
Starmade | Do not give users terrible password advice in password reset emails
Closed, RejectedPublic

Description

When I just reset my Phabricator password I received an email which had the following in it:

After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't forget again! Choosing a very short, easy-to-remember password like "cat" or "1234" might also help.

If you ask anyone with any sense, this is the worst password advice to give; it's even worse than using a password manager. So it would be highly advisable not to advise such insecure password storing and also not to advise users to use incredibly weak and easily breakable passwords. Seriously, if you go to any security advice site, the number one thing will be not to choose a password such as "cat" or "1234"; they will probably say to use a password which you will remember but to try and make it look like this, "p0stm@m!", so that it's harder for brute-force attacks to work. The government even had this sort of advice.

Details

Task Type
Bug
Testing Results
Affected Gamemode(s)
none/unspecified
Reproducible
uncertain
Category
none/unspecified
Hardware/Software/System
OS-Specific
No
Hardware-Specific
No
Video Card Vendor
uncertain
User/Reporter/Contact
Username on Registry
Supreme_Panda

Event Timeline

Unknown Object (User) created this task.Dec 3 2016, 7:46 PM

p0stm@m! ... is 8 characters and a variation of postman ... according to one well enough informed ex-NSA/CIA operator ... that will be brute-forced within moments.

The point here is not to have a highly secure passphrase but to have access to a reporting feature on this tool.
Other than admins or users with extended permissions, there isn't much reason to handle this with anything other than a throwaway account. The only email address linked to an account here should be a spam mail catcher you have access to.
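The reporter's suggested "p0stm@m!" and the reply's claim that an 8-character leetspeak variant of a dictionary word is brute-forced within moments can both be put in numbers. The following is an added example and is not code from the Phabricator task, its commenters, or the Phabricator project. The guess rate, the word list, the leet substitution table and the suffix list are assumptions made for this illustration; note also that the literal string on the page, "p0stm@m!", differs from the leet form of "postman" by one letter, so the rule set below catches "p0stm@n!" but not the exact string quoted.

```python
"""Added example (not part of the task or its comments): two views of an
8-character leetspeak password such as "p0stm@m!".

  1. the naive keyspace an attacker must exhaust if the password were random
     over its character classes;
  2. the far smaller "dictionary word + leet + suffix" pattern space that a
     rule-based cracker actually enumerates.

The guess rate, word list, substitution table and suffixes are assumptions."""
import itertools
import string

# Assumed offline guess rate (guesses per second). Real figures depend on the
# hash algorithm and hardware; this is a round number for illustration only.
GUESSES_PER_SECOND = 1e10

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = ["password", "postman", "letmein", "dragon", "monkey"]

# Assumed leetspeak substitutions and suffixes a simple rule set would try.
LEET = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "o": ["0"],
        "s": ["5", "$"], "t": ["7"]}
SUFFIXES = ["", "!", "1", "123", "#"]


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def naive_keyspace(pw: str) -> int:
    """Guesses needed to exhaust charset^length, i.e. if pw were truly random."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(guesses: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return guesses / rate


def mangled_candidates(word: str):
    """Yield the variants the rule set derives from one dictionary word: every
    combination of leet substitutions, optional capitalisation, and a suffix."""
    options = [[c] + LEET.get(c, []) for c in word]
    for combo in itertools.product(*options):
        base = "".join(combo)
        for cased in (base, base.capitalize()):
            for suffix in SUFFIXES:
                yield cased + suffix


def rule_attack(pw: str, wordlist=WORDLIST):
    """Return the dictionary word pw was derived from, or None if no rule hits."""
    for word in wordlist:
        if any(candidate == pw for candidate in mangled_candidates(word)):
            return word
    return None


def rule_space(wordlist=WORDLIST) -> int:
    """Total candidates the rule set enumerates across the whole word list."""
    return sum(1 for word in wordlist for _ in mangled_candidates(word))


def passphrase_keyspace(n_words: int, dict_size: int = 7776) -> int:
    """Guesses for n words drawn uniformly from a public list of dict_size words
    (7776 is the size of the standard Diceware list). The list being public does
    not help the attacker, because the words themselves are chosen at random."""
    return dict_size ** n_words


if __name__ == "__main__":
    for pw in ("p0stm@m!", "p0stm@n!", "Pa55w0rd"):
        hours = seconds_to_exhaust(naive_keyspace(pw)) / 3600
        print(f"{pw}: naive keyspace {naive_keyspace(pw):.2e} "
              f"(~{hours:.1f} h to exhaust), rule hit: {rule_attack(pw)}")
    print(f"rule set over {len(WORDLIST)} words: {rule_space()} guesses in total")
    years = seconds_to_exhaust(passphrase_keyspace(5)) / (365 * 24 * 3600)
    print(f"5 random Diceware words: ~{years:.0f} years to exhaust")
```

The contrast is the point: the naive 68^8 keyspace for "p0stm@m!" is exhausted in about half a day at the assumed rate, and any password that is really "word + leet + suffix" lives in a pattern space of a few hundred guesses per dictionary word, which a real word list of 10^5 entries still keeps well under a second. Five words chosen at random from a public 7776-word list stay out of reach for decades at the same rate, which is why length and randomness, not symbol substitution, are what makes a password strong.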

The "advice" mentioned is literally a joke. The developers who made Phabricator like to play with words and throw (obvious) jokes around, which spices things up a little and makes this environment less strict and feel looser, like when you're marking all your notifications as read.

@AndyP can probably change the content of a reset password email although I don't think we should change it.

AndyP shifted this object from the S1 Public space to the S3 Starmade space.Dec 4 2016, 10:56 PM
AndyP changed the visibility from "Custom Policy" to "Public (No Login Required)".
AndyP changed the edit policy from "Task Author" to "Starmade (Project)".
AndyP claimed this task.

Yeah, phabricator is taking a lot of stuff with some sarcasm, and makes fun of it.

I really doubt someone reading this advice will see it as a fact and think it would be a good idea to do so.
(I think phabricator will actually reject those choices.)

So yeah, main goal here, is having an easy to access reporting and communication platform.
It is not providing any authentication for other services, so yeah, even a "low complexity" password would be okay.
And as far as I could see, I can only enable the "serious" mode as a global setting, but that will take away some other fun facts you discover from time to time when derping a click and getting a nice notification, which makes it funny to remember this thing.

So yeah, I would personally say:
Won't fix that, as the effort would in general change the shape of this environment.

AndyP closed this task as Rejected.Dec 15 2016, 12:48 AM

-Rejected-

After reviewing the process and thinking about it, we are sure no one will take this advice seriously.

Restricted Application removed a project: Issue Navigation.Dec 15 2016, 12:48 AM
AndyP moved this task from Unclassed to Archived on the Starmade board.Dec 18 2016, 1:28 PM
ilf added a subscriber: ilf.Apr 5 2017, 8:32 PM