Posted By COECipher at 11:01 AM - Tue Apr 18 2017
A couple thoughts:
a) Why would anyone want to hack an account here? What would they possibly gain for the effort?
b) What's the worst that could happen if an unauthorized user got into your account? I see absolutely nothing of value that can be stolen.
Which actually leads me to another question. Why does CoE have such strict password rules? All that does is make it harder for regular users to remember their passwords. A hacker is NOT going to randomly guess passwords. They will first go through the list of most commonly chosen passwords and then, if they really want in badly enough, go through brute force methods. Which is why passwords by themselves offer only minimal security, and requiring complex password rules inconveniences members of the community more than it offers any real security.
A better level of security is two-factor/two-step authentication. If you really worry about security, implement that. Ditch the complex password rules. That's only an illusion of security.
There are always those who want to hack an account, even if it is just to brag about it. There are people who have spent quite a bit of actual money here, who would be rightly pissed off if someone hacked their account. Not only that, but those people who have spent enough have access to the NDA sections, and would not like any old random hacker to gain access to those sections of the forums and get blamed for it.
The password requirements are all about making it harder to guess the passwords by increasing the potential value from each character. Instead of only 62 possible values from each character (a-z, A-Z, & 0-9), adding the symbols makes each character that much harder to brute force (depending on the symbols allowed, each character could be in the range of 80-90 possible values), which significantly adds to the possible permutations of passwords available. Honestly, even with that, having a 6 character minimum is kinda low.
Now brute forcing over the web is usually easy to detect, but I have seen some attack attempts do it in a very slow and methodical way, trying 1-5 attempts every couple of mins. Attackers try and get around that by using vast botnets to hide that an attack is taking place.
I agree that I would love to see two-factor authentication as an option, and some places go overly complex with the requirements, in ways that negate the benefits you would get with having a bigger pool of values for each character, but the best thing would be if people would actually take password security seriously, and not choose bad passwords, or re-use them on multiple websites.
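To put numbers on the search-space argument in the reply above (62 values per character vs. 80-90 with symbols, a 6 character minimum, and slow distributed guessing from a botnet), here is an added worked example that is not part of the original thread. The 90-symbol alphabet, the botnet size and the guess rates are assumptions chosen for illustration, not figures from the forum.

```python
import math

# Character-set sizes discussed in the thread: a-z, A-Z, 0-9 gives 62;
# adding symbols gives roughly 80-90 depending on which are allowed.
# 90 is an assumed value at the top of that range.
ALNUM = 62
ALNUM_SYMBOLS = 90
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Search-space size in bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def length_needed(charset_size: int, target_bits: float) -> int:
    """Smallest length whose search space reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def online_guess_rate(bots: int, attempts: int, interval_seconds: float) -> float:
    """Aggregate guesses/second for a botnet where each bot sends
    `attempts` login tries every `interval_seconds` (the slow pattern
    described in the thread: a few tries every couple of minutes)."""
    return bots * attempts / interval_seconds


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed: 10,000 bots, 5 attempts every 120 s each (~417 guesses/s).
    online = online_guess_rate(10_000, 5, 120)
    # Assumed offline rate against a stolen fast hash (illustrative only).
    offline = 1e10
    for charset, length in [(ALNUM, 6), (ALNUM_SYMBOLS, 6), (ALNUM, 8), (ALNUM, 12)]:
        print(f"charset={charset:2d} len={length:2d} "
              f"bits={entropy_bits(charset, length):5.1f} "
              f"online_years={years_to_exhaust(charset, length, online):12.2f} "
              f"offline_years={years_to_exhaust(charset, length, offline):12.4f}")
    print("length for 64 bits:", length_needed(ALNUM, 64), "alnum vs",
          length_needed(ALNUM_SYMBOLS, 64), "with symbols")
```

The table shows that two extra alphanumeric characters (62^8) outweigh adding symbols at the same length (90^6), which is the trade-off the reply describes when it calls the 6 character minimum low.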