Invision Community Blog

Matt

4.5: Security Enhancements

Although we continuously review security within Invision Community, a major release such as 4.5 allows us to be especially proactive when it comes to keeping your community safe.

This blog entry outlines several enhancements to improve security in Invision Community 4.5.

Password Handling
Keeping your members' passwords secure is the simplest way to keep accounts safe and out of the wrong hands, so it makes sense to look at ways to ensure they stay that way.

Invision Community already uses strong one-way hashing when storing passwords, which means that once the password is stored in the database, there is no way to recover the plaintext version.

However, when creating a new member account via the AdminCP, a random password was created, and this was sent in the welcome email to the new member's email address.

As of Invision Community 4.5, this no longer happens, and the new member is invited to create a new password when visiting the community for the first time.

[Image: set-own-password.jpg]

Part of your internal security procedures might be to force a reset of all passwords periodically. Invision Community 4.5 allows this on a per-member basis, or via a selection of filters to enforce a reset for many members at once.

[Image: Password-reset.jpg]

This clears out any stored password hashes and emails the affected members to remind them to set up a new password.

[Image: email.jpg]
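As an added illustration (not Invision Community's own code), the following PHP sketches the flow the two passages above describe: the stored hash is cleared, a single-use, time-limited set-password token is emailed, and the member chooses their own password when redeeming it. The in-memory members array, its column names and the set-password URL are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the members table (hypothetical column names).
$members = [
    42 => [
        'email'            => 'member@example.invalid',
        'password_hash'    => password_hash('old-password-to-be-reset', PASSWORD_DEFAULT),
        'reset_token_hash' => null,
        'reset_expires'    => null,
    ],
];

// Force a reset: drop the stored hash and issue a single-use, time-limited set-password token.
// Only a hash of the token is stored, so a copy of the database contains no usable tokens.
function issueSetPasswordToken(array &$member, int $ttlSeconds = 86400): string
{
    $member['password_hash']    = null;                      // the old password no longer logs in
    $token                      = bin2hex(random_bytes(32)); // 256-bit token, goes into the emailed link only
    $member['reset_token_hash'] = hash('sha256', $token);
    $member['reset_expires']    = time() + $ttlSeconds;
    return $token;
}

// Redeem the token from the emailed link and store the member's own password.
function setPasswordWithToken(array &$member, string $token, string $newPassword): bool
{
    if ($member['reset_token_hash'] === null || time() > $member['reset_expires']) {
        return false;                                        // no open invitation, or it expired
    }
    if (!hash_equals($member['reset_token_hash'], hash('sha256', $token))) {
        return false;                                        // constant-time comparison
    }
    if (strlen($newPassword) < 12) {
        return false;                                        // minimal length policy for the demo
    }
    $member['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $member['reset_token_hash'] = null;                      // single use: the token is consumed
    $member['reset_expires']    = null;
    return true;
}

$token = issueSetPasswordToken($members[42]);
$link  = 'https://community.example.invalid/set-password?id=42&token=' . $token; // goes in the email body
echo 'Email link: ', $link, PHP_EOL;
var_dump(setPasswordWithToken($members[42], 'not-the-token', 'correct horse battery staple'));
var_dump(setPasswordWithToken($members[42], $token, 'correct horse battery staple'));
var_dump(setPasswordWithToken($members[42], $token, 'correct horse battery staple')); // token already consumed
var_dump(password_verify('correct horse battery staple', $members[42]['password_hash']));
```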

AdminCP Security
The Admin Control Panel contains the most powerful tools available in Invision Community. This is already a very secure area, with a separate login and the option to add two-factor authentication to the login flow.

Part of the session authentication has been a special key in the URL. While we have protection in place to prevent this special key from being discovered by a malicious user, there remained an incredibly remote theoretical chance that this could happen through a series of complicated steps. An additional annoyance was that you were unable to share links within the AdminCP with members of your team, because of the increased protection used to keep URLs safe.

As of Invision Community 4.5, we have removed the special key from the URL and moved it elsewhere in the session authentication flow. This means that it is impossible to fetch the special key via the URL, and links can now be shared and will survive a login action.

Text Encryption
There are a few areas within Invision Community where we use text encryption, so that data is saved to the database in encrypted form and decrypted when read. This protects you in the incredibly remote event of your own hosting being compromised and your database downloaded (of course, our Community in the Cloud customers do not need to worry about this!).

Invision Community 4.5 improves on this encryption by using PHP's built-in methods, which give "bank-level" security to our encryption.
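An added example, not Invision Community's code: encrypt-on-save / decrypt-on-read with the libsodium extension bundled with PHP 7.2 and later. The page does not say which built-in methods it uses, so libsodium is an assumption, as are the function names and the COMMUNITY_ENC_KEY variable. The authenticated construction means a downloaded database yields neither the plaintext nor a value that can be altered without detection.

```php
<?php
declare(strict_types=1);

// The key lives outside the database (config file or environment variable), so a downloaded
// database alone cannot decrypt the columns. COMMUNITY_ENC_KEY is a hypothetical name.
function loadKey(): string
{
    $hex = getenv('COMMUNITY_ENC_KEY');
    // constructed demo key when unset; generate a real one with sodium_crypto_secretbox_keygen()
    $key = hex2bin($hex === false ? str_repeat('01', SODIUM_CRYPTO_SECRETBOX_KEYBYTES) : $hex);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('encryption key must be exactly 32 bytes');
    }
    return $key;
}

// Encrypt before the value is written: a fresh random nonce per value plus an authentication tag.
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key)); // nonce is not secret
}

// Decrypt after the value is read: a wrong key or any change to the stored value is rejected.
function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

$key    = loadKey();
$stored = encryptField('constructed-secret-value', $key); // this string is what the database holds
echo decryptField($stored, $key), PHP_EOL;

// Integrity check: flipping one bit of the stored ciphertext makes decryption fail loudly
// rather than silently returning garbage, as an unauthenticated cipher mode would.
$raw = base64_decode($stored, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decryptField(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'Tampered value rejected: ', $e->getMessage(), PHP_EOL;
}
```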

Security is critical to the success of your community, and we are always proactive in improving security throughout Invision Community.

Do you have any comments on this entry? Let us know below!

Edited by Matt


Comments

Important changes. Bear in mind though that user actions are usually one of the common problems for a security issue.

From my personal experience, we had to implement a way not to let users use extremely easy passwords, which had got their accounts compromised. Most importantly, not letting users use their own username as a password, and also some easy passwords like sex, 12345, god, matt etc 🙂

1 hour ago, Martin A. said:

Will this allow the member to use the same password as they had before? Kind of defeats the purpose if they can.

Agreed.

I would prefer that previous password use is prevented if possible. 

These are good changes though and I'm glad to see the removal of emailed passwords.

Quote

This clears out any stored password hashes and emails the affected members to remind them to set up a new password.

It would be great if the members in the selection could be put on validation and not get any email notifications until they change their password. This would automatically stop the flood of mails to users who are no longer active and/or do not have a valid e-mail address. :rolleyes:

12 hours ago, Clover13 said:

Any chance of adding more 2FA providers such as 1Password?

1Password works, just like any other 2FA app that supports TOTP-oAuth. Just scan the QR code in 1Password. Only the name/translation of the function needs to be improved.

Quote

To protect the security of your account, please enter the verification code from your Google Authenticator app.

7 hours ago, NBVF said:

1Password works, just like any other 2FA app that supports TOTP-oAuth. Just scan the QR code in 1Password. Only the name/translation of the function needs to be improved.

 

Right, I use 1Password's 2FA already for a number of sites, it works well.  I just want to see IPS' software natively support it.  Right now there is only Authy (which costs money and I already pay for 1Password to do 2FA), Google Authenticator (which is free but buggy as hell based on the app reviews), and Q&A.

8 hours ago, bfarber said:

What he's saying is that you can enable "Google Authenticator" in the AdminCP, and scan the QR code in your 1Password app. (I haven't tested)

Yes, that did work!  Using it with 1Password now!  Nice!  Agree, can just rename it Authenticator.  For some reason I thought you had it coupled to Google Authenticator.


There isn't anything further to report on the suggestion at this time, no. Presently when the password is cleared out that's it, we have no record of what the previous password value was. We can take your suggestion into consideration for a future release.

3 minutes ago, Monique DUFOURNY said:

When we create an account with the REST API,
an option should be offered to change the password at the first connection.


 

This will be possible with 4.5 🙂

Quote

 * @apiparam    string    password        Password (standard login handler only). If not provided, the member will be emailed to set one.

