[RFC] Use password_hash

These RFCs were either rejected or have been replaced by an alternative proposal. They will not be included in phpBB.
Paul
Infrastructure Team Leader
Posts: 373
Joined: Thu Sep 16, 2004 9:02 am

Re: [RFC] Use password_hash

Post by Paul »

Nuisance Value wrote: Putting that up in large letters with a count down, i.e. 15 seconds before the user is allowed to move on to the next stage of his/her registration, would avoid unpleasantness later on...
And would mean a lot of users won't register as they don't want to wait for 15 seconds.

Arty
Former Team Member
Posts: 985
Joined: Wed Mar 06, 2002 2:36 pm
Location: Mars

Re: [RFC] Use password_hash

Post by Arty »

Nuisance Value wrote: Putting that up in large letters with a count down, i.e. 15 seconds before the user is allowed to move on to the next stage of his/her registration, would avoid unpleasantness later on...
Why? To make them read text they don't want to read? That won't help anyone. People won't read that wall of text, just like they don't read agreements when installing any software. A 15 sec delay will only annoy them and give them plenty of time to reconsider registering.

99% of users (made up number based on my experience) don't even want to know about password hashing. There is no point in showing that text.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Use password_hash

Post by imkingdavid »

How about a little (?) icon with mouseover text that contains password complexity requirements and information about password storage? A time limit I agree is not a good idea. I'm not likely to register at a place that makes me wait, especially something like 15 seconds.

Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA

Re: [RFC] Use password_hash

Post by Pony99CA »

Let's not be as verbose as Nuisance Value suggests or have a countdown timer. That would only have, well, nuisance value. :D

The registration E-mail sent (at least if user activation is on) includes the following (emphasis added by me):
Your password has been securely stored in our database and cannot be retrieved. In the event that it is forgotten, you will be able to reset it using the email address associated with your account.
If you want to move that up or reword it, you can easily change the letter text to do that.

To remember passwords, get a good password manager (I use eWallet, but there's also LastPass and KeePass, I believe).

Steve

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: [RFC] Use password_hash

Post by naderman »

We are replacing password hashing with a patch based on the proposal [RFC]More secure password hashing, so I'm moving this one to rejected RFCs.
