What do you think of BLF's forum software?

You’d think most IT depts would grab a clue, but they keep harping on “dictionary attacks” like hacquers would know to only pick N common words and try a million or so guesses before hitting paydirt.

When properly annoyed one time at having pw after pw rejected, I came up with the most vile combination of words, which was accepted! Started an unholy trend from then on. :smiling_imp:

I mostly agree, but I do find that +1 posts sometimes do clutter a thread, and more importantly to me, I definitely do not make +1 posts for that reason. So, while I’m firmly on the things-are-fine-as-they-are side of things, that’s a tiny bit less karma in the world. =)

That’s reasonable, I’ll look into it. What we definitely won’t have is a –1 button, because I don’t want this place to turn into Reddit.

So as a compromise, can we have a ‘0’ button?

Next best thing I can offer is clicking on the number of the post in the top right corner. You can do it all day, I won’t mind. :wink:

Anything wrong with letting goggle pick your PWs?

Every 5th one ends up being “hitler”.

Perfect example of a post I’d +1. =)

There’s no reason for passwords to be hard. Services like BitWarden, LastPass, and even Chrome’s built-in password manager work great for both saving site passwords and generating new ones.

In Chrome, just right-click (touch-hold) inside of a password field and Chrome will generate a random password for that site. Create and remember a strong Google password and Chrome remembers the rest.

I’ve told people to use password managers for more than a decade and they just look at me like I’m crazy and mutter something about not wanting “all their eggs in one basket”. Meanwhile, you can reset the password for every account they’ve ever signed up for if you can just guess their e-mail password, which for one acquaintance was “twotimes2” and probably still is. He emphatically told me, “I don’t trust password managers”, so his judgement is obviously sound in all facets of Life :person_facepalming: .

Android has all the security of wrapping paper, so if you trust one of these phones to do banking and browse pr0n yet don’t trust proven password managers, then your brain may not be functioning quite right :wink: .

Many thanks to SB for everything he’s done and does :beer: .

I don’t have any complaints about the site as it’s not old-fashioned to me. I’m old-fashioned and still participate daily on an NNTP server (not on Usenet), so the forum is a place of luxury to me :wink: . If you don’t know what NNTP is, then you probably have no memories from the 1900’s :slight_smile: .

However, I do accept that modern forums, such as Xenforo, have much better support for mobile devices, which are basically the computing devices of today and tomorrow. Many of today’s Internet users may never own a PC. As we don’t want BLF to eventually become just a bunch of very old men talking about flashlights, the forum will eventually need to adapt. That’s my two cents about that.

In terms of HTTPS, the issue has little to do with security as it’s a public forum, so “security” in this case mostly just means that BLF is not taken over by baddies. Be aware that your password is sent in plaintext, so don’t share it with other sites. The only risk to users is that someone could impersonate you if they capture your username/password. So long as people are aware of this, then everything’s fine.

However, the lack of HTTPS probably can’t be ignored forever. Not only does Google down-rate any HTTP-only site throughout its ecosystem, but Google has consistently stated that Chrome will eventually make it harder and harder to access non-secure web resources. By the end of 2020, Chrome will block all mixed-content downloads and Google is repeatedly warning developers to move to HTTPS.

The browsers already show a red-colored icon or “Not Secure” text in the URL bar as a warning and may pop-up a warning when entering your credentials. This trend may eventually dissuade new memberships.

Switching to HTTPS adds a lot of extra work for SB, since not only does it have to be set up and maintained, but the rules are ever-changing. Firefox 74, the current release, disables TLS 1.0/1.1 by default, but still gives users the option to continue anyway. Chrome likely did the same some time ago. Then there’s also the matter of ever-reducing certificate lifespans.

There’s nothing wrong with keeping BLF as an unencrypted website via HTTP, but the future of unencrypted websites seems pretty grim and Google’s bias towards HTTPS also costs sites lots of hits and ad revenue.

