I think phpbb should move to support multi-word passwords. A simple shift would make it exponentially harder for passwords to be compromised. Even the best passwords ($dfk289@*1%) aren't anywhere near as strong as a multi-word password (blue funny dog barks). Even better would be a password + multi-word phrase option which hashes the two together.
I'd like to see phpbb support both implementations, allowing administrators to make the end decision. Thoughts?
Support Multi-Word Passwords
- canonknipser
- Registered User
- Posts: 71
- Joined: Mon Sep 19, 2011 4:42 am
- Location: Germany
Re: Support Multi-Word Passwords
kjtocool wrote: "I'd like to see phpbb support both implementations"
It is no separate implementation, it's just another password (better name would be passphrase) rule including a whitespace as allowed character ...
Greetings
Frank
phpbb.de support team member - no support via PM or mail
English is not my native language
Extensions and scripts for phpBB
Re: Support Multi-Word Passwords
From a UI perspective, my ideal scenario would be:
1) You use the regular password, it looks as it does currently.
2) You use the multi-word password, there are four input fields for each word.
3) You use the combination option, there is an input field labeled "Password", and then four input fields labeled "Phrase" or something similar.
I think, from a user perspective, it should be clear where each word goes, which section is which, etc.
- canonknipser
- Registered User
- Posts: 71
- Joined: Mon Sep 19, 2011 4:42 am
- Location: Germany
Re: Support Multi-Word Passwords
kjtocool wrote: "I think, from a user perspective, it should be clear where each word goes, which section is which, etc."
From a user's perspective (mine, not yours), it makes it more complicated - all UIs I know tell me to enter my username (one entry field) and a self-chosen passphrase (another entry field) and maybe a captcha (a third entry field).
Having more than one field for the passphrase would make it much more complicated. Why is phpBB asking me for more than one word? How many letters do I have to put in each field? How many words do I have to enter?
From a programmer's perspective, it's much more complicated:
Allowing a passphrase with whitespace, I only have to check:
- Are all types of letters entered?
- Did the user enter a passphrase long enough?
Having more than one entry field, I have to check this for each field, and afterwards I have to combine it for calculating the passphrase hash.
What's the difference between "blue funny dog barks" and "blue" "funny" "dog" "barks"?
Greetings
Frank
phpbb.de support team member - no support via PM or mail
English is not my native language
Extensions and scripts for phpBB
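The checks described in the post above, written out as an added example (not part of the thread and not phpBB code): one text field that allows whitespace, combined with an assumed minimum-word rule, accepts the same passphrase as four separate fields and produces the same hash. The policy values, function names and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy values for illustration; not phpBB settings.
MIN_WORDS, MIN_WORD_LEN, MIN_TOTAL_LEN = 4, 3, 16
PBKDF2_ROUNDS = 600_000


def normalize(*fields):
    """Join one or several input fields into one canonical passphrase."""
    text = unicodedata.normalize("NFKC", " ".join(fields))
    return " ".join(text.split())  # trim, collapse tabs and double spaces


def check_policy(passphrase):
    """Return the list of rule violations; an empty list means accepted."""
    words = passphrase.split()
    problems = []
    if len(words) < MIN_WORDS:
        problems.append("too few words")
    if any(len(w) < MIN_WORD_LEN for w in words):
        problems.append("word too short")
    if len(passphrase) < MIN_TOTAL_LEN:
        problems.append("passphrase too short")
    if len({w.casefold() for w in words}) < len(words):
        problems.append("repeated word")
    return problems


def hash_passphrase(passphrase, salt=None):
    """Salted PBKDF2-HMAC-SHA256 over the normalized passphrase."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(passphrase, salt, digest):
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_passphrase(passphrase, salt)[1], digest)


# Constructed sample input: the thread's example phrase, entered both ways.
one_field = normalize("  blue funny   dog barks ")
four_fields = normalize("blue", "funny", "dog", "barks")
salt, stored = hash_passphrase(one_field)
print(one_field == four_fields, verify(four_fields, salt, stored))
print(check_policy(normalize("bluefunny dog barks")))
```

Because normalization runs before both the policy check and the hash, the number of input boxes is purely a UI choice; the stored hash is identical either way.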
Re: Support Multi-Word Passwords
I suppose I feel it is more intuitive.
When the user registers, they'll be prompted for a "pass phrase." How do they know to enter a space? How do you validate they didn't run a word together they meant to keep separate? To me, the easiest and most intuitive solution is to have 4 input boxes under one "Passphrase" heading.
When the user returns to login, they will see four input boxes, which should jog their memory that "oh yeah, this site uses that phrase." And certainly, if you choose to use the combination of a Password + Passphrase, it seems more intuitive to me if the options are distinct in nature: Username, Password, Passphrase. Segmenting it into understandable buckets aids in the recollection, simplifying a more complicated password entry system.
I do agree, it is more challenging from a design perspective.
- callumacrae
- Former Team Member
- Posts: 1046
- Joined: Tue Apr 27, 2010 9:37 am
- Location: England
Re: Support Multi-Word Passwords
If a user wants a multi-word password, let them. If they don't, let them.
It's fine how it is perfectly.
Re: Support Multi-Word Passwords
It's already hard enough to deal with websites that require some sort of mix of letters or whatever, so I can't enter my favorite password there; having to remember 2 passwords would be horrible. Such passwords increase the chance of the user having to write down that password somewhere rather than typing it from memory, increasing the chances of it being stolen.
Formerly known as CyberAlien.
Free phpBB styles | Premium responsive XenForo styles | Iconify - modern open source replacement for glyph fonts
Re: Support Multi-Word Passwords
Well, the basic idea behind pass phrases is that they're just as hard to crack via brute force, but much easier to remember for people. Remembering "$php33foru*mp@a$$" is much harder than "phpbb forum awesome blossom".
- canonknipser
- Registered User
- Posts: 71
- Joined: Mon Sep 19, 2011 4:42 am
- Location: Germany
Re: Support Multi-Word Passwords
kjtocool wrote: "Well, the basic idea behind pass phrases is that they're just as hard to crack via brute force, but much easier to remember for people. Remembering "$php33foru*mp@a$$" is much harder than "phpbb forum awesome blossom"."
But, as long as the passphrase rule allows it, you can enter it into one field - why do you want to use four (Or seven? Or ten?) fields for that?
There are a lot of tips out there for using easy-to-remember-but-hard-to-crack passphrases, like using a sentence such as "My dog has four legs and one head", replacing number words by their numerals, using just the first letter of each word, and reversing the phrase, giving: "h1al4hdM"
Greetings
Frank
phpbb.de support team member - no support via PM or mail
English is not my native language
Extensions and scripts for phpBB
Re: Support Multi-Word Passwords
Because unique fields force the user to enter a phrase, one field simply allows it. With one field, you can't force an entire forum to follow.