User Security

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

User Security

Post by deer_buster »

It would be nice if Rhea supported decoupling the logon username from the display name by default, so that you could specify that the username be anything that falls into a specified ruleset, but the display name on the forums is something different....that way someone that gains access to the memberlist doesn't get half of the information they need for logon attacks.


....if it doesn't already :)

idiotnesia
Registered User
Posts: 29
Joined: Thu May 22, 2008 2:46 am

Re: User Security

Post by idiotnesia »

if the purpose is just for user security as you stated, I prefer login using email address.
idiotnesia wuz here

User avatar
ameeck
Registered User
Posts: 86
Joined: Sun Nov 13, 2005 6:43 pm
Location: Prague, Czech Republic
Contact:

Re: User Security

Post by ameeck »

Honestly I think this is just a UX complication. Why enter more details than fewer which suffice already. Requiring the user to provide more details during registration is just annoying, nothing less or more.

The argument about logging in is not valid considering you can enable login CAPTCHA after a set number of unsuccessful tries.
Please think before you post.

deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

Re: User Security

Post by deer_buster »

ameeck wrote:The argument about logging in is not valid considering you can enable login CAPTCHA after a set number of unsuccessful tries.
Yes, because CAPTCHA is the be-all, end-all answer for security, right? It will not take long for that to go bye-bye as a security measure against automated attacks....tell you what, tell me you PIN number to your bank account....that's only half the information needed, right???? I mean, your pin, by itself is useless...I have no way of knowing anything else about you....it's completely safe.... :roll:


People that are depending on CAPTCHA for security are going to wake up one morning with a GOTCHA

I point to this article as an example of the workarounds hackers/spammers have available....and this is pretty low-tech version...

http://www.geekpedia.com/news195_Spamme ... round.html

User avatar
ameeck
Registered User
Posts: 86
Joined: Sun Nov 13, 2005 6:43 pm
Location: Prague, Czech Republic
Contact:

Re: User Security

Post by ameeck »

CAPTCHA was only one of many possible brute force attack prevention measures. Even when a CAPTCHA is broken like many have been in the past, success rates of cracker are still way below 100% and it requires a noticeable amount of computing time. Considering that currently, phpBB has customizable CAPTCHA protection, you can hardly create a universal tool for such a purpose. You could also easily implement other prevention mechanisms, e.g. interval time limits, preventing a bearable time needed to crack a password using HTTP requests.

While we are able to implement preventive measures which do not necessarily annoy the user, splitting a display and login name would do just that.
Please think before you post.

deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

Re: User Security

Post by deer_buster »

ameeck wrote:CAPTCHA was only one of many possible brute force attack prevention measures. Even when a CAPTCHA is broken like many have been in the past, success rates of cracker are still way below 100% and it requires a noticeable amount of computing time. Considering that currently, phpBB has customizable CAPTCHA protection, you can hardly create a universal tool for such a purpose. You could also easily implement other prevention mechanisms, e.g. interval time limits, preventing a bearable time needed to crack a password using HTTP requests.

While we are able to implement preventive measures which do not necessarily annoy the user, splitting a display and login name would do just that.

I disagree with you on that regard. splitting the login name and display name might annoy you, but it wouldn't annoy everyone...and some would prefer it...regardless, it should be in the control of the board administrator, not some support person just because he might be annoyed with it. it is a VALID security deterrent, regardless of your personal opinions.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: User Security

Post by DavidIQ »

deer_buster wrote:It would be nice if Rhea supported decoupling the logon username from the display name by default, so that you could specify that the username be anything that falls into a specified ruleset, but the display name on the forums is something different....that way someone that gains access to the memberlist doesn't get half of the information they need for logon attacks.
It would be pointless. Memberlist access to guests is disabled by default. If it's enabled then that's an issue the administrator of the forum created, not phpBB. You can also easily disable access to the memberlist using the newly registered user group.

Not sure how splitting the display name and login name will be beneficial with regards to this. Not only will a user have to remember their password but also their login name because it's not the same one being displayed. That will push users away, not attract them no matter how secure YOU think it is.
Image

deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

Re: User Security

Post by deer_buster »

DavidIQ wrote:
deer_buster wrote:It would be nice if Rhea supported decoupling the logon username from the display name by default, so that you could specify that the username be anything that falls into a specified ruleset, but the display name on the forums is something different....that way someone that gains access to the memberlist doesn't get half of the information they need for logon attacks.
It would be pointless. Memberlist access to guests is disabled by default. If it's enabled then that's an issue the administrator of the forum created, not phpBB. You can also easily disable access to the memberlist using the newly registered user group.

Not sure how splitting the display name and login name will be beneficial with regards to this. Not only will a user have to remember their password but also their login name because it's not the same one being displayed. That will push users away, not attract them no matter how secure YOU think it is.

It can be an OPTION for the administrator to setup, perhaps with feedback from his user community. Memberlists are not the only source of usernames....posts are sources of usernames. I don't know about you, but on my personal computer, I have my browser setup to automatically remember my username for each site I go to...my personal security is that at least 2 passwords are required to get to any of the websites I logon to if I am not actively at the computer....plus, PHPBB offers the ability to allow users to store cookies for logon information, so for most people it isn't an issue, no matter how much of an issue YOU think it is.

Besides, my site traffic is generated by content, not logon configuration :roll:

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: User Security

Post by DavidIQ »

Bottom line is it WILL be a nuisance no matter how much YOU think it will not be. :roll:

I hate to break the news to you but not everyone uses FireFox (not sure if Chrome has this) so the feature you mentioned that the username field is filled in automatically will not be available on all browsers and not everyone has enabled. It certainly isn't a feature of IE. You're trying to "push" a feature that you think is going to be beneficial without stopping to think if:

1. Anybody will use it besides yourself
2. Taking into consideration the work that will be needed to both have it on a switch and have it work correctly. (this corresponds to 1...does the benefits and amount of usage outweigh the work required?)

Sorry but as I see it right now, besides saying that you think it's a good idea, you've not provided any convincing arguments of why this is even a good idea and have not provided any examples of places where this has been done and has been successful.
Image

Nelsaidi
Registered User
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: User Security

Post by Nelsaidi »

DavidIQ wrote:Not sure how splitting the display name and login name will be beneficial with regards to this. Not only will a user have to remember their password but also their login name because it's not the same one being displayed. That will push users away, not attract them no matter how secure YOU think it is.
Thats a fair point - and I do agree to some extent. Furtgher more many people will most likely use the same, I know I did on a few sites which already do this (running IPB), regarding CAPTCHA's perhaps to prevent brute force blocking IP's for ~15 minutes after X ammounts of failed logins may be a good method .

Post Reply