Security improvement idea


Wolfie


With the new security feature for the upcoming 4.0 suite, this little nugget came to my mind.

Add an option where after X number of years of inactivity, a member's account will have its password information nullified. Even with the new improvement in place, the best protection of all is if there isn't anything to try to brute-force crack to begin with. For those that are consistently active, an announcement would obviously be noticed, so active members could change their passwords if the database was compromised.

At the very least, a way to selectively flag accounts, either individually or by mass, that the next time someone tries to sign in, they will be required to do a password reset, regardless of the success of signing in. That way if an admin feels an account has been compromised, they can flag that account and require the member to essentially re-validate that it's them.

Should be a tool not often used, but could come in handy.



Talking with someone about this, another enhancement.

Member group settings: set a time period per group for when a password would be wiped off the account (by task) due to inactivity. Also, a time period for requiring someone to change their password to something different. Both optional, but available.


I dislike security when it comes at the risk of hindering activity.

How would it hinder activity, other than hindering hacker activity? If I were running a big community, like Neowin for example, I'd like to think that if my database got grabbed somehow, those who haven't been active for a while would already have their passwords erased, meaning that they aren't at any risk for their passwords being compromised. And with a few clicks, I could wipe out everyone's password, thus making it so that if a password is figured out somehow, it won't work. The true owner of the account would have to reset the password and therefore keep their account secure. The only exception would be if their email account got compromised, but that's not within our control as an admin. Make sites using IPS software an undesirable target and that in itself improves security by discouraging attacks to begin with.

Returning members.

If they're not returning, how is it hindering their activity? If someone does happen to return after a year (or two or however long it's set for), then it might seem a bit inconvenient to reset the password, but it's protecting their account and security. If someone uses the same password on multiple sites (and let's be honest, we know a lot of people do it), then if their password is wiped out on a site after lack of activity, then the chances of their security being compromised goes down some.

Because they may return.

So in the meantime, if they don't return for say, 4 years, their account should remain vulnerable because someone could figure out the password somehow (social engineering, etc)? Okay I guess that makes sense.

> So in the meantime, if they don't return for say, 4 years, their account should remain vulnerable because someone could figure out the password somehow (social engineering, etc)? Okay I guess that makes sense.

I don't see where their account would be any more vulnerable than a member who stops daily.


> I don't see where their account would be any more vulnerable than a member who stops daily.

Following that logic, if you have an admin who only visits once every four years, their account poses no more risk to your site than that of an admin who visits every day.

Would you really let an account with ACP access retain that access if it's not used frequently? Before you go saying, "Well that's different because it has ACP access," stop yourself and remember what damage can be caused by a regular account. That valid member's account could be hacked and then used to send out a crap load of spam to others. How does that lapse in security look on the admins of the site for leaving such a huge gaping hole open in security?

What it comes down to is not only protecting people from themselves, but protecting your community from them as well. If they use the same password on a dozen or more sites (yours included), then say one of those sites gets compromised and the password is figured out, all it takes is for the hacker to know that they are on your site as well and to try the account. If it's a unique username, it wouldn't take long to track down some of the sites they are on.

On the flip side, let's say your site gets compromised (not due to the IPS software, of course :D ), they grab a copy of your database and the user hasn't been on in a few years. Their password details still intact, it doesn't take a genius to realize that their password could be cracked (it's not using the newer hash method) and suddenly your site becomes the reason that their accounts on other sites get hacked into. Well, that and the fact that they shouldn't have used the same password on multiple sites, but the point remains: do you want to be that helpful to a hacker? With the password hash removed, it becomes a moot point to the hacker. They'll look for the older password hashes for that reason. If the inactive accounts have those hashes removed, it's no good to a hacker. Active accounts get converted to the new hash method, thus making it much harder for hackers. Clearing out those hashes (of accounts not active for a long period of time) makes it even less worthwhile for hackers because they get fewer accounts they can try to compromise.

Hackers are like leeches. They're not going to suck on a rock for blood, they're going to look elsewhere. Be that rock.

