Bluto Posted June 6, 2016 Posted June 6, 2016 On 6/5/2016 at 3:57 PM, tAPir said: I'm old and stupid and have difficulty remembering one password. I hope you don't use the same password for every site like Mark Zuckerberg. http://themerkle.com/even-mark-zuckerberg-uses-the-same-password-several-times/ Of course, if you do, you can always check this site out: https://www.leakedsource.com/
Jswerv3 Posted June 6, 2016 Posted June 6, 2016 23 hours ago, The Dark Wizard said: No need to be rude. Development for 3.4x ended You only get security updates now. Not really trying to be rude, but 2FA is an industry standard for any reputable company and should be included in all existing products. Security updates are fine.
Aiwa Posted June 6, 2016 Posted June 6, 2016 5 minutes ago, Jswerv3 said: Not really trying to be rude, but 2FA is an industry standard for any reputable company and should be included in all existing products. Security updates are fine. Already available via 3rd party. What you're asking is for IPS to re-open development for an End of Life branch of their software to add in a feature that's already available by a 3rd party. That's like asking apple to go back to iOS6 because you don't like the new icons, but still want the iOS7 features!
Ilya Hoilik Posted June 6, 2016 Posted June 6, 2016 4 minutes ago, Jswerv3 said: Not really trying to be rude, but 2FA is an industry standard for any reputable company and should be included in all existing products. Can you please clarify? Did you mean that IPS should make 2FA for 2.x too? And for 3.1? 3.2? Because all of these versions are the part of 'all existing products'. Any reputable companies have specific lifetime for each version. Now development of 3.4 has ended. And support of 3.4 is about to end too.
Safety1st Posted June 7, 2016 Posted June 7, 2016 On 07.11.2015 at 7:11 AM, Koby said: The admin cp is just that an admin can set a global 2nd password which all admins would have to have to be able to login to admin cp. Remind me, please, where it could be customized.
Jswerv3 Posted June 7, 2016 Posted June 7, 2016 15 hours ago, Aiwa said: Already available via 3rd party. What you're asking is for IPS to re-open development for an End of Life branch of their software to add in a feature that's already available by a 3rd party. That's like asking apple to go back to iOS6 because you don't like the new icons, but still want the iOS7 features! Yeah, not really. A 3rd party application that is updated at the discretion of a 3rd party developer is problematic (which should be obvious). Case and point, the plugin you linked has not been updated in 2 years. I think it is safe to say that an official 2FA system updated and maintained by the company that makes the forum software is the preferred solution. Not a plugin that hasnt been updated since 2014. 15 hours ago, Ilya Hoilik said: Can you please clarify? Did you mean that IPS should make 2FA for 2.x too? And for 3.1? 3.2? Because all of these versions are the part of 'all existing products'. Any reputable companies have specific lifetime for each version. Now development of 3.4 has ended. And support of 3.4 is about to end too. Mmmm no. 3.4.9 is the latest version of 3.4x which is still receiving updates for another year. So while I appreciate the sarcastic response, what you are suggesting does not really apply.
Aiwa Posted June 7, 2016 Posted June 7, 2016 1 minute ago, Jswerv3 said: Yeah, not really. A 3rd party application that is updated at the discretion of a 3rd party developer is problematic (which should be obvious). Case and point, the plugin you linked has not been updated in 2 years. I think it is safe to say that an official 2FA system updated and maintained by the company that makes the forum software is the preferred solution. Not a plugin that hasnt been updated since 2014. Mmmm no. 3.4.9 is the latest version of 3.4x which is still receiving updates for another year. So while I appreciate the sarcastic response, what you are suggesting does not really apply. 1) Why would he need to update it if it's stable and working on the latest 3.4.x branch? The version is what designed to work for and the version you appear to be using. I myself have 3.4.x mods that haven't needed updating since 2014 because they are stable and bug free. Like IPS, why spend the development time to update a mod for a version of software that's EOL... 2) You must have missed the EOL announcement. 3.4.x is no longer under development and will only receive security updates for the next year.
Jswerv3 Posted June 7, 2016 Posted June 7, 2016 14 minutes ago, Aiwa said: 1) Why would he need to update it if it's stable and working on the latest 3.4.x branch? The version is what designed to work for and the version you appear to be using. I myself have 3.4.x mods that haven't needed updating since 2014 because they are stable and bug free. Like IPS, why spend the development time to update a mod for a version of software that's EOL... 2) You must have missed the EOL announcement. 3.4.x is no longer under development and will only receive security updates for the next year. Really no way to confirm that it is indeed stable without being updated for 2 years without installing and risking some kind of issue. There have been a few plugins that worked with 3.4x that were unusable after a few updates. I didnt miss the EOL announcement.
