Vector Sigma Posted September 29, 2008

Hello people, I want to say that IPB is by far the BEST forum platform EVER. I want to make some suggestions for the new IPB 3.0.0. I don't know if those exist already but I really want to see them in action.

All of the forums have bad members that really mess up the board and sometimes they make the life of admins and global mods difficult. One way to eliminate this is to install a mod called Token Of Death that will do some hard work for you, but this is not very accurate all the time.

Then I had an idea. How many people in one forum have the exact same password? I mean really, if you could see the passwords of the users, there are not many users with the same password. You may even find only 2 or 3 pairs of users having the same password. What if we used a code to alert us immediately if 2 users use the same password? That way we could take the appropriate measures.

For example a message could inform us IF

1. a member has the same IP AND
2. a member has the same pass or a password that seems similar to others' passwords... example: a pass like 123456 is similar to 123456_0

I think it is a very alternate way to check for bad members. I know it is very easy for someone to change his password, but think of the situation a bad member would be in if he has to change pass with every different username he enters. Please advise if this could be made or not.
Jυra Posted September 29, 2008

That's an interesting idea, but it makes passwords even less private. I'm not too sure about that.
Vector Sigma Posted September 29, 2008

I think that even encrypted passwords can be compared and also remain secure. I don't know how that can be achieved but I think it would be a nice built-in feature for IPB 3.0.0.
Jυra Posted September 29, 2008

I remember seeing lists of the most used passwords. Let's say there's an already good member, but then a spammer uses the same password. Then what?
Vector Sigma Posted September 29, 2008

Well, the password check will be like an extended part of a defense system. Not the unique part for banning a member. Usually a spammer registers multiple accounts with the same password so it is easy to remember. If we make his life difficult then we will break his nerve and after an amount of time he will quit trying to mess up the board. I think it is a nice add-on for our boards.
bfarber Posted September 29, 2008

The "token of death" mod, while interesting, is not something we would include in a professional software package I'm afraid. ;) It will have to remain a mod.

And there's no way to check the passwords to see if they are the same. While the salts are available in the database, we have no way to determine (except upon login) what the original password was for comparison, thus there's no way to know if any two are the same. Besides, that's not indicative of a bad member in my eyes. Neither are duplicate IPs if you ask me.
X3773 Posted September 29, 2008

Well, you can salt the password from the input then try to match it in the database. If you tell them that someone has that password then all they need to do is go down the list of members and try each member's login with that password.
bfarber Posted September 29, 2008

> Well, you can salt the password from the input then try to match it in the database. If you tell them that someone has that password then all they need to do is go down the list of members and try each member's login with that password.

It doesn't work that way... We salt the password during login and confirm the user used the correct password. Now we have that user's password. Tell me... how would we then look up to see if any other user is using that password? Every single user has a unique salt (at least pseudo-unique) and as such, it's not a matter of seeing if any of the hashes are the same...
Morrigan Posted September 29, 2008

Passwords = Don't mess with them. I think it would maybe be best if perhaps we could blacklist password/words but otherwise IPB has the safest passwords that I can imagine.
henke37 Posted September 30, 2008

If you have to do such a check, there is only one time when you both have the password and the salt, it is when logging in.
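Added example, not part of the original thread and not IPB's code: a sketch of why per-member salts make stored hashes incomparable, and what the login-time check described above would cost. PBKDF2-HMAC-SHA256, the iteration count, and the member names and passwords are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; PBKDF2 stands in for the board's real scheme

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db: dict, name: str, password: str) -> None:
    salt = os.urandom(16)  # unique per member
    db[name] = (salt, hash_password(password, salt))

def stored_hashes_match(db: dict, a: str, b: str) -> bool:
    """All that a scan of the members table can compare: the stored hashes."""
    return hmac.compare_digest(db[a][1], db[b][1])

def verify_login(db: dict, name: str, password: str) -> bool:
    salt, stored = db[name]
    return hmac.compare_digest(hash_password(password, salt), stored)

def members_sharing_password(db: dict, name: str, password: str) -> list:
    """Login-time check: re-hash the submitted plaintext under every other
    member's salt. Costs one full KDF run per member, on every login."""
    if not verify_login(db, name, password):
        return []
    return sorted(
        other for other, (salt, stored) in db.items()
        if other != name
        and hmac.compare_digest(hash_password(password, salt), stored)
    )

def build_demo_db() -> dict:
    # Constructed sample members and passwords.
    db = {}
    for name, pw in [("alice", "correct horse"), ("bob", "hunter2!"),
                     ("spam1", "hunter2!"), ("spam2", "hunter2!_0")]:
        register(db, name, pw)
    return db

if __name__ == "__main__":
    db = build_demo_db()
    print(stored_hashes_match(db, "bob", "spam1"))
    print(members_sharing_password(db, "bob", "hunter2!"))
```

The near-identical password of `spam2` is not reported: re-hashing under a known salt can reveal equality, never similarity.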
Vector Sigma Posted September 30, 2008

Well, thanks everyone for putting their thoughts on this thread. I just wanted to see what people think of this. I just can't think of any new way to protect a board from spammers and members that keep registering and registering to mess up the board. I mean there should be some identical things that a bad user has so the system can recognise him. There should be a way even if the member deletes cookies, or clears cache.
X3773 Posted September 30, 2008

There is no way for a computer to recognize if a user is bad or good, and if there was who is to say who is bad and who is good? So there is no way for a forum to check for this for that matter.
This topic is now archived and is closed to further replies.