> must contain letters in mixed case, must contain numbers and must contain symbols
Please don't do this. Have a minimum length, but don't force me to miss it up. My password manager shouldn't have to try multiple times to generate matching passphrase.
I've sent feedback to a couple dozen sites over this. Most were government website (internal military sites are the worst) but when various financial institutions started updating their policies they forcing this silliness.
When they don't allow spaces in passwords either, I worry.
Keep in mind, there are situations where the website you're using is interfacing to backend systems that have constraints that can't easily be changed (colloquially known as "legacy systems"). Feedback is good, but change takes time.
Has anyone got direct, first hand experience with such a thing? I'm wondering if it's become urban legend.
I've inherited several ancient code bases where everyone knew silly password rules were a legacy requirement. And ultimately after a lot of digging, every time they were a "legacy limitation" because the original project manager called for it, and could easily be removed by commenting out one check. Which was never allowed to happen, because it was a "constraint that couldn't be changed".
I do accept there are databases with eight character fields for maximums, but beyond that, I'm interested in any genuine experience.
Passwords should be hashed client-side anyway, so the real issue there is how to encode the password hash in a way that satisfies the legacy system. But this is usually plausible, e.g. by base64 or hex encoding the hash to avoid disallowed characters and then appending specific characters that satisfy the set of required characters.
> This just makes the password the hash of the user's passphrase.
There are some other advantages that others have already mentioned, but even if that was all it did it would still be useful in inhibiting an attacker from learning the actual passphrase which many users are likely to have reused on other services.
It would also be useful in finding hash collisions which would give an attacker access to a user's account without needing the actual password, which is made easier with the ability to study the client-side code doing the hashing, and taking note of the algorithm and methods used.
Sending a password in plaintext over HTTPS is more secure than hashing it in javascript first and sending the hash.
You don’t need to hash a password over the client so long as it’s sent over an encrypted network. The goal of submitting a password is that it’s not sent in open plaintext. Otherwise even if you hash it on the client, the plaintext hash can still be intercepted and used, exactly as-is, as the plaintext password.
You can if you don't want the authenticating side to actually know the plain text.
e.g. password + client_salt => hash => send to server => (hash+server_salt)^hash2 => compare to db
By doing this you'd protect a user when their password might be accidentally logged (e.g. Twitter recently). Then if you compromise the hash you don't immediately reveal the password itself, just the text needed to authenticate, which can be changed. If you simply change the salt used client side you may not even need to have the user change their password (although obviously better if they did).
That said, I don't think this is required, but there is actually a case for it. Also obviously you should never log the password, but mistakes are made. This helps mitigate the risk of that password being exposed.
Nothing should be doing this. Insecure legacy systems that wrongfully expect to see the plaintext of the user's password should be replaced with properly functioning ones. But just because they haven't been yet is no excuse to actually give them the plaintext of the user's password.
Along the same lines though is OPAQUE PAKE, where the server doesn't need to store a password hash, only a salt, making server compromise far less dangerous, it's quite elegant.
Yeah this is annoying. Simply consider a^b, what makes that expression grow faster, increasing a, or increasing b? b is better mathematically and for mental overhead.
The derivative with respect to b is: log(a)(a^b) or (a log(a))(a^(b-1)).
So it's better to increase b when alog(a) > b. Which is typically the case where a is 26 for lowercased letters and b is like 10 for password length.
This analysis might not be totally correct since the cost of adding one extra allowed character vs increasing password length by one is not the same but w/e.
I couldn’t imagine releasing a forum for the hn community that wasn’t also a neat software project. Using phpbb seems like the antithesis of something this community would appreciate, other than perhaps for the practicality of choosing something common.
That was kinda the point of this whole thing though. This wasn't a software project for me, this was a community project. I have no interest in developing a forum, but I do have interest in participating in one.
From what I can tell so far, what we setup seems to be working fine. If we hit a wall, I'll search out the next most practical option.
That makes sense as administrating a forum takes a significant investment of time, and you don’t necessarily have enough time to run a forum and also develop the software. However, if it became popular, I would expect some of us would want to hack on the software... but who would want to work on a phpbb theme? I’d pretty much rather be using a Google + group.
I've seen enough custom forums appear here only to die out to know that building the software and building a community are two completely different things and that one shouldn't expect that they will come if you build it.
I can see the temptation to want to hack around on it because it's a forum for hackers, but it's not as if HN is taking pull requests either.
I spun up an instance of phpBB (trying to keep costs down) and customized a ThemeForest theme to make it not ugly. I'll post a thread today that lists all of my notes from the setup process of the site for anyone interested.
I'm a huge fan of the bulletin board/flat forum model of communication, so I'm hoping this site can blossom into a community of high quality folks having high quality conversations.
EDIT: Also, this is my first foray into setting up and using phpBB, so please let me know if I need to adjust anything. I tried to keep most settings at the default because I assumed that made more sense than me tickering, but I'm all ears if things are weird.
I am thinking of starting a forum myself. How did you go about selecting phpBB of all options? I have mostly looked at nodeBB but have not taken any practical steps yet.
I would love to be corrected in this, (and in fact I'm prototyping a NodeJS+NuxtJS+VueJS forum on the weekends, but don't expect a release this year) but I think you're better off sticking with the PHP variety of forums. I think that's where maturity, stability, and extensions ecosystem shine.
Good luck. I definitely think personal webpages and self-hosted forums need to make a comeback.
However...
Your FAQ link leads to a 404 page, and the "legalese" on the registration page seems like a bit much to me. And why should I need to be registered to see the "team" page and profiles?
It's just a web forum, don't take things so seriously. You're an admin, you can literally just ban people for acting up, you don't have to expect to back it up in a court of law or anything.
I like this idea because HN mods (reasonably) discourage certain types of discussions as off-topic. But I'm actually interested to know what HNers think about various topics that may be deemed off-topic by mods. Looking forward to joining your community!
I agree, particularly when it comes to political discourse. HN is one of the most intelligent places on the internet and I think it'd be very enlightening to hear what such great minds have to say about political topics.
Thank you! I'm not quite sure how we'll deal with off topic stuff, I personally think it's fine as long as it's in an official off topic/general area. We'll see how it goes!
I see a lot of the members are appreciative of this. This venture may or may not take off, but I have to ask this: Why do we need another forum that will potentially split the community?
This is 'hacker' news after all. Can't this website release its forum software so that a bunch of interested volunteers (no me) could improve it? Wouldn't that be really meta and cool?
The main gripe I have with HN forum is lack of reply notification. Secondly, the crowd tends to overdo the hacker-nerd-geek thing by discussing unrelated minutae till the cows come home which inflates the comment count. This sort of discourages posters to post their POV fearing it will be buried amidst the 500+ comments. We have a visibility problem.
We just need a few tweaks.
Further, looking at all the passionate discussion about AI and ML that happens here, I am sure some of the regulars would like to implement a scheme that learns my 'collapse the chaff' pattern and spare me the gory boredom inside a thread.
(I think what I wrote might come across as snarky, but I assure you I am not being so.)
You are right... HN is starting to have a visibility issue. But I can't see how it can be fixed. All successful online communities have to deal with this aspect eventually. They all become too popular at one point and it's hard to maintain the quality.
Its actually quite simple - push the thread with the latest comments to the top. But in order to stop such threads from hogging the front page, there can be another tab for 'active' threads that people can visit to check out latest discussions. The current front page remains unchanged, with whatever algorithm that's used to order the threads.
This is a good idea, and I'd be very interested to see if they ever added that, as it would essentially solve the long running conversation problem that exists on HN now.
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions_messenger.php on line 506: count(): Parameter must be an array or an object that implements Countable
That is happening because you are running PHP 7.2. In that file $this->extra_headers is initialized as non-countable NULL. Basically phpBB needs to update their code base to support newer versions of PHP. A quick fix would be to change "var ... $extra_headers" at the top of the file to "protected $extra_headers = [];".
