• I want your opinions on the following situations:

    I have a bunch of users who are not the most technology-smart people.

    Would you…

    A) install a plugin that forces users to have a strong password, lower case mixed with upper case and symbols

    B) install a plugin that forces users to change their password every x days/weeks/months/etc…

    and is there a plugin that acts like a “master reset button”? Whenever I hear that passwords got hacked/stolen at xyz site, I change my passwords all over: my control panels of all my sites, social media, gmail and so forth. (None have the same password, by the way.)

    I want to be able, in case things happen anywhere, to have the option to do an emergency reset of ALL passwords. This site has 3,780 users.

    A long time ago, when I started building sites, one user’s account got hacked and the hacker commented on all posts and forum sections by embedding an adult video GIF. It isn’t good to have porn all over a family site. I learned a lot since then.

    I want your opinions.

    Thank You.

Viewing 1 replies (of 1 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Would you…

    A) install a plugin that forces users to have a strong password, lower case mixed with upper case and symbols

    B) install a plugin that forces users to change their password every x days/weeks/months/etc…

    The answer is “It depends”. The first option is the most attractive to me.

    https://www.ads-software.com/plugins/search.php?q=password+strength

    With a large site of 3,780 users you do not want the focus to be security (unless it’s a site about security…) and just enforcing a set password strength should be fine.

    If your users choose strong passwords and the password reset mechanism works then that should be good.

    You can enforce password aging but that may turn off your users.

    https://www.ads-software.com/plugins/search.php?q=password+aging

    Performing password aging is useful when there is private data to protect (credit card info, social security, etc.) but that may turn off your users. That requirement should be based on a defined policy based on risk. If the risk is that a hacker can get just the user’s name and email then that may be overkill.
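The two things the original poster actually asked for, a strength check and a “master reset button”, both fit in a single must-use plugin. The following is an added example written for this thread; it is not from either participant and not from any plugin in the directory. It assumes a reasonably current WordPress (the `retrieve_password()` function has been public since 5.7) and WP-CLI on the server; the policy thresholds (12+ characters, mixed case, a digit or symbol, no username inside the password), the `ex_` function names and the `ex-emergency-reset` command name are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Example password policy and emergency reset
 * Description: Added example for the forum thread above, not code from any published plugin.
 *
 * Put this file in wp-content/mu-plugins/ so it loads on every request and
 * cannot be switched off from the dashboard. Part 1 rejects weak passwords
 * wherever a user can set one (profile screen, lost-password form). Part 2 is
 * a WP-CLI command that invalidates every password, destroys every login
 * session and emails each user a reset link.
 */

// Part 1: the policy itself. Hypothetical thresholds; length is the part that
// matters most, the character-class rules are there because the poster asked
// for them. Returns a list of human-readable problems, empty if the password
// passes.
function ex_password_policy_errors( $password, $user_login = '' ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'at least 12 characters';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'both lower- and upper-case letters';
    }
    if ( ! preg_match( '/[0-9]|[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'a digit or a symbol';
    }
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        $problems[] = 'something other than your username';
    }
    return $problems;
}

// Shared hook body: WordPress posts the new password as pass1 on both the
// profile screen and the reset form. Adding an error to the WP_Error object
// makes core refuse the save.
function ex_enforce_password_policy( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // this request does not change the password
    }
    $login = ( is_object( $user ) && ! empty( $user->user_login ) ) ? $user->user_login : '';
    $problems = ex_password_policy_errors( wp_unslash( $_POST['pass1'] ), $login );
    if ( $problems ) {
        $errors->add(
            'weak_password',
            '<strong>Error:</strong> The password must contain ' . implode( ', ', $problems ) . '.'
        );
    }
}

// Profile and user-edit screens (self-service and admin edits) ...
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    ex_enforce_password_policy( $errors, $user );
}, 10, 3 );
// ... and the "lost password" reset form.
add_action( 'validate_password_reset', 'ex_enforce_password_policy', 10, 2 );

// Part 2: the emergency reset. Usage on the server:
//   wp ex-emergency-reset --yes
// Each user gets a random 64-character password nobody knows (so the old one
// stops working at once and the auth cookie, which is tied to the hash, is
// invalidated), all session tokens are destroyed, and the standard reset
// e-mail is sent. 3,780 users means 3,780 e-mails: run it from a shell or
// cron, in batches, and expect your mail provider's rate limits.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'ex-emergency-reset', function ( $args, $assoc_args ) {
        WP_CLI::confirm( 'Invalidate ALL user passwords and e-mail reset links?', $assoc_args );
        $batch  = 200;
        $offset = 0;
        $done   = 0;
        while ( true ) {
            $users = get_users( array(
                'fields'  => array( 'ID', 'user_login' ),
                'number'  => $batch,
                'offset'  => $offset,
                'orderby' => 'ID',
            ) );
            if ( ! $users ) {
                break;
            }
            foreach ( $users as $u ) {
                wp_set_password( wp_generate_password( 64, true, true ), $u->ID );
                WP_Session_Tokens::get_instance( $u->ID )->destroy_all();
                $sent = retrieve_password( $u->user_login );
                if ( is_wp_error( $sent ) ) {
                    WP_CLI::warning( "Reset mail failed for {$u->user_login}: " . $sent->get_error_message() );
                }
                $done++;
            }
            $offset += $batch;
        }
        WP_CLI::success( "$done users reset; they must use the e-mailed link to log in again." );
    } );
}
```

Two practical notes. The reset command locks out every administrator too, including the one running it, so make sure the mail path works (send yourself a test reset first) before pressing the button on a live site. And because the policy only fires when a password is set, existing weak passwords stay weak until their owners change them; the emergency reset is one way to force that change for everyone.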

  • The topic ‘password security and chaging passwords’ is closed to new replies.