No idea about that I'm afraid. If it becomes an issue then it may be worth switching it off again, but I've not seen or been made aware of any hacking attempts the last few days.I’ve set up the two step security (with email verification) and even though I’m logged in I randomly got yesterday and today verification passes sent to me. I wonder if it’s a glitch or somebody attempting to login here
That's useful guidance, but we need to work with what we have available - passwords and 2FA. Whilst the complexity argument is indeed flawed by human behaviour, it doesn't alter the fact that there are 26 upper case characters, 26 lower case, 10 numeric characters, and (depending on character set) a number of special characters. Consequently as in any cryptographic algorithm, by and large simple character replacement can only take you so far. The longer and more complex the password, the easier it is for the hacker to fall foul of the limited number of failed logins the target system allows. However with complexity comes the desire to write down or store the password, which undermines its effectiveness with a new vulnerability.. For this reason, I like the use of a number of discrete words separated by numbers and characters., to achieve semantic complexity rather than character-set complexity. At least that's my choice. I also like 2FA and always use Face or Fingerprint authentication where possible.
There are multiple vectors of attack against passwords (including shoulder surfing, network sniffing, brute force, re-use, etc.). Using very long/complex passwords - allied to a limited number of permitted failed logins - will go some way to redressing brute force attacks, although most hackers will be using Rainbow Tables these days, which considerably reduces the effectiveness of long/complex passwords or passphrases
Noted @Adrian Jones which is why we would prefer people to do whatever they can to protect their accounts themselves, which can also include requesting us to set their account to exclude access to the classifieds/marketplace if they wish
Not quite true. It states that requesting customers to frequently change Password can be bad; "Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user." This can result in users just using slight variations each change or other short cuts.
Doesn't matter whether you say "frequently" or "regularly" - the point is that forcing users to change passwords (other than immediately after a known compromise) is counterproductive and is more likely to weaken security than to strengthen it.
I guess something like a Yubikey would be the way around that, but it would depend on the forum software supporting it.
Which is why I included the quote with the numbers. The link you provided to the NCSC might be useful for TP management if they have not already studied it.
Indeed - there are three factors at play in any security scenario - "Cost", "Security" and "Ease of Use". You can never optimise all three, and for any given context it's a case of finding the right balance between these conflicting requirements.
NCSC said:
