Is your Password Safe?
|
Ciaran Laval
Mostly Harmless
Join date: 11 Mar 2007
Posts: 7,951
|
01-17-2009 03:02
From: SuezanneC Baskerville
I'm supposed to remember a unique string like "s8Xam8aQzaq91" for each of these accounts, not written down anywhere?

It really depends upon how important the password is, what people could do if they guessed your password. There are ways and means of doing it that make it less taxing on the memory.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
01-17-2009 03:20
From: SuezanneC Baskerville
I would never be able to remember my passwords if I tried to follow rules like these.

You have to have SOME place you haven't tattooed them yet.
|
Eata Kitty
Registered User
Join date: 21 Jan 2005
Posts: 387
|
01-17-2009 18:15
With thousands of people moving thousands to tens of thousands of dollars every month (according to the economic stats page) I think LL should really offer RSA SecurID tokens, or similar. Thousands of dollars in credit/lindens really deserves a bit more security.
There would be costs but a fee for tokens should help and it also saves money for LL when anything is prevented.
|
Craig Altman
Second Life Resident
Join date: 11 Nov 2004
Posts: 131
|
01-18-2009 01:52
OK how about this:
I've opened tickets on this before: your JIRA will not accept complex passwords. If you make a very secure complex SL password containing characters like %^&*(), letters and numbers, caps and lower case etc., that password WILL work for logging into SL and accessing your account page; it will not, however, be accepted to log into the JIRA.
Thus if you want to use the JIRA you have to change your main SL password to something insecure like "fred" to get into it.
If you want people to make secure passwords, all facets of the SL site should be made to accept these complex passwords.
|
Atashi Toshihiko
Frequently Befuddled
Join date: 7 Dec 2006
Posts: 1,423
|
01-18-2009 07:02
From: Argent Stonecutter
SL security would be better, also, if you separated the account and avatar names... so for example instead of logging in as "Argent Stonecutter", I'd log in as "Argent007" or something that isn't actually published... and then picked my "Argent Stonecutter" alt from a pulldown.
* Something else for attackers to have to guess.
* Better account management.
* Fewer name-password combinations for users to remember.

I've seen suggestions along these lines numerous times since I joined SL and I can't understand why LL doesn't go this way. Right now, if someone wants to attack my account they already know 2/3 of the required info... first name and last name. If we had a separate login id that was unrelated to our avatar names, then potential attackers would know nothing at all.

Being able to group avatars under a single logon id & password would be an extra bonus, but just for a start it would be nice to have our logon credentials separated from our inworld names.

LL could implement this without having to force people to resubscribe or whatever, just behind-the-scenes add another field to the database, populate it with firstname + lastname, and then make it an option on the account page of the website to change your login id. Phase it in over time. Grouping alts under one RL account can be a separate issue tackled later.

IMHO this would be a great step along the way to improved security. As has already been mentioned, for some folks we're talking about real money in the thousands of $, it's not enough to just make a feelgood post now and then to remind people about secure passwords, when there's a lot more that can be done on the service-provider's side to improve security.

-Atashi
_____________________
Visit Atashi's Art and Oddities Store and the Waikiti Motor Works at beautiful Waikiti.
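Added example (not part of the thread, and not Linden Lab's code): the phased migration described in the post above, sketched in Python with SQLite. The table layout, function names and PBKDF2 settings are assumptions made for the illustration.

```python
import hashlib, hmac, os, sqlite3

def _kdf(password, salt):
    # PBKDF2 parameters are illustrative assumptions, not a known LL setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Hypothetical pre-migration schema: the avatar name is the login name.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, first TEXT,"
               " last TEXT, salt BLOB, pw BLOB)")
    return db

def add_account(db, first, last, password):
    salt = os.urandom(16)
    cur = db.execute("INSERT INTO accounts (first, last, salt, pw)"
                     " VALUES (?,?,?,?)", (first, last, salt, _kdf(password, salt)))
    return cur.lastrowid

def migrate(db):
    # Behind the scenes: add the field and populate it with firstname +
    # lastname, so every existing login keeps working until the owner opts in.
    db.execute("ALTER TABLE accounts ADD COLUMN login_id TEXT")
    db.execute("UPDATE accounts SET login_id = lower(first || ' ' || last)")
    db.execute("CREATE UNIQUE INDEX accounts_login_id ON accounts(login_id)")

def change_login_id(db, account_id, new_id):
    # Account-page option: choose an id that is not published in-world.
    try:
        db.execute("UPDATE accounts SET login_id = ? WHERE id = ?",
                   (new_id.lower(), account_id))
        return True
    except sqlite3.IntegrityError:
        return False  # id already used by another account

def login(db, login_id, password):
    # Lookup is by login_id only; once changed, the avatar name stops
    # being half of the credential.
    row = db.execute("SELECT first, last, salt, pw FROM accounts"
                     " WHERE login_id = ?", (login_id.lower(),)).fetchone()
    if row is None:
        _kdf(password, b"\0" * 16)  # do the same work for unknown ids
        return None
    first, last, salt, pw = row
    if hmac.compare_digest(_kdf(password, salt), pw):
        return f"{first} {last}"
    return None
```

Unknown ids and wrong passwords both return `None`, so the login form does not confirm whether a guessed login id exists.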
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
01-18-2009 10:50
Good thoughts on implementation. I used them in http://jira.secondlife.com/browse/MISC-2222 ... I hope you don't mind.
|
Anny Helsinki
Registered User
Join date: 23 May 2008
Posts: 50
|
01-18-2009 14:10
Who needs a secure password when LL stops working each Sunday? How complicated can it be to have a working system on Sundays too? There was a big concert for Obama, I would like to share inworld with my friends from all over the world. It's a software, not a secret. Please, give us back the Wednesdays, maybe on Mondays, because u aren't able to work out ure own failures u build in before the weekend or an update. Greetings america, america.. lol
You can listen to some of the best musicians at http://teal.neostreams.info:12902
_____________________
http://www.youtube.com/watch?v=OM0g-7sZeSo
|
Loki Ball
Registered User
Join date: 9 Oct 2006
Posts: 85
|
Compatibility on other SL sites with passwords
01-18-2009 16:10
I found that having a secure password for the main Second Life site didn't jive with the jira site. So in order to log into the jira I had to change my passwords in their secure forms. They were originally upper case, lower case, and mixes of numerics and symbols. Unfortunately due to a difference in the way the sites handle passwords the jira will not accept those types. So in order to ever log into the jira you need to change your password. At least I did anyway.
I did a variety of comparisons in the amount of security my passwords claimed to have on various sites and their password securities. I found my original passwords were at the top at a level 5. When I was done making them so they'd work on the jira they were about a 3. I really wish they'd change that.
|
Anny Helsinki
Registered User
Join date: 23 May 2008
Posts: 50
|
01-18-2009 17:16
And why is the login screen still online?
Sundays aren't your days right, .....man man ......
_____________________
http://www.youtube.com/watch?v=OM0g-7sZeSo
|
Pol McLaglen
Registered User
Join date: 15 Feb 2007
Posts: 12
|
01-21-2009 23:30
Try and learn a really ancient obscure written language then pick the rarest used (long) word from that language and THEN turn it into 13375p34k.
Considering that I sat seminary I have Hebrew, Aramaic and Greek under my belt. So I am sorted at least....
|
Riko Jarman
Registered User
Join date: 2 Nov 2007
Posts: 68
|
01-22-2009 09:37
Since SL is in essence a financial transaction system I think LL should place more controls around passwords.
Some controls needed are: password expiration, enforcement of strong passwords (for example, must contain at least 3 numerics and at least 3 alpha characters) and account lockout after too many wrong password attempts. There are a lot of ways to make the last one work without calls to support, such as using the secret question/answer pair to validate the user then e-mailing an expired new password to the user.
|
Libertine Freund
Registered User
Join date: 24 Jan 2007
Posts: 1
|
Not too long
01-25-2009 04:33
I agree with Loki Ball's comment about the differences in handling passwords between Second Life and Jira. In my case my SL password was too long for Jira. After I shortened it, I could log in to Jira again. So perhaps add an extra tip to the password article: "Don't make them too long", till you solve this problem.
|