Password Information

We recommend that you create a password consisting of between three and five random words. It must have at least 12 characters, but we don't enforce the use of numbers or punctuation characters: what matters is length. If you try to use a password that has previously been compromised and appears in the readily available rainbow tables, you will see the warning "The password has appeared in a data leak. Please choose a different password." and you will have to choose a different one. We also re-check your password each time you log in, in case it has been compromised since you set it.

If you are interested in the reasoning and the theory behind our password policy, please read on; otherwise the summary above is the short version of the full explanation below.

TL;DR

For years we have been told to make our passwords "hard to guess" by mixing uppercase and lowercase letters, including numbers and punctuation characters, and so on. The main advocate of this practice was NIST (the National Institute of Standards and Technology), the US government department that deals with cybersecurity. In 2017 they published a paper that basically says they got it wrong. You can read the original paper, along with the 2020 update, here: https://pages.nist.gov/800-63-3/sp800-63-3.html

Do read it if you are interested, but the gist is that their advice has caused people to get into some very bad habits with their passwords. The situation has been exacerbated by well-meaning but ultimately poorly designed code that forces people to create passwords containing different types of characters without really checking how "crackable" the password is.

The new advice, and also our advice, is not to use a password at all but a passphrase. The very word "password" implies one word, whereas several words, with or without spaces between them, are far more secure than a single word, even one with uppercase, lowercase, numbers and so on. So when you choose a password for this site, pick a short sentence that you will remember. You can make it all lower case if you prefer, or add one or a few capitals; to be honest it makes very little difference to the strength of your passphrase, what matters is the length. Here are some examples of really good passphrases:
  • green cows watch purple pigs
  • my chair has a wheel dog
  • BOTTLES EAT LARGE CARS
  • Fish Tunes Speak Easy
  • Paint your tea before you drive the car
The point is that you come up with a short phrase that makes no real sense but is easy to remember. Do not use phrases from published literature; make it up yourself. Do not make it too long: about 3 to 5 words is right. Use all lowercase or all uppercase if it helps you remember it better. Here is an amusing cartoon, courtesy of xkcd.com, that sums it up quite well:
[xkcd comic: "Password Strength"]
https://xkcd.com/
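To make the policy in the summary concrete, here is an added example (not this site's code) of how a password check that enforces only length and a breach-list lookup, plus a random-word passphrase generator, can be written. The breach list, the `suffixes_for_prefix` service stand-in and the mini wordlist are all constructed for the demo; a real deployment would query a breach-check service with only the first five hex characters of the SHA-1 hash, so the password itself never leaves the site.

```python
import hashlib
import secrets
from typing import Optional, Set

MIN_LENGTH = 12  # the only composition rule enforced: no digit/punctuation/case rules

# Constructed sample of breached passwords, kept as upper-case SHA-1 hex digests,
# the form breach-check lists are commonly published in. Demo data only.
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "correcthorsebatterystaple", "letmein12345")
}

LEAK_MESSAGE = "The password has appeared in a data leak. Please choose a different password."


def suffixes_for_prefix(prefix: str) -> Set[str]:
    """Stand-in for a range query to a breach-check service (hypothetical).
    Only the 5-character hash prefix is sent; the service returns every known
    suffix under that prefix, so the full hash (and password) stays local."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in suffixes_for_prefix(prefix)


def check_password(password: str) -> Optional[str]:
    """Return None if the password is acceptable, else the message to show the user.
    Length is checked first, then the breach list. Run the same check at login
    to catch passwords compromised after they were set."""
    if len(password) < MIN_LENGTH:
        return f"The password must have at least {MIN_LENGTH} characters."
    if is_breached(password):
        return LEAK_MESSAGE
    return None


# Constructed mini wordlist; a real generator would use a list of thousands of words.
WORDS = ("green", "cows", "watch", "purple", "pigs", "chair", "wheel",
         "bottles", "large", "cars", "fish", "tunes", "paint", "drive")


def generate_passphrase(n_words: int = 4) -> str:
    """Three to five random words, drawn with the CSPRNG-backed `secrets` module
    rather than `random`, so the phrase is not predictable from the clock."""
    if not 3 <= n_words <= 5:
        raise ValueError("use between 3 and 5 words")
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("short", "correcthorsebatterystaple", "green cows watch purple pigs"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
    print("suggested passphrase:", generate_passphrase())
```

The prefix-query shape matters: sending the whole hash to a third party would let that party test it against the same leaked lists, whereas a five-character prefix matches a large bucket of unrelated passwords.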
This site has several mechanisms to protect against hackers trying to break in, so do not be surprised if you get locked out after entering an incorrect password several times in a row. If you do get locked out, try again later, as the lockout will time out, or use the password reset feature: this lets you set a new password and clears any lockout at the same time.
If you forget your password, just use the reset feature; please do not contact us to ask what your password is, as we have no way of looking it up for you. When you set your password it is not stored anywhere. Instead the system runs a mathematical algorithm on it called a "hash", which creates a fingerprint of your password, and it is this fingerprint that is stored in the database. When you log in, the system runs the same algorithm on the password you type and compares the resulting fingerprint with the one stored in the database; if they match, you are granted access.
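The two paragraphs above describe the login flow: a salted hash is stored instead of the password, failed attempts trigger a lockout that expires on its own, and a password reset clears it. This added example (not the site's own implementation) shows that flow end to end with PBKDF2-HMAC-SHA256 from the standard library; the iteration count, salt size, failure threshold and lockout duration are assumptions chosen for the demo, and `AccountStore` is a hypothetical in-memory stand-in for the user table.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Demo parameters (assumptions, not the site's real values).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). A fresh random salt per user
    means two users with the same password get different fingerprints."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Hashed once at start-up so that a login for an unknown username takes as long
# as one for a real user (otherwise response time reveals which usernames exist).
DUMMY_HASH = hash_password("dummy-value-for-timing-only")


class AccountStore:
    """Hypothetical in-memory user table. `clock` is injectable so lockout expiry
    can be exercised without waiting 15 minutes."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.users: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password),
                                "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        user = self.users.get(username)
        if user is None:
            verify_password(password, DUMMY_HASH)  # same cost, result discarded
            return "invalid"
        now = self.clock()
        if now < user["locked_until"]:
            return "locked"  # refused even if the password is right, until expiry
        if verify_password(password, user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
        return "invalid"

    def reset_password(self, username: str, new_password: str) -> None:
        """The reset feature stores a new fingerprint and clears any lockout."""
        user = self.users[username]
        user["hash"] = hash_password(new_password)
        user["failures"] = 0
        user["locked_until"] = 0.0


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "green cows watch purple pigs")
    print(store.login("alice", "green cows watch purple pigs"))  # ok
    for _ in range(MAX_FAILURES):
        store.login("alice", "wrong guess")
    print(store.login("alice", "green cows watch purple pigs"))  # locked
```

Note that the lockout check runs before the hash is computed, so a locked account costs the server nothing per attempt, and the lockout is per account rather than per client address, which is what lets a forgotten password be recovered by reset rather than by waiting.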
When you enter a password we won't ask you to enter it twice; once is enough. However, we do offer a "Show Password" option so you can be certain you entered it correctly. Just check that no one is looking over your shoulder before you tick that box, and untick it once you're happy with what you typed.

Multi Factor Authentication

Using just a username and password is not very secure, so this site offers a feature called 2FA (Two Factor Authentication), also known as MFA (Multi Factor Authentication). After you identify yourself by entering the correct username and password combination, you have to enter a PIN. The PIN can be sent to you via SMS message, or it can come from an authentication app on your smart device. As a regular user you are encouraged to use 2FA, but it is not enforced. If you are granted additional privileges, e.g. you become a coordinator, then 2FA is enforced, as it is not just your own data that is at risk. Click the link below for more information on 2FA.

2FA Info Link
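The PIN from an authentication app is normally a time-based one-time password (TOTP, RFC 6238), which the server can verify with nothing more than a shared secret and the clock. This added example (not the site's code) implements HOTP and TOTP from the standard library and a verifier that tolerates one time step of clock drift and refuses to accept the same code twice. The test vectors in the test use the RFC's published secret; `TotpVerifier` and its window/replay handling are the example's own design.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable

STEP_SECONDS = 30  # standard TOTP time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // STEP_SECONDS, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the secret as base32; pad and decode it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check for one user's authenticator. `window` is the number of
    steps accepted either side of 'now' to absorb phone/server clock drift."""

    def __init__(self, secret: bytes, window: int = 1,
                 clock: Callable[[], float] = time.time) -> None:
        self.secret = secret
        self.window = window
        self.clock = clock
        self.last_counter = -1  # highest counter already accepted (replay guard)

    def verify(self, pin: str) -> bool:
        pin = pin.strip()
        now_counter = int(self.clock()) // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue  # a code at or before the last accepted step is a replay
            if hmac.compare_digest(hotp(self.secret, counter), pin):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print("current code:", totp(demo_secret, time.time()))
```

Each candidate comparison is constant-time; the loop itself only reveals how many steps were tried, which is already public from the window size. The replay guard is what stops a PIN observed over someone's shoulder from being reused within the same 30-second step.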