Aiwa Posted June 7, 2016 Posted June 7, 2016 Just now, Jswerv3 said: Really no way to confirm that it is indeed stable without being updated for 2 years without installing and risking some kind of issue. There have been a few plugins that worked with 3.4x that were unusable after a few updates. I didnt miss the EOL announcement. You can always PM him and ask if it's working on the latest 3.4.x branch and if he will support if it if you run into any issues on 3.4.x. Give yourself some peace of mind. If he doesn't reply, you're not out anything if you haven't purchased it. Just saying there are other options than jumping in feet first wearing a blindfold. As IPS will not release any more updates for 3.4.x, I'd say your safe it wouldn't break on an upgrade. Then you misunderstood the announcement if you think IPS is still actively developing for that branch. Security updates != adding new features.
tAPir Posted June 7, 2016 Posted June 7, 2016 21 hours ago, Bluto said: I hope you don't use the same password for every site like Mark Zuckerberg. http://themerkle.com/even-mark-zuckerberg-uses-the-same-password-several-times/ Of course, if you do, you can always check this site out: https://www.leakedsource.com/ LOL - I ran the wife's email through that and it found one result. MySpace.com. Neither of us have a myspace account so they're welcome to it. Stranger still is the fact that she received email from myspace about the hack. I used to have a photographic memory but I ran out of film after my second stroke so I have to write them down nowadays. I'd just rather have the choice when it comes to the topic of this thread rather than it be forced on me.
Bluto Posted June 7, 2016 Posted June 7, 2016 Just now, tAPir said: LOL - I ran the wife's email through that and it found one result. MySpace.com. Neither of us have a myspace account so they're welcome to it. Stranger still is the fact that she received email from myspace about the hack. I used to have a photographic memory but I ran out of film after my second stroke so I have to write them down nowadays. I'd just rather have the choice when it comes to the topic of this thread rather than it be forced on me. Yea, same here with MySpace. You might want to try Keepass.info it's opensource and a very good password manager. Download the Professional Edition, it's 100% free. http://keepass.info/download.html
Hunter Lyons Posted July 1, 2016 Posted July 1, 2016 Just yesterday, my systems admin and I were discussing how silly it is that XenForo has 2FA but IPS does not. 2FA is core functionality and in this day and age, it is VITAL for any software or medium which can be abused. So I get home today, and find that hundreds of my forum's most important posts were deleted because someone got into a moderator's account by bruteforcing his password. The guy had a very short password, that's totally our fault, but the script kiddie in question is infamous in my part of the internet. To "get Priceflashed" is a normal occurence (the 'hacker' is named Priceflash). If 2FA existed on IPS, this could not have happened. Now I've got to wonder whether half our content is going to be gone forever, and try to scramble to find any means to restore it, be that via IPS, our host (OVH), etc. It's absolutely ludicrous that a 10+ year old product does not yet have 2FA. Also, I've been told 2FA exists on the Enterprise platform? So, are self-hosted and cloud users not as important as Enterprise users? It'd really seem like it at this point, when their security and features are prioritized.
Hunter Lyons Posted July 1, 2016 Posted July 1, 2016 Ahh. Can we get an ETA on this, IPS staff? It's almost the 2nd half of this year.
Management Lindy Posted July 4, 2016 Management Posted July 4, 2016 2FA wouldn't have helped your moderator's weak password - just FYI. It will be on the ACP, but not the front end immediately. In regards to 2FA on the enterprise platform -- it's something we want to flesh out and the managed platform is best for that as we have full control from start to finish. I understand you're frustrated your site was compromised, but in 2016, when there are about a dozen password managers, I wouldn't blame a software developer entirely because a moderator used a weak password. If anything, it also reinforces the need for password policies -- something else we have planned.