It's probably a safe assumption that they use a similar style elsewhere though, so probably better to just change PHP version rather than edit the source files?
I could be wrong, (I'm a Python guy - not PHP), just seems a safe assumption that it's likely not the only spot.
Nice idea. The biggest hurdle with starting a community site is getting the initial users and maintaining a level of activity that keeps bringing back users to the site. If activity slows down a little, you will find that traffic decreases proportionally. How do you plan to solve the chicken and egg problem? After the initial launch, what's the plan to get your site in front of potential users?
I am working on a somewhat related idea : a site like reddit, but which also has a chat room for each subreddit/topic + public moderation logs among other features. I launched with only the chat rooms part of it and I faced the issues mentioned above, so I'm interested in hearing about your approach. Good luck!
2) I'm going to write up a fairly detailed thread later today that explains in more detail the Why of setting up the site, and the How I did it (literal technical details for those interested). I'll post that here and on Reddit and a few other places to hopefully get some exposure. Cool kids call that "traffic leaking" where you get valuable content in front of active communities, so might drive some traffic.
3) I'm debating setting up a contest of sorts, where members can earn a special badge/title by actively participating in the forum. So for example, start 10 threads and post 25 replies in threads and earn a special badge on your account for eternity. Silly, sure, but could be a simple fire starter.
But yeah, overall, it's a challenging thing to do, and I've failed at it a few times over the years in trying to start forums. I still really love them though, so I wanted to try it again.
The way to solve the chicken and egg problem is through paid posters. If you hire an initial group of people to post content and reply to new users eventually visitors who come on board will see the buzz and participate. Then you can phase out paid posters when you no longer need them. Pretty easy.
Well, there are quite a few ways you can solve this issue. Namely:
1. Fake it, like on Reddit. Setup a bunch of fake users and create a ton of topics until activity really kicks in.
2. Do exchanges and deals on forum promotion and community management sites. For example, you can ask the people on Forum Promotion for exchanges, where you do five posts on their site in exchange for five posts on yours or what not.
I agree, getting that initial user base is always tricky. After that, things kinda perpetually keep themselves going.
Especially when you're likely talking about interesting topics / questions people google for. It seems in recent years that going has favored articles over forum topics in their results, but I'm sure there's still plenty of search traffic that goes to forums to bring in new users.
I've already registered. I'm super hopeful that this grows into a real forum community for extended discussions. I, like many other posters in the inspiration thread, used to have a number of forums I frequented which mostly died off between the rise of Facebook and Reddit. I'm a fan of the conversation format, and I hope enough others are as well (:
Well, I just signed up. Not sure if I'll be active here, but I always like to support forums over social media sites and other corporate silos.
That said, if I can give you a bit of advice:
Change that captcha on the registration page. It's really annoying to decipher, and likely doesn't do all that much to stop bots.
Instead, get a few questions and answers set up, and make them forum specific. Like, what startup aggregator is Hacker News associated with? What's FANG mean? What language are the frameworks React, Vue and Angular written in?
In other words, stuff a dedicated community member would know/could easily look up, but which a bot might not want to bother with.
That's much better to stop spam, and less annoying than figuring out what letters and numbers are in a captcha.
Thanks for signing up and thanks for the feedback! I agree that that captcha sucks, but it's the default so I left it for now. I'll add all this to my todo list!
I have a different problem in that the captcha will not get validated for me! I tried registering, but it seems that no matter how many times I try the captcha code shwos invalid. I'm not a bot, I swear! :)
Hmm, that is certainly possible. Hopefully instead it can just be folks who are looking for a different type of interaction that a flat forum provides over something like this site.
Another major upside to forums is the ability to easily directly connect to folks. I've made many friends that way over the years in various forums, and business partners.
I really miss a way to connect with other interesting people from HN. I'm afraid that a simple forum won't work, though, because of (social) scalability: there are good reasons why HN practically bans all banter, light exchanges, or turf wars that usually come to dominate popular subreddits and similar places.
