumeric characters of that length has had its hash computed with multiple algorithms and stored for future use by crackers.

Password compromises are common these days (Yahoo lost a billion user password database to crackers last year). Academic studies of such leaks show that 90+% of passwords in large dumps can be found with very little effort. See, e.g. http://www.wired.co.uk/article/password-cracking.

Look, none of this matters very much at FWF. Members know that anything they post is world readable, so they're generally careful about what they write. In almost all cases, members don't use their real names so it's hard for anyone less than a determined opponent to make use of a compromised password. But even given that FWF doesn't contain public information attributable to one person, it would be foolish to use the same password here as you would on what are clearly sensitive sites, e.g. your online banking login. If you want to use the same short password here on some other low security and low impact site, e.g. the local wagon wheel tips and tricks mailing list ;), then it's no big deal.

Nevertheless, everyone needs to understand the risk they run reusing passwords from site to site. If the wagon wheel list gives you up, maybe your direst neighbourhood enemy starts spoofing you at FWF. I'm sure regular readers would figure it out pronto. But if you use that same password - and this includes minor variants like tacking a zero to the front or an exclamation point behind - to do your online banking, or check your credit card balances, or trade stocks, then you're exposing too much.
Nothing can protect people who want to buy the Brooklyn Bridge.
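The post above argues that every six-character alphanumeric password has effectively already been hashed and tabulated, and that only length (and, on the server side, salting and a slow hash) changes the arithmetic. The script below is an added illustration of that point, not code from the forum or its software. The attacker hash rate is an assumed round figure, the "leaked" hash is constructed from a made-up three-character password so the search finishes in seconds, and bare MD5 stands in for any fast unsalted hash.

```python
"""Keyspace arithmetic, a brute-force against an unsalted hash, and the
salted slow hash that defeats precomputed tables.

Added illustration; not the forum's code. The hash rate and the demo
password are assumptions chosen for the example."""
import hashlib
import hmac
import itertools
import math
import os
import secrets
import string
from typing import Optional, Tuple

ALNUM = string.ascii_letters + string.digits           # 62 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols

# Assumed figure: one consumer GPU rig doing roughly 1e9 unsalted MD5/s.
ASSUMED_HASHES_PER_SECOND = 1_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = ASSUMED_HASHES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed hash rate."""
    return keyspace(alphabet_size, length) / rate


def md5_hex(password: str) -> str:
    """Bare, unsalted MD5: the kind of stored hash a precomputed table hits."""
    return hashlib.md5(password.encode()).hexdigest()


def brute_force_unsalted(target_hex: str, alphabet: str, max_len: int) -> Optional[str]:
    """Recover a password from its bare MD5 by exhaustive search.

    Because an unsalted hash of a given password is always the same, this
    work can be done once, ahead of time, and reused against every leak."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-user salt.

    The salt makes a precomputed table useless (each user would need a
    fresh one) and the iteration count makes every guess far dearer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_slow(password: str, salt: bytes, digest: bytes,
                iterations: int = 200_000) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def generate_password(length: int = 16, alphabet: str = ALNUM) -> str:
    """A random, site-unique password of the kind a password manager stores."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n in (6, 8, 12, 16):
        print(f"{n:2d} alphanumeric chars: {entropy_bits(62, n):5.1f} bits, "
              f"{seconds_to_exhaust(62, n) / 86400:.3g} days to exhaust")
    # Constructed demo: a short lowercase+digit password stored as bare MD5.
    leaked = md5_hex("zq7")
    print("cracked:", brute_force_unsalted(leaked, LOWER_DIGITS, 3))
    salt, digest = slow_salted_hash("zq7")
    print("salted verify:", verify_slow("zq7", salt, digest),
          verify_slow("zq8", salt, digest))
    print("generated:", generate_password())
```

At the assumed rate the full six-character alphanumeric space falls in under a minute and the eight-character space in a few days; sixteen random characters push the worst case past any practical horizon. The salted slow hash does not make a short password strong, it only removes the shortcut of a shared precomputed table, which is why length and uniqueness on the user's side still matter.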
Shakespeare
Veteran Contributor
Posts: 23396
Joined: 15 Feb 2005 23:25
Location: Calgary, AB

Re: Password strength and security

Post by Shakespeare »

I look at the other way: I use my "strong" password only on banking to avoid its compromise. This site is one of many on which I use my "don't care" password.
Sic transit gloria mundi. Tuesday is usually worse. - Robert A. Heinlein, Starman Jones
Peculiar_Investor
Administrator
Posts: 13267
Joined: 01 Mar 2005 14:52
Location: Calgary

Re: Password strength and security

Post by Peculiar_Investor »

I concur with Norbert's viewpoint. Just remember, FWF is providing the hammer tool, it is up to members to decide what is a nail their password requirements.

As I've previously posted in the Website passwords topic, my adobe.com password was obtained but AFAIK never used for anything nefarious. That was my wakeup call and I've learned my lesson.
finiki, the Canadian financial wiki. New editors wanted and welcomed, please help collaborate and improve the wiki.

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
pmj
Veteran Contributor
Posts: 3412
Joined: 27 Feb 2005 18:15
Location: Ottawa

Re: Password strength and security

Post by pmj »

Shakespeare wrote:I look at the other way: I use my "strong" password only on banking to avoid its compromise. This site is one of many on which I use my "don't care" password.
:thumbsup:.
Peter

Patrick Hutber: Improvement means deterioration
Jo Anne
Veteran Contributor
Posts: 3648
Joined: 19 Feb 2005 21:33

Re: Password strength and security

Post by Jo Anne »

Shakespeare wrote:I look at the other way: I use my "strong" password only on banking to avoid its compromise. This site is one of many on which I use my "don't care" password.
That's how I do it, as well.

If I had to use a "strong" "unique" password for every last website, I might as well sell my computer and give up.
GreatLaker
Contributor
Posts: 662
Joined: 16 Dec 2014 13:02
Location: Toronto

Re: Password strength and security

Post by GreatLaker »

I have a 3-tier password system. Very strong unique p/w for each site with financial info (banks, CRA, Service Canada). Moderately strong passwords - 10ish alpha numeric unique to each site for personalized stuff like email, Facebook, LinkedIn. A few not so strong passwords reused among non-personal stuff like web logins etc.

I have used SplashID password manager for going-on 2 decades since I won a free copy for my PalmPilot organizer. Upgraded a few times over the years though.
When I was young, I was poor. Now, after years of hard work, I am no longer young.
LadyGeek
Veteran Contributor
Posts: 1975
Joined: 26 Oct 2011 16:51
Location: Philadelphia, PA

Re: Password strength and security

Post by LadyGeek »

Here's another aspect of "Why should I care?". The point of this forum is to educate investors. Reality says that the only barrier protecting your life's savings is the strength of your login password to the financial institution holding your money.*

Forcing members to treat computer security seriously here encourages members to use good computer security habits everywhere. It's simply the right thing to do.

FYI - The forum software will accept passwords up to 100 characters in length.

*You have other protections against fraud, but why have the problem in the first place?
Jo Anne wrote:
Shakespeare wrote:I look at the other way: I use my "strong" password only on banking to avoid its compromise. This site is one of many on which I use my "don't care" password.
That's how I do it, as well.

If I had to use a "strong" "unique" password for every last website, I might as well sell my computer and give up.
There's no need to write down passwords any more. All you need is a password manager, then one strong password to access it.

Feel free to ask for assistance in the previously mentioned topic: Website passwords
finiki, the Canadian financial wiki. To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
deaddog
Veteran Contributor
Posts: 3422
Joined: 19 Jan 2008 19:59
Location: Central BC/Arizona

Re: Password strength and security

Post by deaddog »

Peculiar_Investor wrote:
deaddog wrote:Seems like overkill for a forum. What is the downside of someone hacking my FWF account?
I would say that's for you to decide. But recent events have shown the dangers of having the same username and password on multiple sites.
I don’t use the same password on multiple sites.

I’m not arguing that one should not have a strong password or not have multiple passwords for multiple sites.

I was wondering what the downside was to someone gaining access to my forum password. I suppose that someone could make posts in my name that cross the line and I would be banned. Hopefully an appeal to the moderators might get me reinstated.

I log in to post then log out to read. A nice simple password that is easy to use and easy to remember works for me.
"And the days that I keep my gratitude higher than my expectations, well, I have really good days" RW Hubbard
kcowan
Veteran Contributor
Posts: 16033
Joined: 18 Apr 2006 20:33
Location: Pacific latitude 20/49

Re: Password strength and security

Post by kcowan »

Jo Anne wrote:
Shakespeare wrote:I look at the other way: I use my "strong" password only on banking to avoid its compromise. This site is one of many on which I use my "don't care" password.
That's how I do it, as well.

If I had to use a "strong" "unique" password for every last website, I might as well sell my computer and give up.
My banking passwords are never allowed to be stored by Chrome either. Banks, insurance carriers (drugs and dental), MyAccount, Investing sites. The only site I am aware of that was hacked was my Facebook account. It took a week to get FB to rid their site of my clone.
For the fun of it...Keith
Ken
Contributor
Posts: 725
Joined: 03 Jul 2005 14:14
Location: Calgary

Re: Password strength and security

Post by Ken »

Norbert Schlenker wrote:...A six character password is fatally weak. ...
BMO only allows 6 characters. No more. No less. Which is insane. Has been like that for years. I checked just now. Still the same.
Ken
tightwad
Contributor
Posts: 183
Joined: 07 Feb 2007 15:26
Location: BC

Re: Password strength and security

Post by tightwad »

LadyGeek
Veteran Contributor
Posts: 1975
Joined: 26 Oct 2011 16:51
Location: Philadelphia, PA

Re: Password strength and security

Post by LadyGeek »

The article notes that the listed vulnerabilities have been fixed. If you have one of those apps installed, check for updates now.
finiki, the Canadian financial wiki. To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Ken
Contributor
Posts: 725
Joined: 03 Jul 2005 14:14
Location: Calgary

Re: Password strength and security

Post by Ken »

Password managers break my most basic security axiom; Don't post anything personal on the Internet that you don't want others, including Big Brother to know.
Even if the software stores your passwords locally, it's still an obvious target for a virus attack.
An aside; this axiom also precludes online backups and online data storage of any kind.
Granted, I am forced to shut my eyes and pretend that online banking is safe... apart from BMO with their 6 character passwords.
Ken
izzy
Veteran Contributor
Posts: 3019
Joined: 19 Feb 2005 19:06
Location: Winnipeg MB

Re: Password strength and security

Post by izzy »

The Manitoba CAA is putting on a seminar on preventing identity theft, online fraud etc. To register you have to click on a link in the e-mail which notifies members :shock: .
Certainly inspires confidence in the "experts" who will be presenting eh!
"I disagree strongly with what you say, but I will defend to the death your right to say it."
Ken
Contributor
Posts: 725
Joined: 03 Jul 2005 14:14
Location: Calgary

Re: Password strength and security

Post by Ken »

:rofl:
izzy wrote:The Manitoba CAA is putting on a seminar on preventing identity theft, online fraud etc. To register you have to click on a link in the e-mail which notifies members :shock: .
Certainly inspires confidence in the "experts" who will be presenting eh!
Ken