BetaArchive Logo
{The community for beta collectors}

Post subject: Password requirements    Posted: Thu Apr 12, 2012 2:01 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
A few people have mentioned they hate the insane password requirements. After reviewing I have relaxed the requirements.

Min length: 8 characters
Complexity requirements: Must contain letters and numbers
Allowed characters: ASCII (no international unicode)

I considered a yearly password change enforcement, but decided against it at the last moment. Just be sure to update your password regularly, and use special characters where possible to make it harder to guess.

Andy (Admin)

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 2:57 pm
1337 Beta Collector

Joined
Tue Dec 15, 2009 8:56 pm

Posts
2307

Location
England, UK

Favourite OS
NeXTSTEP 5.1/Windows NT
If they complain about that they sound like small children who know nothing about security.

_________________
#nttalk - the only sensible option for discussion of betas and more! Don't delay, join today at irc.alphachat.net #nttalk!


Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 2:58 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
I would tend to agree, however it was a little over secure for such a site like this. Had it been internet banking then perhaps you could argue that but it's not, so we can't :) Personally I don't care since my password already met those requirements by far anyway.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 3:00 pm
Newbie Beta Collector

Joined
Thu Dec 02, 2010 11:12 pm

Posts
23

Favourite OS
Mac OS x
For years now I've always used 10 or more characters, numericals and a little bit of ASCII thrown in there to spice it up! I shouldn't see why people would complain! Each to their own I guess :)

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 3:01 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
Welcome back Lee :)

Anyone who doesn't use at least 8 characters which include some numbers and symbols is bound to get compromised one day.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 3:07 pm
1337 Beta Collector

Joined
Tue Dec 15, 2009 8:56 pm

Posts
2307

Location
England, UK

Favourite OS
NeXTSTEP 5.1/Windows NT
Well, if someone's account got compromised some could potentially leak contents of the FTP. I do agree with the requirements.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 3:07 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
Not any more really, since only one person at a time can connect. That's the reason we set up the system the way it works now.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 3:32 pm
1337 Beta Collector

Joined
Thu Nov 29, 2007 11:33 pm

Posts
3057

Location
Where do you want to go today?

Favourite OS
All Microsoft operating systems!
Andy wrote:
Not any more really, since only one person at a time can connect. That's the reason we set up the system the way it works now.
No offence, but if I was to hack into someone's account, all I would have to do is to change the IP lock, and I myself would indeed have access to the FTP server itself.

Theoretically, it would still be quite possible to use an account to get past the FTP server's IP lock, if such a person did the following:

1. Created an account here, as usual.
2. Made enough contributing posts to gain access to the FTP server itself.
3. Sent other people the user name and password to the account, so that they could also gain access to the FTP by just updating the IP lock for their own connections.

I'm not saying that this system isn't very secure, it really is, it's just that none of these security protection systems are completely foolproof.

_________________
Main operating system: Windows 8 Enterprise (Evaluation)
Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 3:33 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
Yes I know this, but usually when someone wants to do this they want it for others too not just themselves. That's how it makes it more secure, and we can know who is downloading by their username. The 50GB/day limit also prevents excessive leeching, as nobody should need more than that on a daily basis.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 3:46 pm
Newbie Beta Collector

Joined
Thu Dec 02, 2010 11:12 pm

Posts
23

Favourite OS
Mac OS x
50GB per day I would say is more than enough for anyone! If you're using more than that you seriously need to find a new hobby! And thanks Andy, it's good to be back... passes the shift a little quicker at work haha! ;)
[offtopic] I just got asked "when's the new operating system for Windows coming out..." I was like "oh, Mountain Lion?" she then said to me "NO FIREFOX!" I had to contain myself from LOL'ing hahah then came the argument of how she was wrong, she stormed out thinking she was right

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 4:31 pm
1337 Beta Collector

Joined
Thu Nov 29, 2007 11:33 pm

Posts
3057

Location
Where do you want to go today?

Favourite OS
All Microsoft operating systems!
Andy wrote:
Yes I know this, but usually when someone wants to do this they want it for others too not just themselves. That's how it makes it more secure, and we can know who is downloading by their username. The 50GB/day limit also prevents excessive leeching, as nobody should need more than that on a daily basis.
Well, what I'm really talking about is leaking the FTP details across to other people, and not hacking the FTP for themselves alone.

EDIT: The only other thing I can think of (although I will admit that it is a bit harsh) is to put a rule in place against mirroring any releases here that are not widely available otherwise, without the written permission of the staff itself. I would also support a rule against mirroring the entire contents of the FTP server, since people would probably then just download from the mirrored copy rather than the original one.



Last edited by WinPC on Thu Apr 12, 2012 4:33 pm, edited 1 time in total.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 4:33 pm
Amateur Beta Collector

Joined
Mon Jan 23, 2012 2:48 pm

Posts
281

Location
guess it

Favourite OS
whistler2296
WinPC wrote:
Andy wrote:
Yes I know this, but usually when someone wants to do this they want it for others too not just themselves. That's how it makes it more secure, and we can know who is downloading by their username. The 50GB/day limit also prevents excessive leeching, as nobody should need more than that on a daily basis.
Well, what I'm really talking about is leaking the FTP details across to other people, and not hacking the FTP for themselves alone.

Those who are caught would get a ban. It's easy to catch also, since the account is assigned per user.

_________________
Intel i3 330M @2.13GHz/Intel HM55/8192MB DDR3 1066MHz/AMD HD 5650M/Hitachi 750GB SATA II 5400 rpm


Last edited by PlyrStar93 on Thu Apr 12, 2012 4:38 pm, edited 1 time in total.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 4:38 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
It wouldn't happen, since they'd need to IP lock. Whoever owns the account could IP lock back to themselves at any time and they would get disconnected from the FTP. That's why with the new system it's not feasible.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 4:41 pm
1337 Beta Collector

Joined
Tue Dec 15, 2009 8:56 pm

Posts
2307

Location
England, UK

Favourite OS
NeXTSTEP 5.1/Windows NT
And the attacker can change the account password. This is why secure passwords are recommended.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 4:48 pm
1337 Beta Collector

Joined
Thu Nov 29, 2007 11:33 pm

Posts
3057

Location
Where do you want to go today?

Favourite OS
All Microsoft operating systems!
Actually, with this "account", I'm talking about an account that is created with the sole intention of giving the FTP access to other people (e.g., there are indeed the necessary contributing posts made to gain access to the FTP itself, but the whole scenario is staged so that the user account will be handed over to other people).

I'm not necessarily talking about hacking down on other people's accounts, but I'm also talking about the idea that someone could still create such an account just for handing it over to other people, and then allow anyone to IP lock to themselves (basically like a party line). In that case, the user didn't actually want to create any posts here at all, they would have just done it to gain access to the FTP server themselves, just so that they could allow anyone to use their account to IP lock to themselves and leech from the FTP server.

I also don't like the idea that people can theoretically mirror the entire FTP's contents, since that in itself is equal to allowing illicit access to the FTP server itself (the whole reason as to why we're against such is due to the contents of the FTP server itself). I think that that should also be against the rules.

Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 4:51 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
Yes, this is what people used to do, but now since you can only have one user connected at a time it's not feasible. Nobody would bother doing it because they would keep getting disconnected every time someone else locked their IP to the FTP instead. And also with a 50GB/day limit on each username they wouldn't get very far. This includes mirroring too. It would take months to completely mirror the entire FTP with a 50GB/day limit.

I doubt anyone would willingly sit there making multiple accounts just to gain FTP access. It's never happened before so I doubt it ever will, it's just too much effort for people.



Top  Profile  WWW
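The single-connection IP lock, per-username accountability and 50GB/day limit discussed in the posts above lend themselves to a simple log audit for shared ("party line") accounts. The sketch below is an added example, not code from the forum or its FTP server; the log format, the thresholds and all names are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, username, action, value.
# LOCK = the account's FTP IP lock was re-pointed to this address.
# XFER = bytes downloaded in one transfer.
SAMPLE_LOG = """\
2012-04-12T15:00:00 alice LOCK 198.51.100.7
2012-04-12T15:05:00 alice XFER 4000000000
2012-04-12T16:00:00 shared LOCK 203.0.113.10
2012-04-12T16:04:00 shared LOCK 203.0.113.55
2012-04-12T16:09:00 shared LOCK 192.0.2.31
2012-04-12T16:15:00 shared LOCK 203.0.113.10
2012-04-12T16:20:00 shared XFER 30000000000
2012-04-12T18:30:00 shared XFER 25000000000
2012-04-13T09:00:00 alice LOCK 198.51.100.7
"""

DAILY_QUOTA = 50 * 10**9      # the thread's 50GB/day limit, read as decimal GB (assumption)
MAX_DISTINCT_IPS = 2          # hypothetical threshold for one account
WINDOW = timedelta(hours=1)   # hypothetical sliding window


def analyse(log_text):
    """Return (accounts with IP-lock flapping, {(user, date): bytes} over quota)."""
    locks = defaultdict(list)  # user -> [(time, ip)]
    usage = defaultdict(int)   # (user, date) -> bytes downloaded that day
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, value = line.split()
        when = datetime.fromisoformat(ts)
        if action == "LOCK":
            locks[user].append((when, value))
        elif action == "XFER":
            usage[(user, when.date().isoformat())] += int(value)

    flapping = {}
    for user, events in locks.items():
        events.sort()
        # Slide a window from each lock change and count distinct addresses in it.
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= WINDOW}
            if len(ips) > MAX_DISTINCT_IPS:
                flapping[user] = sorted(ips)
                break
    over_quota = {key: total for key, total in usage.items() if total > DAILY_QUOTA}
    return flapping, over_quota


if __name__ == "__main__":
    flapping, over_quota = analyse(SAMPLE_LOG)
    print("lock flapping:", flapping)
    print("over quota:", over_quota)
```

Because every lock change and transfer is tied to one username, an account that is being passed around shows up as rapid lock changes across unrelated addresses even when each individual session is short.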
Post subject: Re: Password requirements    Posted: Thu Apr 12, 2012 5:44 pm
Pro Beta Collector

Joined
Thu May 01, 2008 8:21 pm

Posts
521

Location
Three Rivers, MA

Favourite OS
Windows for Workgroups 3.11
On the topic of passwords...
https://xkcd.com/936/

Post subject: Re: Password requirements    Posted: Sat Apr 14, 2012 8:39 pm
1337 Beta Collector

Joined
Thu Dec 30, 2010 7:25 pm

Posts
1419
I always thought 12 characters was too much.
Thanks for this change, Andy.


Post subject: Re: Password requirements    Posted: Tue Apr 17, 2012 1:19 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
It looks like as a result of this change bots are now registering and posting spam again. Although they don't appear on the forum they're still stopped in the moderator panel causing more work for moderators. I'm guessing this has happened because the password complexity was such that these bots didn't have long enough or complex enough passwords to get past registration. If this is the case, I may consider changing it back to what it was before to prevent the spam sign ups. I know this isn't what anyone wanted to hear but spam is a huge issue and it's only now that we have been getting it again.

In the meantime I have changed the Captcha to ReCaptcha in the hopes this will help, but if it does not I will simply change the complexity back. Anyone who has changed passwords since won't need to change it but next time you do it will need to be longer. I'll let you all know the decision.

Post subject: Re: Password requirements    Posted: Sun May 20, 2012 1:53 pm
Noobus Maximus Site Moderator

Joined
Thu Nov 30, 2006 6:10 pm

Posts
2230

Location
Japan (Lol I wish...)

Favourite OS
Windows 8
If someone was so desperate to get access to the FTP they'd just sign up and post :')

_________________
Previously known as Toshua123.
BetaArchive's friendly Otaku Moderator.


Post subject: Re: Password requirements    Posted: Sun May 20, 2012 2:42 pm
1337 Beta Collector

Joined
Wed Sep 28, 2011 9:31 am

Posts
1198

Favourite OS
Windows 8 Pro MCE
Andy wrote:
Personally I don't care since my password already met those requirements by far anyway.


Would be funny if you were complaining about the rules you make. *hehe*


Post subject: Re: Password requirements    Posted: Thu Jul 19, 2012 1:32 am
Andy wrote:
Complexity requirements: Must contain letters and numbers


Thank you very much. Unfortunately, the requirement quoted above does not match what is found in the User CP:

Quote:
must contain letters in mixed case and must contain numbers.


Could you please remove the mixed case letters requirement?


Post subject: Re: Password requirements    Posted: Thu Jul 19, 2012 7:50 am
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
No since that then halves the complexity and the time it takes to brute force it.

Post subject: Re: Password requirements    Posted: Sat Jul 28, 2012 6:59 pm
Newbie Beta Collector

Joined
Fri Jun 08, 2012 8:52 pm

Posts
13
It's great that my password meets the needed requirements already.


Post subject: Re: Password requirements    Posted: Wed Aug 22, 2012 9:12 pm
Site Administrator

Joined
Fri Aug 18, 2006 11:47 am

Posts
11407

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
Andy wrote:
It looks like as a result of this change bots are now registering and posting spam again. Although they don't appear on the forum they're still stopped in the moderator panel causing more work for moderators. I'm guessing this has happened because the password complexity was such that these bots didn't have long enough or complex enough passwords to get past registration. If this is the case, I may consider changing it back to what it was before to prevent the spam sign ups. I know this isn't what anyone wanted to hear but spam is a huge issue and it's only now that we have been getting it again.

In the meantime I have changed the Captcha to ReCaptcha in the hopes this will help, but if it does not I will simply change the complexity back. Anyone who has changed passwords since won't need to change it but next time you do it will need to be longer. I'll let you all know the decision.


It seems ReCaptcha isn't doing the job on its own, so I have increased the minimum password length again to see how that goes.
