the only password that should ever be accepted is the 100% correct password. Anything else reduces the entropy of the password and makes it immensely easier to brute force.
Even then your example do not match the way Facebook do it. For example first letter uppercase is only on a mobile device. It doesn't work on a desktop.
NO!!!!
the only password that should ever be accepted is the 100% correct password.
Anything else reduces the entropy of the password and makes it immensely easier to brute force.
Even then your example do not match the way Facebook do it.
For example first letter uppercase is only on a mobile device. It doesn't work on a desktop.
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-cm...@googlegroups.com.
To post to this group, send email to joomla-...@googlegroups.com.
Visit this group at https://groups.google.com/group/joomla-dev-cms.
For more options, visit https://groups.google.com/d/optout.
The method used by Facebook removes less than two bits of entropy
from the password.
If really concerned about the reduced entropy, one could much more than compensate for that by simply adding an extra character.
Please see: https://news.ycombinator.com/item?id=3920918I'm afraid you're not getting the point:
When you said "if I submit the same string with all capitals I
am successfully authenticated", that's will absolutely
not be the case.
To be successfully authenticated you have to flip the case of every letter. The alternative good password would be:
4p{Z4K8NVBl2OW,.8NQ;$g^@.8dAI9p9
It is not about case in-sensitiveness as you are implying, here
and on Twitter.
Yes, 1 bit of reduced entropy. A little bit more (but
less than two 2bits) with the Facebook logic that apply a
special treatment to the first character (if alpha). An
extra alpha character, by comparison, adds about 6 bits of
entropy.
"Our passwords are not case insensitive. We accept three forms of the user's password to help overcome the most common reasons that authentic logins are rejected. In addition to the original password, we also accept the password if a user inadvertently has caps lock enabled or their mobile device automatically capitalizes the first character of the password. We feel this does not significantly impact the security of the user's password or their account."
As you wish, but you can't treat people like idiots (with
corresponding Tweet) when what is proposed is not the end of
the world and good enough for none less that Facebook...
Honestly yes, because all my passwords have at least 60 bits of entropy and reducing it by less than 2 bits wouldn't harm much.
In things like that math is what count, not guts.
I actually agree with Michael and Brian here. We cannot tolerate or adapt any way of reductions of pw security. Just going to repeat Brian here, "the only password that should ever be accepted is the 100% correct password" and despite Michael's reaction being rather strong... I do agree with it's merit. No compromises on pw security at all costs whatever math somebody uses to justify his opinion!
Leo
Please pardon any errors, this message was sent from my iPhone.
Sorry to bring such a stupid topic here. I didn't know it was.
Accept my apologies for not being able to judge my idea before posting. Probably I should try to keep my childish ideas away, and stay limited to bug fixes only. Or at least keep away from any new ideas unless I'm more than double confident.
Please stop bursting the rage over me on Twitter or anywhere. I'm sorry.
I just wanted opinions and not a merge. That was not a PR, Reason? What else could be.
I think you're missing the obvious point.... most mobile phone IME's automatically capitalize the first letter of a sentence (which means you have to actually uncapitalize the first letter of your password on your phone)...
What Facebook is doing is reasonable, and an acknowledgment that the internet needs to mobile first as of 2016...
You don't have to like it... but you can expect to see it in most
mobile enabled apps going forward.... but Joomla! likes to be
behind the bleeding edge, so be it.
Cheers,
Brad
You're missing the obvious point (and most important point)....
What Facebook is doing is acknowledging that the internet is now a
mobile first world, and that the majority of their users keep up
to data on their mobiles.
Most mobile IME's automatically upper case the first letter of a
sentence, which results in a lot of mobile users entering their
password wrongly without knowing.
Joomla! is not that mobile friendly anyway, so no need to follow
Facebook on this one.
I think it's a great feature for mobile friendly apps, but that's
not Joomla!'s niche.
Brad
Safari apparently consider that particular aspect (auto-capitalization) not as a bug but as "feature". It can be turned off if needed.
Actually a bug, as they say:
!... the default value is
sentences
forform
andnone
forinput
elements withtype
set topassword
as in<input type="password">
.
Well... your IME might not, but many do... maybe you just haven't
tried all of the more than 200 IME's just for iPhones, and some
work differently for different languages... I think there are more
than 800 for Android.... anyway... below is what Facebook says....
A Stack Exchange thread pointed me to this ZDNet story that explains why Facebook allows users to login through multiple passwords. According to Facebook:
We accept three forms of the user’s password to help overcome the most common reasons that authentic logins are rejected. In addition to the original password, we also accept the password if a user inadvertently has caps lock enabled or their mobile device automatically capitalizes the first character of the password.
Well... I don't use Facebook much, and my IME doesn't do it...
but I do a lot of mobile development, and it's fairly well known
in the mobile world that many IME's capitalize the first letter...
should they... no... but there are millions of apps out there, and
thousands of IME's.... anyone can install any IME they want... and
any app can use a different IME.
