The Devil Posted March 10, 2007
Hello everybody ;)
I think that it would be more secure in the ACP -> View ACP Log In Logs if you got the password field ...
Normally if you go there and click on somebody's login you will see the last letter of his password. That could help somebody to guess the pass. And we don't want that to happen, do we? :)

Log in Detail
Basics
Username: admin
IP Address: 192.168.0.1
Log in Time: Mar 2 2007, 08:38 PM
Success: yes
POST Data (Form Data)
qstring
username: admin
password: ******d
GET Data (URL Data)
adsess
act: login
code: login-complete

Example: If you know me very well, you could guess that my password would be "bastard" and WOW .... what do you know ... my pass is bastard :)
Mark Posted March 10, 2007
I posted this once before, when 2.2 first came out - I agree with you completely.
Michael Posted March 10, 2007
Then maybe you should pick a better password. I seriously doubt anyone is going to guess my login with what shows for my account:
*************************v
stobbo Posted March 10, 2007
If your password is easy enough to guess from the last letter, get a different one.
Mark Posted March 10, 2007
> Then maybe you should pick a better password. I seriously doubt anyone is going to guess my login with what shows for my account:
> *************************v

Well in theory, if I had about 30 hours to spare I could eventually guess your password from that.
But remember, not everyone's is that long.
Anyway, it's not like we're saying "will you put x feature in?", we're saying "why the hell have you put x feature in!? Take it out!"
Digi Posted March 10, 2007
Wow, I didn't even notice this feature yet. Is this for real in IPB/Converge? O_o
Working4computers Posted March 11, 2007
********************5123456789101112131415;)
The Devil Posted March 11, 2007
This is going nowhere... My point is that the pass could be guessed. Yes, if it's something like **********************************************************a it will take you a lot of time, but still you will need 5 minutes to write it correctly :)
Never mind ********************5
This password could be hacked if it has only numbers ;) You will have only 51090942171709440000 combinations :lol: That means you will need about 3-4 days ;)
Anyway ... I'll try finding the script that adds the password to the database and I'll edit it to send only * to the database ;)
CallumM Posted March 11, 2007
Remember though, after a certain number of login attempts to the ACP (or any account?) your account gets locked.
Working4computers Posted March 11, 2007
This only shows up in the ACP. Why oh why would you allow a member that you don't trust within the ACP?
Maybe this should only be limited to Root Admins?
Mark Posted March 11, 2007
> Remember though, after a certain number of login attempts to the ACP (or any account?) your account gets locked.

Unless you turn that off ;)

> This only shows up in the ACP. Why oh why would you allow a member that you don't trust within the ACP?
> Maybe this should only be limited to Root Admins?

I let someone I don't know have root access to my ACP today - an IPS tech - I know they're not going to try to hack my account or anything - but some people let others into their ACP to install mods and whatnot. Obviously a certain amount of trust is needed, but what is the point of having a feature that serves NO purpose other than a vulnerability?
Keith J. Kacin Posted March 11, 2007
> Unless you turn that off ;)
> I let someone I don't know have root access to my ACP today - an IPS tech - I know they're not going to try to hack my account or anything - but some people let others into their ACP to install mods and whatnot. Obviously a certain amount of trust is needed, but what is the point of having a feature that serves NO purpose other than a vulnerability?

Why would you turn it off? If someone is worried about security, I'm sure they would leave it on.
As for the purpose of it... as mentioned before, one of the purposes is to see if someone got into the Admin CP by resetting the password (indicating there may be a backdoor), or using the person's actual password (indicating it was the person, or an easily guessable password). This helps determine the causes of most 'hacks'.
bfarber Posted March 12, 2007
Yes, the problem is if you mask the password entirely (not show the last letter) you really have almost no way of knowing if they actually logged in with the real password, or reset it somehow. If your password is "1234567890" and the log shows "xxxxxxxxx1" you know for sure that they didn't log in with the correct password - thus they must have reset it.
As has been stated before, if someone can guess your password from the last character alone, that in itself is the "security issue" you should be addressing. ;)
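The two logging behaviours argued over above, side by side, as an added illustration that is not code from the thread or from IPB: the last-character mask the thread describes, a fully redacted form, a count of how many candidates remain consistent with each masked value (the leak divides the search space by the alphabet size), and a log entry that keeps bfarber's "did the real password authenticate?" signal as a boolean instead of a password character. The PBKDF2 hashing and the log field names are assumptions for the example, not IPB's actual scheme.

```python
import hashlib
import hmac


def mask_last_char(password: str) -> str:
    """Behaviour described in the thread: every character but the last becomes '*'."""
    if not password:
        return ""
    return "*" * (len(password) - 1) + password[-1]


def redact(password: str) -> str:
    """Hardened form: the log learns nothing about the characters themselves."""
    return "*" * len(password)


def remaining_search_space(masked: str, charset_size: int) -> int:
    """Candidates consistent with a masked value: each '*' is unknown,
    each visible character is fixed, so the count is charset_size ** unknowns."""
    return charset_size ** masked.count("*")


def hash_password(password: str, salt: bytes) -> bytes:
    """Constructed hashing scheme for the example (assumption, not IPB's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_log_entry(username: str, ip: str, submitted: str,
                    stored_salt: bytes, stored_hash: bytes) -> dict:
    """ACP login-log entry that records whether the submitted password
    verified against the stored hash, so an admin can still tell a real
    login from a reset without any password character reaching the log."""
    verified = hmac.compare_digest(hash_password(submitted, stored_salt), stored_hash)
    return {
        "username": username,
        "ip": ip,
        "password": redact(submitted),       # nothing recoverable here
        "password_verified": verified,       # bfarber's diagnostic, as a flag
    }


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = hash_password("bastard", salt)
    print(mask_last_char("bastard"), redact("bastard"))
    print(remaining_search_space(mask_last_char("1234567890"), 10),
          remaining_search_space(redact("1234567890"), 10))
    print(build_log_entry("admin", "192.168.0.1", "bastard", salt, stored))
```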
Digi Posted March 12, 2007
Ah, that is a very good idea then :D Good thinking IPS B)
This topic is now archived and is closed to further replies.