Enforce safe passwords/password policy
- tammo
- Topic Author
- Official LimeSurvey Partner
3 years 11 months ago - 3 years 11 months ago #199449
by tammo
Tammo ter Hark at Respondage
For Limesurvey reporting, education and customized themes
respondage.nl
Enforce safe passwords/password policy was created by tammo
Is there any way of enforcing safer passwords for survey administrators? As far as I can see, the user can change his password to a one-letter password.
I would like to have a minimum number of x characters and a minimum of 1 lower case, 1 UPPER CASE and 1 special character.
And a notification to change the password at regular intervals.
I tried looking for this, but came up with nothing.
Using LS3, most recent version,
greetings,
Tammo
Last edit: 3 years 11 months ago by tammo. Reason: Typos
The topic has been locked.
- DenisChenu
- LimeSurvey Community Team
3 years 11 months ago #199450
by DenisChenu
Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
Replied by DenisChenu on topic Enforce safe passwords/password policy
Only in 4.X currently.
The event was not added to 3.X.
The following user(s) said Thank You: tammo
- tammo
- Topic Author
- Official LimeSurvey Partner
3 years 11 months ago #199453
by tammo
Replied by tammo on topic Enforce safe passwords/password policy
You did not make a plugin for this?
- DenisChenu
- LimeSurvey Community Team
3 years 11 months ago #199459
by DenisChenu
Replied by DenisChenu on topic Enforce safe passwords/password policy
Nobody asked, and there is no real event in 3.X for this.
- holch
- LimeSurvey Community Team
3 years 11 months ago #199488
by holch
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
Replied by holch on topic Enforce safe passwords/password policy
To be honest, I personally think that those restrictions generally lead to the most danger. Suddenly people cannot use the passwords they want, and then they note them down, write them on a post-it next to their screen, etc. The more you try to force people to use cryptic passwords, the more dangerous it gets. I am talking about normal users, not IT people.
The following user(s) said Thank You: DenisChenu
- tammo
- Topic Author
- Official LimeSurvey Partner
3 years 10 months ago #199497
by tammo
Replied by tammo on topic Enforce safe passwords/password policy
You could be right. This is probably true when people do not use a password manager.
Anyway, this is a "must have" for a customer. The IT department decided that. For me no use arguing.
Tammo
The following user(s) said Thank You: DenisChenu
- DenisChenu
- LimeSurvey Community Team
3 years 10 months ago - 3 years 10 months ago #199500
by DenisChenu
Replied by DenisChenu on topic Enforce safe passwords/password policy
holch wrote: To be honest, I personally think that those restrictions generally lead to the most danger.
Size, and advice to use a sentence, maybe.
Without restrictions: users are sometimes so kind to bad people …
Last edit: 3 years 10 months ago by DenisChenu. Reason: remove hacker for bad people
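A check for the policy tammo asks for at the top of the thread (minimum length x, one lower-case, one upper-case and one special character, plus a periodic change notice), extended with the length-based passphrase waiver DenisChenu suggests above. This is an added Python example, not LimeSurvey code or a plugin, and the numeric limits (12, 20 and 90) are assumed values.

```python
"""Password-policy check for the rules discussed in this thread (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12             # the "x characters" of the post; 12 is an assumed value
    require_lower: bool = True       # at least one lower-case letter
    require_upper: bool = True       # at least one UPPER-CASE letter
    require_special: bool = True     # at least one special character
    special_chars: str = string.punctuation
    passphrase_length: int = 20      # a sentence this long passes without class rules (assumed)
    max_age_days: int = 90           # interval after which a change notice is due (assumed)


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters required")
    # Long passphrases are accepted on length alone (the "size and sentence" advice).
    if len(password) >= policy.passphrase_length:
        return problems
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("at least one lower-case letter required")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("at least one upper-case letter required")
    if policy.require_special and not any(c in policy.special_chars for c in password):
        problems.append("at least one special character required")
    return problems


def password_change_due(last_changed: str, today: str,
                        policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when the password (ISO dates) is older than the policy's maximum age."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed candidates: too short, short but complex, long plain passphrase.
    for candidate in ("a", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "accepted")
    print("change due:", password_change_due("2024-01-01", "2024-04-01"))
```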
- jelo
- Platinum Member
3 years 10 months ago #199535
by jelo
Replied by jelo on topic Enforce safe passwords/password policy
holch wrote: The more you try to force people to use cryptic passwords the more dangerous it gets.
It's not about cryptic passwords, it's about exposed passwords. Brute-forcing combined with already known information.
Most people cannot imagine how many brute-force attacks on logins are happening on the internet in a few minutes.
LimeSurvey as a web application is not a top target, because it doesn't automatically contain user data of value (like a webshop) or attract many users (like a website with SEO potential).
In the last 12 months, more SaaS tools began to implement simple 2FA solutions (e.g. E-Mail with an access code for every login). If you use 2FA with more sophisticated tokens, you will need to educate people a lot. The introduction of 2FA should be done with the case in mind where you don't have access to the second factor (token lost or broken).
The password complexity should be raised a bit, and fine-tuning should be possible for admins.
Username and password should be on different forms to reduce attack automation a bit.
An additional form field for an OTP or a simple security word can reduce the attack vector a bit.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: tpartner, tammo
- holch
- LimeSurvey Community Team
3 years 10 months ago #199578
by holch
Replied by holch on topic Enforce safe passwords/password policy
tammo wrote: Anyway, this is a "must have" for a customer. The IT department decided that. For me no use arguing.
I know - just saying.
The tougher the rules, the more "creative" users become in remembering passwords, and then suddenly all the good intentions caused exactly the opposite.
And I have no solution for the dilemma.
jelo wrote: 2FA solutions (e.g. E-Mail with access code for every login).
This solves security problems, but users will hate it because it takes time and the codes do not always come as quickly as they are supposed to. Then you need to do something and can't log in and have to wait for the email to arrive.
Don't get me wrong, I am fully aware of the risks of easy-to-crack passwords, but current attempts often lead to rejection by users to the point that a tool becomes 'unusable' for them due to the restrictions.
Tricky but very interesting topic.
- DenisChenu
- LimeSurvey Community Team
3 years 10 months ago #199584
by DenisChenu
Replied by DenisChenu on topic Enforce safe passwords/password policy
There was a 2FA plugin at one time in the Store, but it seems to have been deleted.