If you and Brian just need (crave) your flame war, have it with
Facebook. I just told you the reason, because nobody on this list
seemed to know. No point disagreeing with me... I'm not taking a
stand either way... just reporting the facts... if you want
(need?) to shoot a few more flames at me... go ahead.... some
people don't like facts ;)
Brad
Guess this could be on of those rare cases where having a "switch" to select the proposed behaviour could be a viable possibility...
(I said "switch" as I'm trying to avoid the forbidden "O"
word, which could ignite a fresh new salvo of pyrotechnic
flames...)
Mission not accomplished: running to wear my Nomex coverall.
OK, here I am, I dressed the Nomex coverall.
Sorry but:
Just a question, what's the real problem?
Just because I didn't speak up yet, doesn't mean that I would agree to this idea. Sorry, but this is simply a stupid idea. If you want to have this for your site, feel free to implement your own authentication plugin that behaves in this way, but it is a complete no-go for the joomla core. We have a duty to our users to make the software as secure as possible and knowingly weakening something as essential as the authentication system is simply unacceptable. I agree 100% with Michael here.
If you want to provide this feature to others, feel free to provide it as a third party authentication plugin, but be prepared to handle the fallout. Are you claiming to know all implications? I don't. Not only does it weaken the password, it might also introduce other weaknesses like implementation bugs, timing attacks or similar. I'm definitely not willing to take that risk.
Hannes
I understand your position, but, as I suppose many others (end-users and web designers in the max part, I think), beg to disagree.
You prefer the maximum obtainable security over a very small compromise that favor end-user UX.
This, in my books, should be "debatable" and not treated
as asinine.
... yet another "reductio ad absurdum".
What is proposed has been adapted by Facebook, and I don't think
they were all buzzed-up when they took that decision, unless you
know better.
adapted = adopted, sorry,
The history is full with such "cool" ideas that compromise security just a tiny bit for UX/profit/world peace and which fucked them later big time. If you take security seriously, there is no compromise. If you don't, then I have no business in this project anymore.
then you should ENFORCE minimum 12 chars password with a mix of
characters (upper AND lowercase), numbers, and symbols.
... but you want to dictate other policies that have a far lesser impact.
Joomla allows me to use "smz" as my password: 9.2 bit of entropy
(crap!!)
I want to be sure and make it "smz1": 14.2 bits
Apply Facebook algorithm: 14.2 - 1.59 = 12.61
better than "smz"!!!
I'm going to bed and in the morning will submit a pull request that solves your imagined problem and does not change passwords
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-cm...@googlegroups.com.
To post to this group, send an email to joomla-...@googlegroups.com.
Sorry? Have I used all-caps??? :-/ where??
To post to this group, send email to joomla-...@googlegroups.com.
> Password strength rules are different from server side processes which weaken the user password
No, they aren't: that's mathematically irrefutable.
Sergio,
I agree whole-heartedly. It is a tiny, insignificant difference
to password strength, and is easily more than offset by simply add
one more character to your password :)
I don't expect, or even want Joomla! to follow Facebook for
this.... but I definitely agree with Facebook doing it. Facebook
is something that a lot of people depend on daily (not me... I log
into Facebook about 3 times a year) and for many people, being
locked out of their Facebook account for an unknown reason causes
a tremendous amount of work for Facebook support reps....
It's not something that Joomla! (or any other framework) should
do as a default, but it is something that mobile-centric
applications should consider. After all... Facebook lists having
caps lock on, and IME's capitalizing the first letter as the two
things that stop legitimate users from logging in.... and they've
got enough users to have good stats.
I'm not changing my websites to have the 3 passwords.... but now
that Facebook has done it.... I will definitely be doing it for my
mobile apps ;) (was scared to do it before, but now that Facebook
has done it, it will become common).
I'm guessing that Michael has cancelled his Facebook account by
now.... :).
Brad.
"Input Method Editor", but many people use "Input Method
Extension" .... Android (and Apple) allows users and apps to
download any IME they want....and any program can build their own
if they want.
Basically... if you use a Chinese IME, you get a box like the English one... but as you type Pin Yin (english version of Chinese)... it shows the corresponding Chinese characters below the the box... when it selects the one you want, you can push enter to input it into the text box.... most Chinese IME's show a selection of chinese characters that potentially match what you input...
Here's a simple one.. This is what a Chinese user of Google uses to search (if they get through the Great Firewall)... there are many, but this is a simple one that only uses Pin Yin when typing... many also have boxes beside them to draw the Chinese character:
Basically, you type "ni hao"... and the corresponding Chinese characters (for "Hello")... show up.
BUT... it should be noted that the IME itself normally does not
know what called it.... it's simply a component that is called and
passes back the results to the calling program....The program
should deal with the results properly... many don't...
I'm not changing my websites to have the 3 passwords.... but now that Facebook has done it.... I will definitely be doing it for my mobile apps ;) (was scared to do it before, but now that Facebook has done it, it will become common).
