Hash, Inc. - Animation:Master


Posted

Hello All,

On about 02/07/2023 at 11:59pm PST, the forums log in will change from user name to email.

Before you ask 'why are you doing this?, I'm too old for change' haha

There are security risks in people being able to use your 'display' name to sign in and the forums is bugging me about it.

And before you ask 'If this is a security risk why didn't you change it before?' It was answered in the 'why are you doing this' line because I didn't want to hear 'I'm too old for change' hahaha

 

Thanks for understanding all
Jason Simonds

  • Hash Fellow
Posted

Hey @Jason Simonds,

I just tried logging in with my email address (it's already an option) and it doesn't work.

image.png

 

When that gets sorted out I recommend that some very visible alert to the change be added to the standard sign in screen. I think most people will not notice the mere absence of "Display Name" in this box.

image.png

  • *A:M User*
Posted

While I don't have a problem with this in theory, wouldn't someone already have to have your password in order to sign in? I'm not sure how switching to the email address makes it any more secure, unless you're going to set up an option for 2FA.

  • Hash Fellow
Posted
11 minutes ago, Roger said:

While I don't have a problem with this in theory, wouldn't someone already have to have your password in order to sign in? I'm not sure how switching to the email address makes it any more secure, unless you're going to set up an option for 2FA.

Here is the explanation from the makers of the forum software...

image.png

  • *A:M User*
Posted
27 minutes ago, robcat2075 said:

Here is the explanation from the makers of the forum software...

image.png

Ah, but this isn't going to stop the real problem, which is reusing passwords across multiple websites. While 2 factor authentication that is email or SMS message based is not foolproof, it is a bit more secure if you have an option for it.

Again, I'm not arguing against the change, I welcome anything that will improve security. I just don't see much of a difference between someone using the password that they found in a hacked password database (that you used for a dozen other sites) to try and log in to your AM account... I mean it is sort of moot at that point whether they are using it with a display name or an email address, no?

  • Hash Fellow
Posted

This change doesn't end hacking attempts but it does stop providing them with half of what they need for an easy one.

  • Hash Fellow
Posted

Since the A:M forum doesn't handle financial transactions it probably isn't a prime hacking target, but it is easy to discontinue this weak security practice.

Posted

@robcat2075 It should not have shown 'email' as an approved log in, it's from covering the image gallery.

Now it should support email log in.

@Roger we do not store any real data (Bank Cards, Addresses or things like that) here. I can force a timed password reset, but since we do not store data like that I don't think it's needed. As for people using the same password here as their bank or stores DO NOT DO THAT YOU ARE A BAD PERSON!!!!!!!!!
 

Here is some reading on passwords. I'm in no way saying what password manager you should use as we were using Lastpass and are now moving to a new one. This is a lot of work and a lot of reading.

  • *A:M User*
Posted

Jason,

Thanks for your comments. I am not worried about any financial data being lost, I have seen some unusual activity on a number of forums I belong to lately, but that could be attributed to script kiddies jiggling the locks, or bots or other automated tools.

Working in IT, I'm fairly security conscious and frequently rotate passwords to new, secure passwords. I had thought about switching to a password manager some time ago but am concerned about the ones that store the DB in the cloud. I believe at least one of the major password managers was breached in the last few years.

I don't expect that we require any especially exotic security measures on our little forum here, I guess I was just playing "Devil's advocate" so to speak.

Speaking of which, it's about time for me to audit my systems again. :)

  • Hash Fellow
Posted

I never understood how giving all your passwords to someone else to manage got to be a recommended security practice. :dontknow:

I'll do what we did at Nortel... put all my passwords on a Post-it under my mouse pad.

  • Like 2
  • *A:M User*
Posted

So I've had to revalidate my account with my old email address because I couldn't get it validated with the NEW address, never received the validation email despite numerous attempts with 2 different email addresses. Likewise, I tried creating a whole new account with one of my alternate emails, thinking that might work. That did not work.

Not sure what is going on with your validation process, but I would rather not leave things as they stand.

  • 2 weeks later...
Posted

@Roger I'm starting to think something is not working, but it's not giving an error. I'm going to look deeper into this over the next few days, but with no errors it's going to be a long road.

  • *A:M User*
Posted
1 hour ago, Jason Simonds said:

@Roger I'm starting to think something is not working, but it's not giving an error. I'm going to look deeper into this over the next few days, but with no errors it's going to be a long road.

Sounds good, no rush. I just wanted to alert you to a potential problem that could affect new users in addition to existing ones.

Posted
On 2/15/2023 at 4:38 PM, Roger said:

Sounds good, no rush. I just wanted to alert you to a potential problem that could affect new users in addition to existing ones.

I just updated the forums and tested the password reset (was not working before). I think it's because of an out of date Google captcha plug-in that was not showing an error.
