No display name on registration - security issue


Sonya*


While upgrading my project I noticed that the display name disappeared from the registration screen. Instead there is a paid mod for this now.

I see a security issue for my new members. When they register, their display names are equal to the login. They can change it, but few of them know that they can do it. So they just use their login name and often a very simple password that includes the login name in it, like:

Login: member
Password: member123

The accounts can be hacked very easily. I can add a notification for new members that they should change their display name to better protect their data. Then they change it, but their login is still shown in their profile under display name history. So there is no protection there either.

I have looked for the reason for removing the display name from the registration screen but have not found any. Why? Is IPS aware of this security issue now?


While upgrading my project I noticed that the display name disappeared from the registration screen. Instead there is a paid mod for this now.

I see a security issue for my new members. When they register, their display names are equal to the login. They can change it, but few of them know that they can do it. So they just use their login name and often a very simple password that includes the login name in it, like:

Login: member
Password: member123

Only thing I can think of is to have someone make a hook that will compare the login & display name with the password and if any similarities are detected, tell them that they have to pick a different password.

The accounts can be hacked very easily. I can add a notification for new members that they should change their display name to better protect their data. Then they change it, but their login is still shown in their profile under display name history. So there is no protection there either.

I have looked for the reason for removing the display name from the registration screen but have not found any. Why? Is IPS aware of this security issue now?

It was done because the dual "login name" and "display name" fields caused confusion. I think it was changed going from 3.1 to 3.2. Keep in mind that the display name option was added in 3.0, so in a sense this 'security issue' existed before 3.0. Also, it exists for many other software packages as well.

Don't get me wrong, I'd love the option to enable users to pick a login name that is different from their display name, or at the very least, if they change their display name, the original name won't show if it matches their login name. (Only for their first name change though.)


Here ya go:

The registration form now consists of just 4 fields (6 if you use the Q&A and ReCaptcha features). So what's changed?

  • Display Name - we no longer show the display name field upon registration. Requiring users to choose two names invites confusion, and the difference is not apparent until the user is familiar with the community. But fear not, the display name feature hasn't disappeared. Instead, we set the display name to be the same as the log in name during registration, but users are free to change their display name later in their UserCP.

  • Confirm Email - There's no need to confirm the email address field. It's plain text, and many users simply copy and paste the first field anyway, duplicating rather than fixing an error.

Not really relevant to what you were talking about but just had to say.. "So true..." for the copying/pasting of the email address into the second field. :lol:

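The "hook" idea above (reject a password that is built from the login or display name), sketched here as an added standalone Python illustration; it is not IPS code or any mod from this thread, and the minimum name length and the normalization rules are assumptions:

```python
import re
import unicodedata

# Added illustration of the check suggested in the thread: refuse a password
# that contains the member's login or display name (e.g. login "member",
# password "member123"). Not IPS code; the threshold below is an assumption.
MIN_NAME_LEN = 3  # assumption: names shorter than this are not worth matching


def _normalize(text: str) -> str:
    """Case-fold, strip accents and keep only letters/digits, so that
    'Mémber_1' and 'member1' compare equal (non-Latin scripts are kept)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(
        ch for ch in decomposed.casefold()
        if ch.isalnum() and not unicodedata.combining(ch)
    )


def password_too_similar(password: str, *names: str) -> bool:
    """True if the password contains any given name (login, display name),
    forwards or reversed, after normalization, or is a mere fragment of it."""
    pw = _normalize(password)
    for name in names:
        n = _normalize(name)
        if len(n) < MIN_NAME_LEN:
            continue
        if n in pw or n[::-1] in pw:
            return True
        if len(pw) >= MIN_NAME_LEN and pw in n:
            return True
    return False


def validate_registration(login: str, display_name: str, password: str) -> list:
    """Return the messages a registration hook would show the user;
    an empty list means the combination is acceptable."""
    problems = []
    if password_too_similar(password, login, display_name):
        problems.append("Password must not contain your login or display name.")
    if _normalize(login) == _normalize(display_name):
        problems.append("Pick a display name that differs from your login; "
                        "the login is otherwise visible to every visitor.")
    return problems
```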

@Wolfie, I see. Thank you for the explanation.

My users are women, very inexperienced and thus vulnerable with their logins. I have never heard anything about "confusion" from them. I have over 150 000 registered users now (after spam filter). I would appreciate it if the option were optional, though.

I have not used IPS prior to 3.0. My decision to go with IPS (migrated from phpbb) was made basically on the wish to protect the accounts of my users and not reveal their logins to anybody except admins.

1. With phpbb I permanently had the problem that user accounts were hacked to place spam. On my very well-visited projects it is worth doing.

2. Women often use their office mail to register, then they get pregnant, stay at home and have no way to get a new password if they no longer have access to their mail. I have to verify them in this case and ask them to give me their login (information that only they can know), then I change their email manually.

After all, it looks like I have to pay now for the feature that was so important for me in deciding for IPS. It's a pity. :sad:


I see a security issue for my new members. When they register, their display names are equal to the login. They can change it, but few of them know that they can do it. So they just use their login name and often a very simple password that includes the login name in it

That's why I brought it back. I have daily attempts of hacking staff accounts on my board. All my files (paid and free) are available there... Besides the inconvenience of having to unlock accounts every day.


@Adriano Faria, sorry. It's not against you and the paid mod, OK? I am happy to have this mod ready instead of coding it myself. This is about a decision of IPS removing the option without the possibility of keeping it as an option, so that admins could decide whether this feature is useful for their projects or produces confusion.


@Adriano Faria, sorry. It's not against you and the paid mod, OK? I am happy to have this mod ready instead of coding it myself. This is about a decision of IPS removing the option without the possibility of keeping it as an option, so that admins could decide whether this feature is useful for their projects or produces confusion.

Don't worry! :)

Never understood why it was removed. Also I'm a big fan of settings! Put it everywhere! Let admins decide what is better for their boards.


@Adriano Faria, sorry. It's not against you and the paid mod, OK?

I'm sure some 3rd party developers wouldn't mind if some of their mods were no longer necessary, at least ones that they think should be part of the core code. :smile:

Not sure if this is an option for you but you could set your community to use email addresses instead of a user name.

One idea that I think might work wonders is to allow a member to change their user name (log-in ID) from within their UserCP. Then a note during the registration process (or a little (?) that when clicked) tells them that they can have a different user ID and display name, and can change it after the registration process or something.


Honestly, display names are not intended to be a security feature, so we do not approach their functionality from a security standpoint. It is meant to be a convenience feature whereby users can specify a different name to show on the forums from the name they originally registered with, and nothing more. If you want users to login using an identifier that other users cannot know, just use email logins (which is an option in the ACP). This is what most websites do today, and is quickly becoming "the norm".


Honestly, display names are not intended to be a security feature, so we do not approach their functionality from a security standpoint. It is meant to be a convenience feature whereby users can specify a different name to show on the forums from the name they originally registered with, and nothing more.

I have understood your point. But still, for me it was a security feature. Not because "I think so". I had a lot of issues on phpbb because of visible logins, and I have not had these issues since I migrated to IPS. Just my experience.

If you want users to login using an identifier that other users cannot know, just use email logins (which is an option in the ACP). This is what most websites do today, and is quickly becoming "the norm".

Then I will have usernames with all the restrictions? My projects are non-English (sigh); I need all special characters from other languages allowed in the display name. Is it possible to have no restrictions on the characters allowed in usernames? A regex like [anything you can enter] ;)


Honestly, display names are not intended to be a security feature, so we do not approach their functionality from a security standpoint.

I don't think people see display names as being a security feature, but rather the ability to have a separate user name that can be different as being a security feature. Even though the user name came first, it's flipped around in a manner of speaking.

Then I will have usernames with all the restrictions? My projects are non-English (sigh); I need all special characters from other languages allowed in the display name. Is it possible to have no restrictions on the characters allowed in usernames? A regex like [anything you can enter]

I am probably mistaken on this, but I think the only limitations on email addresses as login IDs are that they must not be banned and of course have to be valid, i.e., an email ID of itsme@domain isn't valid. Or look at it like this... Those who already registered would just use their email address as their user ID. Simple as that. If they can validate their account, then they can sign in.


@bfarber, @Wolfie, you are right! I was not aware of the possibility to log in with email. I have checked it now. It looks like exactly what I need. It means that the username can contain any characters, no restrictions. Email is used to log in. And with display names allowed, they can still change their display name, which is actually the username, right after login.


Archived

This topic is now archived and is closed to further replies.