Morgin Posted July 4, 2016 Posted July 4, 2016 6 hours ago, Lindy said: 2FA wouldn't have helped your moderator's weak password - just FYI. It will be on the ACP, but not the front end immediately. In regards to 2FA on the enterprise platform -- it's something we want to flesh out and the managed platform is best for that as we have full control from start to finish. I understand you're frustrated your site was compromised, but in 2016, when there are about a dozen password managers, I wouldn't blame a software developer entirely because a moderator used a weak password. If anything, it also reinforces the need for password policies -- something else we have planned. Lindy, Hopefully I've posted enough rational stuff in the past that you know I don't tend to complain without having put a modicum of thought into it, but IMO this is an extremely crud position for IPS to take right now :/ I should clarify that's on 2FA not being across the entire platform (and just planned for ACP), as well as the idea that password policies are relevant or helpful in 2016 as a standalone solution. Also, for what its worth, yes having 2FA would have helped even if the moderator has a weak password, because the unauthorized user could not have got in without physical access to the moderator's token (be it on a phone, or delivered via SMS, or usb token, whatever). That would have prevented the unauthorized user from having access to mod tools, which would have prevented the data loss, which is what prompted the initial query. Almost every major platform that I use, aside from IPS, has a 2FA option or is implementing 2FA for users, and a lot are pushing it as non-optional. We've hit the point where passwords of any level of complexity are simply not enough, and it's really a matter of when (not if) there will be a data leak of some sort when passwords alone are the only lock on the door. You simply can't force moderators to use password managers, and requiring the level of password complexity to make it "uncrackable" also means it's unlikely to be remembered and the avenues for social engineering or someone being sloppy with it written down are higher. This statement "If anything, it reinforces the need for password policies -- something else we have planned" is actually not widely supported in the security community - password policies have not actually shown to have any tangible effect on securing user's accounts. That comes down to two things - platform security, and user account security. We rely on IPS for the former, but we can't do anything about the latter - there is no way even with a password policy that I can enforce a moderator not reusing a password that meets my password policy on another site that it also qualifies for, and that other site (say, linkedin) having a massive data breach and then that mod's account, notwithstanding it met the complex password requires, is ripe for unauthorized access. Google. Apple. Lastpass. Facebook. Valve. Blizzard. Slack. Sparkpost. Linode. Digital Ocean. Rackspace. Amazon. Microsoft. https://twofactorauth.org/ The list of companies that have recognized passwords in 2016 are not a solution in and of themselves (regardless of how complex you require them to be) is growing every day. I think IPS should be on that list. Please rethink this. 2FA isn't a quaint feature request. In 2016, multi-factor authentication as an option for admins should be a requirement for a social platform, and not just to secure the ACP. I know it wasn't intentional, but your reply really makes me uncomfortable in that it seems like you are speaking as if this is a done decision as not being high on the priority list. I'd really love to hear from your security team on this, because I can't believe they would agree this approach makes sense in light of how unreliable single authentication has shown itself to be. And implementing TOTP isn't (in the scheme of things) that difficult.
Colonel_mortis Posted July 4, 2016 Posted July 4, 2016 As someone who developed a 2FA application privately (and no, it is not, and will not be, available on the marketplace), I can say that implementing it for ACP is much easier than for the front end, because for the front end logins are persistent, and it's much harder to hook the auth flow. ACP is obviously far more important to protect than the front end too, because, while compromising the front end may mean that someone can delete some posts (which should be recoverable from a backup), compromising ACP would allow you do distribute malware, run arbitrary code on the server, etc. I do absolutely think that the front end should be protected by 2fa as well, and that is the case in my app, but I would say that it makes sense to release the ACP version first, then add the front end later, because the sooner ACP can be protected, the better. 2FA's effects are far less important though if you do handle passwords correctly - it is essential if you are an admin or a moderator that you use a strong password that is unique to that site only, so that if your account credentials get leaked for another site, that will not help them get into your site.
Management Lindy Posted July 4, 2016 Management Posted July 4, 2016 Your input is appreciated and you do bring up valid points, thanks. We're happy to consider front-end 2FA, but that's not on the initial deployment roadmap for various reasons. As I said, it's something we can consider, but administrator protection would be the first priority and what we are testing now. I should also clarify that this is also initially SMS based (which is another reason this isn't going to be rolled out to normal front-end users initially.) We will consider other mediums such as Google auth after the initial deployment. I know many will disagree, but SMS 2FA is really the "in" thing for most normal users. Many such as PayPal don't even offer 2FA via things like Yubikey and GA anymore. We could debate the logistics of this endlessly. I strongly disagree that passwords are irrelevant. 2FA is fantastic... I don't disagree it's not a necessity... but to say password policies are "meh" seems a bit shortsighted. No, you can't stop someone from using the same password on multiple sites. You also can't stop people from making the failover method (because you need a failover!) too easy. Being an insecure e-mail account, silly Q&A or backup codes they e-mail to themselves for reference. But using basic security tools of 2016 -- a password manager (which should support 2FA) -- is just a no brainer and there's no excuse to not use unique passwords. Make it a part of your moderator policies. You can't enforce it, no. You can't reasonably force 2FA either. I can't think of any site where users are forced to use 2FA... if I had to fumble around with 2FA to use or even moderate a forum, I'd be done. I value security -- it's an important part of my job. Nonetheless, there's a balance to be had and a many considerations. Power users/nerdy types will undoubtedly want Google Auth. Your average user has no idea what that even is and certainly doesn't want to deal with yet another app -- hence why the trend for consumer-friendly sites is SMS two-step. Again, sites like PayPal don't offer anything but SMS now. In that regard alone, there's a lot more planning for proper front-end implementation with failover protection than to secure administrator accounts.
