Creating A Password

I just received my invitation to join and did so. One step was to create a password, which I did. Interested that it was only a one step process and not a “type password” then “confirm password” process.

1 Like

Thanks for the feedback Michael, we’ll take it on board.

It might also be helpful to have the password guidelines displayed so everyone knows to use at least 10 characters in the creation of their password (and any other rules that apply: caps, numbers etc.), because if you don’t satisfy the password criteria the message that comes up is that the link has expired, not that you haven’t satisfied the criteria.

Brendan from Choice quickly set me straight once I made contact but it might save some confusion if the password rules were displayed at the point of change.

Thanks to Choice for the community initiative!

4 Likes

agree, and why 10 characters, 6 should be ample
Lou

3 Likes

Hmm, thank you – we’ll test that.

The forum software (Discourse) just sets a character minimum, rather than rules for special characters. Password cracking software has figured out how to crack special character rules these days, as people tend to use fairly predictable letter-number substitutions and/or short prefixes and suffixes. There’s a great paper on it from the University of Cambridge’s computer lab:

But even better is this comic:

But we all have far too many passwords, it’s a mess. Ultimately we need to get rid of passwords altogether. The second most common thing for someone to do on a login form is to click RESET PASSWORD! For this forum I’ve made sure we have a super-fast email processor, so at least when you do that your reset should come through instantly.

2 Likes

Hi there, … a question and some feedback:

  • Initially I was skeptical that the original email was genuine, thus I opened up the secondary email on my iPhone - just in case it was malicious. (Note that the secondary email from noreply@… went straight to my Junk folder … I am always loath to click on links in emails anyhow!) Seeing that it was genuine, I proceeded to open it on my laptop.
  • After opening on my laptop, I noticed that the password for this site was not consistent with passwords for voiceyourchoice.com.au (nor choice.com.au). I now have three passwords for Choice websites. Any chance of implementing single sign-on for all Choice websites?

Thanks

Yes – after sending the first invitations we realised that the noreply email address didn’t look very trustworthy. We’ve now configured the site to send all automated emails from a choice.com.au address that goes to the choice.community team so people can reply to it.

[quote=“Choice_VI, post:6, topic:849, full:true”]
I noticed that the password for this site was not consistent with passwords for voiceyourchoice.com.au (nor choice.com.au). I now have three passwords for Choice websites. Any chance of implementing single sign-on for all Choice websites?
[/quote]

We’re on it, but it’s not as easy as it should be. Unfortunately the sign-in system for choice.com.au is closely tied to the site’s content management system so we can’t use it for other logons. However we are working to unite everything under standard single sign-on protocols. The forum software we’re using (Discourse) should make it easy for choice.community to add that when the time comes.

1 Like

I agree with the 10 characters passwords. As far as I am aware nowadays it takes a hacker about five minutes to hack a password with only six characters.

1 Like

I recommend and use a password manager which will create a password for you. I also add the username and web site to the details tab and any notes. I only have to remember the one password to open the database, and it will fill in the details if I use the password widget in the browser. There is an Android app that I use on my phone as well. Of course you have to set up and use a good password for the password manager.

I use a paid version but there are some good free password managers as well.

Choice could remove the need for passwords by using an approach where we identify ourselves to our devices first.

A current trend is 4-digit PINs that are claimed to be as or more secure than a password. Sure they are. Regardless of whether they are or are not, 4-digit PINs are used on Windows 10, SIMs, debit/credit cards, and an increasing number of “things”.

Fewer “good” characters beats any number of obviously predictable characters, so an enforced minimum beyond perhaps 6 or 7 might make someone feel good, but in practice is not “added” security without additional requirements.

I agree, ten characters seems a lot for this site, no $ are involved. :slight_smile:

G’day!

A 4-digit pin works fine for situations where you have two-factor authentication. That is, to break into your account the attacker would need both your PIN and to have physical possession of your card or device.

(There are incidentally three possible factors in an authentication system: something you have, something you are, something you know. So asking for two passwords isn’t two-factor, but pin-and-chip or card-and-fingerprint for example are).

In an online system like this one, there’s only one factor really possible: something you know. If we allowed 4-digit PINs here there would be an easy way to compromise accounts: just try to log into every account on the site using 0000. Before you’ve tried 10,000 accounts you’ll be in for sure.

So how to make a single password secure? To do my due diligence I looked for the best available research and read the 161 page report on the topic from the Cambridge computer lab linked above. Yes, I think being a massive nerd might be one of the criteria for working at CHOICE. Anyway, they conclude that long passwords with no special rules have been shown to be the most secure and most memorable option available (they tested both). People are used to coming up with C0mpl1c4ted pa55w0rds so 10 characters like that is a bit much. But it’s actually fine to do something like horsebatterystaple instead, which is easier (obviously please don’t actually use horsebatterystaple).

Now I do appreciate that this may still be more secure than really necessary. These are not the nuclear codes and choice.community is free.

But.

People are also asking us to link choice.community accounts with their CHOICE member accounts. If we do that we have extra security obligations. We’d be linking to real names, addresses, payment info.

But here’s the truth: I’m also worried about the security of this community, beyond your account. We want to add things like product and service reviews, but as you know most websites that allow reviews are full of rubbish - fake reviews, astroturfing, paid shills by the truckload. So we want to be different. If you see a review on choice.community you should be able to trust that it’s written by a real Australian consumer, not a shill hiding behind a hijacked account.

So I do take your point, and you have my gratitude for taking an interest and making that point. For now though this is the line I’m taking. But this is your place, so I’m still open to discussion on this or any other matter.

Regards,

V.

I appreciate your thoughtful reply, but most of us have more than enough passwords. Human nature causes them to be reused. Every time one of “you” adds yet another requirement, off we go to invent another memorable password to propagate, that also meets everyone else’s rules. OK, some use password vaults, but when those get corrupted it is not pleasant. Some use pads.

Based on research “mouse button” password entry is more secure than any characters or PIN based method since a trojan cannot reliably sample them. If security is paramount why not give us an RSA option? (/joke) At what point is enough enough or too much too much? Thankfully web browsers can remember passwords, although those repository files can be stolen from PCs and decrypted, and I think you see where my commentary would be going if I continued…

1 Like

Yes it seems strange that my on-line Choice subscription is perfectly happy with my 6 character password, but Community Choice requires 10 characters, yet it just gives me access to forums, not to premium content :slight_smile:

10 characters is pushing the friendship and has the potential to end up with less secure passwords than 8 characters or less.

One should not assume everyone has or is using a (mobile) device.

OK, we have a good question above. Why does choice.com.au, which provides paid services, have a lower password threshold than choice.community, which provides a free service?

Like a lot of things it comes down to tradeoffs with a few factors, and one of them is money.

So to start with: choice.com.au is built on a fairly expensive enterprise-grade proprietary content management system, hardened against attack. It should be hard to break into, which means it needs to defend against the online attack scenario.

The Online Attack Scenario for choice.com.au

Imagine a moderately determined online attacker. They can run a script to try various passwords on our website. We’ll rate-limit their attempts, but they get around that by pointing a botnet at us – a network of say a few hundred compromised computers.

How long would it take for the online attacker to break a 6 character password?

https://www.grc.com/haystack.htm

Almost 4 days. Is it worth an attacker spending 4 days of their botnet’s time to access content they can get by just paying $23.95 a quarter? Nope! Excellent, we have enough security. But if we ever detect more serious attempts to compromise choice.com.au we’ll look at it again.

And what if an attacker wants to edit a story on choice.com.au? You can’t do that with a normal CHOICE member account – we have serious security around that. And what if they want your credit card details? You’ll notice if you log into your choice.com.au account we don’t display them, so the attacker is out of luck there.

The offline fast attack scenario for choice.com.au

Choice.community is free, so we run it on a shoestring. We use a pretty amazing free and open source platform called Discourse. The people who write Discourse are using the latest known techniques to keep it safe. Even so, in the past Discourse sites have actually been compromised, even with 8-character passwords, probably using an offline fast attack.

How long does it take to crack a 6-character password using an offline fast attack?

0.00321 seconds. Ah.

How about 8 characters? 29 seconds.

10 characters? 10.45 hours.

Is it worth nearly 11 hours of cracking time to compromise a choice.community account? If we succeed as a community, then yes. This forum is going to rank like crazy on Google for questions like “where should I buy a new car on the Gold Coast?” and answers to that question from highly trusted accounts in this community could bump someone into the top 10 results on Google. It’s the kind of thing grey-hat SEO companies charge big money for, and their customers don’t always know the shady techniques they use to get their results. So even at 10 characters we’ll be on the lookout for compromised accounts, and we’ll be doing everything we can to keep attackers on the online attack side instead of the offline attack side.

It might be some consolation to know that to log into my administrator account I have to use a longer password, which would take a year and a half to crack using a fast offline attack. And really, if you come to value your account on choice.community I would recommend you use 12 characters or more as well.

Twitter is hardened, so whoever broke Sarah Silverman’s 6-character password to post this either spent the 4 days of computation time or had access to a lot of computing power:

p.s. I also agree this is all horrible and stupid. We have too many passwords, and passwords are a terrible way to control access to things. The moment something better comes along I will adopt it, I promise.

Here’s how my favourite security expert Bruce Schneier recommends dealing with it for now:

  • Keep a copy of all your important passwords in your wallet
  • Keep another copy of all your important passwords in a secure location (e.g. at home in a locked box)

If your wallet is lost or stolen or your box is broken open, you have to change all your passwords. Luckily you have the other copy of them so that won’t be too hard. Meanwhile you can look them up easily because you carry them in your wallet, so they can be long and secure instead of memorable.

The absolute most important password you have is to your email account – because everything else will send password resets there. If your email is compromised, everything is compromised.
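The cracking-time figures in the post above can be reproduced by hand, which also shows how much they depend on the alphabet assumed. This is an added example, not code from the thread or from the linked calculator; it assumes the calculator’s scenario rates (1,000 guesses/s online, 100 billion guesses/s offline) and its rule of sizing the alphabet from the character classes present. With those assumptions the 6-character figures (almost 4 days, 0.00321 s) match a lowercase-only password, while the 8, 10 and 12 character figures (29 s, 10.45 h, a year and a half) match letters plus digits, and the last function turns a chosen threat model into the minimum length a policy should enforce.

```python
import string

# Scenario rates assumed by the GRC "haystack" calculator linked in the post
# (assumption made here, not a measurement from this forum).
ONLINE_RATE = 1_000                   # guesses/second through a rate-limited login form
OFFLINE_FAST_RATE = 100_000_000_000   # guesses/second against a stolen hash database

# Alphabet sizes the calculator adds for each character class it sees.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive attacker must assume, judged from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += LOWER
    if any(c in string.ascii_uppercase for c in password):
        size += UPPER
    if any(c in string.digits for c in password):
        size += DIGITS
    if any(c in string.punctuation + " " for c in password):
        size += SYMBOLS
    return size


def search_space(alphabet: int, length: int) -> int:
    """Every candidate of length 1..length: shorter strings are tried first."""
    return sum(alphabet ** n for n in range(1, length + 1))


def seconds_to_crack(alphabet: int, length: int, rate: float) -> float:
    """Worst case: the whole space is tried at `rate` guesses per second."""
    return search_space(alphabet, length) / rate


def min_length_for(alphabet: int, rate: float, target_seconds: float) -> int:
    """Smallest length whose exhaustive search takes at least `target_seconds`:
    the number a password policy should enforce for a given threat model."""
    length = 1
    while seconds_to_crack(alphabet, length, rate) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed sample passwords chosen to match the post's figures.
    for pw in ("abcdef", "abc12345", "abcde12345", "abcdef123456"):
        a, n = alphabet_size(pw), len(pw)
        print(f"{n:2d} chars, alphabet {a}: online {seconds_to_crack(a, n, ONLINE_RATE) / 86400:.2f} days,"
              f" offline {seconds_to_crack(a, n, OFFLINE_FAST_RATE):.4g} s")
    print("letters+digits length to survive a year offline:",
          min_length_for(LOWER + DIGITS, OFFLINE_FAST_RATE, 365 * 86400))
```

The jump from 0.00321 s to 29 s between 6 and 8 characters is mostly the change of alphabet, not the two extra characters; comparing policies only makes sense with the alphabet held fixed.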

Do yourselves a favor and buy 1Password. It’s software plus an extension for your favorite browser.
Remember 1 crazy password and it’ll give you access to all your passwords. It’ll even log into the site for you so no copy and pasting login and password details. It will also detect when you create a new password and ask if you’d like to save it.

It’s changed my life…

I don’t work for these guys at all. I was recommended this software by my security crazy web master.

Guy

1 Like

I use 1Password for my personal information also. However, I think it’s only available on Mac OS X.

Another alternative is LastPass.