You are not logged in.

#1 2021-09-14 17:29:16

Mr Victory
Member
Registered: 2021-06-10
Posts: 39

Preset passwords on forums should not contain certain characters

I had sent a password reset request for the forums, the new password contained the letter 'l'. Lowercase L. First, I confused it with letter 'I' (capital i), then I thought the other variant. I managed to login but people could be confused so I recommend passwords that are sent automatically should not contain certain characters.

The characters that can be confused I can think of:
Lowercase L, uppercase i, number 1
Uppercase O, number 0(zero)

Offline

#2 2021-09-14 18:09:06

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Preset passwords on forums should not contain certain characters

I recommend people use fonts that clearly distinguish between lL/iI/O0


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2021-09-14 18:20:45

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Preset passwords on forums should not contain certain characters

Copy and paste?


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#4 2021-09-14 18:33:48

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: Preset passwords on forums should not contain certain characters

jasonwryan wrote:

I recommend people use fonts that clearly distinguish between lL/iI/O0

What if they are trying to register here because their font rendering is crap and they need help with it?

Slithery wrote:

Copy and paste?

What if they are trying to register here because they have not managed to install a GUI or other tools that would allow for copy and paste and they need help with that?

Yes, these situations in which one would really benefit from generated passwords not including these characters could be argued to be "corner cases" - but the effort required to support those corner cases should be trivial.  So why not do so?  Failing to do so is like my internet service provider telling me to go on their website for support if my internet service is down.

This feature request sounds like a good one to me.

Last edited by Trilby (2021-09-14 18:34:53)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2021-09-14 19:21:51

lahwaacz
Wiki Admin
From: Czech Republic
Registered: 2012-05-29
Posts: 748

Re: Preset passwords on forums should not contain certain characters

Trilby wrote:

What if they are trying to register [...]

Password reset does not work prior to the registration.

Offline

#6 2021-09-14 20:32:25

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: Preset passwords on forums should not contain certain characters

True - but I assumed a similar mechanic would be in place for initially registering too.  But it has been a decade since I've done that so perhaps not.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#7 2021-09-14 21:04:55

Ammako
Member
Registered: 2021-07-16
Posts: 267

Re: Preset passwords on forums should not contain certain characters

Registration sends a password through email still, as of July 2021. Terrible practice, but it is what it is.

Offline

#8 2021-09-15 07:51:43

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,933
Website

Re: Preset passwords on forums should not contain certain characters

Ammako wrote:

Registration sends a password through email still, as of July 2021. Terrible practice, but it is what it is.

I agree. Services that send clear text passwords in any form are insecure and should be avoided [1].
A password should be retrieved from the user on both registration and password reset through a secure channel only (e.g. https).
Anything else is generally fishy. Exceptions confirm the rule.
That this antipattern is used on a tech forum is emberassing.

[1] https://www.youtube.com/watch?v=8ZtInClXe1Q

Last edited by schard (2021-09-15 07:52:55)

Offline

#9 2021-09-15 15:33:37

thiagowfx
Member
Registered: 2013-07-09
Posts: 586

Re: Preset passwords on forums should not contain certain characters

In general it's recommended (citation needed) to use the password reset only to log in once, and then change your password immeditately afterwards.

A bit off-topic: https://plaintextoffenders.com/

Offline

#10 2021-09-15 15:54:17

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: Preset passwords on forums should not contain certain characters

The german postal service tried to establish a secure service as email alternative. It was supposed to be point-to-point encrypted and the postal service would only have to once and very briefly decrypt the messages for technical reasons (yes, they stated that…)

Moral: an insecure channel is insecure.
While it's probably not hyper-important for this board, but the password is transmitted over an insecure channel and an intercepting offender can easily get control over the account ahead of you (if they seriously want to)
Security by "i clicked it first" is not a thing.

