Some of you may remember me from such annoying diaries as July is Reset Your Password Month on Daily Kos. Some may have hoped that it didn’t mean you. Alas.
Starting today, when you log in to the site, if your password was set before early July, you’ll be asked to change it. People who are used to simply being logged in will find themselves logged out at some time in the next few days.
If you are logged in, and don’t know your current password, you will be able to reset it by email IF AND ONLY IF the email address on your account is accessible to you now. Take a moment now to review the following instructions to check your current email address and attempt a password reset.
The profile page itself has no “Forgot Password” link; for the email reset you’ll use the one on the login screen. First, check the email address on your account:
- Go to your user profile page (from the pulldown menu upper right). Click “edit profile” near the top.
- If you can’t find it that way, or are on a phone, the “edit profile” link is of the form dailykos.com/user/(username)/edit. (You can also get to your user profile page by clicking on your linked username, for example in a comment.)
- View and if necessary update your email address. Scroll to the bottom and click “Save”.
- Your email should now be up to date. BUT, to make sure, open a private/incognito window, or a different browser from your normal logged-in one, BEFORE logging out of your current session on the site.
- Go to the DK home page on this alternate browser, where you will not be logged in, and click “log in”. When you get that screen, click “Forgot your password?”
- Enter your email address, the one that should now be attached to your account, in the box that will be displayed.
- Open your email in that same alternate browser window, NOT in the window where you are logged in already to Daily Kos.
- Check your email. There should be a message from us, donotreply@dailykos.com, with a button for resetting the password. Click it.
- Enter your new password twice.
Your password is now reset, and you’ll want to go and log in on any of your regular devices while you still know it.
If you’re still having trouble, please hit us up at the helpdesk, which has a link at the top of the page.
Why would we do such a thing? The text below is from the original diary.
The world continues to advance in its weird ways to break into your privacy and infringe on your data. In light of this, we are upgrading our password security on accounts, and this means it’s time for y’all to pick a new one.
The old rules, in a kinder time, allowed for very short passwords. We upgraded the rules to a 6-character minimum for new passwords several years ago, but old passwords could still be short and still work. As we’ve assessed the world around us, this is no longer okay with us.
The new rules force a minimum of 8 characters, per the latest best practices from NIST. We’re not going to force weird numbers and characters on you — for roughly the reasons the XKCD cartoon suggests. They could add entropy, but they also make passwords hard for humans to remember, which encourages bad practices. Instead, make your password longer in a way that makes sense to you, rather than something you can’t remember or will reuse. I suggest at least 12 characters. It’s up to you how and whether you want to use numbers and special characters.
A rule we DID add is that you can’t use a password on the list of the most common passwords, as collected from various breaches. “princess1,” “monkey,” and “passw0rd” are all right out, as is your username, or “dailykos”. Live a little. Go with “PrincessMonkey28forgottodoslospasswords” — but say it in your own unique way, please.
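The rules above (8-character minimum, nothing on the common-password list, not your username, not “dailykos”), written out as an added example; this is not Daily Kos code, and the common-password list here is a short constructed stand-in for the breach-derived list the site uses.

```python
# Added example, not Daily Kos code: a password check applying the rules the
# diary describes. COMMON_PASSWORDS is a constructed sample, not the real list.
MIN_LENGTH = 8
SITE_NAME = "dailykos"

# Constructed sample of a "most common passwords" list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "princess1", "monkey", "passw0rd",
}


def _normalize(value: str) -> str:
    # Compare case-insensitively so "Passw0rd" is still caught.
    return value.strip().lower()


def check_password(password: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    candidate = _normalize(password)
    if candidate in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if candidate == _normalize(username):
        problems.append("matches the username")
    if candidate == SITE_NAME:
        problems.append("is the site name")
    return problems


def is_acceptable(password: str, username: str) -> bool:
    return not check_password(password, username)
```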
The MOST IMPORTANT RULE you can follow, and I can’t stress this enough, is DON’T REUSE PASSWORDS. Please don’t use the password you use here on any other site. And especially, make sure that your key passwords, for banking, email, unlocking your device, etc., are all unique. One of the most classic hacking techniques is to make a free porn website with a login, save the logins in plaintext, then try the email and password combinations on other sites… often, this has allowed hackers to directly access people’s email or corporate accounts.
(Keeping track of them all is a pain, and the best advice I have for that is to use a password manager. A password manager can let you share passwords securely across your devices, and it also lets you share them securely with other people when that’s a feature you need.)
We’ve added some code that will allow us to know when a password was last reset and force a reset if you haven’t. The new password standards are in place now, and we encourage you to (a) update your email address to one that will actually reach you and (b) reset your password now, while you’re still logged in to your account. To reset your password, you will need either a working email address on your account that you can access or your current password. (Please note that even if you are getting Daily Kos emails, the email address on your Daily Kos profile may not be the same; those are wholly separate.) We expect to be in this Pretty Please mode for about a week. After that, we will tell the software to force a password update on login or when you return to the site.
To reset your password, or to update your email address, use the menu in the upper right to go to “View/Edit My Profile” and then click Edit Profile from the header on that page.
Note that when you change your password, this will log you out of all devices where you’re logged in. So, if you’ve got sessions on your computer, your phone, multiple browsers, etc., you’ll need to log in to all of them again with your new password. As before, it’s up to you to decide if you want your devices to remember who you are indefinitely or ask you each time you come back.
We don’t intend to use this often — NIST’s advice is that forcing people to change passwords on arbitrary timelines only causes them to choose worse passwords or implement bad practices like writing them down on a sticky note. However, we’re glad to have this as a safeguard for the future, so that if we do have a problem, or if hacker strategies require new password strategies, we will be able to force password resets quickly. It’s another measure to help keep us all safe.
A while back, we also added code that locks accounts if there are too many failed login attempts. This significantly limits anyone’s ability to use a brute force attack against our system. If your password can’t be easily guessed in a few tries, these two features together help considerably in keeping everyone’s account secure.
Remember that we will never ask you for your password except for on the site proper.
XKCD is one of my favorite comics, so if you haven’t found it and aren’t already using it for your greater acquisition of technological trivia of varying merit, I recommend you check it out: