
IMPORTANT ALL READ, RockMasterMike - Account Compromised

  1. Rockmastermike Mar 7, 2018

    Posts
    543
    Likes
    5,483
    OF - my account has been hacked and I am "selling" watches - this is not me!!
    working with mod to get it straightened out
    Sincerely
     
  2. dsio Ash @ ΩF Staff Member Mar 7, 2018

    Posts
    26,989
    Likes
    32,704
    This is the third time we've seen this now in the FS section, can people please use unique passwords per site, and if you have an account on WUS, reset your password on all sites that you have used it on because it's easy for people to pretend to be you everywhere since they were done over twice, once in 2016 and again in late 2017.

     
    watchos and R3D9 like this.
  3. kidkimura Mar 7, 2018

    Posts
    602
    Likes
    1,524
    One suggestion for the mods:

    check new or reset password hashes vs the haveIbeenpwned api and reject any pw that matches.


    Might be good for any other work you build as well.
     
    kov and BenBagbag like this.
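
kidkimura's suggestion above, sketched as an added example (not part of the thread and not the forum software's own code): checking a new or reset password against the Pwned Passwords range endpoint, which receives only the first five hex characters of the SHA-1 hash. The function names, the fail-open policy and the offline `fake_fetch` response (with its made-up count) are assumptions for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # k-anonymity range endpoint


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix):
    """Live lookup: only the first 5 hex characters of the hash leave the server."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")


def breach_count(password, fetch=fetch_range):
    """Times the password appears in the breach corpus; 0 means not listed."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():  # each line is SUFFIX:COUNT
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def validate_new_password(password, fetch=fetch_range):
    """Return (accepted, reason) for a password set or reset."""
    try:
        hits = breach_count(password, fetch)
    except OSError:  # URLError and socket timeouts are OSError subclasses
        return True, "breach check unavailable"  # fail-open is an assumed policy
    if hits:
        return False, "password appears in %d known breach records" % hits
    return True, "ok"


def fake_fetch(prefix):
    """Constructed offline response: one filler line plus the entry for 'password'."""
    known = sha1_hex("password")
    lines = ["0" * 34 + "A:3"]
    if known.startswith(prefix):
        lines.append(known[5:] + ":1234")  # count is made up
    return "\r\n".join(lines)
```

The check has to run at the moment the user submits the plaintext, because the salted hashes a forum stores cannot be compared against the breach corpus afterwards.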
  4. cicindela Steve @ ΩF Staff Member Mar 7, 2018

    Posts
    15,047
    Likes
    23,791
    Guys, this is a serious matter and not a place for jokes or non-contributing posts.

     
    watchos likes this.
  5. R3D9 Mar 7, 2018

    Posts
    1,288
    Likes
    3,310
    @dsio do you have a way to trigger a password reset for all users? Might be an idea, if possible?

    Also great is an automatic feature that forces a new password at set intervals.
     
  6. watchos Mar 7, 2018

    Posts
    255
    Likes
    732
    I never get tired of repeating this to everyone that will listen. Unique random passwords stored in an encrypted service like 1Password and, if the service has it, have 2FA enabled. Rule of thumb: if you know your password (i.e. can write it from memory), it's a bad password (or you are a genius).
     
    R3D9 likes this.
  7. Tuura990 Mar 7, 2018

    Posts
    41
    Likes
    135
    This is not a bad idea. I work, depending on certain factors I have to change passwords every 3 months.
     
    watchos likes this.
  8. cicindela Steve @ ΩF Staff Member Mar 7, 2018

    Posts
    15,047
    Likes
    23,791
    ,
     
  9. larryganz The cable guy Mar 8, 2018

    Posts
    2,808
    Likes
    8,198
    Many of us would not like this option.
     
  10. R3D9 Mar 9, 2018

    Posts
    1,288
    Likes
    3,310
    May I ask what specifically your objections would be?
     
  11. Kmart Mar 9, 2018

    Posts
    1,228
    Likes
    3,770
    No one likes forced password resets. I also have to change passwords essentially on a monthly basis at work and I can tell you it accomplishes nothing because people just reuse virtually the same passwords with the minimum amount of alterations necessary.

    People should be responsible for their own accounts. OF hasn't been compromised so there should be no reason to force every member to change their password. And not everybody has a WUS account.
     
  12. time flies Mar 9, 2018

    Posts
    1,225
    Likes
    4,549
    As one who "liked" @larryganz's comment... I, to my perhaps convoluted way of thinking, believe I am best able to control the security for my accounts and don't really care to be forced to change according to another's schedule. I'm not sure it makes the whole any stronger. Maybe it's a "big brother thing", maybe it's accepting responsibility for one's actions. Anyhow. Thanks.

    Have fun
    kfw
     
  13. R3D9 Mar 9, 2018

    Posts
    1,288
    Likes
    3,310
    Both you and @Kmart make very valid points. Enough to bump me off the regular-interval idea.

    To your point about managing your own password - well, lax password management (not saying yours is) can have repercussions on more than just the individual, as we’ve seen with the case of @Rockmastermike having his password compromised.

    A one-time reset would have the effect of clearing the decks in order to make sure anyone potentially exposed to the WUS hack has changed their password. I’d hazard a guess that a meaningful percentage of OF members also have a WUS account. I’d further posit that a large percentage of them use a common password across websites.

    A small inconvenience for the greater good, is how I would frame it.

    As an aside, I’m curious to know from the mods if there is an account freeze feature when a member enters the wrong password more than X amount of times?
     
    time flies likes this.