User Security

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

Re: User Security

Post by deer_buster »

DavidIQ wrote:Bottom line is it WILL be a nuisance no matter how much YOU think it will not be. :roll:

I hate to break the news to you but not everyone uses Firefox (not sure if Chrome has this) so the feature you mentioned, that the username field is filled in automatically, will not be available on all browsers and not everyone has it enabled. It certainly isn't a feature of IE. You're trying to "push" a feature that you think is going to be beneficial without stopping to think if:

1. Anybody will use it besides yourself
2. Taking into consideration the work that will be needed to both have it on a switch and have it work correctly. (this corresponds to 1...do the benefits and amount of usage outweigh the work required?)

Sorry but as I see it right now, besides saying that you think it's a good idea, you've not provided any convincing arguments of why this is even a good idea and have not provided any examples of places where this has been done and has been successful.
Yes, Firefox is wonderful, and seems to have a lot fewer critical hack-your-system flaws than IE....if you are using IE, then I can understand why you feel that security isn't an issue, since you are pretty clueless about how terrible Microsoft is about security holes.

As a matter of fact, it was a corporate security guideline at a major US Telecom that I worked for, and we ended up spending many man-hours splitting them out from each other for internal applications. Giving someone half the keys to your kingdom is just plain DUMB, no matter what YOU think. Before you start spouting off about security, maybe you should stop and think if:
1. Anybody will try to hack your systems (the answer is a RESOUNDING YES)
2. How *beep* off your users would be if their information was stolen because you didn't have adequate security in place. Forums I administer have a lot of personal information in them....not stuff that people want some hacker in China getting out and using to steal their identity. (the answer is a variable answer from a little bit for some piddly software support forum to a RESOUNDINGLY *beep* OFF for a forum that handles personal information)

Then, stop and think: is forum security worth the little bit of effort it would take for you to ALWAYS program your software to use a logon_name field that is separate from the display_name field, regardless of whether or not they are the same value (a user-defined switch setting in the board configuration that can be defaulted to "Username is Displayname" with the option of "Username is not Displayname")? The answer, if you care at all about your user community's safety and security, needs to be YES.

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: User Security

Post by naderman »

I think it makes sense to separate the two programming-wise. We can still set loginname == username by default, but then making the two separate if an admin wants to becomes much easier.

deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

Re: User Security

Post by deer_buster »

Nelsaidi wrote:
DavidIQ wrote:Not sure how splitting the display name and login name will be beneficial with regards to this. Not only will a user have to remember their password but also their login name because it's not the same one being displayed. That will push users away, not attract them no matter how secure YOU think it is.
That's a fair point - and I do agree to some extent. Furthermore, many people will most likely use the same; I know I did on a few sites which already do this (running IPB). Regarding CAPTCHAs, perhaps to prevent brute force, blocking IPs for ~15 minutes after X amounts of failed logins may be a good method.
That is their prerogative, although I would hope that if the forum software (and the developers) is smart enough to separate the two, it will allow you to specify that they are not the same.

ameeck
Registered User
Posts: 86
Joined: Sun Nov 13, 2005 6:43 pm
Location: Prague, Czech Republic

Re: User Security

Post by ameeck »

deer_buster: I really don't see the need to use invectives against any members of this community. Until now, everyone has been answering your replies in a calm manner stating rational arguments proving another point. The provocative tone you are using against individuals here has nothing to do with discussion that should be held here.

To sum up what I think about this, argumentation that this is a security measure is easily proved wrong - we have better ways of preventing brute force attacks launched against the online login form (the only case it can affect I can think of), which are much less intrusive and introduce less needless options to set up for most board administrators.

I have yet to see an application where this would have a provable effect. On the other hand, for example, last week we saw a feeble attempt to steal user accounts on phpBB.com using the online form. The success rate of the attack? 0%.

Apart from the factual side, I would personally like to see phpBB overhauled in terms of the sometimes cumbersome interface which could be much simpler and friendlier.
Please think before you post.

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: User Security

Post by DavidIQ »

deer_buster wrote:Yes, Firefox is wonderful, and seems to have a lot less critical hack your system flaws than IE....if you are using IE, then I can understand why you feel that security isn't an issue, since you are pretty clueless about how terrible Microsoft is about security holes.
That doesn't prove much of anything really. Just proves that people use IE instead of FireFox, a fact you have to live with no matter what.

All this has proven is that you're not looking at the whole picture and you don't really care to...but, alas, you've gotten the answer you were looking for from naderman. Activating such a feature after the forum has been set up will prove to be a bit difficult but I'm sure the devs will figure that out as well if such a feature is added.

deer_buster
Registered User
Posts: 8
Joined: Tue Nov 11, 2003 6:04 pm

Re: User Security

Post by deer_buster »

Personally, I don't care which browser people use. I just want the applications that they use, that are administered by me, to not betray their trust. Every day you read about some hacker who hacked into this or that (such as some financial institution and stole credit information....from places that are supposed to be a heck of a lot more secure than community forum software, mind you); mostly you hear about identity theft and how people have their lives ruined because someone was able to glean enough information about them to fraudulently obtain credit or blatantly steal money from their accounts.

As community administrators, it is our duty to our users to provide the most reasonable security possible for their identities, both for personal privacy reasons and legal reasons, when that information is stored within our community forums.

As providers of said forum software, I would expect phpBB to provide the tools necessary to do that, and thankfully, one of the developers has seen and responded.

As community support team members on this forum, I would expect that they would respect that their community has needs that may be outside of their own experience/need, and will respect such needs as being valid to the users requesting feature requests to fulfill those needs.

To any that I have offended with my remarks, I apologize.

-Fin

Lurttinen
Registered User
Posts: 78
Joined: Mon Feb 20, 2006 7:57 am

Re: User Security

Post by Lurttinen »

+1 to the OP and his views.
I second that we separate login- and username.

Lurttinen
Registered User
Posts: 78
Joined: Mon Feb 20, 2006 7:57 am

Re: User Security

Post by Lurttinen »

Forgot,

Example can be found in the Facebook.
My name is not my login and I don't find it confusing at all. :)

ameeck
Registered User
Posts: 86
Joined: Sun Nov 13, 2005 6:43 pm
Location: Prague, Czech Republic

Re: User Security

Post by ameeck »

Lurttinen wrote:Forgot,

Example can be found in the Facebook.
My name is not my login and I don't find it confusing at all. :)
Yes, but you use your e-mail to log in, which you would enter anyway. That is the difference from introducing an unnecessary field for users to fill in that I'm talking about.

I know this will probably go against the philosophy of deer_buster, but on many web applications I have worked on, we have actually allowed users to use their e-mail or username to log in. It simplifies logging in for users who haven't been present for some time, and with the other preventive measures I have already described in this topic I see no weak spot security-wise.

Actually I haven't seen anyone say why using the measures I described would not work.
Please think before you post.
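The three mechanisms argued over in this thread, in working form, as an added example that is not phpBB's code and not posted by any participant: a user store where the login name is kept apart from the public display name behind the board-level switch deer_buster proposes, a login that accepts login name or e-mail address as ameeck describes, and the per-IP lockout after X failed logins that Nelsaidi sketches. Everything in it is an assumption for illustration: the class and function names, the PBKDF2 work factor, the five-failure / 15-minute thresholds, and the constructed user, addresses and IPs. It uses only the Python standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000     # assumption: demo work factor, not phpBB's
MAX_FAILURES = 5            # "X amounts of failed logins" ...
LOCKOUT_SECONDS = 15 * 60   # ... then block the IP for ~15 minutes


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class User:
    login_name: str     # used only on the login form, never rendered on the board
    display_name: str   # shown beside every post, so assume attackers know it
    email: str
    salt: bytes
    pw_hash: bytes


class AuthStore:
    """In-memory store; the switch mirrors the proposed board option
    "Username is Displayname" / "Username is not Displayname"."""

    def __init__(self, separate_login_names: bool = True):
        self.separate_login_names = separate_login_names
        self._by_login = {}
        self._by_email = {}
        self._failures = {}   # ip -> timestamps of recent failed logins

    def register(self, login_name, display_name, email, password):
        if not self.separate_login_names:
            login_name = display_name   # legacy behaviour: one name serves both roles
        salt, pw_hash = hash_password(password)
        user = User(login_name.lower(), display_name, email.lower(), salt, pw_hash)
        self._by_login[user.login_name] = user
        self._by_email[user.email] = user
        return user

    def public_profile(self, user):
        """What the board renders next to a post: the login name is deliberately absent."""
        return {"display_name": user.display_name}

    def is_locked(self, ip, now):
        recent = [t for t in self._failures.get(ip, []) if now - t < LOCKOUT_SECONDS]
        self._failures[ip] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, identifier, password, ip, now):
        """Accept login name *or* e-mail address. Returns the User or None."""
        if self.is_locked(ip, now):
            return None
        key = identifier.lower()
        user = self._by_login.get(key) or self._by_email.get(key)
        # Hash even for unknown identifiers so response time does not reveal which names exist.
        salt = user.salt if user else b"\x00" * 16
        _, candidate = hash_password(password, salt)
        if user is not None and hmac.compare_digest(candidate, user.pw_hash):
            self._failures.pop(ip, None)
            return user
        self._failures.setdefault(ip, []).append(now)
        return None


def demo():
    """Walk through the scenarios with constructed names, addresses and clock values."""
    store = AuthStore(separate_login_names=True)
    user = store.register("db-2003", "deer_buster", "db@example.org", "correct horse")
    t0 = 1_000_000.0
    # 1. Attacker knows the display name from the board and even the right password:
    #    the display name is not a login identifier, so this fails.
    guess = store.login("deer_buster", "correct horse", "203.0.113.9", t0)
    # 2. The real user logs in by login name or by e-mail (case-insensitive).
    by_login = store.login("db-2003", "correct horse", "198.51.100.4", t0)
    by_email = store.login("DB@example.org", "correct horse", "198.51.100.4", t0)
    # 3. Brute force from one IP: after MAX_FAILURES wrong passwords the IP is
    #    locked out, so even the right password is refused until the window passes.
    ip = "203.0.113.50"
    for i in range(MAX_FAILURES):
        store.login("db-2003", "wrong-%d" % i, ip, t0 + i)
    during_lockout = store.login("db-2003", "correct horse", ip, t0 + MAX_FAILURES)
    after_lockout = store.login("db-2003", "correct horse", ip, t0 + LOCKOUT_SECONDS + 10)
    return {
        "login_name_in_profile": "login_name" in store.public_profile(user),
        "display_name_guess_ok": guess is not None,
        "by_login_ok": by_login is user,
        "by_email_ok": by_email is user,
        "locked_out": during_lockout is None,
        "after_lockout_ok": after_lockout is user,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With `separate_login_names=False` the store behaves like the current board: `register` ignores the supplied login name and the display name is accepted on the login form, which is the "half the keys" deer_buster objects to. Two caveats the thread touches only indirectly: a lockout keyed on source IP alone can be evaded by spreading guesses across many addresses and can lock out legitimate users behind a shared NAT, so in practice it is combined with a per-account counter; and accepting e-mail as an identifier only keeps the login secret if e-mail addresses are not shown on profiles.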

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: User Security

Post by DavidIQ »

Lurttinen wrote:Forgot,

Example can be found in the Facebook.
My name is not my login and I don't find it confusing at all. :)
Using your email address to log in would make total sense, as you have to provide that information anyway and would remember it. I am all for that and it makes some sense. Having some arbitrary username to log in is a bit different though. I guess having the option at configuration would not make that a problem.