SB was telling us that many plug-ins only work on Drupal 7. Well, I found a Let’s Encrypt bash script that was supposedly being ported to Drupal 8 back in 2016, but it seems to have never been finished :frowning: .

Yes, the image hosting here is painful, but it can get expensive for forums to host their own media. Yes, users are generally limited to maximum file sizes, but those files can still add up to a lot of hosting cost. You don’t just need to store photos and videos, but you also have to deliver those files, which can eat up a lot of monthly bandwidth. Currently, those costs are covered by the third-parties that host such files.

It’s far cheaper to host text.

I’m changing my password right now because of this information.

Beer, liquor and etc. is bad. O:)

How is Xenforo actually implemented? Examples?

I will tell you of a couple other forums I like, for example, as I believe they look and behave fine in my ≈8.45" apparent screen size (reduced dpi, 5.2" actual) smartphone: XDA Developers and E-Cigarette Forum.

I tend to dislike anything which looks dumbarsely big in my screen. I prefer for it to look “small”, this is because I like to have a flight view / bird's eye view of a site, and then zoom / focus at will over where I want.

I love the way many things were done in the past, and when something is well done it is best for it to remain that way.

If someone comes to BLF and doesn't like it, it's essentially their problem.

G00gl€ is not the internet, they're already biased enough overall wise and as a search engine. I don't care if they down-rate their arseholes, they're free to do so. Don't take me wrong, what I mean is http is still fine for certain stuff, and it is wrong to unnecessarily “enforce” certain changes be it by spreading lies about what you don't like or whatever.

Chrome will what? Uninstall Chrome. Problem solved. ;-)

I don’t use Chrome, but most people do (66% market share), so BLF cannot simply ignore what Chrome does. Opinions don’t matter when you live in a feudal society and the Internet is a feudal society, partly because of the need to monetize (the pre-Google web was largely paid for by Universities and DARPA before that) and partly because there are so many “raiders” that users must live within the gates of their chosen lords (Facebook, Google, Twitter, etc).

People like to hate Google, but they’ve largely been a benevolent lord; they’ve been so rich that they can afford to be nice. Still, they unilaterally make decisions that were not a consensus opinion of the W3C or users.

Safari’s recent proclamation that they would soon limit certificate lifespans to 1 year was made despite that proposal being voted down at the last W3C convention, so Apple is also acting unilaterally. Some conspiracy theories hold that Google, Mozilla, and Apple drew straws on this to see who would announce the change and thus take the heat :wink: . At <4% market share, Mozilla no longer had the clout to do it anyway :frowning: .

That’s the problem with lords; they may hold elections when convenient, but they can then do whatever the h*ll they want.

I use Tapatalk for forums.

Oh wait, BLF isn’t available there...

I guess I’ll use freaking annoying web browsers then, any

I’d prefer BLF to have SSL but I understand the additional CPU load from the crypto could be prohibitive for a non-commercial project.

The last time I looked at Drupal was in 2010 or thereabouts. I ended up running away in gibbering horror to WordPress, but I didn’t have to support a forum.

Thanks @leftdisconnected for the insight. Yes, you’re absolutely right on those points, and it’s not that I have my head in the sand. I just don’t see it as strictly necessary yet. But with that said, hopefully I’ll have a bit more free time soon to test and improve some things.

Thanks for being realistic, that’s exactly my main concern. At the end it might be a non-issue, but it definitely doesn’t come for free in terms of computing resources. Another stop-gap measure I thought about was simply removing the quick login box from the left column of all pages and replacing it with a link to a single encrypted login page.

Ha! I know the feeling. Drupal was definitely not a cozy and welcoming place for newcomers back in 2010 (also when I started BLF with Drupal 6), and it’s getting worse. But then again, I don’t like WordPress’s security posture very much.

Forgot to answer this before, but one example is the SQRL forums. I think it’s a very nice looking forum on both pc and mobile.

+1 on the image issues. But otherwise good.
I only have Dropbox at my disposal, and I have been told some people can’t see my images. I have no way of knowing what percentage see my images. Do most see them? Do most people not see them? Idk.