On 2014-05-22, we triggered a forced password change for SourceForge users.
- We have adopted a longer minimum password length standard.
- There has been a change in our authentication layer, moving to a more modern Open Source platform.
- Password hashing algorithm and key length has changed.
- Forced password reset has occurred sitewide to ensure all stored password hashes meet these stronger standards.
- All site users have been sent email asking for password change.
- There has been no known breach or compromise of our systems.
[…] …read more […]
For me a minimum of 10 characters for a password of sourceforge is too long.
It’s
no longer convenient, and for me the sourceforge-account has not that
security relevance as other accounts (with even shorter passwords).
With this restriction, I’m not willing to keep my account active.
See you
@Thomas Wow…just wow. You’re not supposed to remember 298984 passwords in this day and age. Please research password managers (LastPass, Keypass(x), 1Password, etc)
JasonMonroe Still a pain having to delve into a password manager every time we want to log in to our more little used websites.
Received email telling me to reset password. Tried to log in to do so. Got “incorrect username/password” error message. Tried to do a password reset by email. An hour later, received the email with a confirmation hash url. But that produces the error message: Invalid confirmation hash. Has anyone actually succeeded in resetting their password? Now I’m getting an error “It seems you’re attempting to post malformed content” when I click “post comment.” This is an annoying waste of time.
I think it needs to be faced-up to that this password expiry and complexity soapboxing is a ‘straw-man’ to deflect attention away from the real security issues the software industry faces, of C buffer overflows, SQL code injection and Javascript XSS.
Security sites indicate that these three make up the vast majority of hacks and vulns. Password bruteforcing doesn’t even figure on the list. And, shouldn’t be possible anyway if tarpitting is implemented.
If anything needs expiring or deprecating, it is coding tools that require the coder to validate every single piece of user input for embedded malware. There is no reason to be using such tools, other than they were introduced in the security-naive early PC era and have become entrenched in the IT subculture.
@Thomas In general longer passwords are more secure, the issue I would raise is with numbers, punctuation and capitals – ‘Squirrel noises’ -as Dilbert succinctly puts it. These area a particular problem on touchscreens where they require a complex and slow series shifts beween several keyboard screens which are hard to do and easy to shoulder-surf. I think the industry needs to move with the times on this one, touchscreens are mainstream and short passwords with squirrel noises are poor security in this context. Longer pure alpha passphrases are the way to go.
@Thomas
Absolutely agreed. For something that doesn’t need critical security like sourceforge
10 characters is absolutely ridiculous. I have a poor memory and have difficulty
with even eight characters.
And using password managers isn’t very secure because malicious software can hijack the entire database
and ALL your passwords
JasonMonroe what’s use is it to have stuff ‘in the cloud’, if you need a locally installed password tool to get to it? 10 characters minimum is ridiculous. At least, with OpenID I could use whatever service I wanted, but even that is now no longer available.
Expect an explosion of password resets from now on.
[…] forced password change was triggered by infrastructure improvements not a compromise. FMI see sourceforge.net/blog/forced-password-change/ Thank you, The SourceForge Team […]