Strong Passwords and OAuth

Greetings! An update on the availability of our login options.

tl;dr

Redemption Studio requires strict standards for logins, but we now offer OAuth-compatible logins as a compromise for the user's ease of use.


As of today, three new login providers are available: Discord, Google, and Steam. If you already have an account, you can log in with your Discord, Google, or Steam account. If your Redemption Studio Forums account's email and the other login provider's email match, the logins will be associated with one another, and any of the login options can then be used to access our site.

With a background in technology and servers, it is vitally important to me that we require strict settings for user accounts. Too often, users (especially average users) choose a weak password and reuse it across multiple services, so a single compromise turns into many compromises and quite the headache.

Setting aside viruses that steal passwords, bot scripts that attempt to guess passwords are most effective when a user's password is shorter than 14 characters. Clearly, many servers could not process that many login requests without becoming overburdened, and secondary security (such as a server's firewall) should kick in to block these bad requests.

More Security :computer:

http://www.infosecisland.com/blogview/9023-Cracking-14-Character-Complex-Passwords-in-5-Seconds.html
https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/

So why allow third-party services, which are not nearly as strict in their requirements, to log in to the Forums?

As an alternative means of accessing the server, I would rather a third-party service handle users who want a weak password and deal with any subsequent compromises. Since we require a long password before someone can log in with us directly, another provider that doesn't would need to be compromised first, rather than our own databases. These alternative providers are a compromise (not in the security sense; pun unintended) for ease of access and use while attempting to maintain security standards.

That being said, I strongly recommend passwords with a minimum length of 16 characters, and making them as long as possible. The best way to do this is to create random passwords of tremendous length. An easy way to manage these long passwords is a password manager. (I personally recommend KeePassX. While KeePassX doesn't sync to the cloud itself, you can place its database in Nextcloud, Dropbox, Google Drive, or another cloud storage solution. Remember that if it is in the cloud, others could potentially access your password database. A note of caution: your password database is only as good as the password protecting it; a strong master password protects the keys stored within the database.) KeePassX can generate passwords for you which meet various criteria (types of characters, number of characters, etc.), so you don't have to worry about creating a unique 100-character (read "long") password every time you need a new account. The manager stores the password (remember to save the database after adding or changing a key) and you simply copy/pasta (copy and paste) the entry into the login form or account creation form.
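As an added illustration of the advice above (not code from the Forums or from KeePassX), the following Python builds random passwords of a chosen length and character mix using the OS CSPRNG, checks them against the 16-character minimum, and estimates how much extra brute-force work each additional character buys. The character classes and the guess rate used for comparison are constructed assumptions.

```python
import math
import secrets
import string

# Character classes the generator can draw from, mirroring the criteria the
# post mentions (types of characters, number of characters). Constructed set.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")
MIN_LENGTH = 16  # the minimum the post recommends

def alphabet_for(classes=ALL_CLASSES) -> str:
    """Concatenate the requested character classes into one alphabet."""
    return "".join(CLASSES[c] for c in classes)

def generate_password(length: int = 32, classes=ALL_CLASSES) -> str:
    """Random password from the OS CSPRNG (secrets, never random.random()),
    guaranteed to contain at least one character from every requested class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = alphabet_for(classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the guaranteed characters land at random positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def meets_policy(password: str) -> bool:
    """The forum-style rule: reject anything shorter than MIN_LENGTH characters."""
    return len(password) >= MIN_LENGTH

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every password of the given entropy at one guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    size = len(alphabet_for())
    # Assumed guess rate of 1e12/s, chosen only to compare 14, 16 and 32 characters.
    for n in (14, 16, 32):
        print(n, round(entropy_bits(n, size), 1), years_to_exhaust(entropy_bits(n, size), 1e12))
    print(generate_password(32), meets_policy(generate_password(32)))
```

Each extra character from a 94-symbol alphabet adds about 6.6 bits, so going from 14 to 16 characters multiplies the worst-case guessing work by roughly 8,800.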

So, please feel free to link your accounts and join the community!