Topic: Display name on registration. (Read 9480 times)

Display name on registration.

We ought to have this "mod" as a default feature. If you want to stop password hacks, one of the best options is to have the display name different to the login name. If you're going to do that, best to have the option as part of the registration form. Hey ho. :)
Master of Expletives: Now with improved family f@&king friendliness! :D

Sources code: making easy front end changes difficult since 1873. :P

Re: Display name on registration.

Reply #1

Word!

You and your common sense Ant...
Success is not the result of spontaneous combustion, you must set yourself on fire!

Re: Display name on registration.

Reply #2

Along those lines, we should also consider dumbing down our login form.  Today we will say if it's an invalid username OR invalid password on the form.  Makes it easy to know if you have a valid userid and can work against that.

I think it should just say an invalid username or password was entered.

Re: Display name on registration.

Reply #3

Actually, I can't agree with that. If you know whether a username is invalid or not, you can brute force it, eliminating any benefit to cloaking usernames with different display names.

Re: Display name on registration.

Reply #4

Hey Arantor (and welcome)

Not sure I follow what you are indicating ... today the login form will let you know if an entered username is valid, and I was suggesting removing that potential hint with a single error along the lines of "the supplied credentials are invalid"  ... is that what you are not agreeing with?


Re: Display name on registration.

Reply #5

I thought you were making it more explicit than it currently is. Right now, yes, it does infer the two different states through careful wording, and IMHO it shouldn't say anything. It's something I've not been able to convince others of so much either.

But you get into the realms of usability vs security. It is undoubtedly more usable to know that the password was wrong vs the username was wrong, but it is less secure.

Re: Display name on registration.

Reply #6

 Feature Cat shortly looks around the topic, and purrs approvingly or something you can't distinguish very well.

Re: Display name on registration.

Reply #7

Quote from: Arantor – Actually, I can't agree with that. If you know whether a username is invalid or not, you can brute force it, eliminating any benefit to cloaking usernames with different display names.
The real issue is that a failed password/username is not the only (and the fastest) way to know what the registered usernames are:
Code:
http://www.elkarte.net/index.php?action=register;sa=usernamecheck;xml;username=ema
allows brute-forcing all the nicks without even a spam-flood control.
Last Edit: October 04, 2013, 10:27:11 am by emanuele
Bugs creator.
Features destroyer.
Template killer.

Re: Display name on registration.

Reply #8

Sweet ! ... any ideas ?

Re: Display name on registration.

Reply #9

At least a spamFlood may help. I think.
Bugs creator.
Features destroyer.
Template killer.
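
Added example, not part of the thread and not ElkArte code: a minimal Python sketch of the two mitigations discussed above, a login that returns one generic message at the same hashing cost for known and unknown usernames, and a per-client flood control on the registration username check. The names `login`, `username_check`, `FloodControl`, the limits and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample account store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"emanuele": (_SALT, _hash("correct horse battery staple", _SALT))}
_DUMMY = (os.urandom(16), os.urandom(32))  # hashed against for unknown names

GENERIC_ERROR = "The supplied credentials are invalid."

def login(username: str, password: str) -> str:
    """Same message and same hashing work whether or not the name exists."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "ok" if ok and username in USERS else GENERIC_ERROR

class FloodControl:
    """Sliding window: at most `limit` calls per `window` seconds per client."""
    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have left the window
        if len(q) >= self.limit:
            return False  # rejected calls are not recorded
        q.append(now)
        return True

flood = FloodControl()

def username_check(client_ip: str, username: str,
                   now: Optional[float] = None) -> str:
    """Availability check for the registration form, throttled per client."""
    if not flood.allow(client_ip, now):
        return "throttled"
    return "taken" if username in USERS else "available"
```

Throttling slows enumeration through the availability check but does not remove the signal, since the registration form still has to say whether a name is taken.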

Re: Display name on registration.

Reply #10

Quote from: Spuds – Along those lines, we should also consider dumbing down our login form.  Today we will say if it's an invalid username OR invalid password on the form.  Makes it easy to know if you have a valid userid and can work against that.

I think it should just say an invalid username or password was entered.

I get the security concerns part of this, but I absolutely hate when websites tell me that one OR the other is wrong. I have so many different username combinations and passwords that I use, it's so unhelpful to the actual person to tell them that they did something wrong, but apparently the system doesn't know what that is.

It would be much better to simply require stronger passwords by default, which would make brute force attacks far more difficult. I don't necessarily mean the typical aA1! combos.

http://xkcd.com/936/ <--I tried to embed an [img] here but it didn't show up, the code/url literally disappeared from my post and didn't give me an error, what's up with that?

Randall actually has a point there. Length can be just as strong of an indicator as special characters.

Re: Display name on registration.

Reply #11

That's one of my favorite comics  ;D

Point taken on the generic "you messed up try again" message vs something that may actually be useful to the user.  It's like a spellchecker that says you have some misspellings, but does not show you where they are.   Not sure we are going to do anything with those messages at this time  :-\

I use keypass these days to keep track of all my ids and passwords, with a plugin for the browser, so far that's worked for me.

Quote: <--I tried to embed an [img] here but it didn't show up, the code/url literally disappeared from my post and didn't give me an error, what's up with that?
I think that was a preg_replace error (when we updated for php5.5) that we fixed in the repo, the site is a couple of weeks back, or it's Ema's fault  :P


Re: Display name on registration.

Reply #13

 emanuele :'(
Bugs creator.
Features destroyer.
Template killer.