Changes to password policies

In reaction to the recent attacks on Linux Mint, policies were changed on the forums and community websites, to only accept complex passwords:

  • With a minimum length of 10 characters
  • Which include both lower and upper case characters
  • And which include digits and symbols

Note: This post was edited on March 16th. The ability to set custom passwords on the community website was initially removed and it is now available again. Many thanks for your feedback.

 

55 comments

  1. Okay, what about the old users?

    Edit by Clem: Old empty/inactive accounts were pruned and all passwords were reset on the community website. On the forums, users were warned by email about the breach last week.

  2. Hi Clem. then how do we log in now on the community website, I logged out but could not log back in. So I selected forgot password, but nothing gets e-mailed to me. What is the new procedure ?

    Edit by Clem: That’s the way to do it. Check your spam box just in case it’s there.

  3. @Fabio #1 – Good idea. Unfortunately, there’s still a lot of folks who don’t have smartphones or non-smartphones that can receive text messages. I know, I’m one of them. 😉

    What is badly needed is cheap 2FA solution that folks can use that doesn’t require a $145 contract with a cell company. Like a simple dedicated 2FA device the size of say, a key fob, with an LCD readout that can receive 2FA text messages only.

  4. So…the community no longer accepts custom passwords but can be generated/reset, but not set by users…and those passwords are then sent to the user by INSECURE EMAIL?! WTF!

    I had this happen to me today. I was astounded. No way to set a personalized secure password via an https connection and my newly generated one arrives in the clear via email?

    Methinks you guys need to read up a bit more on security.

    Edit by Clem: It has its cons, but the most important thing is you, and it’s more important than your community account.

  5. Clem, I have to agree with Joe. Sending passwords via email is outdated and insecure. For anyone with an email from a big company’s free email service (which many people have), you will be giving the password to that company and the government(s). Please reconsider.

    Edit by Clem: It’s not ideal and you make a good point, but it only compromises your community account for now (which is not sensitive), while keeping you safe, so I still think it’s a positive change. That said, we’ll consider implementing password complexity restrictions and if we manage to do that, we might be able to allow custom passwords again.

  6. Hi Clem, it’s been a couple days now, and still no e-mail. It is not in the spam folder either, and when I try to reset again, I get “e-mail already sent” What can I do ?

    Edit by Clem: Hi Crewp, we’ll check the logs. It’s possible the email is rejected by your email host.

  7. It would be very useful to have latest version of KeePassX in the repository, because we can then easily sync the database to a newer one (kdbx) Windows KeePass database and vice versa. Thanks 🙂

  8. Hi Clem: If I am understanding the policy and comments above incorrectly, that you send passwords in the clear, please ignore my post here.

    I keep my e-mail on a shared server at my domain provider. I like keeping e-mail away from my PC and access it using pine on the provider machine over ssh for security purposes (saved me from viruses MANY times). If you send a password to me in the clear the possibility exists someone else on the shared server can view my e-mails (this happened in the past when I was on a previous provider, not my present provider). If possible, please force a password change (over https) on first use of the e-mailed-in-the-clear password, a password change that doesn’t get sent to my e-mail or phone in the clear.
    Thanks Clem! – MikeColley

  9. Why are you storing passwords? You should be storing only hashes – non reversible 1 way hashes. Hello? Am I missing something? For most uses storing reversible password data is not needed and not best practice.

    Edit by Clem: We’re not storing “passwords”, of course not. When I say we’re storing passwords, we’re obviously storing their hashed/salted representations, not the clear password itself. Still, even though they can’t be reversed into clear passwords, there are ways to find them via brute-force, so the issue at hand here is to ensure these passwords aren’t the same ones you use elsewhere on the Internet.

  10. All my forum accounts use the same quick-to-type “low security” password. In the worst case scenario, someone hacks my Linux Mint login/password and can now post elsewhere in my name. For me, the convenience far outweighs any lock-out or reputational damage I might incur. Now that my password is non-conformant, I’m not participating in the LM forum. The memory load of yet another special password isn’t worth the bother.

    Don’t assume responsibility for protecting foolish users using the same simple password for everything. Unless of course LM plans to rebrand as Nanny Linux.

    Edit by Clem: That’s exactly what we’re doing, we’re rejecting responsibility by not allowing you to store your simple password with us. You can get your browser to remember your password, you can sync that on multiple devices, you can even use lastpass, there’s many ways for you to use passwords without remembering them.

  11. Hi, Clement.
    What has been reported in a few replies here before, has happened to me as well. The reset password button on the community.linuxmint.com page states a mail had been sent out to me. Yet, nothing is in the inbox, nor in the spam box.
    Pressed the reset button more than 10 hours ago.
    What now?
    Karl

  12. Still no joy accessing community.linuxmint.com.
    Clicking the RESET NOW button and entering my e-mail address only yields the statement “Your request to change password is already sent. Please check your email. Enter your Username or Email Address”.
    But no mail in the inbox or in the spam inbox.

  13. “Clicking the RESET NOW button and entering my e-mail address only yields the statement “Your request to change password is already sent. Please check your email. Enter your Username or Email Address”.
    But no mail in the inbox or in the spam inbox.”

    You probably will not resolve this situation unless admin makes some sort of change in the way they do this. There is obviously no timeout for the change password function. Most setups allow a 24 or 48 or 72 hour time period to complete the process of changing password. If not completed in that time frame no change happens and it simply remains at the old password —- AND —- the user is able to go through the process again.

    If your password change process fails for any reason including your mail server being down or hiccuping the mail back to Linux Mint for whatever reason, the community software isn’t allowing a retry after a timeframe. The admin’s emailed suggestion to resolve the issue is to simply create a new account with a new username. Absolutely dumb.

  14. In order to protect the stupid people who can’t follow simple security precautions you are forcing everyone to use a new password and even worse are distributing it by insecure means.

    I admit to using the same password on a number of Forums (those that don’t use OpenID) but I certainly don’t use it on any site that is sensitive. I might be embarrassed if someone cracked these, but I can live with this.

    At the moment I have 65 different accounts and store the password in a spreadsheet (suitably protected). Password managers are not an option. Many of the sites I use (mainly banking and financial sites) do not allow password managers so I am forced to supply them.

    Until 3 years ago this was no problem, but since a cardiac arrest 3 years ago I can no longer remember these. At best I can recall those I use daily, and even then I often need a reminder.

    This is a lousy solution to a problem which only affects the lazy or stupid.

  15. “Clicking the RESET NOW button and entering my e-mail address only yields the statement “Your request to change password is already sent. Please check your email. Enter your Username or Email Address”.
    But no mail in the inbox or in the spam inbox.”

    You probably will not resolve this situation unless admin makes some sort of change in the way they do this. There is obviously no timeout for the change password function. Most setups allow a 24 or 48 or 72 hour time period to complete the process of changing password. If not completed in that time frame no change happens and it simply remains at the old password —- AND —- the user is able to go through the process again.

    If your password change process fails for any reason including your mail server being down or hiccuping the mail back to Linux Mint for whatever reason, the community software isn’t allowing a retry after a timeframe. The admin’s emailed suggestion to resolve the issue is to simply create a new account with a new username.
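
The expiry-and-retry behaviour the comment above asks for, as an added example (not part of the original comments and not the Linux Mint community site's code). The class name, the 24-hour lifetime, the 5-minute resend gap and the in-memory store are assumptions; the email carries a single-use token rather than a password.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 24 * 3600   # assumed; the comment mentions 24, 48 or 72 hours
RESEND_COOLDOWN_SECONDS = 300   # assumed minimum gap between two reset emails


class ResetRequests:
    """In-memory stand-in for the table of pending password resets."""

    def __init__(self, ttl=RESET_TTL_SECONDS, cooldown=RESEND_COOLDOWN_SECONDS,
                 clock=time.time):
        self.ttl = ttl
        self.cooldown = cooldown
        self.clock = clock
        self.pending = {}  # account -> (sha256 hex of token, issued_at)

    def request(self, account):
        """Issue a fresh token, or return None if one was issued moments ago.

        An older pending request never blocks a new one: it is replaced, so
        a lost or rejected email cannot lock the account out of the flow.
        """
        now = self.clock()
        current = self.pending.get(account)
        if current is not None and now - current[1] < self.cooldown:
            return None  # rate limit only; caller says "try again in a few minutes"
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[account] = (digest, now)  # only the hash is stored
        return token  # mailed as a link; the password itself is never mailed

    def redeem(self, account, token):
        """Return True once for a valid, unexpired token.

        The caller then lets the user choose a new password over HTTPS.
        Until that happens the old password hash is left untouched.
        """
        entry = self.pending.get(account)
        if entry is None:
            return False
        digest, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            del self.pending[account]  # expired: the user may simply ask again
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            return False
        del self.pending[account]      # single use
        return True
```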

  16. Hi everybody,

    I’d like to thank you again for your feedback.

    We’re experiencing email issues because of two reasons.. first, we had to send 100+k emails to warn forums users of the breach and some hosts consequently flagged us as spammers. We updated our records to solve that but we’re still seeing issues with some of the hosts.

    Second our servers are now behind sucuri’s firewall (which protects them) and that means their IP no longer corresponds to the domain name they’re claiming. I.e. everything works fine but it makes it harder for mail host to verify their identity.

    We’re working on solving these issues at the moment.

    I also heard the points some of you made about the clear access code and although it isn’t sensitive, you’re right, it is a valid point. We’ll implement complexity restrictions as a result and we’ll bring back the ability to change your password.

  17. Clem Said: “We’re experiencing email issues because of two reasons.. first, we had to send 100+k emails to warn forums users of the breach and some hosts consequently flagged us as spammers. We updated our records to solve that but we’re still seeing issues with some of the hosts.”

    When all these problems started and Mint was altering its servers in response I found that all emails from Mint Forums and a couple of other Mint email addresses would be automatically put into the Junk folder in Thunderbird (TB). This never happened before the current difficulties – all my Mint emails were delivered into the Inbox.

    At first I thought this was some problem with TB and tried marking all Mint emails in the Junk folder as “Not Junk”. However, after about of week of doing this nothing happened, Mint emails still arrived in Junk.

    Then I had a brainwave and went directly to my Hotmail account to see what was happening there. It turned out the emails being classed as Junk was happening at Hotmail itself. So I adjusted my settings at Hotmail for “Safe Senders” by adding the domain “linuxmint.com” into that list. As soon as I did that my “Topic reply notification” emails from Mint Forums started arriving in my Inbox again. Problem solved, great!

    However, funny thing is that in the Safe Senders list I already had entries for “forums@linuxmint.com” and “admin@linuxmint.com” there. So I was kind of scratching my head as to how those two entries didn’t guarantee that the notification emails went to my Inbox after the new forum went online. Why did I (eventually) have to add the domain linuxmint.com to the list to get the emails delivered into my Inbox? Mmm…

    Point is if you have a Hotmail account and are experiencing this same difficulty try the above as a solution. (It might also work with accounts from other email providers.)

    Hope this helps,

    Radish

  18. “The forums now only accept passwords containing at least 10 characters and which include symbols, digits and mixed-case characters.”

    “We’ll implement complexity restrictions as a result and we’ll bring back the ability to change your password.”

    I’m not an expert by any means, but I did manage to stumble upon this: http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase If the guys at Security StackExchange (and author of xkcd) are right, then a password like “correcthorsebatterystaple” is a perfectly good password. If this is true (again, I can’t judge, I’m just a random bystander), then I’m not sure if forcing people to use digits, punctuation, etc, is the right thing.

  19. A second issue is this one: “That’s exactly what we’re doing, we’re rejecting responsibility by not allowing you to store your simple password with us.”

    I’m not sure if it is your job to dictate people what passwords they should use. Yes, it might seem to be unreasonable to use a PayPal password in Linux Mint community website; but it is the user’s PayPal account, and not yours, Clem. And it is the user’s password, and not yours, Clem. You may, of course, warn your users that they should use a distinct password. But the final decision should be theirs. Worst case, their PayPal account gets compromised because they used a password like “123456” both on PayPal and here. But it will be their responsibility, and not yours.

    I think that you may be going too far into your users’ responsibilities and that might be wrong.

    Edit by Clem: We got breached already, and no it’s not just people’s fault, we have a share of responsibility.

  20. How do I delete my Linux-Mint Forum account? (Or whatever account I have on LinuxMint.com). (If memory serves me, I only created an account on the *forums*, to post a reply to a comment/thread/post/whatever-the-heck-it’s-called on the Linux-Mint Forums and that’s it).

  21. @ 25. Mel

    To have your forum account deleted send an email to admin@linuxmint.com requesting that the account be deleted. When you send your request send it from the email address that you used for your forum account. In the email state your forum User-name and email address for the account.

    Sorry you’re leaving.

  22. What about using some OAuth login, like FB, G+, etc.? Because it’s pretty safe, if we are using on Google auth. the double verification process

  23. Sending a password (in clear text) by e-mail is also a bad security practice because if one gets access to that e-mail address it can easily gain access to other accounts with different passwords.

    A JavaScript password-strength checker can be easily implemented and backed by a similar back-end checker. Making sure there are a minimum of 10 valid characters is easy, so I would recommend this approach. Hey, you can even get a bit overboard and have a JavaScript random password generator in the browser, so the server doesn’t have to compute all those, but simply check it and, if valid, store it.

    Here is some really good advice on the topic:
    http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication

    Edit by Clem: Yes, we went for a form validation server-side solution instead, but it’s the same idea. We’re bringing custom passwords back. Thanks for your feedback.

  24. @ 27 ondrej said: “What about using some OAuth login, like FB, G+, etc.?”

    I would hope that this suggestion is never enacted. On point of principle, given their attitudes to user data, I would never register with FaceBook, G+ etc. If it came to a crunch between using them for login authentication and losing my Mint Forums and/or Mint Community accounts then I would choose to lose the Mint accounts – though I would be very seriously unhappy with that situation. I suspect that a reasonable number of others would also be unhappy with that situation and with some justification. The proposal just has the effect of forcing Mint into a position where it is dictating to users that they must have a FaceBook, G+ (whatever) account. I don’t think that would be a reasonable position for Mint to take aboard.

    As a newbie I do actually need the support provided by Mint Forums. If I lost that support because of the introduction of this kind of login method then in all likelihood that would drive me away from Mint, another reason for unhappiness with this suggestion, I really like Mint.

    In any case I would see such a move as overkill. Provided we have strong passwords the current method is fine. The only weakness I see in this situation is that currently Mint Community accounts have their new (post-hack-elsewhere) passwords sent as plain-text email to the user and, crucially, the user can’t change the password after making an initial login with the password sent by email. That issue is easy to address by just allowing users the capacity to change the password after the initial login – perhaps even making that mandatory would be the best way to go. I have over the years come across some sites on the internet that will send an initial password to use, via plain-text email, to access the site. However, of those, several also had an advisory note in the email stating that the user should change the password to one of their own choosing after the initial login. I would think taking the above steps is as far as Mint need go in this situation.

    For anyone that disagrees with my position the following is worth a read: https://en.wikipedia.org/wiki/OAuth Some of the gaping holes in the system, including user privacy (let alone security), are detailed there. Why would anyone want to hand over to a third-party data detailing when they login to any particular website. All it does is inject a commercial middle-man into the equation of when you login into a website. And, looking into the future, that could be developed to such an extent that you don’t get access to websites without going through a commercial entity first. Extend that and it could easily evolve into a situation in which users end up being charged a fee by third-party commercial interests to access websites. Bye, bye free access internet. No thanks. Bat this one out of court.

    Just enforce on users the requirement to use strong passwords (as is now being done) and things will be fine. The situation with Mint Community accounts just needs a little tweaking and it’ll be fine for purpose too.

  25. Well I tried again, but it’s still the same. I click forgot password, enter my e-mail, and all I get is e-mail already sent, no e-mail arrives or is in my spam folder. How am I to reset my password ?

    Edit by Clem: Hi Crewp, we’re still having issues with some mail hosts rejecting our emails. It’s partly due to the 100K+ email notifications we had to send to forums users, and partly due to the fact that our servers are now hidden (and thus less trustable) behind a global firewall. We’re working on these two issues, but it might take a bit of time. Email is so abused, hosts had to react in very empirical ways, we can’t force a host to “trust” us and accept our emails if they think our email “reputation” isn’t to their liking. We added SPF records to alleviate that and it worked with some hosts, but obviously not with yours. Leave it with us and please be patient. If you can’t wait, contact us with an alternative email address.

  26. @Radish Comment-#29: Thanks for the info 🙂

    I was also wondering if it’s currently safe to use the “Update Manager” in Linux Mint. (And I’m asking that because of the recent hack into one of Linux Mint’s servers through the WordPress vulnerability). I’m in distro Linux Mint 17.2 Cinnamon 64-bit, by the way.

    Edit by Clem: Yes it is.

  27. @kneekoo Comment-#32:

    Isn’t JavaScript already unsafe and easily-hackable?

    That’s a vulnerability right there.

    (ie. I’m referring to what you said-and-suggested about “A JavaScript password-strength checker can be easily implemented”).

  28. @ 36 Mel said: “I was also wondering if it’s currently safe to use the “Update Manager” in Linux Mint.”

    Yes, totally safe. Update Manager and the updates it offers were never involved in recent events.

    Going forward, the only strong advice being given is that users should always check their ISO’s after download against official md5 and/or sha256 checksums. This is NOT because there is anything currently wrong with the ISO’s, there is no reason to suspect them. The advice is given purely as a routine precaution that users should adopt in all instances for their own safety. We should just use good security practices in our own activities concerning security.

    For details of how to do those checks see this post at Mint Forums:
    https://forums.linuxmint.com/viewtopic.php?f=60&t=217357#p1136607

    I would recommend reading the first post in that thread as it puts the hack into a correct perspective (you can see how limited in extent the hack was, and just how short the duration for which it was an issue).
    https://forums.linuxmint.com/viewtopic.php?f=60&t=217357

    Note: the hack never affected Mint Cinnamon 17.2 so you are perfectly safe in using it.

    Hope this helps. 🙂

  29. @ 36 Mel said: “I was also wondering if it’s currently safe to use the “Update Manager” in Linux Mint.”

    Yes, it is completely safe to use the Update Manager – it was never involved in the recent issues.

  30. @ 35 Crewp – If you find you ultimately cannot resolve the issue this is what the admins stated to me:

    “We can’t change your password from our side on this website. So alternative is you could register a new account with a different username (and different email address), or I could delete your current account so you can register it anew with the same username.”

    Maybe admin can be of help to you.

  31. I spent 40 years in high security work. Most Top Secret. If you make the requirement for complex characters, and other supposed security features, you just make a code breakers job easier. Computers that are programmed to break code must try EVERY POSSIBLE iteration. When you tell them that no password that is ONLY numbers will be acceptable, the number of iterations goes DOWN because the program does not, now, have to test ANY all number iterations!!!!! Security is COMPROMISED. A minimum length is the ONLY requirement that makes sense.

    Edit by Clem: From a maths standpoint I agree. A minimum of 10 characters also compromises security because the program can start guessing at 10 and doesn’t need to waste time guessing passwords of 1, 2, 3, 4, 5, 6, 7, 8 or 9 characters… with that logic you could even argue that guessing a 5 character password is longer with a minimum set to 1, than a 10 character password with a minimum set to 10. Gotta love maths 🙂 If I was a hacker and I had to crack 200k passwords in the chance to gain access to gmail somewhere though, I would try to crack them all and iterate each combination on each password, I’d try to get the easy ones out first, the ones that are most likely in my dictionary/list and the most likely to be used elsewhere.
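
The policy from the post as a server-side check, together with an exact count of how much of the 10-character search space the character-class rules exclude, which is the effect argued over in the comment and reply above. This is an added example, not the sites' code; the 94-character printable-ASCII alphabet (space excluded) and all function names are assumptions.

```python
import string
from itertools import combinations
from math import log2

# Character classes of printable ASCII without the space character.
# Assumption: the post does not say which symbols the sites accept.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
MIN_LENGTH = 10  # from the post


def unmet_rules(password, classes=CLASSES, min_length=MIN_LENGTH):
    """Server-side check: return the names of the policy rules not met."""
    failures = []
    if len(password) < min_length:
        failures.append("length")
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            failures.append(name)
    return failures


def count_compliant(length, class_sizes):
    """Count strings of `length` that contain every character class.

    Inclusion-exclusion over the classes: start from all strings, subtract
    those missing one class, add back those missing two, and so on.
    """
    alphabet = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            count += (-1) ** k * (alphabet - sum(missing)) ** length
    return count


def policy_cost_bits(length=MIN_LENGTH, classes=CLASSES):
    """Bits of search space removed, at exactly `length` characters,
    by requiring at least one character from every class."""
    sizes = [len(chars) for chars in classes.values()]
    unrestricted = sum(sizes) ** length
    return log2(unrestricted) - log2(count_compliant(length, sizes))
```

Under these assumptions `policy_cost_bits()` comes to about 0.74: the class rules exclude roughly 40% of all 10-character strings, which is less than one bit of search space.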

  32. It’s good that custom passwords return to the community website. It’s silly to send an email to a user with a one time password, it’s annoying. My Government uses a SMS two phase authentication, and I think that is very annoying.
    For the G+ combined authentication, don’t do that, It might be insecure (I am not sure), and it will be bad for your privacy.

  33. Thanks for the response Clem, I took Ledduk’s advice and had the Moderators delete my account, and I re-registered with a different email. I know you have a lot on your plate, I and many others are grateful to you and the whole Mint Team. Thank you.

  34. Can anyone suggest how I get round this awkwardness –

    I have eventually managed to change my password ‘as stipulated’.

    In doing this I have had to use my wife’s email address (ran out of my own!!!).

    Naturally, she is not very keen on this and I don’t know why I had to change the address anyway. However, anything to be able to use the forum again.

  35. While I’m thinking about this, surely very long plain language passwords would be better than including symbols etc? Quotations from Shakespeare come to mind (Is this a knife, I see before me). That with or without comma’

    Or an even better one from a German play – Mintkatze should know the 18th century author.

  36. @ 47 & 48 Kaufhof

    With respect to getting your forum account sorted with an email address of your choice: Email admin@linuxmint.com and explain the difficulties you are having and how you would like that to be solved. When you email send the email from the email address you currently have registered with the forum account and include your username.

    For your password woes I would say install KeePassX and use that for generating and storing passwords. KeePassX can be installed from the Software Manager in Mint – it is very popular with Mint users. It also has an auto-type feature that will automatically enter your username/password into webpages with nothing more than you having to press hotkeys that you setup yourself. For a little more detail on this see the following forum webpage: https://forums.linuxmint.com/viewtopic.php?f=90&t=218570

    Hope this helps. 🙂

  37. I had a question (and a statement/comment, and some feedback).

    Yesterday I tested Mint 17.3 Cinnamon 64-bit on a LiveDVD that I made from a .iso image I downloaded back in January.

    I miss the huge selection of background-images available in Linux-Mint 17.2 Cinnamon 64-bit. Can those please be put back in Linux Mint 18?

    And also: when I’m using Linux Mint 17.2 Cinnamon 64-bit, is there any way that I can access the location where those images are saved, so that I can copy-paste them to an external hard-drive or USB flash-drive ?

    I really like all those images, and I will heavily miss them in Linux Mint 17.3 (if I decide to upgrade to 17.3).
    Plus, I wish there was a way that Clem and/or the other developers (whoever is responsible for this sort of things) to add-again all those selection of images in Mint 17.3 (probably as a update released in the Update Manager, or some other way easy enough for a total Linux noob (like me) to get those images back and available to be selected at in Mint 17.3).

    I also couldn’t find a way (when running the Mint 17.3 LiveDVD) to disable the “show preview thumbnail when moving your mouse-cursor over a program’s-window button on the Panel/Taskbar”.

    I tried searching in “Windows”, “Panel”, and other Settings/Options in the Settings Manager (which is where Clem said in a previous blog-post that the thumbnails can be deactivated) for the life of me I couldn’t find the option.

    (Plus, I really don’t like those thumbnails on the Panel because I already have them when I use ALT-TAB. Why would I want 2 of the same thing?)

  38. Why can’t you just let user choose what method of authentication to use? You could implement both methods (complex password and openid) and let a user decide. I personally will use complex password, as I totally agree here with Radish @ 34. But maybe someone wants to remember only his google or facebook account password…

    As for the password complexity, you could memorize some complex phrase and add some couple of letters, which correspond to the site, say three letters from its domain name. You could memorize two different phrases: a simple one, and a complex one. And thus you will have different passwords to different sites, all of which you will remember.

  39. Hello. Today, March 27 2016, I downloaded Linux Mint 17.3 “Rosa” – Cinnamon (32-bit) via torrent at this link : Advanced Network Computing Lab at the University of Hawaii

    I checked signature and it was different than what is listed here :
    https://www.linuxmint.com/edition.php?id=203

    the md5 sum is df1f990ddabb07ebf556047317aa8b53 and the signature on your website is 6e7f7e03500747c6c3bfece2c9c8394f

    Not sure if this is something that needs to be looked at or normal. Thanks.

  40. @Mel, comment #37:

    JavaScript can be used to generate a password. You just don’t rely on it for security, because it runs in the client and can be manipulated. JS is only useful for convenience (user-friendliness). That’s why the back-end must always validate input data.

    The content of a password isn’t even relevant, unless it’s way too simple, as “1111111111”, “1234567890”, or “abcdefghij”. The length is really important because brute-force attacks will try everything and at some point they will succeed if failed logins are not dealt with in the code. When implemented, a login timeout plus a good password length will make brute-force attacks worthless. You don’t provide a good password after 5 tries during the last “X amount of time”, you get a login timeout for 1 minute between logins. After 10 failed attempts, you increase the timeout to 5 minutes. If you also enforce password changes periodically, that makes brute-forcing virtually impossible.

    It would be great if only the passwords would pose a threat to online security, but the more complex a system is, the harder it is to defend it. And sometimes all that effort can still fail.
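
The escalating login timeout described in the comment above, as an added example (not part of the original comments and not the forum's code). The 15-minute counting window stands in for the comment's "X amount of time" and is an assumption, as are the class and function names and the choice of the account name as throttle key.

```python
import time
from collections import deque

WINDOW_SECONDS = 15 * 60          # assumed value for the comment's "X amount of time"
TIERS = ((5, 60), (10, 5 * 60))   # (failures in window, delay in seconds), from the comment


class LoginThrottle:
    def __init__(self, window=WINDOW_SECONDS, tiers=TIERS, clock=time.time):
        self.window = window
        self.tiers = sorted(tiers, reverse=True)  # check the strictest tier first
        self.clock = clock
        self.failures = {}  # key -> deque of timestamps of recent failed logins

    def _recent(self, key):
        """Return the failure timestamps for `key` that are still inside the window."""
        q = self.failures.get(key, deque())
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def retry_after(self, key):
        """Seconds to wait before another attempt is evaluated (0 = go ahead)."""
        q = self._recent(key)
        for threshold, delay in self.tiers:
            if len(q) >= threshold:
                return max(0.0, q[-1] + delay - self.clock())
        return 0.0

    def record(self, key, success):
        """Store the outcome of an evaluated attempt."""
        if success:
            self.failures.pop(key, None)  # a good login clears the history
            return
        q = self._recent(key)
        q.append(self.clock())
        self.failures[key] = q


def attempt_login(throttle, key, password_ok):
    """Gate one login attempt. Returns 'throttled', 'ok' or 'denied'.

    A throttled attempt is rejected before the password is looked at, so
    guesses submitted during the delay reveal nothing, even a correct one.
    """
    if throttle.retry_after(key) > 0:
        return "throttled"
    throttle.record(key, password_ok)
    return "ok" if password_ok else "denied"
```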
