Topic: Username and/or Password?

When you type in wrong login information, it says that the Username and/or Password was wrong.

My suggestion is that if the username is correct, it should output "Password was wrong", or if the password was correct, but not the username: "Username was wrong". By this, people can save time by not worrying about whether they misspelled their username when it was in fact right, or vice versa.

Just my 2 cents.

Re: Username and/or Password?

The "Password was wrong" would be nice, yes, but if the username was wrong then there would be no password to compare it to.

3 (edited by deadram 2006-10-03 08:39)

Re: Username and/or Password?

Makes sense, people can already look at the user list as guests to find out what usernames are valid, no point in trying to hide something that should be right in front of them when they make a mistake logging on.

EDIT--

@Gizzmo I think he means if the username does not exist, then print "hey no user found, buddy"

echo "deadram"; echo; fortune;

Re: Username and/or Password?

Done.

Install Directions wrote:

open ./lang/<languages>/login.php

Find (line 6):

// Miscellaneous
'Wrong user/pass'        =>    'Wrong username and/or password.',

replace with:

// Miscellaneous
'Wrong user'            =>    'Wrong username.',
'Wrong pass'            =>    'Wrong password.',

open ./login.php

Find (line 48 or thereabouts):

    $authorized = false;

    if (!empty($db_password_hash))
    {

replace with:

    $authorized = false;

    if (!isset($user_id))
    {
        message($lang_login['Wrong user'].' <a href="login.php?action=forget">'.$lang_login['Forgotten pass'].'</a>');
    }

    if (!empty($db_password_hash))
    {

Find (line 72 or thereabouts):

    if (!$authorized)
        message($lang_login['Wrong user/pass'].' <a href="login.php?action=forget">'.$lang_login['Forgotten pass'].'</a>');

replace with:

    if (!$authorized)
        message($lang_login['Wrong pass'].' <a href="login.php?action=forget">'.$lang_login['Forgotten pass'].'</a>');

echo "deadram"; echo; fortune;
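The two messages the patch above introduces are exactly what the rest of the thread argues about. As an added illustration, not code from this post and not PunBB's own code, here is a stand-alone Python sketch of both behaviours side by side: a login check that reports which half was wrong (and returns early on an unknown username, so the response time differs as well) next to one that gives a single message and does the same hashing work whether or not the user exists. The user table, salts, PBKDF2 hashing and the `leaks_user_existence` check are all constructed for this example.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample data (not PunBB's schema or hashing): username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

_SALT_ALICE = b"constructed-salt-alice"
USERS = {"alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE))}

# A fixed dummy record so that an unknown username still costs one hash computation.
_DUMMY_SALT = b"constructed-salt-dummy"
_DUMMY_HASH = _hash("not a real password", _DUMMY_SALT)


def login_enumerating(username: str, password: str) -> Tuple[bool, str]:
    """The patched behaviour: a different message for each half, and an early return on unknown users."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Wrong username."
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password."
    return True, "OK"


def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """One message, and the same amount of work, whether or not the username exists."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    ok = matched and rec is not None  # a match against the dummy hash must never log anyone in
    return ok, ("OK" if ok else "Wrong username and/or password.")


def leaks_user_existence(login_fn) -> bool:
    """Defender's check: does a known user with a wrong password get a different reply than an unknown user?"""
    _, known = login_fn("alice", "wrong password")
    _, unknown = login_fn("nobody-here", "wrong password")
    return known != unknown


if __name__ == "__main__":
    for fn in (login_enumerating, login_uniform):
        print(fn.__name__, "leaks user existence:", leaks_user_existence(fn))
```

The `leaks_user_existence` check is the kind of thing to run against a login form after any change to its error handling: it only needs one valid username and returns true as soon as the two replies differ.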

Re: Username and/or Password?

Sonrep wrote:

When you type in wrong login information, it says that the Username and/or Password was wrong.

My suggestion is that if the username is correct, it should output "Password was wrong", or if the password was correct, but not the username: "Username was wrong". By this, people can save time by not worrying about whether they misspelled their username when it was in fact right, or vice versa.

Just my 2 cents.

It's a security feature. You don't want to reward someone trying to brute force login to your forum by telling them that one or the other is correct.

Re: Username and/or Password?

roflmao :P
http://thedailywtf.com/forums/thread/92026.aspx

7 (edited by deadram 2006-10-03 10:39)

Re: Username and/or Password?

userlist.php
...
Need I say more?

echo "deadram"; echo; fortune;

Re: Username and/or Password?

But since most web programmers aren't so savvy as to consciously use it as a security feature, yet still do it, it's usually just Security By Fortunate Laziness.

haha :D

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Username and/or Password?

Heheh :P

Re: Username and/or Password?

deadram wrote:

userlist.php
...
Need I say more?

If you try to view the userlist on my forum, all you see is this:

Info
You do not have permission to view these forums.

Go back


Re: Username and/or Password?

Have you installed any mods?
Like userlist access?

Re: Username and/or Password?

Richard wrote:

If you try to view the userlist on my forum, all you see is this:

If you have guest viewable forums (i.e. they can see posts), you're giving away valid usernames. If you (or your users) re-use usernames across different systems, well... same thing.

If you truly want to stop "crackers" (i.e. viruses/script kiddies) just implement something with "X fails in Y minutes == block for Z minutes"

Normally preventing 5+ log-ins with the same username, or from the same IP, for 15 minutes at a time will slow down brute force cracking enough to fill your logs with enough info to nail the bugger using up your bandwidth to try their latest version of 1337autocrak. That's about 480 attempts per day, 3360 per week; if you don't notice this in your logs, re-write your log parsers! If your users have passwords that can be cracked in 3360 attempts, then write a script to brute force their passwords during off hours, and force a password reset on the found weak passwords. Or better yet, do a spell check on passwords and if a match comes up with less than 3 differences, don't allow the password. Then again, unless you're working for that secret world government organization running the inter-galactic stargate program, I doubt you'll need this much protection. Monthly stored backups, and weekly backups (rotated monthly) and daily backups (rotated weekly) of your database can restore any damage done to a forum in less time than it takes to go for a pee (women excluded, not trying to be sexist, that's just the way it is though :P).

I'll admit more security is good security, but one has to understand that some people can't tell left mouse click from reset button on a computer. Limiting ease of use and accessibility so that the admin doesn't have to write one more script is lazy IMHO. 'Course if you want your users to have image verification each time they log on, and force them to have a retinal scan to post, be my guest.

echo "deadram"; echo; fortune;
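The "X fails in Y minutes == block for Z minutes" rule from the post above, and the log reading that goes with it, as an added Python example that is neither from the post nor PunBB code: a small throttle keyed on both username and source IP, using the post's figures (5 failures, 15 minutes), replayed over a constructed log in a made-up one-line-per-attempt format, plus the arithmetic behind the 480 per day / 3360 per week numbers. The log format, the sample lines and the `LoginThrottle` class are all assumptions of this example.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example (an assumption, not PunBB's own log):
#   <epoch seconds> LOGIN_FAIL|LOGIN_OK user=<name> ip=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: five failures for alice, then a sixth, then other keys sharing a block.
SAMPLE_LOG = """\
1000 LOGIN_FAIL user=alice ip=203.0.113.7
1010 LOGIN_FAIL user=alice ip=203.0.113.7
1020 LOGIN_FAIL user=alice ip=203.0.113.7
1030 LOGIN_FAIL user=alice ip=203.0.113.7
1040 LOGIN_FAIL user=alice ip=203.0.113.7
1050 LOGIN_FAIL user=alice ip=203.0.113.7
1100 LOGIN_FAIL user=bob ip=203.0.113.7
1200 LOGIN_FAIL user=alice ip=198.51.100.2
this line is not a login record and is skipped
2000 LOGIN_OK user=alice ip=203.0.113.7
"""


class LoginThrottle:
    """X failures within Y seconds on a key (username or IP) blocks that key for Z seconds."""

    def __init__(self, max_fails: int = 5, window: int = 15 * 60, block: int = 15 * 60):
        self.max_fails, self.window, self.block = max_fails, window, block
        self._fails = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}          # key -> epoch second at which the block lifts

    def is_blocked(self, key, now: int) -> bool:
        return now < self._blocked_until.get(key, 0)

    def record_failure(self, key, now: int) -> None:
        q = self._fails[key]
        q.append(now)
        while q and q[0] <= now - self.window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.max_fails:
            self._blocked_until[key] = now + self.block
            q.clear()

    def record_success(self, key) -> None:
        self._fails.pop(key, None)


def replay_log(log_text: str, throttle: LoginThrottle):
    """Run the throttle over log lines; returns one (ts, user, ip, decision) tuple per parsed line."""
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip = int(m["ts"]), m["user"], m["ip"]
        keys = (("user", user), ("ip", ip))
        if any(throttle.is_blocked(k, ts) for k in keys):
            decisions.append((ts, user, ip, "blocked"))  # rejected before any password check
            continue
        if m["event"] == "LOGIN_FAIL":
            for k in keys:
                throttle.record_failure(k, ts)
            decisions.append((ts, user, ip, "fail"))
        else:
            for k in keys:
                throttle.record_success(k)
            decisions.append((ts, user, ip, "ok"))
    return decisions


def max_attempts(max_fails: int, block: int, period: int) -> int:
    """Upper bound on guesses one key can make in `period` seconds under this policy."""
    return max_fails * period // block


if __name__ == "__main__":
    for row in replay_log(SAMPLE_LOG, LoginThrottle()):
        print(row)
    print(max_attempts(5, 15 * 60, 86400), "per day,", max_attempts(5, 15 * 60, 7 * 86400), "per week")
```

Keying on the IP as well as the username is what makes the sixth line (bob from the same address) come back blocked; keying on the username alone would let one address walk a list of names, and keying on the IP alone would let one name be tried from many addresses. A blocked attempt is logged before any password is checked, which is the "info to nail the bugger" the post refers to.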


Re: Username and/or Password?

Richard wrote:

It's a security feature. You don't want to reward someone trying to brute force login to your forum by telling them that one or the other is correct.

1. A manual hacker would most likely know the username/usernames anyway.
2. An automatic bot could be recognised by other functionality.

Re: Username and/or Password?

Y'all read way too much into things. deadram tried to say that all they would need to do is view the userlist, and I responded saying that all you have to do is disable guest viewing and they won't be able to view the userlist.

What good is a username/password challenge if you are just going to tell the person that one or the other is correct? The person should know both of them; if they don't, then they shouldn't be told when one or the other is correct.

Re: Username and/or Password?

Richard wrote:

What good is a username/password challenge if you are just going to tell the person that one or the other is correct?

Weak passwords are any admin's worst nightmare, especially if that password lets you in as a mod/admin. Usernames on the other hand are a dime a dozen. Forcing people to remember their username without at the very least giving them a hint as to their identity forces them to re-use usernames across multiple systems, which is just as good/bad as guest access to usernames. Now, telling them that that is a valid password but not for that username, well, that's just stupid. Telling them that's an invalid username, or that's an invalid password for said username, is not going to give them enough information to crack your systems. Like I said before, if you are going to worry that much about usernames, then worry that much more about the users' passwords.

Telling the user that their username is a valid one is a great way for them to do some thinking about their password without having to request a password reset, which sends a new password of unknown strength across clear text methods, allowing any mischievous site admin along the path to the user's mail server to "borrow" that account. Basically I'm saying considering hiding usernames as a security feature is like pretending that putting your extra set of keys under a flower pot (instead of the door mat) is a security feature. However, letting people know about usernames (and forcing them to have decent to great passwords) is like leaving the door unlocked and having an underfed pit-bull waiting for you to return home. I would much rather come home to a ravaged and half eaten robber than a broken flower pot.

echo "deadram"; echo; fortune;