
How do you all feel about requiring that your forum members have strong passwords?

 

How about enabling features such as mandatory 2FA logins? (Two-Factor)

 

How about for staff members, especially those who can get into your admin control panels?

 

Do you think more forum admins need to take something like this issue seriously?


I think it's a major restriction on their freedom. However, I think strong passwords are a must for the admin to prevent hacking.

 

Anyway, I would say strong passwords are good for users, but it's not my loss if they don't use them. It could be their loss.

Strong passwords are good for both staff and members, especially when browsers nowadays can generate a very strong password for you.

 

Mandatory 2FA? No, that can go straight in the bin...

https://mindsconnected.tech

Tech forum for all...

If 2FA were an option on the software I used, I would strongly recommend my staff (if I had any) enable it along with having a strong password.

 

I don't require strong passwords for members, but I would highly advise having a strong password for any account you use.

 

All I have on the software I use is a security question for the Admin CP, which I do use.


Back when I ran forums 10+ years ago, the ability of admins to require strong passwords from members was somewhat limited. If I recall, you could specify minimum password lengths, but that was about it, and obviously people would be annoyed if the minimum was set too high. On the forum I ran that got particularly popular, we had so many password issues that an administrator had to be hired to deal with account recovery and password help requests from members, which was kind of frustrating.

 

Luckily it seems nowadays that much of this functionality is built into forum software, and 2FA has made things so much easier too. I definitely wouldn't be hiring an admin to solely work on account recovery if I was running a forum nowadays, unless I had literally millions of members!


If implemented on an active forum, make it to new regs only, and not retroactive.

And then just make a public post/notice about it for current members.

InvisionFree was probably the most crack-able forum software I recall. Everyone was always getting their account hacked into. I remember John of Jcink explaining the primary reasons behind that, but I would have to search to find the post.

InvisionFree was probably the most crack-able forum software I recall. Everyone was always getting their account hacked into. I remember John of Jcink explaining the primary reasons behind that, but I would have to search to find the post.

Most of the time it was just guessing the password. This was in a time when we weren't aware how important a good password was. So often it was just easy to guess.

How do you all feel about requiring that your forum members have strong passwords?

They can have whatever password they want. If they want password, so be it. Just don't complain when your account is "hacked".

 

Spamming will be picked up on pretty quickly and the account will be locked, so there are no worries there.

How about enabling features such as mandatory 2FA logins? (Two-Factor)

Only a professional forum (in the works) will require it, because it'll have more sensitive information, and only if the team leader requires it of their collaborators.

How about for staff members, especially those who can get into your admin control panels?

I have hard-delete set to NEVER, and that can only be changed one way: Through me, physically, and a passkey. So I have no problem worrying about data loss through the ACP. Good luck getting onto the server to change anything. But, if you do, there are backups in place where some content can be lost, but very minimal.

Do you think more forum admins need to take something like this issue seriously?

Probably only allow people you trust ACP/Admin access and grant them specific privileges within it. I'm unsure about other forum software, but XenForo will let me disallow a moderator from doing anything from managing bans, or an administrator from managing user groups, if those people don't need to.

 

If I need a 3rd party developer to debug a style, I will only grant them "Manage styles, style properties, and templates" for the time they need, and on a development instance, to port over once it's done. There's no need for them to manage users, etc., if you get the point.

o.O

 

document.cookie could access the password hash? WHY? WHY WOULD YOU EVER DO THAT

 

HttpOnly was a sensible addition but it also didn't exist back in 2004 so had to be a later addition.

 

And yes, doHTML is entirely a bad idea unless you load it up with something like HtmlPurifier but that will break all the shonky non-standard codes people add to their posts etc.

Holder of controversial opinions, all of which my own.

 

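The cookie problem the post above describes, as an added example that is not code from any forum software mentioned in this thread: the weak pattern (a password hash in a cookie that document.cookie can read) beside a hardened session cookie using PHP's setcookie() options. Function names are illustrative.

```php
<?php
// Added example (not code from any forum software discussed here): the
// cookie pattern the post criticises beside a hardened session cookie.

// Weak pattern: a credential (the password hash) is placed in a cookie
// that JavaScript can read via document.cookie, so any injected script
// (for instance via unsanitised "doHTML" posts) can read it and reuse it.
function set_weak_login_cookie(string $memberId, string $passwordHash): void
{
    // No secure/httponly flags, and the value is itself the credential.
    setcookie('member_id', $memberId, time() + 86400 * 30, '/');
    setcookie('pass_hash', $passwordHash, time() + 86400 * 30, '/');
}

// Hardened pattern: the cookie carries only a random, opaque session id
// that is looked up server-side; nothing in it is a credential, and the
// flags keep it out of document.cookie and off plain-HTTP connections.
function set_session_cookie(): string
{
    $sessionId = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    setcookie('sid', $sessionId, [
        'expires'  => time() + 86400 * 30,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // invisible to document.cookie
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    // The server would store $sessionId => member id here (hashed at rest).
    return $sessionId;
}

// For PHP's built-in session handling the same flags are set once, before
// session_start(), instead of on each setcookie() call.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```

HttpOnly stops a script from reading the cookie, but an injected script can still act as the logged-in user from within the page, so sanitising user-supplied HTML (as the post says, with something like HtmlPurifier) is still required.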

document.cookie could access the password hash? WHY? WHY WOULD YOU EVER DO THAT

I guess people were clueless back then until the web started becoming more standardized and articles and documentation started popping up everywhere. :unsure:

That's the thing, 2004 was already well into the era of articles and documentation and have-a-go-heroes. In many ways that period is peak bad PHP practices being written out as guides.

Holder of controversial opinions, all of which my own.

 


That's the thing, 2004 was already well into the era of articles and documentation and have-a-go-heroes. In many ways that period is peak bad PHP practices being written out as guides.

Well, I was 14 at the time, so I know I was clueless. :ROFLMAO:

Consider that IPS wasn't even Matt M's first attempt at writing a forum software at that point in time. Ikonboard predated Invision.

Holder of controversial opinions, all of which my own.

 


Consider that IPS wasn't even Matt M's first attempt at writing a forum software at that point in time. Ikonboard predated Invision.

How old was he when he produced Ikonboard?

Well, the first version of Ikonboard debuted in 1999, and I think Matt was already in his early 20s by that point (Ikonboard was written in Perl, not PHP, though the security implications are no different in practice), with Invision's first version debuting in 2002.

Holder of controversial opinions, all of which my own.

 
