SourceForge Forced Password Change

On 2014-05-22, we triggered a forced password change for SourceForge users.

  • We have adopted a longer minimum password length standard.
  • There has been a change in our authentication layer, moving to a more modern Open Source platform.
  • The password hashing algorithm and key length have changed.
  • Forced password reset has occurred sitewide to ensure all stored password hashes meet these stronger standards.
  • All site users have been sent an email asking them to change their password.
  • There has been no known breach or compromise of our systems.
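The announcement ties three things together: a longer minimum length, a stronger hash algorithm and key length, and a sitewide reset so that every stored hash meets the new standard. The following is an added example (not SourceForge's code; the announcement does not disclose its actual hashing scheme, parameters or storage format, so the PBKDF2-SHA256 record format, the iteration count, the key length and the `sha1$salt$digest` legacy format here are all constructed assumptions). It shows why a forced reset is the only way to guarantee the upgrade: a legacy hash cannot be recomputed under the new scheme without the plaintext, so accounts whose owners never log in would keep the old hash indefinitely.

```python
import hashlib
import hmac
import secrets

# Policy constants are assumptions constructed for this example; they are not
# SourceForge's actual parameters.
MIN_PASSWORD_LENGTH = 10
CURRENT_ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000
CURRENT_KEYLEN = 32            # derived-key length in bytes
LEGACY_ALGOS = {"sha1"}        # hypothetical old scheme that must be retired


def check_policy(password):
    """Return (ok, reason). Only the minimum-length rule from the announcement is modelled."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"password must be at least {MIN_PASSWORD_LENGTH} characters"
    return True, "ok"


def hash_password(password, salt=None, iterations=CURRENT_ITERATIONS, keylen=CURRENT_KEYLEN):
    """Produce a self-describing record: algo$iterations$salt_hex$dk_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=keylen)
    return f"{CURRENT_ALGO}${iterations}${salt.hex()}${dk.hex()}"


def legacy_hash(password, salt_hex):
    """Constructed legacy format (sha1$salt_hex$digest_hex) standing in for the old scheme."""
    digest = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return f"sha1${salt_hex}${digest}"


def parse_record(record):
    parts = record.split("$")
    if parts[0] in LEGACY_ALGOS:
        return {"algo": parts[0], "iterations": 1, "salt": parts[1], "digest": parts[2]}
    algo, iterations, salt_hex, dk_hex = parts
    return {"algo": algo, "iterations": int(iterations), "salt": salt_hex, "digest": dk_hex}


def needs_upgrade(record):
    """True when the stored hash no longer meets the current algorithm, work factor or key length."""
    r = parse_record(record)
    if r["algo"] != CURRENT_ALGO:
        return True
    if r["iterations"] < CURRENT_ITERATIONS:
        return True
    return len(bytes.fromhex(r["digest"])) < CURRENT_KEYLEN


def verify(password, record):
    """Constant-time comparison against whichever scheme the record declares."""
    r = parse_record(record)
    if r["algo"] in LEGACY_ALGOS:
        return hmac.compare_digest(legacy_hash(password, r["salt"]), record)
    if r["algo"] != CURRENT_ALGO:
        return False
    candidate = hash_password(
        password,
        salt=bytes.fromhex(r["salt"]),
        iterations=r["iterations"],
        keylen=len(bytes.fromhex(r["digest"])),
    )
    return hmac.compare_digest(candidate, record)


def verify_and_rehash(password, record):
    """Opportunistic upgrade at login: returns (ok, new_record_or_None).

    This only helps users who actually log in; it is why a sitewide forced
    reset is needed to cover every account by a known date.
    """
    if not verify(password, record):
        return False, None
    if needs_upgrade(record):
        return True, hash_password(password)
    return True, None


def accounts_needing_reset(users):
    """Usernames whose stored hash cannot meet the standard until the user supplies a password."""
    return sorted(name for name, record in users.items() if needs_upgrade(record))


if __name__ == "__main__":
    # Constructed sample user table: one legacy hash, one already on the current scheme.
    users = {
        "alice": legacy_hash("correct horse battery", "0011223344556677"),
        "bob": hash_password("staple battery horse"),
    }
    print("accounts requiring forced reset:", accounts_needing_reset(users))
    ok, upgraded = verify_and_rehash("correct horse battery", users["alice"])
    print("alice login ok:", ok, "| rehashed:", upgraded is not None)
```

`needs_upgrade` treats a too-low iteration count or too-short derived key the same way as an outdated algorithm, so raising either parameter later flags the affected records for another reset without changing the storage format.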
8 comments
Ian R

I think it needs to be faced-up to that this password expiry and complexity soapboxing is a 'straw-man' to deflect attention away from the real security issues the software industry faces, of C buffer overflows, SQL code injection and Javascript XSS.


Security sites indicate that these three make up the vast majority of hacks and vulns. Password bruteforcing doesn't even figure on the list. And, shouldn't be possible anyway if tarpitting is implemented.


If anything needs expiring or deprecating, it is coding tools that require the coder to validate every single piece of user input for embedded malware. There is no reason to be using such tools, other than they were introduced in the security-naive early PC era and have become entrenched in the IT subculture.


Thomas

For me a minimum of 10 characters for a password of sourceforge is too long.

It's no longer convenient, and for me the sourceforge-account has not that security relevance as other accounts (with even shorter passwords).


With this restriction, I'm not willing to keep my account active.


See you

smeezekitty

@Thomas

Absolutely agreed. For something that doesn't need critical security like sourceforge, 10 characters is absolutely ridiculous. I have a poor memory and have difficulty with even eight characters.

And using password managers isn't very secure because malicious software can hijack the entire database and ALL your passwords.

Ian R

@Thomas In general longer passwords are more secure; the issue I would raise is with numbers, punctuation and capitals - 'Squirrel noises', as Dilbert succinctly puts it. These are a particular problem on touchscreens, where they require a complex and slow series of shifts between several keyboard screens which are hard to do and easy to shoulder-surf. I think the industry needs to move with the times on this one: touchscreens are mainstream, and short passwords with squirrel noises are poor security in this context. Longer pure alpha passphrases are the way to go.

Joe002

@Thomas 

At first I thought you were going to complain that the password length isn’t strong enough. I guess you wouldn’t keep a job where I work – minimum length is 16 characters.

If it makes it easier on you then just repeat your old password 2 or 3 or 10 times until you hit 10 or more characters…


JasonMonroe

@Thomas Wow... just wow. You're not supposed to remember 298984 passwords in this day and age. Please research password managers (LastPass, KeePass(X), 1Password, etc.)

fiammy

@JasonMonroe What use is it to have stuff 'in the cloud' if you need a locally installed password tool to get to it? 10 characters minimum is ridiculous. At least with OpenID I could use whatever service I wanted, but even that is now no longer available.

Expect an explosion of password resets from now on.

Trackbacks

  1. […] forced password change was triggered by infrastructure improvements not a compromise. FMI see sourceforge.net/blog/forced-password-change/ Thank you, The SourceForge Team […]