Displayname can't be changed to equal username
cepheid
Senior Member
Displayname can't be changed to equal username
Feb 26th, 2010 at 9:34pm
Y2.4 includes a preference to force displaynames to be different from usernames, but this is optional.  When unchecked, displaynames are allowed to be the same as usernames.  However, this is only possible upon account creation... if a user attempts to set his/her displayname to equal his/her username after the account is established, YaBB gives an error that the name is already taken...

Try the following: make sure the "different names" box is unchecked.  Take a user with displayname different from username; change the displayname to equal the username - you'll get the "this name is already taken" error.

The "already taken" error should be bypassed if the error is thrown by the owner of the account, i.e. if a user with username "foo" tries to change his displayname from "bar" to "foo," then the error should be bypassed because foo is the owner of that username.  The error should only be thrown when a user tries to use a displayname that matches someone else's username.

The easiest change for this is simply to check if displayname == username... if yes, and if the box is checked, throw the "not allowed" error, otherwise continue with the change.  If no, then check if the name is taken, and if so, throw error.

(Of course, if the "displayname must be different from username" box is checked, then the appropriate error should be thrown... the above applies when the box is not checked.)

(I'd make this change myself but I'm in the middle of writing my thesis, so I'm super-busy right now.)
  
Captain John
Ex Member


Re: Displayname can't be changed to equal username
Reply #1 - Feb 27th, 2010 at 1:04am
Mmmm, the reason behind the entry of different names was security. Hiding the username helps prevent others from logging in, because they could see the login (username) and only had to guess the password.

We now allow logging in using username, display name and email address. Of course the email can be hidden, "if" the user registering was smart enough to keep/set the hidden option.

Why should we now allow a user to revert to a username, just because the admin of the forum wasn't security conscious?
  
cepheid
Senior Member
Re: Displayname can't be changed to equal username
Reply #2 - Feb 27th, 2010 at 1:21am
Quote:
why should we now allow a user to revert to a username, just because the admin of the forum wasn't security conscious ?

First, because the disallowing of displayname=username is not a security enhancement.  It may have been, at one point, when displaynames were not valid for login and usernames could be hidden (although even then, username masking was done using a completely open algorithm that anyone and everyone could undo)... since displaynames are now allowed for login, there is zero security enhancement in preventing them from being the same as the username, since knowledge of the username is no longer required for logging in.

Second, it's not up to us to determine whether an admin is "security conscious" simply because he/she chooses to enable, or not enable, that particular feature (notwithstanding the fact that it's no longer a security enhancement).

The fact of the matter is that the forum offers the ability to have the displayname be the same as the username; as long as that ability is present, the fact that it can only be set during account creation is a bug.  If displaynames are allowed to be the same (which they are), then users must be allowed to make them the same at any time, not just during account creation.  Otherwise, the feature is inconsistent.
  
Captain John
Ex Member


Re: Displayname can't be changed to equal username
Reply #3 - Feb 27th, 2010 at 4:48am
cepheid wrote on Feb 27th, 2010 at 1:21am:
because the disallowing of displayname=username is not a security enhancement.


simply disagree.
  
cepheid
Senior Member
Re: Displayname can't be changed to equal username
Reply #4 - Feb 27th, 2010 at 5:25am
Quote:
simply disagree.

I understand that you do, but:
1) Most computer security experts - including Bruce Schneier, for example - will tell you that "security by obscurity" is not security.  It is not only easily defeated, it actually is a detraction because it provides a false sense of security when there is none.

Even if you don't believe me, despite my experience with computer security, I hope you would believe giants in the field of computer security such as Bruce Schneier (who was co-inventor of the RSA algorithm and pioneered the field of computer encryption).

(See, for example, http://www.schneier.com/crypto-gram-0205.html#1)

2) The way the forum software is currently implemented, even if you believe that "displayname != username" is more secure (i.e. ignoring point #1), the forum entirely bypasses that security - by allowing login via displayname - and therefore the feature does not enhance security.  You yourself said that the feature was implemented because, if a username is hidden, then an attacker must guess both username and password, instead of just the password.  However, now that the forum allows login via displayname, an attacker need only guess the password, just as if the username were completely exposed... because, in effect, by allowing displaynames to be used for login, they are just a second username which is always exposed.

The only way that "displayname != username" is a security enhancement, if you believe in security by obscurity, is if the forum disallows login with displayname and forces login with username (or, possibly, email address) and if usernames are cloaked.  If usernames aren't cloaked, they are exposed and there's no reason that displaynames should be restricted; if usernames are cloaked but displaynames are allowed for login, then per above, they're exposed and therefore are just like uncloaked usernames.  Only if the forum uses cloaked usernames and disallows displayname login.

However, there's no way to disable displayname login with the current release software.  Moreover, as I pointed out earlier, the username cloaking and decloaking algorithm is entirely exposed (within the open-source YaBB software).  This would not be a problem except that the cloaking is not based on any secret key - it is based on a fixed key known to anyone who looks at the code - which means that usernames can be decloaked on-the-fly by any attacker using a 1-line Perl or greasemonkey script.  Because of this, username cloaking as currently implemented is also not a security enhancement, except insofar as it requires an attacker to be a little more creative.  Relying on the concept of "most attackers are lazy" is not good - attackers are quite well-known for not being that lazy, and it's actually dead easy to defeat username cloaking the way it's currently implemented.

In order to become an actual security enhancement, username cloaking must be based on a secret key, the same way that the captcha is now based on a secret key.  I demonstrated a few years ago how the Y2.1 captcha could be trivially broken because it wasn't based on a secret key; this was fixed in Y2.2 (and re-fixed in Y2.4) and the captcha is now much more (though not entirely) secure.  The same must be applied to username cloaking if it is to be at all effective.  Anything less merely provides a false sense of security (as did the captcha, before it was fixed).

If you're not convinced by all of the above, I guess I just can't convince you, but I hope that you'll see how, if users are allowed to login via their displayname, which is always exposed, then forcing it to be different from the username offers absolutely no additional security.

Edited:
I'll add that the entire above argument is an aside; the original issue is still a bug and IMHO needs fixing.  As long as the forum admin allows the displaynames to be the same as usernames, then users should be able to set their displaynames equal to their username (per the permission set by the admin) at any time.  Only if the admin requires displaynames to be different should users be disallowed from doing this.  Right now, if the admin allows it, then users can do it only when first creating their account, because the "duplicate name" check causes a problem when they try doing it later.  It is this check that is the bug, because it's not a "duplicate" name if it is the user's own username.

So, while the above discussion is still quite important, IMHO it does not have a bearing on whether this is a bug and should be fixed - which it is, and should be, in my opinion.  If the feature is there, it should work consistently.

I will try to find time to fix this myself if nobody else gets around to it... I'm just so swamped with schoolwork that I can't, but I'll try.
« Last Edit: Feb 27th, 2010 at 5:36am by cepheid »  
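The post above argues that a cloak keyed by a constant shipped in the (open-source) code can be undone by anyone who reads that code, whereas a cloak based on a per-install secret cannot. The following Python is an added illustration of that distinction, written for this page; it is not YaBB's cloaking code, whose actual algorithm is not shown in this thread. The XOR transform, the `FIXED_KEY` constant, the `INSTALL_SECRET` value and all function names are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Assumption: a constant that lives in the public source, so every reader has it.
FIXED_KEY = b"yabb"

# Assumption: a per-install secret that lives in a config file outside the web
# root. It is hard-coded here only so the example runs stand-alone.
INSTALL_SECRET = bytes.fromhex(
    "6f1d2c4b9a8e7f60513243546576879809a1b2c3d4e5f60718293a4b5c6d7e8f"
)


def _xor_with_fixed_key(data: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ FIXED_KEY[i % len(FIXED_KEY)] for i, b in enumerate(data))


def cloak_fixed(username: str) -> str:
    """'Cloak' keyed by a constant in the source: reversible by anyone."""
    return _xor_with_fixed_key(username.encode()).hex()


def decloak_fixed(cloaked: str) -> str:
    """The one-liner an attacker writes after reading the source."""
    return _xor_with_fixed_key(bytes.fromhex(cloaked)).decode()


def cloak_keyed(username: str, secret: bytes) -> str:
    """One-way alias: HMAC-SHA256 under the install secret, truncated for display."""
    return hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()[:16]


def match_keyed_alias(alias: str, candidates: Iterable[str], secret: bytes) -> Optional[str]:
    """Recompute the alias for each candidate username and compare in constant time.

    The server, holding the real secret, can map an alias back to a member this
    way. An attacker who only has the public source (and therefore a guessed
    secret) never gets a match, however good the candidate list is.
    """
    for name in candidates:
        if hmac.compare_digest(cloak_keyed(name, secret), alias):
            return name
    return None


if __name__ == "__main__":
    public = cloak_fixed("Testuser")
    print("fixed-key cloak:", public, "-> attacker decloaks:", decloak_fixed(public))

    alias = cloak_keyed("Testuser", INSTALL_SECRET)
    guesses = ["admin", "Testuser", "foo"]
    print("keyed alias:", alias)
    print("attacker with guessed secret:", match_keyed_alias(alias, guesses, b"yabb"))
    print("server with real secret:", match_keyed_alias(alias, guesses, INSTALL_SECRET))
```

The keyed alias does not make the username unguessable in itself (a candidate list plus the secret still maps it back), but it moves the work behind a secret that is not in the repository, which is the property the post says the current cloak lacks.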
Jet Li
Legacy Dev Team
Development Team
Re: Displayname can't be changed to equal username
Reply #5 - Feb 27th, 2010 at 8:33am
Why not disable this, if you want the same Displayname and username?

Admin Center -> Forum Settings -> Members - Registration

Require Members to use a different Displayed Name than their User (login) Name?
« Last Edit: Feb 27th, 2010 at 8:33am by Jet Li »  

cepheid
Senior Member
Re: Displayname can't be changed to equal username
Reply #6 - Feb 27th, 2010 at 8:38am
Jet Li wrote on Feb 27th, 2010 at 8:33am:
Why not disable this, if you want same Displayname and username?

I did disable it... that's not the problem.  The issue is what I stated in the OP: even if this option is disabled, a user with an existing account cannot set his displayname to equal his username, because the forum returns a "this name is already taken" error.  This is a bug - the username is taken, but it belongs to the same person trying to make the change.  Hence, if the name is taken but also equals the user's own username, that error should be bypassed.
  
Jet Li
Legacy Dev Team
Development Team
Re: Displayname can't be changed to equal username
Reply #7 - Feb 27th, 2010 at 8:51am
OK, confirmed. I have tested and get this error if I change it to the same name as the username, with the option in Admin Center unchecked.

Require Members to use a different Displayed Name than their User (login) Name? [ ]

Quote:
System Information

This displayed name is already in use by another member. (Testuser)


User with login name "Testuser" and display name "Testuser1"; they should be allowed to be the same if the option permits it.

Thanks for this report, cepheid!

« Last Edit: Feb 27th, 2010 at 8:53am by Jet Li »  

cepheid
Senior Member
Re: Displayname can't be changed to equal username
Reply #8 - Feb 27th, 2010 at 9:30am
This is also a one-line fix.

In Profile.pl, find line 1436:
    if (lc &MemberIndex("check_exist", $member{'name'}) eq lc $member{'name'}) { &fatal_error('name_taken',"($member{'name'})"); }



Change to:
    if ((lc &MemberIndex("check_exist", $member{'name'}) eq lc $member{'name'}) && (lc $member{'name'} ne $member{'username'})) { &fatal_error('name_taken',"($member{'name'})"); }



This ensures that the error is only thrown if the name exists and belongs to someone other than the current user.  This check is OK because the check for displayname != username has already occurred, thus if equality exists but is not allowed, we already would have errored out.  Thus, if we've gotten this far and displayname = username, it must be allowed and thus can be used to bypass the "name exists" check.

Jet, this should fix the problem; can you test with your Testuser/Testuser1 account?  It should work properly with this change.
  
Jet Li
Legacy Dev Team
Development Team
Re: Displayname can't be changed to equal username
Reply #9 - Feb 27th, 2010 at 9:36am
Still no changes. Same Error.
  

cepheid
Senior Member
Re: Displayname can't be changed to equal username
Reply #10 - Feb 27th, 2010 at 9:40am
Jet Li wrote on Feb 27th, 2010 at 9:36am:
Still no changes. Same Error.

Because I'm an idiot.  Please prepend "lc" to the username check, i.e.

    if ((lc &MemberIndex("check_exist", $member{'name'}) eq lc $member{'name'}) && (lc $member{'name'} ne lc $member{'username'})) { &fatal_error('name_taken',"($member{'name'})"); }
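The three versions of the Profile.pl check discussed in this thread (the original, the first patch that compared a lowercased displayname against an unlowercased username, and the final patch) differ only in when the "name taken" error fires. The following Python is an added model of that logic, written for this page rather than taken from YaBB: the `MEMBERS` table is constructed, and `member_index_check_exist` is an assumed stand-in for YaBB's `MemberIndex("check_exist", ...)` that returns the colliding username or displayname (or `None`); the real function's return value is not shown in the thread.

```python
from typing import Dict, Optional

# Constructed member table for the example: username -> current displayname.
# Jet Li's test account from the thread is included; the others are invented.
MEMBERS: Dict[str, str] = {
    "Testuser": "Testuser1",
    "foo": "bar",
    "alice": "Alice",
}


def member_index_check_exist(name: str) -> Optional[str]:
    """Assumed stand-in for MemberIndex("check_exist", name).

    Returns the stored username or displayname that matches `name`
    case-insensitively, or None when nothing collides.
    """
    needle = name.lower()
    for username, displayname in MEMBERS.items():
        if username.lower() == needle:
            return username
        if displayname.lower() == needle:
            return displayname
    return None


def validate_displayname(username: str, new_name: str,
                         require_different: bool, variant: str = "fixed") -> str:
    """Model of the profile-save path. Returns "ok", "not_allowed" or "name_taken".

    variant selects which version of the name_taken line is applied:
      "original"    - error whenever the name exists, even if it is the caller's
                      own username (the bug reported in the OP)
      "first_patch" - Reply #8: `lc $member{'name'} ne $member{'username'}`,
                      i.e. the username side is not lowercased
      "fixed"       - Reply #10: both sides lowercased
    """
    # The admin option "Require Members to use a different Displayed Name than
    # their User (login) Name?" is checked first, as the thread describes.
    if require_different and new_name.lower() == username.lower():
        return "not_allowed"

    hit = member_index_check_exist(new_name)
    taken = hit is not None and hit.lower() == new_name.lower()

    if variant == "original":
        pass
    elif variant == "first_patch":
        taken = taken and new_name.lower() != username
    elif variant == "fixed":
        taken = taken and new_name.lower() != username.lower()
    else:
        raise ValueError(f"unknown variant: {variant}")

    return "name_taken" if taken else "ok"


if __name__ == "__main__":
    for variant in ("original", "first_patch", "fixed"):
        print(f"{variant:12s} Testuser -> Testuser:",
              validate_displayname("Testuser", "Testuser", False, variant))
    print("fixed        foo -> alice (someone else's username):",
          validate_displayname("foo", "alice", False, "fixed"))
    print("fixed, option checked, foo -> foo:",
          validate_displayname("foo", "foo", True, "fixed"))
```

The `first_patch` row reproduces why Jet Li still saw the same error with "Testuser": `"testuser" != "Testuser"` is true, so the name still counted as taken. The fixed variant bypasses the error only for the caller's own username; a displayname matching any other member's username or displayname is still rejected, and the admin option still wins when it is checked.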

  
Jet Li
Legacy Dev Team
Development Team
Re: Displayname can't be changed to equal username
Reply #11 - Feb 27th, 2010 at 9:44am
Thanks. It works.

New Sources/Profile.pl in CVS.
  

cepheid
Senior Member
Re: Displayname can't be changed to equal username
Reply #12 - Feb 27th, 2010 at 9:45am
This should also be copied to Y3 and fixed in SVN, if this same code is still in Y3.
  
Jet Li
Legacy Dev Team
Development Team
Re: Displayname can't be changed to equal username
Reply #13 - Feb 27th, 2010 at 9:49am
cepheid wrote on Feb 27th, 2010 at 9:45am:
This should also be copied to Y3 and fixed in SVN, if this same code is still in Y3.

It's on my ToDo list for Y3.

The current SVN is outdated. Deti works locally on Y3.
  
