User Security
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.
If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Re: User Security
I agree with the OP, but not for the same reason; as Nils said, it makes sense to separate the authentication credentials from the forum display username.
Re: User Security
I have to agree, having both a login and username isn't IMO beneficial. Instead we should look at the issue "if there is one"...
The member list, what is its purpose? Should we keep it? Maybe make some changes to it.
Maybe the member list shouldn't list all members, but instead list things like admin and staff, Top 10 users, New users, users online, maybe some statistics, and have a search functionality to find users/members to add as friends "with the upcoming new and improved functionality of the friend system in 4.0". Having a list of all members IMO is pointless.
I'm willing to bet, if we polled the entire phpBB community, the member list isn't used often and it's probably serving more of a purpose to attackers and spammers than to the users themselves.
Another idea would be, instead of logging in with your username you could log in with your email address.
- EXreaction
Re: User Security
I wouldn't get rid of the memberlist. If anything, make an option to disable it and/or have a separate permission setting just for the memberlist (IIRC, just one now controls profiles + memberlist).
Re: User Security
EXreaction wrote: I wouldn't get rid of the memberlist. If anything, make an option to disable it and/or have a separate permission setting just for the memberlist (IIRC, just one now controls profiles + memberlist).
OK, but this doesn't address the usefulness of the memberlist nor the original question of user security. I say revamping the memberlist is a great idea, to list:
Site staff.. admin and mods
Top 10-15 members by post count "possibly karma or ranking if that is in 4.0"
Top 10 newly registered members
Member and site statistics, Top Threads stuff like that
Suggested Friends determined by location, common thread activity etc etc
And a search function to find friends and add them "with the new revamped friends list functionality in 4.0"
As for login credentials... now that a list of all our members' login names isn't available, it would make the need for changing how that works of little concern... and now the member list will be useful to the community.
Re: User Security
Getting rid of the memberlist on the grounds of security is daft, it's nothing but security through obscurity. Those accounts you'd want to brute force are likely to be listed in your replacement, administrators etc. and you can always just go harvest addresses from all over the board. As to the usefulness, it's very useful to be able to find someone based on search criteria etc. it's not so useful as an unfiltered and unsorted list of members.
Re: User Security
ToonArmy wrote: Getting rid of the memberlist on the grounds of security is daft, it's nothing but security through obscurity. Those accounts you'd want to brute force are likely to be listed in your replacement, administrators etc. and you can always just go harvest addresses from all over the board. As to the usefulness, it's very useful to be able to find someone based on search criteria etc. it's not so useful as an unfiltered and unsorted list of members.
Concur. If the username is separate from the displayname, this argument becomes moot....as you wouldn't be displaying the username, but the displayname in the memberlist. At all times, the username should remain behind the scenes (if the board is configured to use the username and displayname as one and the same, you'd still see the member's username there)....with only the admins and global moderators able to see user detail (for user management, etc.)
Re: User Security
ToonArmy wrote: Getting rid of the memberlist on the grounds of security is daft, it's nothing but security through obscurity. Those accounts you'd want to brute force are likely to be listed in your replacement, administrators etc. and you can always just go harvest addresses from all over the board. As to the usefulness, it's very useful to be able to find someone based on search criteria etc. it's not so useful as an unfiltered and unsorted list of members.
Agreed, I think the usefulness is still in question though, but can easily be fixed with proper updates and improvements. I think having users sort through a memberlist, in this case 2600 pages' worth, is an ancient style of doing things and extremely annoying.
ToonArmy wrote: Concur. If the username is separate from the displayname, this argument becomes moot....as you wouldn't be displaying the username, but the displayname in the memberlist. At all times, the username should remain behind the scenes (if the board is configured to use the username and displayname as one and the same, you'd still see the member's username there)....with only the admins and global moderators able to see user detail (for user management, etc.)
I agree, and an easy fix would be to have users log in with their email address, and what is listed on the forums is their Username.
So we have so far two proposals,
1. Redesigning the memberlist
2. User login via Email address
Re: User Security
bobtheman wrote: 2. User login via Email address
There goes the option to allow multiple users to have the same address.
Re: User Security
bobtheman wrote: 2. User login via Email address
Dog Cow wrote: There goes the option to allow multiple users to have the same address.
Depends on the authentication method, doesn't it? But I really don't see the use in it anyway.
Re: User Security
The memberlist is fine. I'm sure the new style will have a much improved UI, but essentially the purpose will remain the same. Is there a need to change it? Is there something 10 times better it can be replaced with? Discuss what exactly you would want in the new memberlist.
Email isn't much of a bad idea; mind you, though, it's still obtainable.