Is f.g.o a top secret agency now?

[eccerr0r]

Why is the new password requirement so long now?

TBH I had a crappy password for over 20 years here and still have a crappy password. TBH bruteforcing my password on an anonymous social media platform isn't very valuable... was there a real reason why the minimum password length was increased to 12?

Did someone actually run a bruteforce on the password list and find my stupid password?

[NeddySeagoon]

eccerr0r,

The old password size was set when the forums were new in 2002. The new password size may need to be good in another 25 years too.

[sam_]

It might be that we can reduce it, but we forced a change because the previous was sent out in plaintext and I don't recall what the hashing situation was (they were hashed I believe but I think MD5, not great for today's standards) so wanted to invalidate all of that.

I suspect 12 is just the new default and we didn't change it. The admins can comment on if they want to do that.

[eccerr0r]

Ah okay. IMHO even though md5 is no longer cryptographically secure in that collisions can be made, for an anonymous social media site that only has one real topic?

Would someone be interested in hijacking my f.g.o account? Really? Now that I wrote this I painted a couple concentric circles on my back...

True that quantum computing might be a problem in the future but brute force is not going to be solved by quantum computing, Reversing the encryption from the hash is going to happen but I don't think the length really matters when the hash is attacked that way. And it still requires access to the hash - which I sure hope that the admins keep from happening. But that's not on individual users, that's an admin issue!

I don't see brute forcing through the network a real issue unless it's a dictionary password, as long as someone didn't choose a dictionary password, the amount of time it'd take to crack a password would be hindered by just waiting 1 second between attempts.

Sorry about double posting this, since there are already replies, too late for me to delete...

[sam_]

Issue is more if the DB is compromised, someone gets a user's password, bruteforces the MD5, then they can try that password with the user's email on other services. But I agree that I don't think a long password is very important for the forums, for users anyway.

[grknight]

Would someone be interested in hijacking my f.g.o account? Really? Now that I wrote this I painted a couple concentric circles on my back...

Not specific to you, but cracking into a low risk site may lead to more valuable targets when people reuse passwords.
Password reuse of a Gentoo admin lead to that GitHub issue a few years ago.

[Banana]

Hell, the only real answer to this "problem" is the good old xkcd about Password Strength

https://xkcd.com/936/

[Chiitoo]

I think there's some additional hashing done during the migration [1], or at least a function exists, but I haven't really looked into it too deeply to say what exactly happens:

Code: Select all

function phpbb_convert_password_hash($hash)
{
	global $phpbb_container;

	/* @var $manager \phpbb\passwords\manager */
	$manager = $phpbb_container->get('passwords.manager');
	$hash = $manager->hash($hash, '$H$');

	return '$CP$' . $hash;
}

I'm no fan of changing passwords either, often at least, but when I finally started using password managers for work due to so many different ones needed, I kind of gave up on the ones I can remember... and mostly rely on them generators though I'd still rather remember them of course.

I do think it was a good idea to "refresh" them here, since the BB2 did send the initial ones back in plain-text for some reason.

It will happen again in 999 days, which is the current maximum delay for it, and was the easiest (only method without changes?) way to force the change on first log-in for everyone.

1. https://gitweb.gentoo.org/proj/forums.g ... .2.x#n1961