
Forums » Suggestions & Development Discussion » Improve password security

Sanne Moderator

Now that RPR deals with actual transactions, I feel it is important that password security is improved.

What I'd like to see?
  1. Force both letters and numbers. Right now I can use just numbers or just letters.
  2. Require a new password every 3 or 6 months.
  3. Set an optional security question.

I personally am not a huge fan of my own suggestion, but I do think it's important. If only to consider it. Our accounts are now worth money after all. :)
Darth_Angelus Moderator

I'm not sure forcing people to change their password every few months is a good idea.

While it is good practice for people to do that, I think there will be a lot of people asking "what happened to my password?" or "why can't I log in?". Especially from people who only want to use the free features.
Sanne Topic Starter Moderator

It is annoying, but the advantages outweigh the cons. Password reset will be available and easy.

Personally I hate changing my password every x months, but it's ridiculous how many people use fish, moon, hello, 12345 etc. for a password for years. It's a user's responsibility to use a good password, but changing it once every 3 or 6 months is hardly an inconvenience if it helps to protect users.

I have seen many sites that neglected to apply such measures and people's info was taken because it was so easy to figure out their passwords.
Kim Site Admin

Sanne wrote:
changing it once every 3 or 6 months is hardly an inconvenience if it helps to protect users.

This could more accurately be stated as: Changing it once every 3-6 months is an inconvenience, and it helps to protect users.


While it is great practice for someone to have an incomprehensible password, for many people, it seems outrageously confusing and frustrating to remember. It leads immediately into writing passwords down, which is just as - if not more - recklessly insecure. Even if they manage to remember at first, they'll then have to change it just as soon as they're settling into it.

As I see it, the trade off between security and convenience is a personal choice. It is 2011: Everyone should understand the dangers of using an easy password. If they choose to continue doing so, it is their (arguably crappy) choice. There are many who, perhaps only using free features, feel that they are willing to take the risk that they will lose some character sheets if it makes their life easier, and would disagree with the assessment that it is "hardly an inconvenience" or even that the advantages outweigh the cons.

There are many sites I use that I myself would rather use a crappy password on because it is occasional and inconsequential usage. If I deem the information important, I create something more secure -- and when someone else makes that decision for me, I view it very dimly. I wouldn't describe this as the site neglecting to protect me, I would describe it as me deciding not to protect myself (thank you very much). I have never had a site other than my bank account that required me to change my password, ever, and that's only happened once in several years of usage.

I hope no one will read this as me not caring about security. I have gone back and upgraded our server side security repeatedly since the site opened, and continue to keep an eye on current developments in security and hacking and educate myself so that I can do my best to ensure all reasonable precautions are in place. However, I think my side of the bargain is patrolling our server and keeping it safe. It is up to the user to keep up their end of the bargain in picking a password harder to guess than 12345. Hopefully a lot harder to guess. ;)

Counter-proposal
While I'm going to maintain that it is your responsibility to make the decision to be secure for yourself, here is what I am willing to do:
  • Implement reminders about keeping passwords secure and changing them periodically.
  • Create "password strength" detectors that will let you know whether the password you are picking is weak or strong.
  • Create additional informational material that will help educate about how to keep your information secure. I've been wanting to create tutorial videos for the site for a long while now, and it's rising to the top of my list pretty rapidly. It makes sense to include a video on this topic.

Basically, I'm more than happy to arm users with all the information they need to make an informed decision, but I still think that that decision is theirs. No matter how many things I force people to do, there are always ways for them to foolishly let password hints slip, or give their roommates access to their email, or whatever. It is far better that people learn good password hygiene for themselves than my trying to forcefully close the various gaps.


The one thing I do want to say here is: If you are one of those risk-takers who views convenience as king and uses the same password everywhere, just make certain that your password to your email is NEVER THE SAME AS ANYTHING ELSE. IF someone gets access to your email, they can then get access to absolutely everything else you do, period. So many people use the same password as their email for everything, so if their information gets stolen on something silly like Neopets, suddenly someone knows their email and the password they use everywhere and can use that information to access everything from your virtual pets to your bank accounts. If you can't stand the thought of taking precautions with your RP characters, fine, but pleeease, don't take risks with information that could ruin your entire life.
Kim Site Admin

It might also be worth noting: I don't save any of your paypal or credit card information to any database, and thus far epic perks are non-transferable. So if someone did break into your account, they can't give your stuff away, and they can't spend any of your money (unless they have also separately hacked your paypal account or gotten full access to your email account. See above about taking extra precautions with your email, as it is the epicenter of identity theft). The damage that they can do is the same as when we only had completely free accounts. Security needs from that perspective are unchanged.

As the main risk if someone broke their side of the bargain and had a crap password that was guessed is stuff being deleted, I view my side of the bargain in that scenario to be frequent backups so maliciously deleted things can be restored to a reasonably recent copy. And I do back the site up automatically every day at specified times, and sometimes also random extra times in between.
Sanne Topic Starter Moderator

Gosh, I like your proposal much better than my idea Kim! :D I'm used to changing ten different passwords every month, at work and on some sites, but I hate it all the same. This will encourage people to do the right thing, and if doodoo hits the fan then it's their own fault.

Don't think lightly of easy passwords though, people know the risks but I want to bet that 50% of the RPR users have extremely simple passwords...
I think the suggestion of using reminders is better, I don't think it'd be that good of an idea to force people to change their passwords. Same thing with a password strength detector: getting away from 'forcing' people and making it more of an option and a heavily placed suggestion.
Darth_Angelus Moderator

I agree that reminders are the best approach. Something in the did you know section?
Sanne Topic Starter Moderator

darth_angelus wrote:
I agree that reminders are the best approach. Something in the did you know section?

I would personally prefer a dashboard message, the did you know section seems more for funnier messages to me.
Darth_Angelus Moderator

Perhaps both?

There are some funny messages in there but there are some helpful ones too :)
I would HATE having all those password requirements. Really. I despise places that make me put numbers into my stupid password -.- It's a pet peeve of mine. I also would hate having to change my password, because then I won't remember it. I use variations of about two or three basic passwords of mine (ones that would only be thought of if you were me). I already have occasional slip-ups. If I was forced to change my password so many times I would never be able to log in because I would constantly be thinking it was my password from LAST time.

I really like Kim's proposal of reminders and her emphasis on password strength. At one time dA had a big 'hacker' issue with people hacking into others accounts and shutting them down, so they linked to a credible password strength detector site. I put in my password and it was either 'strong' or 'very strong', I can't remember. But nonetheless I even changed it to make it even more difficult, but it was still easy for me to remember. I have various emails for junk mail and things like dA or Furcadia emails, but for the one that actually matters, that password is not at all like any of my others.

So I think I'm pretty safe. But yeah. Pleeeeeeease don't force us to change passwords or I will be forced to hate. Dx
Mmm this is a mixed bag for me. Requirements to change my password every x months are bothersome (though I do see how useful they are), but I usually take it upon myself to change my password every once in a while for certain things if they're important enough. I think the shortest stint I had a certain password for was 3 weeks (I thought of a better pass).

Anyway, I'd prefer reminders & the "weak, strong, stronger" tip. I can gauge pretty well if I have a good password, but those bars are nifty (and pretty-- shhh don't ask why).

We should have the option to change our passwords (friendly reminders yo), not required, and if we have a weak password and don't change it... well, that's on us. You, Kim, are certainly doing things to make sure we're protected here at the RPR, but it's not all on you. It's on us users too!


... this reminds me that I should change up my password now. Brb~!
Kim Site Admin

I'm glad that solution seems acceptable so far. I went to bed with worries about people thinking I didn't care about keeping them safe buzzing in my tired brain! I definitely don't want anyone's stuff to get stolen. <3
Sanne Topic Starter Moderator

I didn't think people would dislike it so much, guess that proves me wrong! I literally need to change... *counts* 4 passwords every month and have them all be different for the programs I use at work. That's not counting the password for my bank account and other sites, as well as my regular changes of email password and for my alts on Furcadia. I use different passwords with different numbers and letters and I remember them all, since they are easy for me to remember because I set them up in a certain way.

Just to give a few tips here already (maybe Kim can use them in her tutorial thingy as well?) for those who are worried right now their password might be too easy to guess.
  • Try to avoid using actual words or names, especially names from people you know or names of your pets. These are the first things people will guess, and real words are checked first by programs that try to crack your password. It's best to try and avoid using names like Mary, John, Carl etc. and best not to use words like moon, dog, cat, rose etc.
  • The longer your password is, the better. 8 to 16 numbers and letters in your password is recommended, but since a lot of sites have a limit on the max number of characters, it's usually best not to go above 16 characters.
  • Mix upper and lower case letters and numbers together. This will make your password most difficult to guess and programs will need years to find the right combination of letters and numbers!
  • If you struggle making up more complex passwords, try using the first letters from each word in a sentence. Say, you're a real fan of "Mary had a little lamb", you can make your password look like "Mhall".
    Similarly, you can replace words with numbers. 'to' for example can be made into a 2. "I don't like to poke you" can be "Idl2py"

    These mix numbers and letters. You can toss in random numbers. You will definitely be able to remember your favorite quote, catchphrase, maybe even a whole list of things that you like much better than randomly smashing your keyboard!

I know all about the horrors about thinking up secure passwords and changing them frequently, but you can make things easier on yourself with a few tricks. :3
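The "password strength detector" Kim offered in her counter-proposal and the tips Sanne lists above (avoid real words and names, go for 8 to 16 characters, mix cases and digits, build the password from the first letters of a phrase) can be put together as a small checker. The code below is an added example written for this thread; it is not RPR's code and not something either poster wrote. The wordlist is a constructed sample made up of the bad passwords and names mentioned in the thread (a real checker would load a much larger dictionary), and the labels "weak", "strong" and "very strong" follow the ones used in the discussion.

```python
import math
import re

# Constructed sample dictionary built from the passwords and names this thread
# calls out as bad choices; a real checker would load a much larger wordlist.
COMMON_WORDS = ("password", "12345", "hello", "fish", "moon",
                "mary", "john", "carl", "dog", "cat", "rose")

# Rough alphabet sizes used to estimate the size of a brute-force search space.
CLASS_SIZES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),
}


def initials_from_phrase(phrase, substitutions=None):
    """Turn a memorable sentence into a password made of the first letter of
    each word, swapping whole words listed in `substitutions` (e.g. "to" -> "2")."""
    subs = substitutions or {}
    out = []
    for word in phrase.split():
        core = word.strip(".,!?;:\"'")
        if not core:
            continue
        out.append(subs.get(core.lower(), core[0]))
    return "".join(out)


def character_classes(pw):
    """Names of the character classes (lower/upper/digit/symbol) present in `pw`."""
    return [name for name, (rx, _) in CLASS_SIZES.items() if rx.search(pw)]


def search_space_bits(pw):
    """log2 of the number of strings a brute-force guesser has to try when it
    knows the length and the character classes used. This is an upper bound on
    the real difficulty: dictionary words are tried first and found far faster."""
    alphabet = sum(CLASS_SIZES[name][1] for name in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def rate_password(pw):
    """Return (label, reasons). Any reason at all makes the password 'weak';
    otherwise it is 'strong', or 'very strong' when it is long and mixes
    at least three character classes."""
    reasons = []
    lowered = pw.lower()
    # Substring match so that "moon123" or "Mary!" are still caught.
    for word in COMMON_WORDS:
        if word in lowered:
            reasons.append(f"contains common word or name '{word}'")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(character_classes(pw)) < 2:
        reasons.append("uses only one kind of character")
    if reasons:
        return "weak", reasons
    if len(pw) >= 12 and len(character_classes(pw)) >= 3:
        return "very strong", []
    return "strong", []


if __name__ == "__main__":
    # The two phrases from the thread: both produce memorable passwords, but
    # both are still too short, which is exactly what a detector should say.
    for phrase in ("Mary had a little lamb", "I don't like to poke you"):
        pw = initials_from_phrase(phrase, {"to": "2"})
        label, why = rate_password(pw)
        print(f"{phrase!r} -> {pw!r}: {label} {why} "
              f"({search_space_bits(pw):.1f} bits of search space)")
```

Running it shows why the phrase trick needs a longer phrase: "Mhall" and "Idl2py" are easy to remember but come out as weak purely on length, while a phrase long enough to give 12 or more characters with letters, digits and a symbol rates as very strong. The dictionary check runs before the size estimate on purpose: "fish1234" has a respectable search space on paper, but a cracking program tries real words first, so it is reported as weak regardless.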
Kim Site Admin

Sanne wrote:
  • If you struggle making up more complex passwords, try using the first letters from each word in a sentence. Say, you're a real fan of "Mary had a little lamb", you can make your password look like "Mhall".
    Similarly, you can replace words with numbers. 'to' for example can be made into a 2. "I don't like to poke you" can be "Idl2py"

    These mix numbers and letters. You can toss in random numbers. You will definitely be able to remember your favorite quote, catchphrase, maybe even a whole list of things that you like much better than randomly smashing your keyboard!

You beat me to it! That has been one of my favorite tips for years. I was definitely planning on including information about tips like that. :)
Those are all great suggestions, Sanne! That would definitely be easier for my poor brain to remember.
I'm very poor at remembering passwords, I've even lost a few accounts in the past due to me just forgetting the password. :p I like the tip about using the first letters in a phrase though, might try it sometime.
Whoops.

I did that and forgot my password for here. I remembered the "phrase" but not the order of things. Crud.
Ladies & gents, that's why you must seriously do your best to remember your password. D: Brb going to make another new one.
Sanne Topic Starter Moderator

Useful video I found! I don't use a password manager myself, but if you have real issues with remembering different passwords for different sites and don't want to give up using secure passwords, they can be a useful solution.

Most password managers can be installed on a USB flash drive, and I'm also pretty sure that there are password manager apps for smartphones (though I wouldn't recommend it), so you can keep yourself mobile with your passwords :)
