Security improvement idea

[Makoto]

If anyone can attempt a brute force and get more than two or three tries your forum settings are wrong.

It's not uncommon for legitimate members to accidentally enter in the wrong password two or three times. I hate it when websites lock me out after a mere 3 attempts.

If you're actually using a password common enough that it can be brute forced after a mere 100 attempts, you are doing something wrong.

I have the limit set to 5 on my forum, and I consider that a good minimum level. You shouldn't lock accounts out after anything less than 5 failed login attempts.

Doing so doesn't realistically offer you any improved security and will just frustrate members.

[Jυra]

Because someone doesn't support one thing, they must be also against all others.

[Royzee]

It's not uncommon for legitimate members to accidentally enter in the wrong password two or three times. I hate it when websites lock me out after a mere 3 attempts.

If you're actually using a password common enough that it can be brute forced after a mere 100 attempts, you are doing something wrong.

I have the limit set to 5 on my forum, and I consider that a good minimum level. You shouldn't lock accounts out after anything less than 5 failed login attempts.

Doing so doesn't realistically offer you any improved security and will just frustrate members.

Yes, I agree on getting locked out. It is very frustrating. Setting the tries to 5 is also fine, I just prefer 3 as most people have them browser saved anyhow.

Also while member accounts are a hacking concern, SSH and root accounts are much more worthy of security concerns. Those I autoban their IP for 90 days after 2 failed attempts.

[Makoto]

Also while member accounts are a hacking concern, SSH and root accounts are much more worthy of security concerns. Those I autoban their IP for 90 days after 2 failed attempts.

A better solution is to not allow remote root SSH login and only allow key based authentication.

If you don't do that already, an autoban after only 2 failed attempts is also unnecessarily strict.

[Royzee]

A better solution is to not allow remote root SSH login and only allow key based authentication.

If you don't do that already, an autoban after only 2 failed attempts is also unnecessarily strict.

It is a fully self-managed server, so not allowing remote root SSH isn't a good option. That is why I have fail2ban set for 90 day IP ban after 2 failed attempts.

[Makoto]

It is a fully self-managed server, so not allowing remote root SSH isn't a good option. That is why I have fail2ban set for 90 day IP ban after 2 failed attempts.

Didn't we discuss this subject in another thread before? I can't remember if that was you or not.

You shouldn't allow root SSH login because it's an unnecessary security risk. You do not need to SSH under root. Log in to your server from a normal user account and su up.

SSH user@yourhost then running "su" vs. SSH root@yourhost

Your server also isn't going to be brute forced in two attempts, so setting an extremely low value is not needed. But I'm not telling you how to configure your server, I just think it's worth mentioning that there's no added benefit to locking someone out after 2 attempts vs. 5, for example. The only difference is if you ever have a bad day sometime in the future and accidentally mash your keys together twice one late evening, not having the patience to be extra precocious after your first failed attempt, you're going to end up having an even worse day.

When enforcing key authentication, it's going to be virtually impossible to brute force access to your server regardless.

[TracyIsland]

I do not support this security improvement idea and I hope IPS does not implement the feature.

[Wolfie]

I do not support this security improvement idea and I hope IPS does not implement the feature.

I suppose you're against TFA too. So what is your reason against a simple but very effective idea when you wouldn't be required to use it on your own site unless you wanted to?

[Makoto]

The effectiveness is debatable.

I've been trying to encourage offering stricter security standards for a while now.

I still would like to see some of my suggestions implemented as well. Definable minimum password lengths and giving the option to require members use a mixture of uppercase, lowercase and alphanumeric characters in their passwords, for example.

[TracyIsland]

Does anyone know what TFA means?

[Lewis P]

Does anyone know what TFA means?

Two Factor Authentication.

What do I win?

[Loren]

I think Two Step Authentication makes good sense.

[Wolfie]

The effectiveness is debatable.

If you can demonstrate to me that 'nullifying' the hash so that the original password is no longer crackable won't prevent it from being cracked, then I'll admit that it's not effective.

[TracyIsland]

Two Factor Authentication.

What do I win?

one massive high five

[skizzerz]

I could see the benefit of this in a 3rd party application for those that want it, but I would not want this built into the board software itself. It adds unnecessary bloat to the codebase that IPS will then be required to maintain, all for a feature that (based on this discussion) will not be enabled for a very large number of boards, either due to it being the default setting of disabled or due to admins not wanting the feature.

