User Security

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.2.x. If you need support for phpBB 3.2.x please visit the 3.2.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: User Security

Post by ToonArmy »

I agree with the OP but not for the same reason, as Nils said it makes sense to separate the authentication credentials from the forum display username.
Chris SmithBlogXMOOhlohArea51WikiNo support via PM/IM
Image

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: User Security

Post by bobtheman »

i have to agree, having both a login and username is'nt IMO beneficial. Instead we should look at the issue "if there is one"...

The member list, what is its purpose? Should we keep it? maybe make some changes to it.

maybe the member list shouldn't list all members, but instead list things like, admin and staff, Top 10 users, New users, users online, maybe some statistics and have a search functionality to find users/members to add as friends "with the upcoming new and improved functionality of the friend system in 4.0". Having a list of all members IMO is pointless

Im willing to bet, if we polled the entire phpbb community, the member list isnt used often and its probably serving more of a purpose to attackers and spammers than to the users themselves.

Another idea would be, instead of logging in with your username you could log in with your email address.

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: User Security

Post by EXreaction »

I wouldn't get rid of the memberlist. If anything, make an option to disable it and/or have a separate permission setting just for the memberlist (IIRC, just one now controls profiles + memberlist).

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: User Security

Post by bobtheman »

EXreaction wrote:I wouldn't get rid of the memberlist. If anything, make an option to disable it and/or have a separate permission setting just for the memberlist (IIRC, just one now controls profiles + memberlist).
Ok but this doesnt address the usefulness of the memberlist nor the original question of user security. I say revamping the memberlist is a great idea to list;

Site staff.. admin and mods
Top 10-15 members by post count "possibly karma or ranking if that is in 4.0"
Top 10 newly registered members
Member and site statistics, Top Threads stuff like that
Suggested Friends determined by location, common thread activity etc etc
And a search function to find friends and add them "with the new revamped friends list functionality in 4.0"

As of login credentials.. now that a list of all our members login names isnt available it would make the need for changing how that works of little concern..... and now the member list will be useful to the community. :D

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: User Security

Post by ToonArmy »

Getting rid of the memberlist on the grounds of security is daft, it's nothing but security through obscurity. Those accounts you'd want to brute force are likely to be listed in your replacement, administrators etc. and you can always just go harvest addresses from all over the board. As to the usefulness, it's very useful to be able to find someone based on search criteria etc. it's not so useful as an unfiltered and unsorted list of members.
Chris SmithBlogXMOOhlohArea51WikiNo support via PM/IM
Image

deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

Re: User Security

Post by deer_buster »

ToonArmy wrote:Getting rid of the memberlist on the grounds of security is daft, it's nothing but security through obscurity. Those accounts you'd want to brute force are likely to be listed in your replacement, administrators etc. and you can always just go harvest addresses from all over the board. As to the usefulness, it's very useful to be able to find someone based on search criteria etc. it's not so useful as an unfiltered and unsorted list of members.

Concur. If the username is separate from the displayname, this argument becomes moot....as you wouldn't be displaying the username, but the displayname in the memberlist. At all times, the username should remain behind the scenes (if the board is configured to use the username and displayname as one and the same, you'd still see the member's username there)....with only the admins and global moderators able to see user detail (for user management, etc.)

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: User Security

Post by bobtheman »

ToonArmy wrote:Getting rid of the memberlist on the grounds of security is daft, it's nothing but security through obscurity. Those accounts you'd want to brute force are likely to be listed in your replacement, administrators etc. and you can always just go harvest addresses from all over the board. As to the usefulness, it's very useful to be able to find someone based on search criteria etc. it's not so useful as an unfiltered and unsorted list of members.
agreed, i think the usefulness is still in question though but can easily be fixed with proper updates and improvements. I think having users sort through a memberlist, in this case 2600 Pages worth, is an ancient style of doing things and extremely annoying.
ToonArmy wrote: Concur. If the username is separate from the displayname, this argument becomes moot....as you wouldn't be displaying the username, but the displayname in the memberlist. At all times, the username should remain behind the scenes (if the board is configured to use the username and displayname as one and the same, you'd still see the member's username there)....with only the admins and global moderators able to see user detail (for user management, etc.)
I agree, and an easy fix would be to have users login with their email address, and what is listed on the forums is their Username.

So we have so far two proposals,
1. Redesigning the memberlist
2. User login via Email address

User avatar
Dog Cow
Registered User
Posts: 271
Joined: Wed May 25, 2005 2:14 pm

Re: User Security

Post by Dog Cow »

bobtheman wrote: 2. User login via Email address
There goes the option to allow multiple users to have the same address.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: User Security

Post by ToonArmy »

Dog Cow wrote:
bobtheman wrote: 2. User login via Email address
There goes the option to allow multiple users to have the same address.
Depends on the authentication method doesn't it. But I really don't see the use in it anyway.
Chris SmithBlogXMOOhlohArea51WikiNo support via PM/IM
Image

Nelsaidi
Registered User
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: User Security

Post by Nelsaidi »

The memberlist is fine, I'm sure the new style will have a much improved UI but essentially the purpose will remain the same, Is there a need to change it? IS there something 10 times better it can be replaced with? Discuss what exactly you would want in the new memberlist.

Email isnt much of a bad idea, mind you though its still obtainable.

Post Reply