User Tools

Site Tools





Visual Customization

Mystic Utilities (MUTIL)

Scripting Custom Modules

Quick Reference

What's New


User Password Policy

This section of the Mystic BBS Configuration System allows the SysOp to configure rules for users creating passwords on a Mystic BBS. The password policy allows settings for minimum password length, number of required capital letters, numbers, and symbols.

Mystic allows the option to store passwords in case insensitive cleartext and case insensitive hashing using industry standard methods for password storage. It is highly recommended to use password hashing and stop using cleartext passwords.

This example screen is from a Windows based system and displays the standard 'out of the box' settings that ship with the default installation.

              █▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ User Password Policy ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
              █                                                    █
              █  Minimum Length            │ 7                     █
              █  Minimum Capital Letters   │ 0                     █
              █  Minimum Numbers           │ 0                     █
              █  Minimum Symbols           │ 0                     █
              █  Maximum Password Attempts │ 3                     █
              █  Force Password Change     │ 0                     █
              █  Allow Password Inquiry    │ Yes                   █
              █  Allow Reset By E-mail     │ Yes                   █
              █  Password Storage Method   │ PBKDF2 SHA512 Hash    █
              █  PBKDF2 512-bit Iterations │ 1000                  █
              █                                                    █

Minimum Length

The minimum length a password can be. It is highly recommended that the minimum password length be set to at least 7 characters. Mystic user passwords can be up to 25 characters maximum.

Minimum Capital Letters

The minimum number of required capital letters in the password.

Minimum Numbers

The minimum number of required numbers in the password.

Minimum Symbols

The minimum number of required symbols in the password.

Maximum Password Attempts

The maximum number of attempts a user is allowed when entering a password.

Force Password Change

The number of days before a user is required to change their password. This looks at the 'Last PW Date' field found on page four (Statistics) of each individual user record.

Allow Password Inquiry

Allow the option for the user to contact the SysOp via BBS email after a failed login attempt.

Allow Reset By E-mail

Allow the option for the user to be sent a reset code by Internet email? (Requires sendmail functionality to be enabled)

Password Storage Method

Mystic now allows passwords to be stored using PBKDF2 with SHA512-bit hashing at variable configurable iterations. What does this mean? The biggest benefit is that when enabled, Mystic will never store a user's password anywhere in the BBS system. This system is the same system used for Password Managers such as LastPass, 1Password and operating systems such as MacOS. In fact, with its variable iterations Mystic could be considered to be more secure as those products in terms of cracking a user's password hash.

Two new options are added into the Password Policy options, the first is a password storage method which has three options:

          ClearText Case Insensitive       (This was the legacy storage method)
          ClearText Case Sensitive
          PBKDF2 SHA512 Hash               (This is also case sensitive)

PBKDF2 512-bit Iterations

This option is VERY important when using PBKDF2 and that is the number of iterations the process will use when hasing a password. The default value is 1000 and may be considered a little low in terms of enterprise level password storage but it works at a reasonable speed for most systems. In general, the higher the number of iterations the more secure it is, but the longer it will take for Mystic to store or check a password. Setting this value to 10,000 on an original Raspberry Pi for example may cause Mystic to take 10+ seconds to store or check a password and for many that may be too slow.

It is recommended that it is kept at 3000 or lower for performance reasons unless you know what you are doing. Even at this level PBKDF2 with a 512 bit hashing system is more secure than any other BBS software today. If you find the delay for 1000 is too short you can adjust the value but just beware that if you change hardware someday, those values still remain.

The way the system works is that a user's password is stored in the format configured at the time their password is set, including the iterations. The password remains stored in this format even if you change the storage method until the user changes their password or you reset it using the user editor. It is important that you do not set the iteration level too high for the hardware you are using to run your BBS now or in the future.

config_user_password_policy.txt · Last modified: 2018/12/26 15:35 by avon