
Beware 1st Feb

Posted: January 23rd, 2017, 1:33 pm
by stooz
Passwords require replacing every 90 days on this site. As many of you joined 5th November, that's about then.

I would suggest you go into your control panel ahead of this time and change it. As if I'm hit with a pile of "I forgot" requests, it will take me a while to process you all :)

Re: Beware 1st Feb

Posted: January 23rd, 2017, 1:42 pm
by Alaric
stooz wrote: Passwords require replacing every 90 days on this site.


That would be this site's implementation rather than a generic feature of phpbb. Is it really necessary?

Re: Beware 1st Feb

Posted: January 23rd, 2017, 1:43 pm
by mc2fool
stooz wrote: Passwords require replacing every 90 days on this site.

Why? Seems massive overkill for such a site.

Re: Beware 1st Feb

Posted: January 23rd, 2017, 2:08 pm
by Breelander
mc2fool wrote:
stooz wrote: Passwords require replacing every 90 days on this site.

Why? Seems massive overkill for such a site.

Even TMF didn't have an expiry date for passwords. Login cookies expired, but passwords never.

Re: Beware 1st Feb

Posted: January 23rd, 2017, 2:32 pm
by AleisterCrowley
Given the minimal damage a single normal user could do, having an enforced reset period is probably unnecessary.

Re: Beware 1st Feb

Posted: January 23rd, 2017, 3:23 pm
by Gaggsy
I had enough trouble trying to come up with a password the first time round...

"Password must be between 8 characters and 30 characters long, must contain letters in mixed case and must contain numbers."

I imagine forcing a password change will put off most lurkers like me. Is it absolutely necessary?

Re: Beware 1st Feb

Posted: January 23rd, 2017, 3:53 pm
by robbelg
As has already been said, that is massive overkill and will be hugely detrimental, and as Alaric said, this must surely be a configurable feature.

Stooz, please make this your number one priority to change.

Re: Beware 1st Feb

Posted: January 23rd, 2017, 4:02 pm
by staffordian
I too think enforced password changes are unnecessary.

Please reconsider.

Staffordian

Re: Beware 1st Feb

Posted: January 23rd, 2017, 4:05 pm
by PinkDalek
It seems the 90 day forced password change option has been selected by stooz but can be amended or disabled, if I've understood this correctly:

https://www.phpbb.com/support/docs/en/3 ... al_server/

Extract:

"FORCE PASSWORD CHANGE

It is always ideal to change passwords once in a while. With this setting, you can force your users to change their passwords after a set number of days that their passwords have been used.

Only integers can be entered in the text box, which is located next to the DAYS label. This integer is the number of days that, after which, your users will have to change their passwords. If you would like to disable this feature, enter a value of "0"."

Re: Beware 1st Feb

Posted: January 23rd, 2017, 4:08 pm
by Itsallaguess
staffordian wrote:
I too think enforced password changes are unnecessary.

Please reconsider.

Staffordian


I've got to agree with that, and would go further to suggest that keeping such functionality active would lead to some users actually migrating away from the board. We've all got enough passwords in our lives, and I can't really see the benefit of a 90-day-rule for a bulletin board. I've had the same password with my bank for over 15 years now! :D

I'd suggest turning off all requirements to change a password once set-up, other than allowing a user to do so if they wish to themselves.

Certainly seems to be a case of the downsides to such a requirement completely overwhelming whatever positive benefit doing so might bring, and as many people have already said - TMF managed to allow users to keep their passwords indefinitely, with no detrimental effects as far as I'm aware.

Are you open to turning the requirement off Stooz?

Glad you brought it up, mind! :D

Cheers,

Itsallaguess

Re: Beware 1st Feb

Posted: January 23rd, 2017, 4:12 pm
by kiloran
Itsallaguess wrote:
I've had the same password with my bank for over 15 years now! :D

Itsallaguess

Yes, I noticed you never change it ;)

--kiloran

Re: Beware 1st Feb

Posted: January 23rd, 2017, 4:13 pm
by 6Tricia
Stooz, I forgot my original password and you were brilliant sorting it out for me. Please don't make me change it again :cry: !

Tricia

Re: Beware 1st Feb

Posted: January 23rd, 2017, 4:54 pm
by Biggles
Ye gods, to choose a new password, I'd have to know what the old one was, and I'll never manage that!

Re: Beware 1st Feb

Posted: January 23rd, 2017, 5:07 pm
by Alaric
Gaggsy wrote: "Password must be between 8 characters and 30 characters long, must contain letters in mixed case and must contain numbers."


Those with a working knowledge of chess openings and notation might wish to consider using these. For example "Spanish" would be e4e5Nf3Nc6Bb5. The sequence e4e5f4 was a plot point in a recent episode of the Morse prequel "Endeavour".

Re: Beware 1st Feb

Posted: January 23rd, 2017, 5:20 pm
by gryffron
I always find a requirement to change passwords frequently is considerably LESS secure. Because everyone needs to write them down to remember them.

Gryff

Re: Beware 1st Feb

Posted: January 23rd, 2017, 5:36 pm
by chas49
I agree that it seems overkill, albeit good security practice. I presume the system doesn't store old passwords so there's presumably nothing to stop one changing it to a new password and immediately back to the previous one?

Re: Beware 1st Feb

Posted: January 23rd, 2017, 5:40 pm
by jackdaww
Who on earth would want to hack into my TLF account?

:x :x :x

Re: Beware 1st Feb

Posted: January 23rd, 2017, 5:40 pm
by jackdaww
chas49 wrote: I agree that it seems overkill, albeit good security practice. I presume the system doesn't store old passwords so there's presumably nothing to stop one changing it to a new password and immediately back to the previous one?


===

I wouldn't bet on it.

Re: Beware 1st Feb

Posted: January 23rd, 2017, 5:56 pm
by MDW1954
Where *is* the control panel, anyway? What does it look like? I see the little "gear cog", but it doesn't have a password option that I can see.

MDW1954

Re: Beware 1st Feb

Posted: January 23rd, 2017, 6:04 pm
by staffordian
MDW1954 wrote: Where *is* the control panel, anyway? What does it look like? I see the little "gear cog", but it doesn't have a password option that I can see.

MDW1954


Click on the small arrow beside your username at the top of the page (not sure if it's there on every page, but it's certainly on some...)

Then go to profile, edit account settings.

Staffordian