As a matter of fact, I'm thinking about a possible solution focused on allowing remote hackers to at least do professional networking. It could become a real project; anybody interested, feel free to contact me (email in my profile).
With this said, I hope I'm wrong, so I'll subscribe and wish best of luck to this new forum :)
Regarding this: "It could become a real project; anybody interested, feel free to contact me (email in my profile)." Start a Show HF thread on the board!
No clue! Ultimately it's completely unrealistic to expect to siphon off users from anywhere, instead we should have this as a complementary community I guess.
Just a heads up, using an external password manager on Firefox for the login screen is broken. It seems that if the username or password field is selected and then Firefox is unfocused and refocused, the field is no longer selected. Works in Chromium.
Excellent initiative. However, I wish you had adopted some more compact and minimalistic system like https://www.simplemachines.org/ (also FOSS). I think the compactness is a big reason of the success of Reddit and HN with the tech crowd. UX people be damned, we don't like wasted space.
Thanks for the feedback. I briefly looked at smf but it didn’t seem as well supported as phpbb was (though it did look nice). Any specific examples of wasted space you think I should address?
UX nitpick: The form entry links (lounge, etc) have hover states for the entire row, implying they're clickable, but in reality only the name within the row is clickable. Best to make the whole row clickable for maximum ease.
Nice job. I've actually been looking for more places to hang out with the HN crowd.
I'm not sure about this approach though. Forums are too centralized and don't feel interactive enough. I'd much rather see a HN community on Matrix or something similar.
That was actually part of the point of using an "old school" software package for this. I totally understand that there are newer/arguably "better" ways to handle online conversation, but some of us grew up on forums like this so the nostalgia is just right.
Don't you think many HN posters will object to using a chat service with a fishy as-of-yet probably-not-profitable business model and a big ol' database of all the messages sent? Discord is a great service for now, but it's unclear to me what their plans are in terms of monetization and user privacy.
I don't think HN users will actually object using this service. Although I dont understand why would you call it FISHY - because what's there on Discord that's not anywhere else on Google :) or Alexa ;)
About Monetization Here you go : https://goo.gl/Af7xwR
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions_messenger.php on line 506: count(): Parameter must be an array or an object that implements Countable
'comp.misc' exists on USENet and has done since the dawn of time. It's fairly spam free these days, and a few dedicated people post stuff to it. It's in a perfect place to be used again and turned into a meaningful discussion hub.
I'm honestly not the biggest fan of discourse, though I do appreciate it as a project. I like the old school BB style.
One opportunity we have as a forum is to create continuity between the trending conversations and more "long term" discussions that are difficult to have on a platform that is churning out new content constantly and lacks notifications about replies etc
Please don't do this. Have a minimum length, but don't force me to miss it up. My password manager shouldn't have to try multiple times to generate matching passphrase.
When they don't allow spaces in passwords either, I worry.
I've inherited several ancient code bases where everyone knew silly password rules were a legacy requirement. And ultimately after a lot of digging, every time they were a "legacy limitation" because the original project manager called for it, and could easily be removed by commenting out one check. Which was never allowed to happen, because it was a "constraint that couldn't be changed".
I do accept there are databases with eight character fields for maximums, but beyond that, I'm interested in any genuine experience.
There are some other advantages that others have already mentioned, but even if that was all it did it would still be useful in inhibiting an attacker from learning the actual passphrase which many users are likely to have reused on other services.
Sending a password in plaintext over HTTPS is more secure than hashing it in javascript first and sending the hash.
If it's practical to find a hash collision, your hash algorithm is broken.
> which is made easier with the ability to study the client-side code doing the hashing, and taking note of the algorithm and methods used.
The security of a system should not depend at all on that information being secret.
e.g. password + client_salt => hash => send to server => (hash+server_salt)^hash2 => compare to db
By doing this you'd protect a user when their password might be accidentally logged (e.g. Twitter recently). Then if you compromise the hash you don't immediately reveal the password itself, just the text needed to authenticate, which can be changed. If you simply change the salt used client side you may not even need to have the user change their password (although obviously better if they did).
