Security improvement


cem12_merged

Posted

Hello,

I searched in my admin panel, but couldn't find this feature; I was wondering if you can add the option to disallow potential members to sign up using the same password as their username (username=password)? This is a big security issue with forums at the moment as you could just extract the member names and brute-force the forum. The current "login security system" does not block this even if you don't use proxy servers, due to the fact that you are targeting separate member accounts instead of the same member account.

I know that it is plain stupid to use the same username as your password, but there are just many people out there who still prefer to do that to remember their password easily.

Looking forward to your reply.

Thank you.

Cem

Posted

How about an addition to this: on the registration screen, let the user choose a RANDOM generated password (based on what they want), then have it e-mailed to them (in case they ever forget).

  • Management
Posted

It's probably easier to just have password enforcement options the admin can set than getting into user-level options. We can look into this for a future version.

Posted

I agree, it would be nice if the software had some basic password selection enforcement, such as not allowing use of your username as your password as suggested above. Another would be not allowing single dictionary words. A settable minimum password length is another good one. Ultimately some sort of "meter" that shows your password strength, with suggestions on how to choose a good password would be ideal. :)

..Al
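
The checks suggested in this post and in the Management reply above it (no username as password, no single dictionary word, a settable minimum length, a strength meter, all under admin control), sketched as an added example that is not part of the original thread or of IPB's code. Every name and the word list are hypothetical:

```javascript
// Added example: admin-settable password policy for a signup form.
// Every name here is hypothetical; none of this is IPB's own code.
const DEFAULT_POLICY = {
  minLength: 8,           // settable minimum password length
  rejectUsername: true,   // refuse passwords built on the username
  rejectDictionary: true, // refuse single dictionary words
  enforce: true,          // false = advisory meter only, never blocks signup
};

// Constructed sample list; a real deployment would load a full wordlist.
const SAMPLE_WORDS = new Set(['password', 'dragon', 'monkey', 'letmein', 'football']);

// Lowercase and drop leading/trailing non-letters, so "Dragon1!" -> "dragon".
function stripAffixes(s) {
  return s.toLowerCase().replace(/^[^a-z]+|[^a-z]+$/g, '');
}

// True for username=password and for trivial variants such as "cem12" -> "Cem12345!".
function matchesUsername(username, password) {
  if (password.toLowerCase() === username.toLowerCase()) return true;
  const core = stripAffixes(username);
  return core.length >= 3 && stripAffixes(password) === core;
}

function checkPassword(username, password, policy = DEFAULT_POLICY) {
  const problems = [];
  if (password.length < policy.minLength) {
    problems.push(`Use at least ${policy.minLength} characters.`);
  }
  if (policy.rejectUsername && matchesUsername(username, password)) {
    problems.push('Do not base your password on your username.');
  }
  if (policy.rejectDictionary && SAMPLE_WORDS.has(stripAffixes(password))) {
    problems.push('Do not use a single dictionary word.');
  }
  // Meter: one point per character class, plus one for 12+ characters, capped at 4.
  const classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  const score = problems.length ? 0 : Math.min(4, classes + (password.length >= 12 ? 1 : 0));
  // In advisory mode the problems are suggestions and signup is never blocked.
  return { ok: !policy.enforce || problems.length === 0, score, problems };
}
```

With `enforce: false` the same function drives a suggestive meter: `problems` becomes the list of hints shown next to the score, and registration still goes through.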

Posted

[quote name='AtariAge' date='06 September 2009 - 02:38 PM' timestamp='1252273118' post='1853359']
I agree, it would be nice if the software had some basic password selection enforcement, such as not allowing use of your username as your password as suggested above. Another would be not allowing single dictionary words. A settable minimum password length is another good one. Ultimately some sort of "meter" that shows your password strength, with suggestions on how to choose a good password would be ideal. :)

..Al
[/quote]

Please consider this a must for immediate development!

Posted

This topic reminds me of something I suggested in August 2007.

http://forums.invisionpower.com/topic/236575-forcing-strong-passwords/

As you'll see, it wasn't well received. :lol:

Posted

I'm all for stronger passwords... just as long as the feature is suggestive, like a color coded meter showing how strong the password is. I HATE sites that force you to have at least 8 characters, contain 1 number and letter, and/or change your password every X amount of time.

Posted

[quote name='Luke' date='08 September 2009 - 03:36 PM' timestamp='1252438590' post='1854114']
I'm all for stronger passwords... just as long as the feature is suggestive, like a color coded meter showing how strong the password is. I HATE sites that force you to have at least 8 characters, contain 1 number and letter, and/or change your password every X amount of time.
[/quote]

Amen. It's requirements like that that force people to have to write down their passwords, thus defeating the purpose of the security gains you're supposed to be getting from having these requirements.

Posted

http://spookyet.posterous.com/passwords-are-stupid

Clarifying - the above link does not represent my opinion of the feature suggestion, or the opinion of any colleagues/coworkers here. I simply felt it relevant to the discussion, albeit in an indirect way.

Posted

Would be nice to have a script that could test all passwords and email/PM the customer requesting them change their password if deemed too weak.

  • Management
Posted

[quote name='isdoo' date='08 September 2009 - 04:55 PM' timestamp='1252443300' post='1854158']
Would be nice to have a script that could test all passwords and email/PM the customer requesting them change their password if deemed too weak.
[/quote]

I must say that would not only be incredibly annoying if a web site sent me an email "I think your password is awfully weak" but it would be impossible as all passwords in IPB are stored hashed so IPB doesn't know what they are to begin with.

Posted

If annoyance were to save your site from being hacked, then I would prefer to be annoyed. However I would also ask 'why did your site not force me to have a stronger password in the first place!'

Mind you it is academic if it is not even possible ;)

Posted

[quote name='Luke' date='08 September 2009 - 08:36 PM' timestamp='1252438590' post='1854114']
I'm all for stronger passwords... just as long as the feature is suggestive, like a color coded meter showing how strong the password is. I HATE sites that force you to have at least 8 characters, contain 1 number and letter, and/or change your password every X amount of time.
[/quote]

A color code meter would be nice, I have seen this on a few other sites.
It would deter users from making simple one word passwords.
As for forcing different characters, you could include options in the meter like "improve your password by using xxxx" and remind me to change my password every X days/months.

[quote name='bfarber' date='08 September 2009 - 09:36 PM' timestamp='1252442172' post='1854150']
http://spookyet.posterous.com/passwords-are-stupid

Clarifying - the above link does not represent my opinion of the feature suggestion, or the opinion of any colleagues/coworkers here. I simply felt it relevant to the discussion, albeit in an indirect way.
[/quote]

That was a good read, that myVidoop Image Shield seems really cool.
Maybe to strengthen security IPS could include ReCAPTCHA in the login (or at least have options to turn it on/off in the ACP).
While normal users might find it troublesome, I would like the added safety on admin/mod accounts and even on the ACP login.

Posted

[quote name='Charles' date='08 September 2009 - 10:01 PM' timestamp='1252443705' post='1854163']
Your site cannot be hacked from a member account being compromised :)

If it's your account well then that's your own fault.
[/quote]

Agreed, but part of the reason for not wanting member passwords and accounts to be hacked, is not just to protect the whole board, but also to avoid Admins/Moderators from being considered untrustworthy. Such suspicion can undermine confidence in a forum/community, however much Admins can point at MD5 and pas_salt and pass_hash.

So it's not just about protecting the board from hacks (low risk), it's about protecting the admins from suspicion (higher risk) and the members from themselves (highest risk) :)

  • Management
Posted

Yes I know what you mean :) I just didn't want people freaking out because they saw the word "hack" and "site" together since that's not quite accurate.

Posted

I run a forum focused around older guys retiring in the Philippines. To make them change their passwords regularly, or to force them to use a password such as asdf*&$%JEOK is ridiculous. If it were possible for me to implement this feature, I wouldn't do so. But, as previously stated, it would be acceptable if we (Administrators) had control over the option:

[quote name='rct2dotcom' date='09 September 2009 - 04:03 AM' timestamp='1252440190' post='1854132']Amen Amen, my original suggestion was designed to have the CAPABILITY but to make it enforceable at the AdminCP's discretion.

In my case, my older members like the KISS (Keep It Simple Stupid) method. Older members of my forums don't like a lot of changes. Heck, I can only imagine a number of them having problems with v3.0. They have been accustomed to v2.0 for so long but now must change.

Onward. Now, if what Charles states is true:

[quote name='Charles' date='09 September 2009 - 05:01 AM' timestamp='1252443705' post='1854163']
Your site cannot be hacked from a member account being compromised :)

If it's your account well then that's your own fault.
[/quote]

Then there is no need for that option anyway.

My two cents,

Archived

This topic is now archived and is closed to further replies.
