| Author | Message |
|---|---|
| Monkeybrain, Nucleus PhD (Joined: 15 Dec 2005, Posts: 525, Location: Kristiansand, Norway) | Reading a very good article on writing secure PHP scripts, I suddenly realised that the way Nucleus is actually showing the "login name" for each user that has access to log in to a site would be a great resource for anyone with bad intentions. It would limit their "brute-force" attack to just a few, or even one, username, and the passwords can easily be worked out with the right software. So my suggestion would be, could we include a screen name (nick) that would be what is actually shown on the site? Keep the username for login info and use the "nick" for whatever is shown on the site. And then make sure the users can't choose to make their "nick" the same as their username? Just my 2 cents on top of my brain... _________________ Is your question not solved yet? Search our FAQ, read the Documentation, or browse the list of available plugins. |
| ftruscot, Nucleus Guru (Joined: 22 Feb 2006, Posts: 7449, Location: Massachusetts) | I think a better defense against brute force attacks would be to implement something where the account gets locked out for a period of time after X number of failed login attempts. It makes brute force attacks less worthwhile. Another useful thing would be to enforce some kind of password complexity. I've got some code to check passwords for complexity as an option in NP_Profile. Separating the display name from the login would be good, but tough for the user to need to remember two things. If the email address, or other known field, was used for the login it might not be too bad for the user. That's the great balance in security between actual security and usability. I'll look into implementing something for 3.5. _________________ Is your question not solved yet? Search our FAQ, read the Documentation, or browse the list of available plugins. Check out my plugins |
| Monkeybrain, Nucleus PhD (Joined: 15 Dec 2005, Posts: 525, Location: Kristiansand, Norway) | Good points on the usability issue, I can clearly see that one coming. Though, you don't actually need to "remember" the nick that is shown when you make a post; it's just that, a nickname, that is shown instead of your login name, and will only be entered once through the registration process. Locking the user from making successive login attempts would be another good addition, I agree on that one. The password complexity can be another issue with the usability, as most users tend to choose a common word or phrase as their password, just because it's easier to remember. Forcing your users to create a complex password with a mix of letters, numbers and signs would make it even harder for the mediocre users to remember. It's a fine line to balance... |
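The lockout-after-X-failures and password-complexity ideas discussed in the posts above, as an added example that is not Nucleus or NP_Profile code; the threshold of five attempts, the 15-minute cooldown, the in-memory state store and the account name `alice` are assumptions:

```php
<?php
// Added example, not Nucleus code. Locks an account for a cooldown after N failed
// logins and enforces a simple complexity rule. State lives in an array here; a
// real plugin would persist it per user. Threshold and cooldown are assumed values.
const MAX_FAILED_ATTEMPTS = 5;   // assumed value of "X" from the thread
const LOCKOUT_SECONDS     = 900; // assumed cooldown (15 minutes)

class LoginThrottle
{
    /** @var array<string, array{failures:int, locked_until:int}> */
    private array $state = [];

    public function isLocked(string $login, int $now): bool
    {
        return ($this->state[$login]['locked_until'] ?? 0) > $now;
    }

    /** Record a failed attempt; returns true when this attempt starts a lockout. */
    public function recordFailure(string $login, int $now): bool
    {
        $s = $this->state[$login] ?? ['failures' => 0, 'locked_until' => 0];
        $s['failures']++;
        $locked = $s['failures'] >= MAX_FAILED_ATTEMPTS;
        if ($locked) {
            $s['locked_until'] = $now + LOCKOUT_SECONDS;
            $s['failures'] = 0; // counter restarts once the cooldown has passed
        }
        $this->state[$login] = $s;
        return $locked;
    }

    public function recordSuccess(string $login): void
    {
        unset($this->state[$login]); // a good login clears the failure count
    }
}

/** Minimum length plus at least three of four character classes. */
function isComplexEnough(string $password, int $minLength = 8): bool
{
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/'] as $re) {
        $classes += preg_match($re, $password) ? 1 : 0;
    }
    return strlen($password) >= $minLength && $classes >= 3;
}

$t = new LoginThrottle();
for ($i = 0; $i < MAX_FAILED_ATTEMPTS; $i++) {
    $t->recordFailure('alice', 1000 + $i); // constructed failed attempts at t=1000..1004
}
var_dump($t->isLocked('alice', 1100), $t->isLocked('alice', 1000 + LOCKOUT_SECONDS + 10));
var_dump(isComplexEnough('password'), isComplexEnough('Tr0ub4dor&3'));
```

A purely per-account counter also lets anyone lock a user out on purpose by failing that login repeatedly, so deployments usually pair it with a per-IP counter or an increasing delay rather than a hard lock alone.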