Login security ideas for 2.3 core.
ItsVizionTv (New) in Feedback
To help with account security, could you guys only allow users to log in via their email address, raise the character limit for account passwords, and add some type of temporary ban system for wrong passwords?
Comments
A config statement is available that sets the minimum password length: `$Configuration['Garden']['Registration']['MinPasswordLength']`
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
Thanks.
It's very important to us that if you create a new hurdle there be sound security rationale for it, and the security gain be sufficient to offset the additional experience cost.
This is something where I'm not clear what the gain is. It seems to presuppose that the email is somehow more obscure or difficult to obtain than a username, but any security person will tell you that "security by obscurity" isn't an effective security premise from the outset. So we would be adding a bump in the sidewalk for an attacker, while creating a very real hurdle for users ("Which email did I use to sign up to this site?").
The point of only allowing users to log in via their email is so annoying users could not temporarily ban other users from logging in to their account. Plus, it would stop spam from the "I forgot my password" feature, since people who do not like me use that tool a lot on my site lol.
I understand your concern about keeping the software simple, and I feel like you could make this an additional security feature for users who might want to enable it. And I feel it's a lot harder for people to get someone's email address, since many people use their full name for their email but use usernames like Vizion for stuff online.
I'm not claiming that this is going to help against a hacker group, but I feel it would help with bots and annoying users, since most bots or annoying users will give up over time. Plus it would make many people like me, who do things like turn on 2-factor authentication and use a different password for every account, feel safer. Plus it would add additional security for admin accounts.
Three different discussions, which may be you or your buddies:
https://vanillaforums.org/discussion/comment/242384/#Comment_242384
https://vanillaforums.org/discussion/comment/242483/#Comment_242483
And there is a plugin:
https://vanillaforums.org/discussion/32208/email-login-only
https://vanillaforums.org/discussion/32201/login-mail-address
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
OK, thanks, but I was going to see if this could be added to the core for 2.3.
Vanilla's login rate limit is so permissive I don't see how you could be hitting the limit without a bot attack.
I'm open to ideas on how to approach an appropriate rate limit on forgot password, if there isn't one already. I feel like it would be safer to just set an inbox rule to auto-delete them, maybe.
2FA for admin accounts is on our roadmap.
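One way to approach the forgot-password rate limit discussed above, as an added example that is not Vanilla's own code: a fixed-window counter keyed on both the requested email address and the client IP, so repeated reset requests against one account stop producing mail after a few tries while the requester always sees the same neutral message. Class and method names are hypothetical, and the in-memory array stands in for whatever cache the forum would use.

```php
<?php
// Hypothetical forgot-password limiter (added example, not Vanilla's code).
// Fixed windows: at most $maxPerEmail reset requests per address and $maxPerIp
// per client IP within $windowSeconds. The caller shows one neutral message
// whether or not mail is sent, so the limiter never reveals account existence.
final class ForgotPasswordLimiter
{
    /** @var array<string, array{count:int, start:int}> in-memory stand-in for a cache */
    private array $buckets = [];

    public function __construct(private int $maxPerEmail = 3, private int $maxPerIp = 10, private int $windowSeconds = 3600) {}

    /** True if the reset mail may be sent; false if the request must be dropped. */
    public function allow(string $email, string $ip, int $now): bool
    {
        $emailKey = 'email:' . strtolower(trim($email));
        $ipKey = 'ip:' . $ip;
        // Check both buckets before counting, so a dropped request does not
        // burn quota in the bucket that still had room.
        if ($this->bucket($emailKey, $now)['count'] >= $this->maxPerEmail
            || $this->bucket($ipKey, $now)['count'] >= $this->maxPerIp) {
            return false;
        }
        foreach ([$emailKey, $ipKey] as $key) {
            $b = $this->bucket($key, $now);
            $b['count']++;
            $this->buckets[$key] = $b;
        }
        return true;
    }

    /** Current window for $key, restarted once $windowSeconds have elapsed. */
    private function bucket(string $key, int $now): array
    {
        $b = $this->buckets[$key] ?? ['count' => 0, 'start' => $now];
        return ($now - $b['start'] >= $this->windowSeconds) ? ['count' => 0, 'start' => $now] : $b;
    }
}

// Constructed sample: four requests for one account within seconds, then one
// more after the window has passed (email and IP are made-up test values).
$limiter = new ForgotPasswordLimiter(3, 10, 3600);
foreach ([1, 2, 3, 4, 3700] as $offset) {
    $sent = $limiter->allow('vizion@example.com', '203.0.113.5', 1600000000 + $offset);
    printf("+%4ds: %s\n", $offset, $sent ? 'send reset mail' : 'drop (same message shown)');
}
```

Pairing the per-email cap with a per-IP cap matters: the first stops one account from being flooded, the second stops one client from cycling through many addresses.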
Thanks, and for the forgot password feature I'm not sure what you could do, but I think something should be done to prevent users from being spammed, plus to help save resources, since many email providers have strong limits.
PS:
I can't wait for the 2FA lol, VanillaForums has come so far since 1.0!
Keep up the great work; I feel like I will soon be forced to learn PHP just for Vanilla.
Have not over lol. /\
Forums are why I learned PHP.
Yeah, it seems like everyone from WordPress to you guys is running PHP. I don't know why, because it seems like everywhere I go PHP is getting hate lol.
Strike that; reverse it.
The weirdness isn't the prevalence of PHP, it's the haters.
I understand now.