Let's explore the pros and cons of this:

Pros:

• Reduced attack surface in the event of a database breach by removing hashes from the database

Cons:

• Very annoying to community members. Companies get away with password change requirements because their employees are getting paid. Communities don't pay their community members, and thus members typically don't put up with annoyances as well
• Inactive members aren't the prime targets for hackers on any given board, people with elevated access (e.g. admins) are. Your admins will still have their hashes in the database. The only thing a hacker can do with an inactive member really is post spam, and they can do that much more easily by just registering new accounts instead of cracking hashes.
• Solves a symptom, not a problem. The problem is weak passwords that are easily broken by things like dictionary attacks. Any strong password would take months if not years to crack even at 350 billion hashes per second, and in the event of a database breach you should have notified all of your users long before then so they have an opportunity to change their passwords

[Wolfie]

I could see the benefit of this in a 3rd party application for those that want it, but I would not want this built into the board software itself. It adds unnecessary bloat to the codebase that IPS will then be required to maintain, all for a feature that (based on this discussion) will not be enabled for a very large number of boards, either due to it being the default setting of disabled or due to admins not wanting the feature.

You apparently don't understand what 'bloat' means. Of all things to call 'bloat', this would be far from it. Don't let the few who don't understand the usefulness lead you to believe that it wouldn't be used by a lot of forums. Those who actually understand what I'm suggesting are either in favor of it or are 'okay' with it being installed so long as they have the choice to not use it. If you read the posts, you'll see that those against it don't realize how it would be a benefit to have it available.

Let's explore the pros and cons of this:

Pros:

• Reduced attack surface in the event of a database breach by removing hashes from the database

2. Protect inactive accounts by making it impossible to hack it

3. Protect accounts on other sites owned by the same member

4. Discourages hackers from targeting sites using IPS software

5. several more pros that aren't coming to mind at the moment...

Cons:

• Very annoying to community members. Companies get away with password change requirements because their employees are getting paid. Communities don't pay their community members, and thus members typically don't put up with annoyances as well
• Inactive members aren't the prime targets for hackers on any given board, people with elevated access (e.g. admins) are. Your admins will still have their hashes in the database. The only thing a hacker can do with an inactive member really is post spam, and they can do that much more easily by just registering new accounts instead of cracking hashes.
• Solves a symptom, not a problem. The problem is weak passwords that are easily broken by things like dictionary attacks. Any strong password would take months if not years to crack even at 350 billion hashes per second, and in the event of a database breach you should have notified all of your users long before then so they have an opportunity to change their passwords

1. People find it very annoying to have to validate an account. Should that feature be removed just because someone finds that security measure annoying? Your first point is defeated.

2. All accounts are targets for hackers. To try to play down that importance is naive, at best. Second point defeated.

3. The problem isn't the responsibility of the software nor the admins. The problem are those who actually engage in the illegal activities of hacking accounts. Third point defeated.

Not only that, but to use the argument of it being 'annoying' is a weak argument. To use that as a 'valid reason' against things...

- Sites wouldn't use captcha to prevent spammers from joining, nor would there be email validations, access restrictions, etc.

- Credit card companies would only require the card number and expiration for making a purchase (no need for name, security code, other forms of validation)

- Hospital staff wouldn't constantly ask you for your birthday to verify that they are looking at the right medical information to prevent mistakes

- Sites wouldn't have advertising on them because ads are 'annoying'

- Smoke alarms would have a button you could press if you were too busy sleeping to deal with a fire and wanted to get more sleep first

- DVDs/etc wouldn't have advertisements on them that you are forced to watch before you can watch the main feature (some players let you skip it thankfully)

- People wouldn't recycle

- so many other things that are annoying but get done even if it's not required.

Seriously, it's like people hate the idea simply because it's new.

[TracyIsland]

I do not hate the idea because it is new. I do not like the idea because I run a community. Do you run a community? I wonder ...

Do not presume that I do not understand your suggestion. It is clear that you feel this is a brilliant and obvious idea and that every owner of the IPS board should embrace it as such, and that there is simply no other possible outlook, and those who either dislike or disagree with you are simply not as "illuminated" and "brilliant." That conclusion is easily made based on your constant reply and dissection of anyone and everyone who even mildly opposes your idea

I have read the posts and I understand the idea that you have proposed. I do not feel that your idea will be a benefit to our community. Therefore, I disagree with your idea and urge IPS to not adopt your idea in the future design of their IPS suite.

You, of course, will naturally want to ask why, why, why, and I'm sure you will try to deflect by attempting to portray me, as a community owner, as not understanding and perhaps even belittling my reply in an attempt to win your argument. Unless you decide to notify Matt, Charles, Lindy, and BFarber that you would like to assume sole control for all worthy feedback ideas, you will have to accept the fact that some people to do not embrace each and every idea that you suddenly feel are essential and critical for immediate implementation.

[Wolfie]

I have read the posts and I understand the idea that you have proposed. I do not feel that your idea will be a benefit to our community. Therefore, I disagree with your idea and urge IPS to not adopt your idea in the future design of their IPS suite.

So just because you wouldn't use it on your community, you feel that it shouldn't be available for others? This is what I don't get. Great idea, but optional, so those who don't want to use it wouldn't have to. Yet those that don't want to use it are seemingly ready to blow up the planet to protest it even being available. I don't use the pre-included ability to use LDAP for authentication, yet I'm not opposed to it being there. Of all the communities out there, I wouldn't be surprised if a majority of them don't use it.

