YaBB Community and Support Forum
Username/Password (Read 4,842 times)
 Feb 9th, 2010 at 4:44am
Captain John
Ex Member
Username/Password
So many users complain about not being able to log in ... and it's usually hard to find out why in order to correct it.
  Would like to see separate error messages for Login.
1.) Username not found, check spelling or try entering email address
2.) Username file corrupt, contact Administrator
3.) Password incorrect
 
 

 Reply #1 - Feb 9th, 2010 at 7:08am
OH Eng
Past Team Members
Documentation Team
Posts: 4,026
Pensacola, Florida USA
Re: Username/Password
Good idea.  Maybe add "email address not found" as an alternative to #1 if that's what the user tries to log in with.

« Last Edit: Feb 9th, 2010 at 7:09am by OH Eng »  
 
OH Eng  

 Reply #2 - Feb 12th, 2010 at 2:57pm
The Boy
Full Member
Posts: 338
UK
Re: Username/Password
Uncomfortable with it specifically saying if it's username or password that's incorrect, as that gives more info to people trying to obtain details about other parties....
 

 Reply #3 - Mar 20th, 2010 at 11:24pm
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Wichita, KS
Re: Username/Password
TheBoy is correct. Failed logins really can only say "The username and password combination is not valid" or they risk opening up some nasty little holes.
 
-- Matt Siegman 8) Wish List
 

 Reply #4 - Mar 21st, 2010 at 1:30am
OH Eng
Past Team Members
Documentation Team
Posts: 4,026
Pensacola, Florida USA
Re: Username/Password
Well I can understand that.  But how about making a distinction in the forum's Error Log... bad username, bad password, bad email, etc. so when the forum Admin tries to figure out what the problem is, he knows which one is bad.  The information would only go back to the one user with that username/email/password, whereas the user getting the error might just see "Login Attempt Failed" or something like that?

 
 
OH Eng  
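
The split proposed in Reply #4 (one generic message for the user, the specific reason only in the admin's error log), sketched as an added example that is not part of the thread and not YaBB's own code. It is written in Python rather than YaBB's Perl; the `login` function, the `forum.errorlog` logger name and the sample accounts are all hypothetical.

```python
import hashlib
import hmac
import logging
import os

GENERIC_ERROR = "Login attempt failed"           # the only text a user ever sees
admin_log = logging.getLogger("forum.errorlog")  # hypothetical admin-only error log


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the sample runs quickly; not a tuning recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample data. None stands for a member record that cannot be read.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT)), "bob": None}
EMAILS = {"alice@example.org": "alice"}
_DUMMY = (os.urandom(16), os.urandom(32))  # checked when there is no usable record


def login(identifier: str, password: str, remote_ip: str) -> tuple[bool, str]:
    """Return (ok, message_for_user); the specific reason goes only to admin_log."""
    ident = identifier.strip().lower()
    by_email = "@" in ident
    username = EMAILS.get(ident) if by_email else ident
    record = USERS.get(username)
    if username not in USERS:
        reason = "bad email" if by_email else "bad username"
    elif record is None:
        reason = "user file corrupt"
    else:
        reason = "bad password"
    # Always hash and compare in constant time, even with no account, so the
    # response time does not separate "no such user" from "wrong password".
    salt, stored = record or _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if record is not None and matches:
        return True, "Welcome"
    # The password is never logged; %r escapes CR/LF in the submitted
    # identifier so it cannot forge extra log lines.
    admin_log.warning("login failed: reason=%s identifier=%r ip=%s",
                      reason, ident, remote_ip)
    return False, GENERIC_ERROR
```
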

 Reply #5 - Mar 21st, 2010 at 6:00am
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Wichita, KS
Re: Username/Password
That's a good idea.
 
-- Matt Siegman 8) Wish List
 

 Reply #6 - Mar 21st, 2010 at 4:47pm
Captain John
Ex Member
Re: Username/Password
We are trying to secure something that is no longer secured.
  With Guests allowed to view ..... the Display name of who posted/replied, Newest Member is ....
  Due to us allowing single users to influence us, we now allow the ability to log in using either username, email or "display name", hackers only need to figure out the password anyways.
  So why the need to worry about hiding the error of which is incorrect .... when the legit user is trying to log in with his username/pwd (the only things still invisible)?
« Last Edit: Mar 21st, 2010 at 8:35pm by N/A »  
 

 Reply #7 - Mar 21st, 2010 at 10:35pm
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Wichita, KS
Re: Username/Password
I don't intend to allow logging in with Display Name for YaBB 3. We will probably limit it to either username or email. We need to take security more seriously.
 
-- Matt Siegman 8) Wish List
 

 Reply #8 - Mar 22nd, 2010 at 11:25pm
cepheid
Senior Member
Posts: 516
Re: Username/Password
Matt Siegman wrote on Mar 21st, 2010 at 10:35pm:
We need to take security more seriously.

Amen.  It's also time to ensure that any "cloaking" or "encryption" is done based on secret keys (as the captcha is done, now) and not hardcoded ones.  As it stands now, for this reason, "username cloaking" is of zero value even if Display Name login is disabled.
 

 Reply #9 - Mar 23rd, 2010 at 3:52am
Captain John
Ex Member
Re: Username/Password
« Last Edit: Mar 23rd, 2010 at 3:59am by N/A »  
 

 Reply #10 - Mar 23rd, 2010 at 11:09pm
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Wichita, KS
Re: Username/Password
Sorry, but BBS software is some of the most targeted software by hackers. We will be locking several things down, including logins.
 
-- Matt Siegman 8) Wish List
 