
Important Security Update to our User Portal


  • This topic is locked
408 replies to this topic

#401
NexusAreUseless

    Enthusiast

  • Supporter
  • 106 posts
In response to post #76337158.


2009? That was when I created my account, Zombie_Hunter. Are you sure you didn't drop all the extended characters from usernames in your database and that's why everyone is saying that the usernames they need are taken when they try to set another one?

#402
shadowstalker517

    Stranger

  • Members
  • 1 posts
A 12-character password is extremely frustrating. When I have to have a special password just for Nexus, it's too long for all the passwords I already use.

#403
Khornethegrim

    Stranger

  • Members
  • 1 posts
These password requirements are bulls***. I have no problem with requiring a longer password as that is the best way to make a secure password, but requiring all that other s*** just makes it harder for humans to remember them.

Set a minimum password length, sure. That's fine. But don't tell me what that password has to contain (numbers, upper and lower case, special characters, etc) and just let me create a password that I can f***ing remember!

#404
FuryoftheStars

    Journeyman

  • Members
  • 37 posts
Yeah, sorry all, but I gotta agree that the new password requirements are a little over the top. This is a game forum/mod website. It's not like it's our bank account or a shopping site. Increasing the password length while keeping the complexity requirements is only going to serve to make more people use stupid passwords that can be guessed, etc.

If you want to make the password length longer, fine, I agree that increases security. But then drop the complexity requirements so that we can pick longer passwords while still being able to remember them.
https://xkcd.com/936/

#405
splitwires

    Regular

  • Members
  • 76 posts
In response to post #76957508.


Gotta agree here. A couple of my friends working web security talk about passwords all the time, and what I've picked up from it is that, while nothing guarantees security, complexity doesn't really make a notable difference, because your second biggest threat, right after someone breaking into a database and stealing user info, which from what I understand nothing the user can do will prevent, is bots mass guessing passwords from a pool of all possible passwords. But password length? Each extra character makes the password take exponentially longer for the bot to guess.

#406
chuckdm

    Old hand

  • Supporter
  • 525 posts
In response to post #75565108. #75576458, #75587358, #75680398 are all replies on the same post.


re: arms race, you're right, but keep in mind that the last time we had a major arms race, it bankrupted the USSR, nearly bankrupted the USA, and the fallout - thankfully only metaphorical - is still being dealt with today in places like Afghanistan. This is to say that perhaps the best idea is to just acknowledge defeat.

My suggestion? Mandate 2FA and then remove ALL password requirements since NO password requirement will EVER stop a determined hacker. If a hacker has to physically acquire my actual phone, I have security they can never crack in the form of my Beretta 391 Urika-II 12ga shotgun.

In any case, it should be noted that, unless someone manages to ascertain the server-side database at Nexus, their ability to crack any password, regardless of length, is severely hampered, and if they DO manage to get the database, then the security failure isn't on the users for having weak passwords, it's on Nexus for having weak security on their end. So, in effect, the changes they made don't accomplish anything. This isn't, and never was, about increasing security, because the innate delay involved in testing every attempt, combined with Nexus's extensive DDoS protection, means a remote hack through the web interface would take millennia even with a 6 or 7 character password. Instead, it's about shifting blame in the event of a hack, i.e. "it's not our fault for having weak security and allowing someone to get their hands on our account database, it's your fault for having a weak password!" Which is to say, BS.

Anyhow, just had to reset mine for the second time since these short-sighted rules were put in place. Before this, I've literally not had to reset it once in 4 years. These measures haven't stopped a single hacker, but they HAVE made the site less convenient for me, twice.

#407
Treap

    Stranger

  • Members
  • 8 posts

I'll add some of my hate to this topic: these long passwords are stupid as hell, as people start to write them down somewhere to not forget them, and it makes it easier to find them out.
I set my password to something like YouAreBunchOfFuckingIdiots123 and sent it as a reply to the mail about the password change, cuz I knew that I won't forget the special password on the only site that requires a 12-character-long one and I would be resetting it every damn time. I actually don't remember the one I set around 2 weeks ago :v



#408
Rakosman

    Stranger

  • Supporter
  • 4 posts
Logged in for the first time in a hot minute and all I can say is.... are you stupid? Adding restrictions to passwords makes them easier to crack because it reduces the possible combinations, it makes people more likely to pick something memorable which makes it more likely to appear in rainbow tables, and it makes people more likely to write them down - which obviously makes them less secure. The important parts of a strong password are: length, novel words. That's it.

Congratulations on making my account less secure by your asinine rule change.

#409
OmegaXero

    Stranger

  • Premium Member
  • 2 posts
Get rid of this insane 12 character requirement. It should be up to us how long our password is, not you.



