User Security

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
User avatar
Dog Cow
Registered User
Posts: 271
Joined: Wed May 25, 2005 2:14 pm

Re: User Security

Post by Dog Cow »

ToonArmy wrote:
Dog Cow wrote:
bobtheman wrote: 2. User login via Email address
There goes the option to allow multiple users to have the same address.
Depends on the authentication method doesn't it. But I really don't see the use in it anyway.
What other features are in phpBB 3 which you don't see the use for? :lol:
bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: User Security

Post by bobtheman »

Nelsaidi wrote:The memberlist is fine, I'm sure the new style will have a much improved UI but essentially the purpose will remain the same, Is there a need to change it? IS there something 10 times better it can be replaced with? Discuss what exactly you would want in the new memberlist.

Email isnt much of a bad idea, mind you though its still obtainable.
I think the only need to change the member list, besides listing usernames for security reasons, is for usability and appearance. Seems impractical for a community based software to search for users though one large list by using filters... member list should reflect the updates of the friends management system and be more user friendly. Yes the description is vague but the concept is a common agreement that the majority can relate to.

Dog Cow, maybe we could discuss the necessity or lack of multiple users using the same email address, is this common, and should we continue to support this feature compared against having users authenticate via email.

If we changed to authentication with email, and we wanted to continue to support this feature, i can think of a few easy fixes.
1. Not allowing users under the same email to have the same password allowing the password to determine what user is logging in
2. When logging in with a shared email account where multiple users are present there could be more information requested like the username
User avatar
ameeck
Registered User
Posts: 86
Joined: Sun Nov 13, 2005 6:43 pm
Location: Prague, Czech Republic
Contact:

Re: User Security

Post by ameeck »

bobtheman: Those fixes might be easy, but have many drawbacks.

I see you have a lot of suggestion concerning the memberlist. It isn't directly related to this topic, do you think you would create an initial document which we can discuss?
Please think before you post.
Nelsaidi
Registered User
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: User Security

Post by Nelsaidi »

bobtheman wrote:If we changed to authentication with email, and we wanted to continue to support this feature, i can think of a few easy fixes.
1. Not allowing users under the same email to have the same password allowing the password to determine what user is logging in
2. When logging in with a shared email account where multiple users are present there could be more information requested like the username
User changes password, new password = "abc123" - Error, "existing user has this password" :/ - Having such a multi email woul;d not work, you'd have to have a unique salt/encrypt each password, but how do you know which? It isnt much of a good idea tbh - Login by email then email must be unique.
bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: User Security

Post by bobtheman »

i guess we could look into, having users share email address's with multiple usernames... is this common should we continue to support it and would changing stand to benefit?
Nelsaidi
Registered User
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: User Security

Post by Nelsaidi »

Me thinks pretty much all users will each have a unique address unless they create a second account as a replacement, etc.

Think about which is easier to type, nelsaidi or nelsaidi@domain.com ? - Security will be little enhanced, having a password like abc will be just as vulnerable in both scenarios.

But one thing I'm thinking surely the different method can be easily created/modified - To change from email to this shouldnt be difficult, likewise from a logon name to username
User avatar
Dog Cow
Registered User
Posts: 271
Joined: Wed May 25, 2005 2:14 pm

Re: User Security

Post by Dog Cow »

Nelsaidi wrote: Think about which is easier to type, nelsaidi or nelsaidi@domain.com ?
Good point. As an admin, I don't use auto-login, so I like not having to type in a long username to get in to my site. In fact, I even changed the login script so it will accept a user ID too. I just type '2', a tab, my password, Return, and I'm in!
User avatar
Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: User Security

Post by Kellanved »

The option to have a different login name is almost certainly in. It might make its entry as a 3.1 auth plugin, but that's pending at the moment. For 4.0, this is a far too specific feature request at this point in time, as we are primarily concerned about the high-level architecture.
No support via PM.
Trust me, I'm a doctor.
Post Reply