Morgin Posted July 4, 2016 Posted July 4, 2016 7 minutes ago, Lindy said: Your input is appreciated and you do bring up valid points, thanks. We're happy to consider front-end 2FA, but that's not on the initial deployment roadmap for various reasons. As I said, it's something we can consider, but administrator protection would be the first priority and what we are testing now. I should also clarify that this is also initially SMS based (which is another reason this isn't going to be rolled out to normal front-end users initially.) We will consider other mediums such as Google auth after the initial deployment. I know many will disagree, but SMS 2FA is really the "in" thing for most normal users. Many such as PayPal don't even offer 2FA via things like Yubikey and GA anymore. We could debate the logistics of this endlessly. I strongly disagree that passwords are irrelevant. 2FA is fantastic... I don't disagree it's not a necessity... but to say password policies are "meh" seems a bit shortsighted. No, you can't stop someone from using the same password on multiple sites. You also can't stop people from making the failover method (because you need a failover!) too easy. Being an insecure e-mail account, silly Q&A or backup codes they e-mail to themselves for reference. But using basic security tools of 2016 -- a password manager (which should support 2FA) -- is just a no brainer and there's no excuse to not use unique passwords. Make it a part of your moderator policies. You can't enforce it, no. You can't reasonably force 2FA either. I can't think of any site where users are forced to use 2FA... if I had to fumble around with 2FA to use or even moderate a forum, I'd be done. I value security -- it's an important part of my job. Nonetheless, there's a balance to be had and a many considerations. Power users/nerdy types will undoubtedly want Google Auth. Your average user has no idea what that even is and certainly doesn't want to deal with yet another app -- hence why the trend for consumer-friendly sites is SMS two-step. Again, sites like PayPal don't offer anything but SMS now. In that regard alone, there's a lot more planning for proper front-end implementation with failover protection than to secure administrator accounts. Anecdotal evidence time (if you had boring work stuff to catch up on, now would be the time!) but my extremely non-techy wife who can't even figure out password managers (no really, lastpass is too complicated so she won't use it) somehow figured out how to enable sms 2fa on her gmail. I was so proud! I agree sms 2fa is pretty ubiquitous, and I think is going to be pretty much be regularly used by mainstream non-power users more often than not the more that people get exposed to it.
Management Lindy Posted July 5, 2016 Management Posted July 5, 2016 Go wife! I agree, SMS 2SV, while not perfect, is a good compromise. GA is an option for those who want to go to the next level, but I can virtually guarantee, most won't.
RevengeFNF Posted July 5, 2016 Posted July 5, 2016 I believe GA will be better for us. How many of us can afford a service that will send thousands of sms's? I don't even imagine the cost of that. Anyone with Android, iOS or Blackbarry can install GA and its done. No waiting for a sms to arrive.
The Dark Wizard Posted July 5, 2016 Posted July 5, 2016 1 hour ago, RevengeFNF said: I believe GA will be better for us. How many of us can afford a service that will send thousands of sms's? I don't even imagine the cost of that. Anyone with Android, iOS or Blackbarry can install GA and its done. No waiting for a sms to arrive. Amazon's SNS service is priced as follows, which can do SMS, Emails or Push Notifications and a couple of other things. There is also the fact that pubnub and other competing services exist which might be even cheaper. I doubt that even with thousands of users logging in regularly that you could exhaust the free 1 million per month. Users like to keep "stay logged in" available which any 2factor should respect.
Management Lindy Posted July 5, 2016 Management Posted July 5, 2016 3 hours ago, RevengeFNF said: I believe GA will be better for us. How many of us can afford a service that will send thousands of sms's? I don't even imagine the cost of that. Anyone with Android, iOS or Blackbarry can install GA and its done. No waiting for a sms to arrive. I wouldn't say you just "install GA and it's done" as there is a bit more setup for the novice. So, while GA is better for you, is it necessarily better for your users (depending on your demographic, it may very well be?) To be honest, I use 2SV on virtually everything and I don't even have GA installed anymore. I do unfortunately have to use RSA SecurID (which is actual 2FA) on a couple of things, however. I can envision GA being integrated, but we are testing SMS now and I suspect it will be our first target offering for reasons beyond just authentication... Think long-term things like order notifications in Commerce. We still need to iron out a few wrinkles that wouldn't necessarily be a concern for a third party -- such as how IPS is to provide support in a 2SV protected environment, failover methods, etc. It is coming though - we're looking forward to it as much as you are.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.