Request for Feedback: Password reset process


Have you been required to reset your password on NamePros?

  • Yes, and it went smoothly: 25.0%
  • Yes, and it went poorly: 8.3%
  • No: 66.7%

This poll is still running and the standings may change.

If you were required to reset your password on NamePros as a result of a security concern, and you encountered issues or confusion during the process, please explain the issues you encountered.

Important: This is a public thread; anyone can read what you write here, and it may be archived by third-parties even if you edit or delete it later. Do not post any credentials or other sensitive information. If an error message contained a password suggestion, and you opted to use that suggestion, do not post the message here.
I was not asked to reset the NP password. I did this voluntarily, and it simply worked :) Changing online passwords, with or without reported data breaches, is always a good idea imo
If you were required to reset your password on NamePros as a result of a security concern, and you encountered issues or confusion during the process, please explain the issues you encountered.
YES, and it was the worst password reset I've ever encountered. It would not accept ANY of the passwords I tried to use, no matter what.
It would not accept ANY of the passwords I tried to use, no matter what.

Do you happen to remember what it told you when it refused to accept your passwords? How did you interpret what it was saying?
YES, and it was the worst password reset I've ever encountered. It would not accept ANY of the passwords I tried to use, no matter what.

Not accept any of the passwords? How did you get in?
Do you happen to remember what it told you when it refused to accept your passwords? How did you interpret what it was saying?
It said something about the password being too similar to a previously used password. But I was trying totally random passwords that were not similar at all to previously used passwords. Nothing worked.

I'm not going to say publicly what eventually did work. But it took MANY tries and a lot of time to finally get it to work.
It said something about the password being too similar to a previously used password. But I was trying totally random passwords that were not similar at all to previously used passwords. Nothing worked.

I'm not going to say publicly what eventually did work. But it took MANY tries and a lot of time to finally get it to work.

It seems like a significant number of people ran into a similar issue. About 12 hours ago, we significantly decreased the sensitivity of the similarity detection. However, we're concerned that it may still be a tad aggressive.

Do you think providing live feedback about the quality of the password is likely to improve usability, even if the underlying criteria don't change?

Would detailed instructions for generating a secure password improve usability? For example, if numbers or symbols are merely appended to an insecure password, we deem the result to also be insecure. Would articulating these assessment criteria make the process simpler or more confusing?
Do you think providing live feedback about the quality of the password is likely to improve usability, even if the underlying criteria don't change?

Would detailed instructions for generating a secure password improve usability? For example, if numbers or symbols are merely appended to an insecure password, we deem the result to also be insecure. Would articulating these assessment criteria make the process simpler or more confusing?
I'm honestly not sure. I have sincerely never encountered a password reset that was THAT difficult. I was blindly typing random keys -- random letters, random numbers, random symbols -- but nothing worked. I can't imagine any amount of detailed instructions being able to help with that. Know what I mean?
I have sincerely never encountered a password reset that was THAT difficult

Judging by the number of failed attempts we saw, you're not alone.

I was blindly typing random keys -- random letters, random numbers, random symbols -- but nothing worked.

That's somewhat intentional. The current best practice is to maintain a list of compromised passwords and refuse passwords that match the list or are similar to those in the list, rather than forcing arbitrary criteria ("must contain at least one number") or expiring passwords on a regular basis. When people mash their keyboard, they tend to produce passwords that look random at first glance but that follow a pattern. Many of the resulting combinations have already been compromised.

Would it be helpful for us to provide a random password generator on the page? We include one example password in the error message, but it seems as though the suggestion is either being ignored or treated as untrusted.

Out of curiosity, if you go to https://haveibeenpwned.com/Passwords and enter a handful of random passwords--not real passwords that you use, but passwords comparable to what our site rejected--does that form also reject them? The database of compromised passwords we use comes from Have I Been Pwned, but we perform additional processing to check for similarities, not just exact matches. The form on that page will only check for exact matches. If it accepts your test passwords as secure, there may be an issue with our similarity detection algorithm.
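An added example, not NamePros's own code, of the approach the staff post above describes: checking a candidate against a breached-password list distributed as SHA-1 digests (the form Have I Been Pwned publishes), and extending exact matching to the "digits or symbols merely appended" case by hashing normalised variants of the candidate rather than searching the hashed list for similar entries. The five-entry breach sample, the minimum length and the normalisation rules are assumptions; the blocked patterns "12345" and "namepros" are the ones named later in the thread, and `range_query_parts` shows the prefix split used by the HIBP range API, in which only the first five hex characters of the digest leave the client.

```python
import hashlib
import re

# Constructed sample of compromised passwords, kept as upper-case SHA-1 digests,
# the form in which the HIBP "Pwned Passwords" list is distributed. Example
# data only, not the real breach corpus.
_SAMPLE_BREACHED = ["password", "qwerty", "letmein", "asdfghjkl", "zxcvbnm"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}

# "12345" and "namepros" are the patterns named in the thread; MIN_LENGTH is
# an assumed value for the "basic criteria" fallback.
BLOCKED_SUBSTRINGS = ("12345", "namepros")
MIN_LENGTH = 8

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query_parts(password: str) -> tuple[str, str]:
    """HIBP range-API split: only the 5-char prefix is sent, suffix matched locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def lookup_variants(password: str) -> set[str]:
    """A hashed list cannot be searched for 'similar' entries, so the candidate
    is normalised (lower-cased; trailing digits/symbols stripped) and every
    form is hashed. This is what makes 'letmein2024!' as weak as 'letmein'."""
    variants = {password, password.lower()}
    stripped = re.sub(r"[\d\W_]+$", "", password)
    if stripped:
        variants.update({stripped, stripped.lower()})
    return variants

def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason): cheap structural checks, then breach lookup."""
    if len(password) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    lowered = password.lower()
    for pattern in BLOCKED_SUBSTRINGS:
        if pattern in lowered:
            return False, f"contains the blocked pattern {pattern!r}"
    for variant in lookup_variants(password):
        if sha1_hex(variant) in BREACHED_SHA1:
            if variant == password:
                return False, "password appears in the breach list"
            return False, "a normalised form of this password is in the breach list"
    return True, "ok"
```

Stripping one trailing run of digits and symbols is a deliberately conservative normalisation; the thread shows how quickly more aggressive similarity rules turn into false rejections, so each added variant is worth measuring against real failure rates before it ships.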
I tried at least 10 times and nothing is working. I gave up and gave it to my wife. She made it work the first time. I did not ask what she did. Maybe she scares the system. I don’t know.
Would it be helpful for us to provide a random password generator on the page?
Maybe. Orrrr.... how about making your password reset work like every other password reset on the Internet? 😉

Out of curiosity, if you go to https://haveibeenpwned.com/Passwords and enter a handful of random passwords--not real passwords that you use, but passwords comparable to what our site rejected--does that form also reject them? The database of compromised passwords we use comes from Have I Been Pwned, but we perform additional processing to check for similarities, not just exact matches. The form on that page will only check for exact matches. If it accepts your test passwords as secure, there may be an issue with our similarity detection algorithm.
I think there may be an issue with your similarity detection algorithm. I tried several totally random passwords. They all came back with this: "Good news — no pwnage found!"
Horrible.

I can't pick 99% of passwords since the update.

“not secure enough” Your pass suggestions are always what I take and I forget them 😓

Update: Restricted accounts can't participate in polls, please add 1 “No” for 6 No’s, and tell mods not to be offended, as any post that comments on my restrictions is seen as 1.5.

I know this post is likely going to be reported;
Paul actually values feedback (I hope). Ty! :)

Samer
I think there may be an issue with your similarity detection algorithm. I tried several totally random passwords. They all came back with this: "Good news — no pwnage found!"

I've disabled the similarity detection algorithm for now, although it will still ignore some common patterns such as "12345" and "namepros".

Update: Restricted accounts can't participate in polls, please add 1 “No” for 6 No’s, and tell mods not to be offended, as any post that comments on my restrictions is seen as 1.5.

I can't add a vote to the poll on your behalf, but specific feedback is even more helpful. :)
I've disabled the similarity detection algorithm for now, although it will still ignore some common patterns such as "12345" and "namepros".
I can't add a vote to the poll on your behalf, but specific feedback is even more helpful. :)
I want my vote to count.

Is that what democracy is?

Otherwise, it’s a sham.
I give you credit. The prev algo outsmarted me.
I always used “suggested password”.
I never used “12345”; keep that on. LOL.
Might as well allow “Password” ;) as password

I’m talking about parts of prev. passwords.
For example: 9 digits (yes really)
and my overall previous password 20+ or so
I want my vote to count.

We don't base our decision-making on polls alone. Posts are more helpful to us than votes.

We've stopped checking for compromised passwords for now, as it was causing too many people to give up changing their password. We plan to notify users if they log in with a compromised password. For now, we've gone back to enforcing specific criteria for passwords; these criteria aren't as strong as checking for compromised status, but they will have to do for now.
We've deployed additional updates:
  • If you have a known-compromised password, you will receive an alert each time you log in asking you to change your password. This applies to all accounts, regardless of whether we've flagged them as high-risk.
  • If you have a known-compromised password and don't have 2FA enabled, you will receive a confirmation email with a one-time PIN each time you log in from a new device.
  • Based on feedback and high failure rates, we've disabled the requirement to set a password that isn't known to be compromised and returned to a set of basic criteria, such as length and character composition. This isn't ideal, but it's better than keeping the same password.