ElkArte Community

Elk Development => Feature Discussion => Topic started by: Antechinus on January 30, 2013, 04:53:11 am

Title: Display name on registration.
Post by: Antechinus on January 30, 2013, 04:53:11 am
We ought to have this "mod" as a default feature. If you want to stop password hacks, one of the best options is to have the display name different to the login name. If you're going to do that, best to have the option as part of the registration form. Hey ho. :)
Title: Re: Display name on registration.
Post by: IchBin on January 30, 2013, 11:32:34 am
Word!

You and your common sense Ant...
Title: Re: Display name on registration.
Post by: Spuds on January 31, 2013, 10:22:35 am
Along those lines, we should also consider dumbing down our login form. Today we will say if it's an invalid username OR an invalid password on the form. Makes it easy to know if you have a valid userid and can work against that.

I think it should just say an invalid username or password was entered.
Title: Re: Display name on registration.
Post by: Arantor on January 31, 2013, 02:42:48 pm
Actually, I can't agree with that. If you know whether a username is invalid or not, you can brute force it, eliminating any benefit to cloaking usernames with different display names.
Title: Re: Display name on registration.
Post by: Spuds on January 31, 2013, 03:27:57 pm
Hey Arantor (and welcome)

Not sure I follow what you are indicating ... today the login form will let you know if an entered username is valid, and I was suggesting removing that potential hint with a single error along the lines of "the supplied credentials are invalid"  ... is that what you are not agreeing with?

Title: Re: Display name on registration.
Post by: Arantor on January 31, 2013, 04:45:08 pm
I thought you were making it more explicit than it currently is. Right now, yes, it does infer the two different states through careful wording, and IMHO it shouldn't say anything. It's something I've not been able to convince others of so much either.

But you get into the realms of usability vs security. It is undoubtedly more usable to know that the password was wrong vs the username was wrong, but it is less secure.
Title: Re: Display name on registration.
Post by: Feature Cat on February 13, 2013, 10:51:37 am
/me shortly looks around the topic, and purrs approvingly or something you can't distinguish very well.
Title: Re: Display name on registration.
Post by: emanuele on October 04, 2013, 05:45:54 am
Quote from: Arantor – Actually, I can't agree with that. If you know whether a username is invalid or not, you can brute force it, eliminating any benefit to cloaking usernames with different display names.
The real issue is that a failed password/username is not the only (and not the fastest) way to find out what the registered usernames are:
Code:
http://www.elkarte.net/index.php?action=register;sa=usernamecheck;xml;username=ema
allows brute-forcing all the nicks without even a spam-flood control.
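As an added example (not ElkArte's code) of the two defensive points raised in this post and in Spuds' earlier one: a login check that returns one generic message whether the username or the password is wrong, doing the same hashing work on both paths, plus a flood-controlled username-availability lookup. The user store, salt, client ids and limits are constructed for the demo.

```python
import hmac
import hashlib
import time
from collections import defaultdict, deque

# Constructed demo user store (not ElkArte's members table): username -> (salt, key).
def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-demo-salt"
USERS = {"antechinus": (_SALT, _hash(_SALT, "correct horse battery staple"))}
# Dummy record used when the username is unknown, so the same hashing work is
# done on both paths and response time does not hint whether the name exists.
_DUMMY = (_SALT, _hash(_SALT, "not-a-real-password"))

GENERIC_ERROR = "The supplied credentials are invalid."

def login(username, password):
    """Return (ok, message). The message is the same for an unknown
    username and for a wrong password, so it leaks neither state."""
    key = username.lower()
    salt, stored = USERS.get(key, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), stored) and key in USERS
    return (True, "") if ok else (False, GENERIC_ERROR)

class UsernameCheck:
    """Flood control for the registration username-availability lookup:
    at most `limit` checks per client within a sliding `window` seconds."""
    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)   # client id -> timestamps of recent checks

    def is_available(self, client, username):
        now = self.clock()
        hits = self._hits[client]
        while hits and now - hits[0] > self.window:
            hits.popleft()                 # drop checks outside the window
        if len(hits) >= self.limit:
            return "rate_limited"          # refuse to answer once the flood threshold is hit
        hits.append(now)
        return "taken" if username.lower() in USERS else "available"

if __name__ == "__main__":
    print(login("Antechinus", "wrong"), login("nobody", "wrong"))  # same message both times
    uc = UsernameCheck(limit=2)
    print([uc.is_available("client-a", n) for n in ("ema", "antechinus", "spuds")])
```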
Title: Re: Display name on registration.
Post by: Spuds on October 04, 2013, 09:27:43 am
Sweet! ... any ideas?
Title: Re: Display name on registration.
Post by: emanuele on October 04, 2013, 10:28:31 am
At least a spamFlood may help. I think.
Title: Re: Display name on registration.
Post by: Eliana Tamerin on October 07, 2013, 11:28:15 pm
Quote from: Spuds – Along those lines, we should also consider dumbing down our login form. Today we will say if it's an invalid username OR an invalid password on the form. Makes it easy to know if you have a valid userid and can work against that.

I think it should just say an invalid username or password was entered.

I get the security concerns part of this, but I absolutely hate when websites tell me that one OR the other is wrong. I have so many different username combinations and passwords that I use, it's so unhelpful to the actual person to tell them that they did something wrong, but apparently the system doesn't know what that is.

It would be much better to simply require stronger passwords by default, which would make brute force attacks far more difficult. I don't necessarily mean the typical aA1! combos.

http://xkcd.com/936/ <--I tried to embed an [img] here but it didn't show up, the code/url literally disappeared from my post and didn't give me an error, what's up with that?

Randall actually has a point there. Length can be just as strong of an indicator as special characters.
Title: Re: Display name on registration.
Post by: Spuds on October 08, 2013, 08:30:52 am
That's one of my favorite comics  ;D

Point taken on the generic "you messed up, try again" message vs something that may actually be useful to the user. It's like a spellchecker that says you have some misspellings, but does not show you where they are. Not sure we are going to do anything with those messages at this time  :-\

I use KeePass these days to keep track of all my ids and passwords, with a plugin for the browser, so far that's worked for me.

Quote from: Eliana Tamerin – I tried to embed an [img] here but it didn't show up, the code/url literally disappeared from my post and didn't give me an error, what's up with that?
I think that was a preg_replace error (when we updated for php5.5) that we fixed in the repo, the site is a couple of weeks back, or it's Ema's fault  :P
Title: Re: Display name on registration.
Post by: Eliana Tamerin on October 08, 2013, 09:00:03 am


:P
Title: Re: Display name on registration.
Post by: emanuele on October 08, 2013, 09:38:56 am
/me :'(