> Following that logic, if you have an admin who only visits once every four years, their account poses no more risk to your site than that of an admin who visits every day.
>
> Would you really let an account with ACP access retain that access if it's not used frequently? Before you go saying, "Well that's different because it has ACP access," stop yourself and remember what damage can be caused by a regular account. That valid member's account could be hacked and then used to send out a crap load of spam to others. How does that lapse in security look on the admins of the site for leaving such a huge gaping hole open in security?

An admin who visits every four years would be useless as an admin. But I would not delete their account, I would demote them to member after the first couple of months.

I hope you also see, that your argument is apples and oranges.


> If that's what gave you the idea for this, I feel like I should at least say that I don't really agree with half of what I said there.

It wasn't, not by any means.


> An admin who visits every four years would be useless as an admin. But I would not delete their account, I would demote them to member after the first couple of months.
>
> I hope you also see, that your argument is apples and oranges.

No, demoting an admin would be turning it to apples and oranges, unless you're going to somehow demote inactive members as well. The only difference between a regular user and an admin user is the level of access. The facts remain the same though, if you would change the admin's account in any way, then you are proving my point that there is a reason to do something. :smile:

I made a very valid point, don't try to wiggle out of it. ;)

> No, demoting an admin would be turning it to apples and oranges, unless you're going to somehow demote inactive members as well.

Inactive members have absolutely nothing to do with why I would demote an inactive admin. If admins are not there to work they have no business in the ACP.

How that would translate to also demoting inactive members ( to what group I have no clue ) I cannot wrap my head around.


Those arguing against this, realize that you could just not use said feature.

It is a valid security measure. Yes, it could potentially have membership side effects, but I would rather sacrifice a few members and maintain account security for those accounts that have been abandoned.

If a member returns after a year, he/she likely returned for a reason and would reset their pass. Your normal user isn't going to write off why they were coming back after an extended absence out of spite like some here have said.


> Inactive members have absolutely nothing to do with why I would demote an inactive admin. If admins are not there to work they have no business in the ACP.
>
> How that would translate to also demoting inactive members ( to what group I have no clue ) I cannot wrap my head around.

You're right, apples and oranges. Let's focus on the main point, not your side point.

I asked if you would allow an absent admin to retain ACP access. Obviously it was from a security standpoint, not a usefulness one. That's where you're getting sidetracked and missing the point. The reason to remove elevated access is for security, not whether or not they're useful to you. If you think it's the other way around, then you are saying that if someone is useful to you, then give them access even if they aren't trustworthy. That's backwards. Security comes first, period.

Now that we have that sorted out. Would you allow an account to retain ACP access even if the account owner doesn't sign in until a few years later? Forget the argument of their being useful to you or not. Would you allow it? No, you wouldn't (or at least, SHOULDN'T). Why? Because that's a security issue. If a regular member doesn't visit your site for 3 or 4 years, do you really want to run the risk that someone may eventually hack into that account and then use it to spam your other members? If you're fine with your community being used for such activities, then hey, go for it. Just please put up a huge notice on your site so that if I ever come across it, I'll know to avoid joining because I prefer to not get spammed.

Also, not sure why you are against such an option being available. It's not like it would be forced usage. I don't see you protesting against the option to require people to sign in to view the community. Do you use it? If not, you should argue against it because it's not your thing. They're called options and settings for a reason. Just because you may not like it for your site doesn't mean others wouldn't appreciate the option to improve security on their site. After all, nothing says you would be required to use it.


> If a member returns after a year, he/she likely returned for a reason and would reset their pass.

That sentence reminded me. I wonder how many return after a year or more and just reset their password right at the start because they've gone through enough passwords that they don't even bother trying to remember. They try to sign in and fail, they end up resetting their password anyway. Same thing, they wouldn't know that their password got scrubbed for security reasons.

My answer would be yes.

Making people change passwords can make some people use more simple passwords like abc123 just to not have a password to remember. It would be seen as less point in having a decent password if one must keep changing it.

Active and inactive accounts can be cracked.

Having more sites with this feature is more sites out there that have it...


Archived

This topic is now archived and is closed to further replies.