HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Login security ideas for 2.3 core.

To help with account security, could you guys only allow users to log in via their email address, raise the character limit for account passwords, and add some type of temporary ban system for wrong passwords?

Comments

  • River MVP
    edited September 2016

    raise the character limit for account passwords

    A config statement is available that sets the minimum character length - $Configuration['Garden']['Registration']['MinPasswordLength']

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • @River said:

    raise the character limit for account passwords

    A config statement is available that sets the minimum character length - $Configuration['Garden']['Registration']['MinPasswordLength']

    Thanks. <3

  • Linc Detroit Admin
    edited October 2016

    @ItsVizionTv said:
    To help with account security, could you guys only allow users to log in via their email address

    It's very important to us that if you create a new hurdle there be sound security rationale for it, and the security gain be sufficient to offset the additional experience cost.

    This is something I'm not clear what the gain is. It seems to presuppose that the email is somehow more obscure or difficult to obtain than a username, but any security person will tell you that "security by obscurity" isn't an effective security premise from the outset. So we would be adding a bump in the sidewalk to an attacker, while creating a very real hurdle for users ("Which email did I use to sign up to this site?").

  • ItsVizionTv USA New
    edited October 2016

    @Linc said:

    @ItsVizionTv said:
    To help with account security, could you guys only allow users to log in via their email address

    It's very important to us that if you create a new hurdle there be sound security rationale for it, and the security gain be sufficient to offset the additional experience cost.

    This is something I'm not clear what the gain is. It seems to presuppose that the email is somehow more obscure or difficult to obtain than a username, but any security person will tell you that "security by obscurity" isn't an effective security premise from the outset. So we would be adding a bump in the sidewalk to an attacker, while creating a very real hurdle for users ("Which email did I use to sign up to this site?").

    The point of only allowing users to log in via their email is so annoying users could not temporarily ban users from logging in to their account. Plus it would stop spam from the "I forgot my password" feature, since people who do not like me use that tool a lot on my site lol.

    I understand your concern about making the software simple, and I feel like you could make this an additional security feature for users who might want to enable it. And I feel it's a lot harder for people to get someone's email address, since many people use their full name for their email but use usernames like Vizion for stuff online.

    I'm not claiming that this is going to help against a hacker group, but I feel it would help with bots and annoying users, since most bots or annoying users will give up over time. Plus it would make many people like me, who do stuff like turn on 2-factor authentication and use a different password for every account, feel safer. Plus add additional security for admin accounts.

  • River MVP
    edited October 2016

    @ItsVizionTv said:

    The point of only allowing users to log in via their email is so annoying users could not temporarily ban users from logging in to their accounts, plus stop spam from the "I forgot my password" feature, since people who do not like me use that tool a lot on my site lol.

    I understand your concern about making the software simple, and I feel like you could make this an additional security feature for users who might want to enable it. And I feel it's a lot harder for people to get someone's email address, since many people use their full name for their email but use usernames like Vizion for stuff online.

    Three different discussions, which may be you or your buddies.

    https://vanillaforums.org/discussion/comment/242384/#Comment_242384
    https://vanillaforums.org/discussion/comment/242483/#Comment_242483

    and there is a plugin.

    https://vanillaforums.org/discussion/32208/email-login-only

    https://vanillaforums.org/discussion/32201/login-mail-address

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • @River said:

    @ItsVizionTv said:

    The point of only allowing users to log in via their email is so annoying users could not temporarily ban users from logging in to their accounts, plus stop spam from the "I forgot my password" feature, since people who do not like me use that tool a lot on my site lol.

    I understand your concern about making the software simple, and I feel like you could make this an additional security feature for users who might want to enable it. And I feel it's a lot harder for people to get someone's email address, since many people use their full name for their email but use usernames like Vizion for stuff online.

    Three different discussions, which may be you or your buddies.

    https://vanillaforums.org/discussion/comment/242384/#Comment_242384
    https://vanillaforums.org/discussion/comment/242483/#Comment_242483

    and there is a plugin.

    https://vanillaforums.org/discussion/32208/email-login-only

    https://vanillaforums.org/discussion/32201/login-mail-address

    K, thanks, but I was going to see if this could be added to the core for 2.3.

  • Linc Detroit Admin

    @ItsVizionTv said:
    The point of only allowing users to log in via their email is so annoying users could not temporarily ban users from logging in to their account.

    Vanilla's login rate limit is so permissive I don't see how you could be hitting the limit without a bot attack.

    @ItsVizionTv said:
    Plus it would stop spam from the "I forgot my password" feature, since people who do not like me use that tool a lot on my site lol.

    I'm open to ideas how to approach an appropriate rate limit on forgot password if there isn't one already. I feel like it would be safer to just set an inbox rule to auto-delete them maybe.

    @ItsVizionTv said:
    Plus it would make many people like me, who do stuff like turn on 2-factor authentication and use a different password for every account, feel safer. Plus add additional security for admin accounts.

    2FA for admin accounts is on our roadmap.
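The two throttles discussed above, the "wrong password temporary ban" from the opening post and the forgot-password rate limit Linc is asking for ideas on, sketched as an added example. This is not Vanilla's code and was not posted in the thread; the class, the function names, the thresholds (10 failed logins per account or 50 per IP in 15 minutes; 3 reset emails per account or 10 per IP in an hour) and the sample addresses are all assumptions for illustration. The same sliding-window limiter is applied per account and per client IP on both paths.

```php
<?php
// Added illustration, not Vanilla's code: one sliding-window limiter applied to
// failed logins and to "forgot password" requests, per account AND per client IP.
// Storage is an in-memory array for the demo; a real deployment would use the
// cache or database so the counters survive across requests and web nodes.

final class SlidingWindowLimiter
{
    /** @var array<string, int[]> key => timestamps of events inside the window */
    private array $events = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    /** Drop expired timestamps and return how many events remain in the window. */
    public function count(string $key, int $now): int
    {
        $cutoff = $now - $this->windowSeconds;
        $this->events[$key] = array_values(array_filter(
            $this->events[$key] ?? [],
            fn (int $t): bool => $t > $cutoff
        ));
        return count($this->events[$key]);
    }

    /** True once the key has used up its allowance; records nothing. */
    public function isExhausted(string $key, int $now): bool
    {
        return $this->count($key, $now) >= $this->limit;
    }

    /** Record one event and report whether the key is now over its limit. */
    public function hit(string $key, int $now): bool
    {
        $this->count($key, $now);
        $this->events[$key][] = $now;
        return count($this->events[$key]) > $this->limit;
    }

    public function reset(string $key): void
    {
        unset($this->events[$key]);
    }
}

// Hypothetical thresholds; tune them to the forum's real traffic.
$loginPerAccount = new SlidingWindowLimiter(limit: 10, windowSeconds: 900);
$loginPerIp      = new SlidingWindowLimiter(limit: 50, windowSeconds: 900);
$resetPerAccount = new SlidingWindowLimiter(limit: 3,  windowSeconds: 3600);
$resetPerIp      = new SlidingWindowLimiter(limit: 10, windowSeconds: 3600);

// Forgot password: should an email actually go out? The page must show the same
// "if that account exists, we emailed it" text whatever this returns, so neither
// account existence nor the throttle state leaks to the requester.
function shouldSendResetEmail(string $email, string $ip, int $now,
    SlidingWindowLimiter $perAccount, SlidingWindowLimiter $perIp): bool
{
    $acctKey = 'reset:acct:' . strtolower(trim($email)); // one bucket for case/space variants
    $ipKey   = 'reset:ip:' . $ip;
    // Charge both buckets before deciding, so probing one limit also burns the other.
    $acctOver = $perAccount->hit($acctKey, $now);
    $ipOver   = $perIp->hit($ipKey, $now);
    return !$acctOver && !$ipOver;
}

// Login: refuse before the (expensive) hash check when a bucket is exhausted, count
// only failures, and clear the account bucket on success so a user's own typos never
// lock them out for long. $passwordOk stands in for the real hash verification; the
// returned status is for the server log, the user sees one message for both failures.
function loginAttempt(string $username, string $ip, bool $passwordOk, int $now,
    SlidingWindowLimiter $perAccount, SlidingWindowLimiter $perIp): string
{
    $acctKey = 'login:acct:' . strtolower($username);
    $ipKey   = 'login:ip:' . $ip;
    if ($perAccount->isExhausted($acctKey, $now) || $perIp->isExhausted($ipKey, $now)) {
        return 'throttled';
    }
    if (!$passwordOk) {
        $perAccount->hit($acctKey, $now);
        $perIp->hit($ipKey, $now);
        return 'bad-password';
    }
    $perAccount->reset($acctKey);
    return 'ok';
}

// Constructed sample: one hostile client, one victim account, reset requests 30 s apart.
$t = 1_700_000_000;
$sent = 0;
for ($i = 0; $i < 8; $i++) {
    $sent += (int) shouldSendResetEmail(' Vizion@Example.com', '203.0.113.7', $t + 30 * $i, $resetPerAccount, $resetPerIp);
}
echo "reset emails sent: $sent of 8 requests\n";

$statuses = [];
for ($i = 0; $i < 12; $i++) {
    $statuses[] = loginAttempt('Vizion', '203.0.113.7', false, $t + $i, $loginPerAccount, $loginPerIp);
}
print_r(array_count_values($statuses));

// After the 15-minute window the real owner logs in from elsewhere and the counter clears.
echo loginAttempt('Vizion', '198.51.100.4', true, $t + 1000, $loginPerAccount, $loginPerIp), "\n";
```

Runs as a plain script on PHP 8.0 or later. In the constructed sample the first three reset requests go out and the remaining five are dropped without the requester being told; of the twelve wrong-password attempts ten are counted as failures and the last two are refused before any hash check; the correct login after the window comes back ok and clears the account's counter. Two caveats tie back to the thread: the per-account login bucket is exactly what lets a hostile user lock somebody else out, which is the complaint above, so keep its window short and let the per-IP bucket do most of the work; and the forgot-password page has to show the same message whether or not an email was sent, otherwise the throttle becomes an account-enumeration oracle.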

  • @Linc said:

    @ItsVizionTv said:
    The point of only allowing users to log in via their email is so annoying users could not temporarily ban users from logging in to their account.

    Vanilla's login rate limit is so permissive I don't see how you could be hitting the limit without a bot attack.

    @ItsVizionTv said:
    Plus it would stop spam from the "I forgot my password" feature, since people who do not like me use that tool a lot on my site lol.

    I'm open to ideas how to approach an appropriate rate limit on forgot password if there isn't one already. I feel like it would be safer to just set an inbox rule to auto-delete them maybe.

    @ItsVizionTv said:
    Plus it would make many people like me, who do stuff like turn on 2-factor authentication and use a different password for every account, feel safer. Plus add additional security for admin accounts.

    2FA for admin accounts is on our roadmap.

    Thanks, and for the forgot password feature I'm not sure what you could do, but I think something should be done to prevent users from being spammed, plus to help save resources, since many email providers have strong limits.

    PS:
    I can't wait for the 2FA lol, VanillaForums has gone so far since 1.0!
    Keep up the great work I feel like I will be forced to soon learn PHP just for Vanilla. <3

  • Have not over lol. /\

  • Linc Detroit Admin

    @ItsVizionTv said:
    Keep up the great work I feel like I will be forced to soon learn PHP just for Vanilla. <3

    Forums are why I learned PHP. :chuffed:

  • @Linc said:

    @ItsVizionTv said:
    Keep up the great work I feel like I will be forced to soon learn PHP just for Vanilla. <3

    Forums are why I learned PHP. :chuffed:

    Yeah, it seems like everyone from WordPress to your guys is running PHP. I don't know why because it seems like everywhere I go PHP is getting hate lol.

  • Linc Detroit Admin
    edited October 2016

    @ItsVizionTv said:
    Yeah, it seems like everyone from WordPress to your guys is running PHP. I don't know why because it seems like everywhere I go PHP is getting hate lol.

    Strike that; reverse it.

    The weirdness isn't the prevalence of PHP, it's the haters. ;)

  • @Linc said:

    @ItsVizionTv said:
    Yeah, it seems like everyone from WordPress to your guys is running PHP. I don't know why because it seems like everywhere I go PHP is getting hate lol.

    Strike that; reverse it.

    The weirdness isn't the prevalence of PHP, it's the haters. ;)

    I understand now. :3
