Jason Simonds, Posted January 28, 2023
Hello All, on or about 02/07/2023 at 11:59pm PST the forums log in will change from user name to email. Before you ask 'why are you doing this? I'm too old for change' haha. There are security risks in people being able to use your 'display' name to sign in, and the forums is bugging me about it. And before you ask 'If this is a security risk why didn't you change it before?' It was answered in the 'why are you doing this' line, because I didn't want to hear 'I'm too old for change' hahaha. Thanks for understanding all, Jason Simonds
Hash Fellow robcat2075, Posted January 28, 2023
Hey @Jason Simonds, I just tried logging in with my email address (it's already an option) and it doesn't work. When that gets sorted out I recommend that some very visible alert to the change be added to the standard sign in screen. I think most people will not notice the mere absence of "Display Name" in this box.
*A:M User* Roger, Posted January 28, 2023
While I don't have a problem with this in theory, wouldn't someone already have to have your password in order to sign in? I'm not sure how switching to the email address makes it any more secure, unless you're going to set up an option for 2FA.
Hash Fellow robcat2075, Posted January 28, 2023
11 minutes ago, Roger said: While I don't have a problem with this in theory, wouldn't someone already have to have your password in order to sign in? I'm not sure how switching to the email address makes it any more secure, unless you're going to set up an option for 2FA.
Here is the explanation from the makers of the forum software...
*A:M User* Roger, Posted January 28, 2023
27 minutes ago, robcat2075 said: Here is the explanation from the makers of the forum software...
Ah, but this isn't going to stop the real problem, which is reusing passwords across multiple websites. While 2 factor authentication that is email or SMS message based is not foolproof, it is a bit more secure if you have an option for it. Again, I'm not arguing against the change, I welcome anything that will improve security. I just don't see much of a difference between someone using the password that they found in a hacked password database (that you used for a dozen other sites) to try and login to your AM account... I mean it is sort of moot at that point whether they are using it with a display name or an email address, no?
Hash Fellow robcat2075, Posted January 28, 2023
This change doesn't end hacking attempts but it does stop providing them with half of what they need for an easy one.
*A:M User* Roger, Posted January 28, 2023
I guess I better prepare for the update then.
Hash Fellow robcat2075, Posted January 28, 2023
Since the A:M forum doesn't handle financial transactions it probably isn't a prime hacking target, but it is easy to discontinue this weak security practice.
Jason Simonds (Author), Posted January 29, 2023
@robcat2075 It should not have shown 'email' as an approved log in, it's from covering the image gallery. Now it should support email log in. @Roger we do not store any real data (Bank Cards, Addresses or things like that) here. I can force a timed password reset, but since we do not store data like that I don't think it's needed. As for people using the same password here as their bank or stores: DO NOT DO THAT, YOU ARE A BAD PERSON!!!!!!!!! Here is some reading on passwords. I'm in no way saying what password manager you should use, as we were using Lastpass and are now moving to a new one. This is a lot of work and a lot of reading.
*A:M User* Roger, Posted January 29, 2023
Jason, Thanks for your comments. I am not worried about any financial data being lost. I have seen some unusual activity on a number of forums I belong to lately, but that could be attributed to script kiddies jiggling the locks, or bots or other automated tools. Working in IT, I'm fairly security conscious and frequently rotate passwords to new, secure passwords. I had thought about switching to a password manager some time ago but am concerned about the ones that store the DB in the cloud. I believe at least one of the major password managers was breached in the last few years. I don't expect that we require any especially exotic security measures on our little forum here, I guess I was just playing "Devil's advocate" so to speak. Speaking of which, it's about time for me to audit my systems again.
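The "jiggling the locks" Roger describes, and the password-reuse risk he and robcat2075 discuss above, both leave a recognisable trace in a forum's login log: one client address failing against many different accounts in a short window (credential stuffing), sometimes followed by a success against an account whose owner reused a leaked password. The script below is an added illustration for this thread, not code from the A:M forum or its software; the log format (ISO timestamp, client IP, account identifier, OK/FAIL) and the sample lines are constructed, and the thresholds are assumptions an admin would tune for their own site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real forum).
# Assumed format per line: <ISO timestamp> <client IP> <account> <OK|FAIL>
# 203.0.113.5 fails against five different accounts in seconds, then succeeds
# against "frank": the pattern a reused, leaked password produces.
# 198.51.100.7 is a user mistyping their own password twice, then getting in.
SAMPLE_LOG = """\
2023-01-28T10:00:01 203.0.113.5 alice FAIL
2023-01-28T10:00:02 203.0.113.5 bob FAIL
2023-01-28T10:00:03 203.0.113.5 carol FAIL
2023-01-28T10:00:04 203.0.113.5 dave FAIL
2023-01-28T10:00:05 203.0.113.5 erin FAIL
2023-01-28T10:00:06 203.0.113.5 frank OK
2023-01-28T10:05:00 198.51.100.7 alice FAIL
2023-01-28T10:05:20 198.51.100.7 alice FAIL
2023-01-28T10:05:40 198.51.100.7 alice OK
2023-01-28T11:00:00 192.0.2.9 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def parse_log(text):
    """Parse the whole log, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_stuffing_ips(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: distinct accounts hit} for IPs whose FAILed logins inside a
    sliding `window` touch at least `min_accounts` different accounts.
    Many accounts with few tries each is the credential-stuffing shape, as
    opposed to one account hammered many times (plain brute force)."""
    fails = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            fails[ip].append((ts, account))
    flagged = {}
    for ip, evs in fails.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hit = {acct for _, acct in evs[start:end + 1]}
            if len(hit) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(hit))
    return flagged


def successes_from_flagged_ips(events, flagged):
    """Accounts that logged in successfully from an IP flagged for stuffing.
    These are the accounts whose (probably reused) password just worked and
    should be reset and their owners notified."""
    return sorted({acct for _, ip, acct, res in events
                   if res == "OK" and ip in flagged})


def audit(text):
    """Run both checks over a log and return (flagged_ips, at_risk_accounts)."""
    events = parse_log(text)
    flagged = find_stuffing_ips(events)
    return flagged, successes_from_flagged_ips(events, flagged)


if __name__ == "__main__":
    ips, accounts = audit(SAMPLE_LOG)
    print("credential-stuffing sources:", ips)
    print("accounts to reset:", accounts)
```

Changing the login identifier from display name to email, as the thread's announcement does, makes the first half of each guess harder to obtain; this kind of log check is the complementary defender's view, catching the reuse case Roger points out that the identifier change alone cannot prevent. The thresholds here (five accounts in ten minutes) are deliberately low for the tiny sample; a real forum would tune them against its normal failed-login rate.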
Hash Fellow robcat2075, Posted January 29, 2023
I never understood how giving all your passwords to someone else to manage got to be a recommended security practice. I'll do what we did at Nortel... put all my passwords on a Post-it under my mouse pad.
Hash Fellow robcat2075, Posted January 30, 2023
@Jason Simonds, I presume this change will also happen for the A:M bug tracker site?
Jason Simonds (Author), Posted January 30, 2023
1 hour ago, robcat2075 said: @Jason Simonds, I presume this change will also happen for the A:M bug tracker site?
They are not the same; it may come in an update, but as of now it's not supported.
Hash Fellow robcat2075, Posted February 2, 2023
@Jason Simonds I've sent you a PM.
*A:M User* Roger, Posted February 2, 2023
So I've had to revalidate my account with my old email address because I couldn't get it validated with the NEW address; I never received the validation email despite numerous attempts with 2 different email addresses. Likewise, I tried creating a whole new account with one of my alternate emails, thinking that might work. That did not work. Not sure what is going on with your validation process, but I would rather not leave things as they stand.
Jason Simonds (Author), Posted February 15, 2023
@Roger I'm starting to think something is not working, but it's not giving an error. I'm going to look deeper into this over the next few days, but with no errors it's going to be a long road.
*A:M User* Roger, Posted February 16, 2023
1 hour ago, Jason Simonds said: @Roger I'm starting to think something is not working, but it's not giving an error. I'm going to look deeper into this over the next few days, but with no errors it's going to be a long road.
Sounds good, no rush. I just wanted to alert you to a potential problem that could affect new users in addition to existing ones.
Jason Simonds (Author), Posted February 19, 2023
On 2/15/2023 at 4:38 PM, Roger said: Sounds good, no rush. I just wanted to alert you to a potential problem that could affect new users in addition to existing ones.
I just updated the forums and tested the password reset (was not working before). I think it's because of an out of date Google captcha plug-in that was not showing an error.