The world continues to advance in its weird ways to break into your privacy and infringe on your data. In light of this, we are upgrading our password security on accounts, and this means it’s time for y’all to pick a new one.
The old rules, in a kinder time, allowed for very short passwords. We upgraded the rules to a 6 character minimum for new passwords several years ago, but old passwords still could be short and work. As we’ve assessed the world around us, this is no longer okay with us.
The new rules force a minimum of 8 characters, per the latest best practices from NIST. We’re not going to force weird numbers and characters on you — for reasons much like the ones the XKCD cartoon suggests. They could add entropy, but they also make passwords hard for humans to remember, which encourages bad practices. Instead, make your password longer in a way that makes sense to you, rather than something you can’t remember or will reuse. I suggest at least 12 characters. It’s up to you how, and whether, you use numbers and special characters.
A rule we DID add is that you can’t use a password on the list of the most common passwords, as collected from various breaches. “princess1,” “monkey,” and “passw0rd” are all right out, as is your username, or “dailykos”. Live a little. Go with “PrincessMonkey28forgottodoslospasswords” — but say it in your own unique way, please.
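As an added illustration (not Daily Kos’s own code), here is what a password check built from the rules above looks like: an 8-character minimum counted in Unicode code points after NFKC normalization, no composition requirements, and rejection of common breached passwords, the username and the site name. The blocklist here is a constructed stand-in for the real breach-derived list, and the casefolded comparison (so “Passw0rd” is treated like “passw0rd”) is an assumption that goes slightly beyond the post.

```python
# Added example, not Daily Kos's own code: a password-acceptance check built
# from the rules in this post. Length is counted in Unicode code points after
# NFKC normalization (the NIST 800-63B convention), so spaces, symbols and
# non-ASCII characters all count toward the minimum and none are required.
import unicodedata

MIN_LENGTH = 8
SITE_NAME = "dailykos"

# Constructed stand-in for the breach-derived common-password list; a real
# deployment loads tens of thousands of entries from a file or database.
COMMON_PASSWORDS = {"princess1", "monkey", "passw0rd", "password",
                    "123456", "qwerty", "letmein"}


def _canon(text: str) -> str:
    """Normalize and casefold so 'Passw0rd' compares equal to the listed 'passw0rd'."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(candidate: str, username: str, common=COMMON_PASSWORDS) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means it is accepted."""
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    canon = _canon(pw)
    if canon in common:
        reasons.append("on the common-password list")
    if canon == _canon(username):
        reasons.append("same as your username")
    if canon == SITE_NAME:
        reasons.append("same as the site name")
    return reasons


def is_acceptable(candidate: str, username: str) -> bool:
    """Convenience wrapper: True when no rule rejects the candidate."""
    return not check_password(candidate, username)


if __name__ == "__main__":
    for pw in ["monkey", "princess1", "DailyKos", "PrincessMonkey28forgottodoslospasswords"]:
        print(repr(pw), check_password(pw, "alice") or "accepted")
```

Because the function returns every reason that applies, the login form can tell the user all of them at once instead of one per attempt.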
The MOST IMPORTANT RULE you can follow, and I can’t stress this enough, is DON’T REUSE PASSWORDS. Please don’t use the password you use here on any other site. And especially, make sure that your key passwords, for banking, email, unlocking your device, etc., are all unique. One of the most classic hacking techniques is to make a free porn website with a login, save the credentials in plaintext, then try the email and password combinations on other sites. Often, this has allowed hackers to directly access people’s email or corporate accounts.
(Keeping track of them all is a pain, and the best advice I have for that is to use a password manager. A password manager can let you share passwords securely across your devices and it also lets you share them securely with other people when that’s a feature you need.)
We’ve added some code that will allow us to know when a password was last reset and force a reset if you haven’t done one. The new password standards are in place now, and we encourage you to (a) update your email address to one that will actually reach you and (b) reset your password now, while you’re still logged in to your account. To reset your password you will need either a working email address on record at your account that you can access, or your current password. (Please note that even if you are getting Daily Kos emails, the email address on your Daily Kos profile may not be the same; those are wholly separate.) We expect to be in this Pretty Please mode for about a week. After that, we will tell the software to force a password update on login or when you return to the site.
To reset your password, or to update your email address, use the menu in the upper right to go to “View/Edit My Profile” and then click Edit Profile from the header on that page.
Note that when you change your password, this will log you out of all devices where you’re logged in. So, if you’ve got sessions on your computer, your phone, multiple browsers, etc., you’ll need to log in to all of them again with your new password. As before, it’s up to you to decide if you want your devices to remember who you are indefinitely or ask you each time you come back.
We don’t intend to use this often — NIST’s advice is that forcing people to change passwords on arbitrary timelines only causes them to choose worse passwords or implement bad practices like writing them down on a sticky note. However, we’re glad to have this as a safeguard for the future, so that if we do have a problem, or if hacker strategies require new password strategies, we will be able to force password resets quickly. It’s another measure to help keep us all safe.
A while back, we also added code that locks accounts if there are too many failed login attempts. This significantly limits anyone’s ability to use a brute force attack against our system. If your password can’t be easily guessed in a few tries, these two features together help considerably in keeping everyone’s account secure.
Remember that we will never ask you for your password except for on the site proper.
XKCD is one of my favorite comics, so if you haven’t found it and aren’t already using it for your greater acquisition of technological trivia of varying merit, I recommend you check it out:
Wednesday, Jul 17, 2019 · 7:19:54 PM +00:00 · elfling
Since several people have asked, here are some slightly clearer instructions for the situation where you are logged in and don’t know your current password. The profile page, where you would normally reset your password, does not have a Forgot Password link.
Instead, you’ll use the link on the login screen:
- Go to your user profile page (pulldown menu, upper right). If you still can’t find it, or are on a phone, the edit profile link is of the form /user/(username)/edit. (You can also get to your profile by clicking on your linked username, for example in a comment.)
- Click Edit Profile near the top.
- View and, if necessary, update your email address.
- Scroll to the bottom and click “Save”. Now that you know your email is up to date:
- (Open a private/incognito window, or use a different browser than your normal logged-in one, if you’re not sure that your email will work.)
- Click “Log in” and, when you get that screen, click “Forgot Password”.
- Enter your email address, the one attached to your account, in the box.
- Check your email. There will be a link for resetting the password. Click it, or copy the link into your alternate browser window.
- Enter your new password twice.
Your password is now reset, and you'll want to go and log in on any of your regular devices.
If you’re still having trouble, please hit us up at the helpdesk, which has a link at the top of the page.
Wednesday, Jul 17, 2019 · 9:19:39 PM +00:00 · elfling
Another question people are having:
The notification pointing you to this story and urging you to change your password doesn’t know whether you’ve already changed it. It should disappear once you click it away in the upper right corner and not reappear on that device (unless you clear cookies). If you’ve changed your password since July 12, you’re good to go and don’t need to reset it again. Thanks everyone for your patience and feedback.