That said, I don't think this is required, but there is actually a case for it. Also obviously you should never log the password, but mistakes are made. This helps mitigate the risk of that password being exposed.
Along the same lines though is OPAQUE PAKE, where the server doesn't need to store a password hash, only a salt, making server compromise far less dangerous, it's quite elegant.
There's no implementations so far I believe.
https://eprint.iacr.org/2018/163
EDIT: Changed this to just have a minimum length restriction. Thanks for the feedback!
Please, disable cookies for HackerForums.co too.
The derivative with respect to a is: b(a^(b-1)).
The derivative with respect to b is: log(a)(a^b) or (a log(a))(a^(b-1)).
So it's better to increase b when alog(a) > b. Which is typically the case where a is 26 for lowercased letters and b is like 10 for password length.
This analysis might not be totally correct since the cost of adding one extra allowed character vs increasing password length by one is not the same but w/e.
They didn't, they just chose off the shelf PHP forum software written by idiots that does this and a million other stupid things.
From what I can tell so far, what we setup seems to be working fine. If we hit a wall, I'll search out the next most practical option.
I can see the temptation to want to hack around on it because it's a forum for hackers, but it's not as if HN is taking pull requests either.
I mistook this for being about usernames at this hacker forum
(Specifically this part of the thread: https://news.ycombinator.com/item?id=17071224)
I spun up an instance of phpBB (trying to keep costs down) and customized a ThemeForest theme to make it not ugly. I'll post a thread today that lists all of my notes from the setup process of the site for anyone interested.
I'm a huge fan of the bulletin board/flat forum model of communication, so I'm hoping this site can blossom into a community of high quality folks having high quality conversations.
EDIT: Also, this is my first foray into setting up and using phpBB, so please let me know if I need to adjust anything. I tried to keep most settings at the default because I assumed that made more sense than me tickering, but I'm all ears if things are weird.
Overall though, nodeBB looks really nice, so go for it!
I would love to be corrected in this, (and in fact I'm prototyping a NodeJS+NuxtJS+VueJS forum on the weekends, but don't expect a release this year) but I think you're better off sticking with the PHP variety of forums. I think that's where maturity, stability, and extensions ecosystem shine.
However...
Your FAQ link leads to a 404 page, and the "legalese" on the registration page seems like a bit much to me. And why should I need to be registered to see the "team" page and profiles?
It's just a web forum, don't take things so seriously. You're an admin, you can literally just ban people for acting up, you don't have to expect to back it up in a court of law or anything.
All of those items are in my todo list now!
This is 'hacker' news after all. Can't this website release its forum software so that a bunch of interested volunteers (no me) could improve it? Wouldn't that be really meta and cool?
The main gripe I have with HN forum is lack of reply notification. Secondly, the crowd tends to overdo the hacker-nerd-geek thing by discussing unrelated minutae till the cows come home which inflates the comment count. This sort of discourages posters to post their POV fearing it will be buried amidst the 500+ comments. We have a visibility problem.
We just need a few tweaks.
Further, looking at all the passionate discussion about AI and ML that happens here, I am sure some of the regulars would like to implement a scheme that learns my 'collapse the chaff' pattern and spare me the gory boredom inside a thread.
(I think what I wrote might come across as snarky, but I assure you I am not being so.)
I can't see how it can be fixed.
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions_messenger.php on line 506: count(): Parameter must be an array or an object that implements Countable
Probably best to turn off debugging statements.
Just so I'm clear, this happened immediately after registering? Or did you do anything else that triggered this?
I could be wrong, (I'm a Python guy - not PHP), just seems a safe assumption that it's likely not the only spot.
NO.
It's better to improve the code than roll back to an older and less secure version of the language.
This is PHP we're talking about, after all.
Put up or shutup.
I am working on a somewhat related idea : a site like reddit, but which also has a chat room for each subreddit/topic + public moderation logs among other features. I launched with only the chat rooms part of it and I faced the issues mentioned above, so I'm interested in hearing about your approach. Good luck!
