Wedge
Public area => The Pub => Features => Topic started by: Arantor on March 20th, 2012, 02:42 AM
-
I'm not sure how I feel about this one.
Here's the deal: when you present a username/password box, you're expecting a username and password. Either being absent is fair game to report to the user, and if the password is wrong, again, fair game to admit it.
But what should happen if the username is invalid?
SMF, and currently Wedge, report that the username does not exist. Note that this will be the same for email addresses, which means it's possible to brute force email addresses out of the system with work.
If it isn't obvious what I'm getting at, let me explain. If you type in a username and password, but the username doesn't exist, it will tell you so, regardless of what the password is. If you type in a valid username (or email address), but a useless password, you get told the password is wrong. Given that information it is possible to use the login feature to validate email addresses against your forum's userbase to a degree. All because you're telling them something about the data they have.
Here's the catch: it is better user experience to tell them what's wrong with their information, but by doing so you give away something in security that it might be better not to do.
So I'm on the fence about what I should do; the current approach is not wrong but neither is right. It's certainly a better experience than it blandly stating 'The username or password is wrong', but it is less secure. How important is this security, especially in light of privacy laws?
-
But what should happen if the username is invalid?
However, if a correct username is entered but an incorrect password is supplied (say) three times, then password recovery could be offered if further conditions are met:
- The user is attempting to log-in from the same country from where he originally registered .
- The email address supplied matches that recorded for the username
- The user supplied the correct answers to (at least one) security question -- and I suggest that, upon registration, users must supply at least two security Q and As
- The username, current IP address and email address pass the validation tests of a service such as Stop Spammer (and the same validation should also be performed on registration).
A user who forgets his username should really be made to re-register.
Having "lurked" for a while now, I think you'd be against making services such as Stop Spammer, Bad Behavio(u)r and Akismet part of the core but I do believe these should be standard plug-ins that are included by default and activated by their respective API keys.
Finally - and slightly related - please provide the option for the prospective member to choose the language used by reCaptcha. Google tries to be helpful by automatically using the language according to the country of access. Problem is that an English person accessing from Moscow won't necessarily understand the reCaptcha instructions.
Mark
-
So it all depends on the website on which should be uses. I say keep the better user experience and have a security guide for those who want to shore things like that up.
-
In that specific case, I'd suggest simply re-display the log-in form ad infinitum. username the one of the two things a genuine user is less likely to forget than his password.
It's still a side issue in the fact that you don't know they're doing it: it's not recorded anywhere that an invalid username is used. I also know from experience that the number of times it happens is probably higher than you think.However, if a correct username is entered but an incorrect password is supplied (say) three times, then password recovery could be offered if further conditions are met:
The username, current IP address and email address pass the validation tests of a service such as Stop Spammer (and the same validation should also be performed on registration).
Having "lurked" for a while now, I think you'd be against making services such as Stop Spammer, Bad Behavio(u)r and Akismet part of the core but I do believe these should be standard plug-ins that are included by default and activated by their respective API keys.
Finally - and slightly related - please provide the option for the prospective member to choose the language used by reCaptcha.
-
It's a tricky question. The Daily Express / paranoid side of me thinks yes we should have this due to the risks and protection against those foreign hackfactories, whereas the more level headed real world admin in me knows we rarely get spammers or hackers so why make it inconvenient for the members.
I suppose you could make it an option so that, if in future we get bigger, draw more attention and get more hacking attempts, we can switch it on?
In the mean time I want to make clear I do not read the daily express.
-
To put it into context, arantor.org has been logging these requests for 15 months or so and even though there haven't been posts for months, I still see these requests daily, it's currently in the realm of 2-3 per day but it used to be dozens per day.
Also, I fully understand your opinion regarding the Daily Express ;) It reminds me of this T-shirt(http://dailymash.shotdeadinthehead.com/product_view.aspx?pid=3736) ;)
-
:lol: That site's quite funny - I also like the dinosaur one "Not so tough now are you".
Actually I'm amazed that we never get any spam - maybe two or three posts since we switched to SMF in September. I turned off the capture thing as we were getting 10s of new members a day. The reg page now asks the user to type a word in the box and, hey presto, hardly any false new members!!!
-
Yeah, anti spam questions are awesome like that :)
-
Except for non English speakers ;)
I should really add support for a language BBC tag... Like on noisen.
-
The Daily Express side of me doesn't want non-English speakers thank you very much "...and we will build Jerusalem in England's green and pleasant land because the real Jerusalem has all those foreigners in it"
-
Interesting topic. I'd go for the "security side". If a user has troubles logging in he can always use the recovery feature!
-
Interesting topic. I'd go for the "security side". If a user has troubles logging in he can always use the recovery feature!
I just discovered that any subjects with double quotes in them will get cut off at the first quote.
(Fixed, of course. Although I sure hope my fix will be scrutinized for security, too!)
-
And this is why we htmlspecialchars the subject and never, ever un_htmlspecialchars it for any reason ;)
-
And this is why we htmlspecialchars the subject and never, ever un_htmlspecialchars it for any reason ;)
So we get value="\"Something\"" which in turn some browsers will see as '' (empty), and others as \, but never as "Something".
So I got rid of the addcslashes.
-
I don't recall SMF adding slashes there...
-
Personally, I would want the security; don't divulge any information at login other than "one or both of the things you entered is wrong". The forgotten login details process can (and would) be more specific, and would necessarily "leak" if an email address is associated with an account on the forum.
-
I don't recall SMF adding slashes there...
SMF does it in two passes: htmlspecialchars, then addcslashes.
Wedge retains the addcslashes. I also forgot to mention that in the situation where you're editing a draft, it will then reset the subject (protection-free?) after the addcslashes (now str_replace). It's at Post.php:1024 if you're interested. It also does an un_htmlspecialchars on the message body... The code block also has a //!! in it, so I suspect you stopped working on it in the middle.
Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
-
Nice Project. I would love to see the outcome of this.
I think user feedback is great for those who rarely use a computer.
So I think they should be prompted if the username is invalid.
I think it really does depend on the type of website and user base.
It wouldn't hurt to allow the user using wedge to choose how he wishes to notify incorrect logins.
I would love to get involved with this sometime ;) I am full of ideas and creations XD
-
Make sure to check Post.php out when you have some time to look into rev 1503
I also forgot to mention that in the situation where you're editing a draft, it will then reset the subject (protection-free?) after the addcslashes (now str_replace).
Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
It wouldn't hurt to allow the user using wedge to choose how he wishes to notify incorrect logins.
I would love to get involved with this sometime ;) I am full of ideas and creations XD
-
Make sure to check Post.php out when you have some time to look into rev 1503
That's sort of how I implemented it. The drafts don't need to have the same level of protection that normal posts do, just enough to prevent XSS injections.
Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
-
The draft code should at least preparse, though, right? As far as I remember, it should htmlspecialchars and preparsecode, like the post code flow, which would handle the quot conversion.
I will, once I get everything set up, investigate this thoroughly - but I still don't remember even SMF doing addslashes anywhere, because there is absolutely no reason for it to do so.
-
The draft code should at least preparse, though, right?
I will, once I get everything set up, investigate this thoroughly - but I still don't remember even SMF doing addslashes anywhere, because there is absolutely no reason for it to do so.