TCWT Posted September 20, 2006

So, I just finally managed to login to the board after remembering my password. Like many others, I didn't realize it asked for email address as the login. :ermm: One suggestion: IPB should return an error stating whether the login or password is incorrect!!

5 hours ago, I clicked on the forgotten password link, then proceeded to click on the link in the email, entered the security code, hit the submit button, and after that it returned this error. The error returned was: "Your password field was not complete" :blink: I did this at least 7 times by clicking the forgotten password link and repeating the steps above, but it still returns the same exact error!!

Another change in the Password Recovery System is that IPB sends you a newly generated password by email. In 2.1, it allowed you to create a new password when the link in the password recovery email was clicked. I would prefer the latter, because what would happen if you cannot receive emails from the board, the email address got deleted, or for any other reason you cannot access the email used to register the account?

The last problem is that I was unable to register after giving up on trying to recover my password. It returns a general error which doesn't tell me what is wrong. I double checked the email and password, but still to no avail. :shifty:
Mat Barrie Posted September 20, 2006

> So, I just finally managed to login to the board after remembering my password. Like many others, I didn't realize it asked for email address as the login. :ermm: One suggestion: IPB should return an error stating whether the login or password is incorrect!!
>
> 5 hours ago, I clicked on the forgotten password link, then proceeded to click on the link in the email, entered the security code, hit the submit button, and after that it returned this error. The error returned was: "Your password field was not complete" :blink: I did this at least 7 times by clicking the forgotten password link and repeating the steps above, but it still returns the same exact error!!
>
> Another change in the Password Recovery System is that IPB sends you a newly generated password by email. In 2.1, it allowed you to create a new password when the link in the password recovery email was clicked. I would prefer the latter, because what would happen if you cannot receive emails from the board, the email address got deleted, or for any other reason you cannot access the email used to register the account?
>
> The last problem is that I was unable to register after giving up on trying to recover my password. It returns a general error which doesn't tell me what is wrong. I double checked the email and password, but still to no avail. :shifty:

Actually, there's a REASON it doesn't say whether it's the password or username that is wrong. If it does this, a brute force cracker can tell whether they have a valid username and can stop cycling usernames and start on passwords. Of course, IPS made a booboo here, because (at least in 2.1) the message is actually different: "We couldn't find a member using those login details" means the username was wrong, and "The logon details entered are incorrect" means the password was wrong.
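To make the point above concrete, here is an added illustration (not IPB's code, and not from anyone in this thread) of the two behaviours: a handler that returns the two distinct 2.1 messages quoted above, beside one that returns a single message for both failure cases and does the same hashing work whether or not the username exists. The user database, the password and the decoy hash are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2 hash).
# "alice" / "correct horse" are made-up credentials for the demo only.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Decoy salt/hash used when the username is unknown, so the hardened
# handler performs the same work either way (no timing difference).
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _hash("decoy", _DECOY_SALT)


def login_leaky(username: str, password: str) -> str:
    """The 2.1-style behaviour described in the thread: two different
    failure messages, so the response reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return "We couldn't find a member using those login details"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "The logon details entered are incorrect"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened variant: one message for both failure cases, and the hash
    is computed even for unknown users so the work done is the same."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check means an unknown user can never log in via the
    # decoy record, even if the decoy password were guessed.
    if ok and username in USERS:
        return "OK"
    return "The login details entered are incorrect"


def responses_distinguishable(login_fn) -> bool:
    """Regression check a board owner can run: do an unknown username and a
    wrong password for a real username produce different responses?"""
    return login_fn("nobody", "x") != login_fn("alice", "x")
```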
Matt (Management) Posted September 20, 2006

> Another change in the Password Recovery System is that IPB sends you a newly generated password by email. In 2.1, it allowed you to create a new password when the link in the password recovery email was clicked. I would prefer the latter, because what would happen if you cannot receive emails from the board, the email address got deleted, or for any other reason you cannot access the email used to register the account?

This is actually a new feature in IPB 2.2. You can go back to allowing your members to create their own password, but the new method is much more secure. An exploit in IPB 2.1.5 took advantage of being able to 'reset' the password in this method. If it had simply emailed out a new password, then the worst they could have done is reset your password for you, but they would never have had access to the new password.

> The last problem is that I was unable to register after giving up on trying to recover my password. It returns a general error which doesn't tell me what is wrong. I double checked the email and password, but still to no avail.

Again, this is deliberate. Why tell the hacker that they have your username correct? This is especially important if you choose email address as your login, as this is hidden from viewers at all times. :)
TCWT Posted September 20, 2006

> This is actually a new feature in IPB 2.2. You can go back to allowing your members to create their own password, but the new method is much more secure. An exploit in IPB 2.1.5 took advantage of being able to 'reset' the password in this method. If it had simply emailed out a new password, then the worst they could have done is reset your password for you, but they would never have had access to the new password.

I see, but what would happen if the member doesn't have access to that email address anymore? Also, this system is open to abuse: anyone could simply click forgotten password and reset it. How about adding a password hint to make it even more secure?