Check usernames when registering (page 2 of 4, Read 19,926 times)
OH Eng (Past Team Members, Documentation Team)
Re: Check usernames when registering
Reply #30 - Jul 11th, 2009 at 2:42am
JonB wrote on Jul 10th, 2009 at 10:41pm:
Personally, I think we currently go overboard in the analysis of the userID security.

First - this isn't a financial transaction processing system.


No, it isn't a financial transaction system, but that doesn't mean people want something less secure.  IF the username is not displayed, and IF the login using username or email address is put into effect, and any settings that are required to be there are made to be there, it would be one more step towards security.

Can it be broken?  Well, gee, 3 days ago the US Secret Service network was hacked, so I'd say it would probably be child's play for hackers of that caliber to take on your ISP or host, let alone your forum, don't you think?

The question is, IS it a problem?  We've heard all about how insecure the CAPTCHA was in this version or that... but I've never seen one user in all the time I've been here complain of their Validation Code being defeated.  And once again, YaBB ships with it turned OFF by default, so I don't consider anything related to CAPTCHA to be security related, only spam-prevention related.

The theft of, or even accidental disclosure of an Admin or GMod password IS a security risk, and that risk can be minimized by removing one of the two keys needed to log in with.

Why do we NEED an online password retrieval system versus an email based one?  Is there something wrong with the system in use now?
cepheid (Senior Member)
Re: Check usernames when registering
Reply #29 - Jul 11th, 2009 at 12:00am
JonB wrote on Jul 10th, 2009 at 10:41pm:
Personally, I think we currently go overboard in the analysis of the userID security.

I wholeheartedly agree, as I hope you can tell. Smiley

JonB wrote on Jul 10th, 2009 at 10:41pm:
I hope you will find/develop a good new system that includes help for the visually impaired. (maybe I missed that in this discussion).

I don't think it was discussed, and you're absolutely right about that - there is no screenreader access to the captcha (for obvious reasons), and no audio synthesis.  This is a problem with many websites and software, not just this one... some professional captcha systems have audio access, but I don't know of any free pre-existing captcha packages with audio, so we'd have to figure something out (e.g. add an audio package that can synthesize based on text input).

JonB wrote on Jul 10th, 2009 at 10:41pm:
we need an online (not e-mail dependent) password recovery or reset system

To do this properly, we will need to implement security questions to ensure that someone isn't maliciously changing someone else's password, as that is the only means of authenticating a user without a password.  The one problem with that is that the answers will either need to be stored in plaintext (if you want the user to be able to see his/her previous answers when editing his/her profile) or need to be hashed like passwords (to ensure that they are secure from all prying eyes, but that means the user can't see the original answers - he/she can only change them).

JonB wrote on Jul 10th, 2009 at 10:41pm:
From a social engineering point of view, the Display name should be retained, but ONLY as that.

Agreed.  You would need a dupe check for that, which would happen any time the user sets/changes the display name.  (I am also in favor of removing the display name from registration, allowing it to be one of the optional profile fields; if unset, the displayname defaults to the username.)

JonB wrote on Jul 10th, 2009 at 10:41pm:
However, we should probably realize that our search for SE-friendly URLS may eliminate the need for masking entirely.

The only time userids would ever be exposed is in profile links, and I don't think that will matter for SEO, especially if those links are omitted from the "formatting-sparse" pages that should, eventually, be the ones shown to search engines.  (Guests can't access profile links anyway.)  So, masking shouldn't be a factor with SEO regardless.

That said, as I've stated previously, masking serves no useful purpose in its current implementation, and only marginal purpose even under optimal implementation (where displayname must differ from userid and is not used for login).

Just more of my thoughts. Wink
JonB (YaBB Administrator; YaBB Next Team, Operations Team, Beta Testers, Support Team)
Re: Check usernames when registering
Reply #28 - Jul 10th, 2009 at 10:41pm
Personally, I think we currently go overboard in the analysis of the userID security. 

First - this isn't a financial transaction processing system.

Second - We have so beaten the matter of CAPTCHA security to death, we have completely ignored the very valid access capability issue.   I hope you will find/develop a good new system that includes help for the visually impaired. (maybe I missed that in this discussion).

Third - from a purely LOGIN (authentication) point of view, Cepheid is probably right that it should be limited to two instances, the original username and the last registered e-mail address.  They have to be unique keys, user displaynames don't (only concurrently.)

While we are at it, I'll point out that we need an online (not e-mail dependent) password recovery or reset system. Corey himself agreed on that previously.

From a social engineering point of view, the Display name should be retained, but ONLY as that.  We probably need a 'duplicate check' for that, BUT that probably should happen at first login.  That would be when we drive them to their profile page (one considerably less complex than our personal-wikipedia we have now) and they get to make some simple choices (display name, time zone, notifications maybe) to get them started.  The rest gets defaulted in, and they can revisit it when they choose.  This would also familiarize them with 'where that happens' - which seems to elude many users, even experienced ones.

People change and their lives change, the profile IS their online persona, we need to allow broad expression.  I have several forum members who have had life changing events, they are no longer that former person - period.  But the former persona is part of them as well - and we need to respect that.

I am totally in favor of creating a secure and private environment.  I have repeatedly said so before. However, we should probably realize that our search for SE-friendly URLS may eliminate the need for masking entirely.

Just my thoughts
Wink
cepheid (Senior Member)
Re: Check usernames when registering
Reply #27 - Jul 10th, 2009 at 9:18pm
OH Eng wrote on Jul 10th, 2009 at 8:52pm:
If I remember correctly, the original intent of two names was so that if a password was compromised, it will still be useless because the user obtaining it would also have to get the username, something only available to the user and the Admin/GMods.

Right, although the username also used to be visible to anyone because it was contained in various profile links.  Now that username cloaking can be enabled, the username is not fully exposed, but since the cloaking itself is not based on a secret key, it is entirely reversible by anyone and usernames can still be recovered, anyway, albeit with some effort.  And, of course, cloaking must be enabled by the admin, so even if login via displayname were disabled and even if cloaking weren't fully reversible by anyone, the admin must still enable cloaking to experience what (very little) added security that this feature might afford.

OH Eng wrote on Jul 10th, 2009 at 8:52pm:
It was supposed to be a type of security feature.

Yes, "security by obscurity," which as we've discussed in the past, has been shown to not only not improve security, but on occasion (as with the initial 2.2-2.4 captcha code) to actually decrease it.  The intentions are good, of course... but the implementation needs to be done very carefully.

OH Eng wrote on Jul 10th, 2009 at 8:52pm:
But I don't recall how or why it changed to allow all 3 login types.

I don't either, but it would appear that we both agree that logins should be restricted to username or email address only.

I can see only two reasons to have a displayname: in an attempt to hide the username (which is largely irrelevant right now for the reasons described above), and to allow short usernames (for user convenience) while allowing longer, more descriptive names shown on posts (for a fuller "online persona").  The latter is a legitimate UI feature (although of very subjective value, of course), while the former is not.

If login via displayname is maintained, the display name is basically just another username.  There is no reason to keep the option of requiring it to be different from the username, and there's also no reason to keep username cloaking - both of those can be disabled with absolutely no loss of security, if logins via displayname are allowed.  Of course, the displayname also reduces the available username space, since every user can now effectively have two usernames.

If login via displayname is disabled, then the options of requiring a different displayname and of cloaking the username can be kept, although as stated above, they really provide zero added security.  (At minimum, the cloaking algorithm should be based on a private key - a different one than used for the captcha - and should be enabled if and only if the displayname is required to be different from the username; if either is disabled, both should be.)

At least, that's my opinion. Smiley
OH Eng (Past Team Members, Documentation Team)
Re: Check usernames when registering
Reply #26 - Jul 10th, 2009 at 8:52pm
If I remember correctly, the original intent of two names was so that if a password was compromised, it would still be useless because the user obtaining it would also have to get the username, something only available to the user and the Admin/GMods.  That of course meant you could only log in with the username or email address, NOT the displayed name.  It was supposed to be a type of security feature.  But I don't recall how or why it changed to allow all 3 login types.
cepheid (Senior Member)
Re: Check usernames when registering
Reply #25 - Jul 10th, 2009 at 5:25pm
OH Eng wrote on Jul 10th, 2009 at 1:09pm:
If it didn't check both names, what would happen if these two users tried to log in, the first one using the user name, the second one using their displayed name?

Ah, I see.  That could be a problem.  So Display Names must be distinct from usernames except for the same user, it would appear.

Man, I really don't like this whole Display Name business... or, at least, I don't like that people can log in using the Display Name.  I can understand why it's done that way (for convenience of the user), but IMHO it should be username or email address - that's still two ways to log in, and it would save the headaches of having two effectively identical ID fields.

Oh well.

OH Eng wrote on Jul 10th, 2009 at 1:09pm:
Maybe we should re-think the idea of allowing logins with the displayed name unless username and displayed name are the same?

I fully support that idea!  Of course, if the username and displayed name are the same, there's no point in checking the displayed name at all (it's the same as the username), so you can just do away with the displayname check entirely and achieve the same result.
deti (Legacy Dev Team, Development Team)
Re: Check usernames when registering
Reply #24 - Jul 10th, 2009 at 2:01pm
Indeed, you both are right, but it does not check only for username and displayname, it also checks for the email because you can log in with email too! Wink

@ Unilat
If I have a user called --#deti#-- and I try to register another user with the same name, your feature tells me that I can use this name, but if I click "Go" on the reg-page it tells me that I can't register!?!
It looks like the JS doesn't transmit the right name to the Perl script. Can you take a look at this? I wasn't able to find the error until now. It may have to do with special characters...
Thanks!
Edited:
Probably because # is used to split the query string from the anchor.
OH Eng (Past Team Members, Documentation Team)
Re: Check usernames when registering
Reply #23 - Jul 10th, 2009 at 1:16pm
Ha, you posted while I was finishing my post.  Yes, it checks both names to make sure there are no duplicates.

That was my point: that checking both is necessary.
Jet Li (Legacy Dev Team, Development Team)
Re: Check usernames when registering
Reply #22 - Jul 10th, 2009 at 1:15pm
OH Eng wrote on Jul 10th, 2009 at 1:09pm:
If it didn't check both names, what would happen if these two users tried to log in, the first one using the user name, the second one using their displayed name?

It will check. Wink

I have User ID: hhh
Displayed Name: Heineken

Try it: http://www.yabbworld.com/cgi-bin/yabb_db/YaBB.pl?action=register

Try Heineken as User ID.
Try hhh as Displayed Name.

You will see both are taken.
OH Eng (Past Team Members, Documentation Team)
Re: Check usernames when registering
Reply #21 - Jul 10th, 2009 at 1:09pm
cepheid wrote on Jul 9th, 2009 at 11:29pm:
Also, it appears that the Display Name checks against both displayed name AND userid... is this deliberate?


Well the login process allows a person to log in using either their user name, displayed name, or email address.  If it didn't check both names, what would happen if these two users tried to log in, the first one using the user name, the second one using their displayed name?

User 1:  username = bigdog  displayed name = Pitbull  password: 7x4pQ
User 2:  username = MJones  displayed name = bigdog  password: hd349

Which password is going to be seen as "the correct" password to allow the user to log in?

Right now, this can't happen because if you try to sign up with or modify an existing user's displayed name to match another user's displayed name OR username, you get this error:
Code:
    This displayed name is already in use by another member. (displayed name OR user name)

where "in use" means it's another user's displayed name or user name.

Maybe we should re-think the idea of allowing logins with the displayed name unless username and displayed name are the same?
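The collision OH Eng describes, worked through as an added Python example (not YaBB's own Perl code): with cross_check=True the registry refuses a displayed name that is already another member's username, which is the check the thread describes; with cross_check=False it accepts it, and the login name "bigdog" then resolves to two members, so the password alone would have to decide which one is logging in. Case-insensitive matching, the Registry and Member names, and the example e-mail addresses are assumptions.

```python
# Constructed example, not YaBB's code: one shared identifier space when
# login accepts username, displayed name or e-mail address.
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    username: str
    displayname: str
    email: str
    password: str  # plaintext only to keep the illustration short

class Registry:
    """cross_check=True rejects a username or displayed name that is EITHER
    field of an existing member (the check the thread describes);
    cross_check=False checks each field only against its own column."""

    def __init__(self, cross_check=True):
        self.cross_check = cross_check
        self.members = {}  # keyed by username

    def is_taken(self, value, field):
        # Assumption: case-insensitive, so "BigDog" cannot sit beside "bigdog".
        v = value.casefold()
        for m in self.members.values():
            names = {m.username, m.displayname} if self.cross_check else {getattr(m, field)}
            if v in {n.casefold() for n in names}:
                return True
        return False

    def register(self, m):
        for field in ("username", "displayname"):
            if self.is_taken(getattr(m, field), field):
                raise ValueError(f"{field} {getattr(m, field)!r} is already in use")
        if any(x.email.casefold() == m.email.casefold() for x in self.members.values()):
            raise ValueError("e-mail address is already in use")
        self.members[m.username] = m

    def candidates(self, identifier):
        # Every member the login identifier could refer to.
        i = identifier.casefold()
        return [m for m in self.members.values() if i in
                (m.username.casefold(), m.displayname.casefold(), m.email.casefold())]

    def login(self, identifier, password):
        # Exactly one candidate, else fail: the password never decides which member "bigdog" means.
        found = self.candidates(identifier)
        if len(found) != 1 or found[0].password != password:
            return None
        return found[0]

def ambiguity_demo(cross_check):
    """Replays the two users from the post and returns (second registration
    accepted, number of members the login name 'bigdog' resolves to)."""
    reg = Registry(cross_check)
    reg.register(Member("bigdog", "Pitbull", "u1@example.invalid", "7x4pQ"))
    try:
        reg.register(Member("MJones", "bigdog", "u2@example.invalid", "hd349"))
    except ValueError:
        pass
    return len(reg.members) == 2, len(reg.candidates("bigdog"))
```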
OH Eng (Past Team Members, Documentation Team)
Re: Check usernames when registering
Reply #20 - Jul 10th, 2009 at 1:04pm
Thanks, Jet.  Smiley
Jet Li (Legacy Dev Team, Development Team)
Re: Check usernames when registering
Reply #19 - Jul 10th, 2009 at 10:28am
OH Eng wrote on Jul 10th, 2009 at 2:16am:
Can I make a recommendation that you change the file names from Cross.png and Check.png to cross.png and check.png?  Right now those are the only two files in the whole image directory with names that have leading capitals.  Small thing, but for consistency.

Done this morning.

New
public_html/yabbfiles/ajax.js
public_html/yabbfiles/Templates/Forum/default/check.png new
public_html/yabbfiles/Templates/Forum/default/cross.png new
public_html/yabbfiles/Templates/Forum/default/Check.png deleted
public_html/yabbfiles/Templates/Forum/default/Cross.png deleted
public_html/yabbfiles/Templates/Forum/yabb21/check.png new
public_html/yabbfiles/Templates/Forum/yabb21/cross.png new
public_html/yabbfiles/Templates/Forum/yabb21/Check.png deleted
public_html/yabbfiles/Templates/Forum/yabb21/Cross.png deleted

in SVN.
cepheid (Senior Member)
Re: Check usernames when registering
Reply #18 - Jul 10th, 2009 at 3:50am
Unilat wrote on Jul 10th, 2009 at 3:37am:
So this must be due to the change deti has made.

I think so, because I think it has to do with the behavior of the MemberList function.  Yes, I made that comment after testing on the SVN version.
Unilat (Development Team, Theme Team)
Re: Check usernames when registering
Reply #17 - Jul 10th, 2009 at 3:37am
cepheid wrote on Jul 9th, 2009 at 11:29pm:
Also, it appears that the Display Name checks against both displayed name AND userid... is this deliberate?  For example, I tried putting a displayname of "admin" and it said it was taken, even though my admin user has a displayname of "YaBB Administrator" ...  my forum doesn't require displayname != userid, so I think the displayname should only check against displaynames, not userids.  (This would still take care of both possibilities.)


Was this tested in the new SVN or with the code on my test site? My test site, I swore  Wink, checks only against display name for the display name. In fact I just tested and "admin" in the display name does not return taken. So this must be due to the change deti has made.

And yes, I always capitalize my filenames and images, but that can be changed no issues  Smiley
OH Eng (Past Team Members, Documentation Team)
Re: Check usernames when registering
Reply #16 - Jul 10th, 2009 at 2:16am
Can I make a recommendation that you change the file names from Cross.png and Check.png to cross.png and check.png?  Right now those are the only two files in the whole image directory with names that have leading capitals.  Small thing, but for consistency.