On the OT: I'm with Jason. Get a usable font. In general, one can come up with all sorts of reasons why certain glyphs should totally not be in a password because eg the letters , and are broken on my keyboard my font defaults to https://www.dafontfree.net/p22-da-vinci … f61660.htm or because I'm from China and all latin glyphs look the same and like an ant vomited on my screen.
If you want to be robust against that, you need to swicth to a completely different dictionary and use correct horse battery staple

Offline

#11 2021-09-15 16:32:42

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: Preset passwords on forums should not contain certain characters

More OT: I wonder how many people read that XKCD cartoon and showed it went right over their head when they ended up changing their password to "valid undulate capacitor fastener" or "accurate zebra fuelcell velcro" ...


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#12 2021-09-15 20:58:54

Ammako
Member
Registered: 2021-07-16
Posts: 267

Re: Preset passwords on forums should not contain certain characters

incorrect donkey capacitor paperclip

Offline

#13 2021-09-15 23:07:01

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Preset passwords on forums should not contain certain characters

Coming back to the topic: perhaps encode random bytes using rfc 4648 base32 or send a sequence of 5 random English words?

Clarification: That’s a response to a sub-thread started by Ammako above.

As for security, the only difference between sending a plaintext password or a confirmation link is that the latter is tamper-evident, and only if someone refuses to change the initial password:

  • Confirmation link intercepted: the attacker gains access to a worthless account with no history. Tamper-evident, because the link can only be used once. The user has no option to regain control without help from the staff.

  • Initial pasword intercepted: the attacker gains access to a worthless account with no history. Not tamper-evident, because the user never knows someone already logged-in. But they should also immediately change the password anyway, which will remove attacker’s access to the account.

Am I missing anything?

Last edited by mpan (2021-09-17 08:27:15)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#14 2021-09-15 23:27:43

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: Preset passwords on forums should not contain certain characters

If the attacker acts fast enough, even the "tamper-evident" difference probably becomes irrelevant. The attacker just needs to immediately change that password (to prevent the rightful user from logging in) and change the user's email address (to prevent the rightful user from making PW reset requests).

At this point, it should become fairly evident to the rightful user that things have gone wrong.

With the PW-in-the-email approach, the rightful user actually has a bigger chance of being "faster" than the interceptor, so… it's actually safer? What am I missing?


pkgshackscfgblag

Offline

#15 2021-09-16 06:19:19

seth
Member
Registered: 2012-09-03
Posts: 50,012

Re: Preset passwords on forums should not contain certain characters

attacker gains access to a worthless account with no history

The OP wrote:

password reset request

Unless encrypted, sending anything by mail is vulnerable (again: I doubt access to this forum is worth it and anything that blocks trolls will do) - whether it's a password or a confirmation link.
It's also common practice because identifying the legitimate user is hard and security isn't comfortable.

The need to provide a private secret (password, key) but the problem is that they've lost that and you need a fallback.
If you want to avoid providing them w/ a new private secret over an insecure channel, they must have submitted it before over a secure channel.
This can either be a secondary "password" (which tends to be not very strong) like "your first pets name?" or a public key (in doubt one that you handed them and told them to put that on a usb key inside a strongbox until you ask for it)

tl;dr: please use a password manager ;-)

Offline

#16 2021-09-16 18:04:13

Mr Victory
Member
Registered: 2021-06-10
Posts: 39

Re: Preset passwords on forums should not contain certain characters

I just created a topic just because my new password contained lowercase L and now

jasonwyran wrote:

I recommend people use fonts that clearly distinguish between lL/iI/O0

Slithery wrote:

Copy and paste?

seth wrote:

tl;dr: please use a password manager ;-)

I have three advices yikes

This is not going anywhere...

Offline

#17 2021-09-17 08:44:18

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Preset passwords on forums should not contain certain characters

Seth: to be clear, I was answering concerns stated in the Ammako’s sub-thread. That is about registration. I added a clarification now to avoid further confusion.

For password resets the situation boils down to the email address being the only verifiable identity of the account owner, at least for most people. You are right, that providing a public key would help solve the issue. But if someone isn’t using a password manager and not doing backups, I doubt they would provide the key either. And it wouldn’t solve the problem completely, due to widespread use of webmail clients nowadays. Better than nothing, of course, but not even close to being the solution.

Perhaps having a grace period after a password reset, during which previous passwords are still valid, would at least allow regaining control over the account. But I think we’re starting to deviate from the topic.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

Board footer

Powered by FluxBB