So why does this wonderful idea not get that same respect? "I wouldn't use it but it's a good idea for those that would." instead of "Since I wouldn't use it, I don't want it included."

[TracyIsland]

I have read the posts and I understand the idea that you have proposed. I do not feel that your idea will be a benefit to our community. Therefore, I disagree with your idea and urge IPS to not adopt your idea in the future design of their IPS suite.

[Wolfie]

I have read the posts and I understand the idea that you have proposed. I do not feel that your idea will be a benefit to our community. Therefore, I disagree with your idea and urge IPS to not adopt your idea in the future design of their IPS suite.

So then, what you are saying, in a nutshell, is that if a feature wouldn't benefit your community, then it shouldn't be included, because it's all about your community and it doesn't matter what others might want or what might benefit others? Okay, that clears it up, thanks.

[TracyIsland]

You feel this idea would be a benefit to each and every community and if we feel your idea is not a benefit to a community, then we are not embracing the greater good. What if we feel your idea does not embrace the greater good? I think that is extremely clear.

[Wolfie]

You feel this idea would be a benefit to each and every community and if we feel your idea is not a benefit to a community, then we are not embracing the greater good. What if we feel your idea does not embrace the greater good? I think that is extremely clear.

No, this would benefit the communities that use it. For those that don't want to use it, they wouldn't be required to. Just because some feel it's not right for them doesn't mean that it's not a great idea nor that it wouldn't benefit those who would make use of the feature if it were there. It would be different if I were insisting that it be added and forced to be used. But I'm suggesting a great idea to be added to the core product for those that want to make use of it.

On the flip side though, you are opposed to the feature being added at all, thus making the decision for everyone. My viewpoint and approach is to let people decide if they want to use it or not, your approach is to limit their options simply because you don't want it for your community. I don't go to your community and tell you to disable certain features that I don't like, so stop trying to control everyone elses community by not letting them choose to use a feature or not.

[TracyIsland]

The only people that are in control of Invision Power Systems are the owners of the company. You have an idea that you feel should be incorporated into the core product. I do not feel your idea should be incorporated into the core product.

So why don't you stop trying to control every single person who opposes your view point and disagrees with your feedback that this idea should and must be implemented and incorporated into the core product?

Step back for a minute and look at the replies to your topic. Clearly you cannot take any disagreement and clearly you alone know what is best for IPS and the core product and no one else should ever disagree with you.

[Wolfie]

The only people that are in control of Invision Power Systems are the owners of the company. You have an idea that you feel should be incorporated into the core product. I do not feel your idea should be incorporated into the core product.

So why don't you stop trying to control every single person who opposes your view point and disagrees with your feedback that this idea should and must be implemented and incorporated into the core product?

Step back for a minute and look at the replies to your topic. Clearly you cannot take any disagreement and clearly you alone know what is best for IPS and the core product and no one else should ever disagree with you.

You are very mistaken. The comments against adding this feature have included references to how it would be annoying, wouldn't be used for a particular community ("so don't add it"), assuming that it wouldn't serve any use or be of any benefit, assuming that it would provide a false sense of security, etc. Nothing but nonsense reasons or reasons that show that the idea wasn't understood.

YOUR reason for being against it being included is that you believe it wouldn't benefit YOUR community. To be blunt, that's a rather selfish point of view. I've seen suggestions on here that I've thought were good and commented that I liked the suggestion, even though I personally wouldn't use or benefit from it. That's because I think about the fact that it may benefit others. I've also seen ideas that I like and would probably use, but will admit that I believe it is better as an add-on instead of being part of the core product.

You made a suggestion of how I'm trying to control others. Not to be rude, but you described yourself with that. After all, you did say the following.

I do not feel that your idea will be a benefit to our community. Therefore, I disagree with your idea and urge IPS to not adopt your idea in the future design of their IPS suite.

What you said, in a nutshell, is this... "Since it wouldn't benefit our community, I don't want others to have the option for using it either."

My standpoint, which you have tried to sidestep, is "include it as an optional feature, defaulted to off so it's not forced upon people, so that those who want to use it can." In other words, control is placed into the hands of the different site owners. I'm not trying to make anyone use the feature, but you are trying to control what others can do by trying to limit their options. Just because you believe it won't benefit you doesn't mean it's not a feature that wouldn't benefit many others.

[TracyIsland]

You have made a suggestion for a feature that you feel would be of benefit to the IPS core suite. I do not feel your suggestion would be of benefit to the IPS core suite.

Therefore in your eyes, I am a controlling person because I disagree with you.

You feel your suggestion is beneficial. There are many suggestions and ideas for the IPS core suite that some people find to be beneficial. I simply do not believe IPS should add this idea to its core suite.

You cannot see beyond your own belief that your idea is the most important thing on the planet and everyone should accept your idea at face value. If anyone does not accept your idea, they are short-sighted, selfish, and if their reason does not have a valid code-based reason, it is nonsense.