Time tested, then. And the sky has not fallen yet.
I'm not changing my websites to have the 3 passwords.... but now that Facebook has done it.... I will definitely be doing it for my mobile apps ;) (was scared to do it before, but now that Facebook has done it, it will become common).
Facebook did it in 2011 - thats FIVE years ago
Sorry, can't test as I don't have a FB account, but how have you
tested? From your MacBook? Couldn't it be that they did it in
their "Apps" only?
To put the icing on the cake. Did anyone try to see if Facebook still do this in 2016 ??
I just did and guess what the only password that was accepted was my exact password
Thanks, Brad.
I haven't a FB account and I haven't an IOS device (actually I don't even have a modern smartphone, being loyal to my old BlackBerry Bold): can you test if this little CSS does the trick, at least as far as regards the autcapitalization issue?
input[type='password'] {autocapitalize:off;autocapitalize:none;}
Cheers,
Sergio
P.S.: can you please also try using the "-webkit-autocapitalize" CSS attribute?
P.P.S: if the proposed CSS does work, only the "flip the case"
part of the game would suffice to fix the CAPS-LOCK issue,
reducing the entropy loss to a mere "1 bit"
I suggest having a feature to allow for the following variations of password during user authentication.Case 1: Assume the original Password is: PassWord@1The acceptable variations would be:PassWord@1 => Original password as it was set, obviously.passWord@1 => First letter was capitalised by mobile device while setting password.pASSwORD@1 => Caps-lock state reversed during login.PASSwORD@1 => Caps-lock state reversed AND First letter capitalised by mobile during login.Case 2: Assume the original Password is: passWord@1 (first is lowercase)The acceptable variations would be:passWord@1 => Original password as it was set, obviouslyPassWord@1 => First letter was capitalised by mobile device during login.PASSwORD@1 => Caps-lock state reversed during loginpASSwORD@1 => (umm, not sure)1-3 are same for both cases. The 4th only applies to the 2nd case. But we don't know what case is the first letter in the stored password anyway!So all these four variants can be accepted as correct password. I am not sure whether this would even make sense in general. Therefore not created a PR yet, see my commit at izharaazmi@b6837f8 and let me know whether this should be a PR.Facebook has this feature already for quite long. See http://www.zdnet.com/article/facebook-passwords-are-not-case-sensitive-update/
Thanks, wdburgdorf.
Geee... I really hope nobody will jump on this idea and make a
commercial plugin out of it!
> ... I give up
I'm sorry.
> All I'm getting out of this thread is a list of people whom I would never trust with my data because they feel customer convenience outweighs security every day.
Reductio ad absurdum (and mildly offensive)
Michael,
I don't want to offend (especially not as somebody did to me elsewhere, at the edge or beyond the edge of penal relevance), but what I'm getting from your story is that you've been badly bitten in the past or have been deeply inculcated with the concept that "not even a bit of additional risk" is acceptable.
I concur that this could be the case in some cases, but
making out of it a general unbreakable law, to me that means that
one takes decisions more listening to his guts feelings than
exercising his intellectual faculties, especially as nothing in
Joomla prevents one from using what you'll probably call asinine
passwords.
I was about answering with a "My turn giving up!", but no,
that wouldn't be fair and it would be offensive to your
intelligence.
To me this proposal falls into the "general unbreakable law" category because it prioritizes user convenience over account security.
And that's exactly what I'm confuting: isn't this exactly the same as not enforcing a minimum password entropy?
It is for user convenience that we do not enforce a minimum password complexity and/or two factors authentication and we leave users the freedom and responsibility of adopting their security rules. Why should this proposed option be seen any different?
You insist in calling "asinine" something you don't agree with (while others do). Sorry, but this should not be allowed here, not even to a column of the community like you are. There are dozens of way for saying you do not agree or even consider this a very-very bad idea without recurring to offensive and inflammatory adjectives.
I call it as I see it. Sorry (not sorry) if it offends, but I will not sugarcoat my opinion about things, especially when it pertains to security matters.
sorry, meant to say "incompatible with authoritativeness"
Joomla should be as secure as possible by default, with no core option to degrade it.
Any decisions to make it less secure (even by 1 bit) should be an active design and development decision by the site owner. As is the password policy.
A 3rd party plugin to implement this is OK (and might be popular), but not for the core joomla product.
I cannot force people to use secure passwords (although I would if I could), but I can ensure that the password chosen is the only one that lets them login.
If you value users over security, and can argue that making your website less secure for the sake of users (and your website support team) then go for it - there may appear be a financial saving in doing so (until your decision to lower the security causes a breach, and have to pay fines or get sued).
Just like I don't want a key that is almost the same as mine opening my door (house, car, shed, whatever), even if it my "almost the same" key that looks the same on my keyring. I will only be happy if the right key opens the right door, even if it is inconvenient and I have to try twice (or more) to get the door open. The same applies to my websites.