Totally agreed that forums (and communities in general) have the cold start problem, and there's no real good solution for it.
I do have some ideas though.
1) I'm interested in whipping up a simple phpBB mod that enables Link posts (like here on HN). That will help with the News posting aspect of the community. Thread here: https://hackerforums.co/the-lounge-f3/idea-extension-for-php...
2) I'm going to write up a fairly detailed thread later today that explains in more detail the Why of setting up the site, and the How I did it (literal technical details for those interested). I'll post that here and on Reddit and a few other places to hopefully get some exposure. Cool kids call that "traffic leaking" where you get valuable content in front of active communities, so might drive some traffic.
3) I'm debating setting up a contest of sorts, where members can earn a special badge/title by actively participating in the forum. So for example, start 10 threads and post 25 replies in threads and earn a special badge on your account for eternity. Silly, sure, but could be a simple fire starter.
But yeah, overall, it's a challenging thing to do, and I've failed at it a few times over the years in trying to start forums. I still really love them though, so I wanted to try it again.
BTW: Post your project here! :) https://hackerforums.co/show-hf-f7/
1. Fake it, like on Reddit. Setup a bunch of fake users and create a ton of topics until activity really kicks in.
2. Do exchanges and deals on forum promotion and community management sites. For example, you can ask the people on Forum Promotion for exchanges, where you do five posts on their site in exchange for five posts on yours or what not.
3. Pay some sort of service for content.
One or more of those could work for this site.
Especially when you're likely talking about interesting topics / questions people google for. It seems in recent years that going has favored articles over forum topics in their results, but I'm sure there's still plenty of search traffic that goes to forums to bring in new users.
That said, if I can give you a bit of advice:
Change that captcha on the registration page. It's really annoying to decipher, and likely doesn't do all that much to stop bots.
Instead, get a few questions and answers set up, and make them forum specific. Like, what startup aggregator is Hacker News associated with? What's FANG mean? What language are the frameworks React, Vue and Angular written in?
In other words, stuff a dedicated community member would know/could easily look up, but which a bot might not want to bother with.
That's much better to stop spam, and less annoying than figuring out what letters and numbers are in a captcha.
Still, hope the forum works out well!
E.g., "Can you believe this trash got on the front page!" everyone proceeds to downvote or "hey my show hn is up!" everyone upvotes.
Worth a shot at least.
Another major upside to forums is the ability to easily directly connect to folks. I've made many friends that way over the years in various forums, and business partners.
As a matter of fact, I'm thinking about a possible solution focused on allowing remote hackers to at least do professional networking. It could become a real project; anybody interested, feel free to contact me (email in my profile).
With this said, I hope I'm wrong, so I'll subscribe and wish best of luck to this new forum :)
Regarding this: "It could become a real project; anybody interested, feel free to contact me (email in my profile)." Start a Show HF thread on the board!
I will - when I'll have something to show :)
I think that we need a forum with the good hierarchical overview of the good, old usenet clients (but with updated UI, of course).
See: https://github.com/webcompat/web-bugs/issues/16938
Discord seems to be a chat app, which is quite different than a forum and even HN itself
https://www.discourse.org/about (FWIW)
https://hackerforums.co/help/faq
I've been keep track of HN related things people have built and added this also
https://github.com/keithn/HackerNewsCommunity
also +1 to shaving that banner height by 50%
but good on you for shipping a thing
I'm not sure about this approach though. Forums are too centralized and don't feel interactive enough. I'd much rather see a HN community on Matrix or something similar.
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions_messenger.php on line 506: count(): Parameter must be an array or an object that implements Countable
Topics shouldn't be the same as those found on hackernews, those would be redundant though.
I would suggest using discourse.org instead of rolling your own phpBB instance
I'm honestly not the biggest fan of discourse, though I do appreciate it as a project. I like the old school BB style.
One opportunity we have as a forum is to create continuity between the trending conversations and more "long term" discussions that are difficult to have on a platform that is churning out new content constantly and lacks notifications about replies etc