Forums change coming

[Jason Simonds]

Hello All,

on about 02/07/2023 at 11:59pm pst. The forums log in will change from user name to email.

Before you ask 'why are you doing this?, I'm to old for change' haha

There is security risks in people being able to use your 'display' name to sign in and the forums is bugging me about is.

and before you ask 'If this is a security risk why didn't you change it before?' It was answered in the 'why are you doing this' line because I didn't want to hear 'I'm to old for change' hahaha

 

Thanks for understanding all
Jason Simonds

[Wildsided]

Fair play

[robcat2075]

Hey @Jason Simonds,

I just tried logging in with my email address (it's already an option) and it doesn't work.

 

When that gets sorted out I recommend that some very visible alert to the change be added to the standard sign in screen. I think most people will not notice the mere absence of "Display Name" in this box.

[Roger]

While I don't have a problem with this in theory, wouldn't someone already have to have your password in order to sign in?   I'm not sure how switching to the email address makes it any more secure, unless you're going to set up an option for 2FA.

[robcat2075]

11 minutes ago, Roger said:

While I don't have a problem with this in theory, wouldn't someone already have to have your password in order to sign in?   I'm not sure how switching to the email address makes it any more secure, unless you're going to set up an option for 2FA.

Here is the explanation from the makers of the forum software...

[Roger]

27 minutes ago, robcat2075 said:

Here is the explanation from the makers of the forum software...

Ah, but this isn't going to stop the real problem, which is reusing passwords across multiple websites.    While 2 factor authentication that is email or SMS message based is not foolproof, it is a bit more secure if you have an option for it. 

Again, I'm not arguing against the change, I welcome anything that will improve security.  I just don't see much of a difference between someone using the password that they found in hacked password database (that you used for a dozen other sites) to try and login to your AM account....I mean it is sort of moot at that point whether they are using it with a display name or an email address, no?

[robcat2075]

This change doesn't end hacking attempts but it does stop providing them with half of what they need for an easy one.

[Roger]

I guess I better prepare for the update then.

[robcat2075]

Since the A:M forum doesn't handle financial transactions it probably isn't a prime hacking target, but it is easy to discontinue this weak security practice.

[Jason Simonds]

@robcat2075It should have not showed 'email' as a approved log in, it's from covering the image gallery.

Now it should support email log in.

@Rogerwe do not store any real data(Back Cards, Addresses or things like that here). I can force a timed password reset, but since we do not store data like that I don't think it's needed. As for people using the same password here as there bank or stores DO NOT DO THAT YOU ARE A BAD PERSON!!!!!!!!!
 

Here is some reading on passwords. I'm in no way saying what password manager you should use as we were using Lastpass and are now moving to a new one. This is a lot of work and a lot of reading.

[Roger]

Jason,

Thanks for your comments.   I am not worried about any financial data being lost, I have seen some unusual activity on number of forums I belong to lately, but that could be attributed to script kiddies jiggling the locks, or bots or other automated tools.  

Working in IT, I'm fairly security conscious and frequently rotate passwords to new, secure passwords.   I had thought about switching to a password manager some time ago but am concerned about the ones that store the DB in the cloud.  I believe at least one of the major password managers was breached in the last few years.

I don't expect that we require any especially exotic security measures on our little forum here, I guess I was just playing "Devi's advocate" so to speak.  

Speaking of which, it's about time for me to audit my systems again.  

[robcat2075]

I never understood how giving all your passwords to someone else to manage got to be a recommended security practice.

I'll do what we did at Nortel... put all my passwords on a Post-it under my mouse pad.

[robcat2075]

@Jason Simonds, I presume this change will also happen for the A:M bug tracker site?

[Jason Simonds]

1 hour ago, robcat2075 said:

@Jason Simonds, I presume this change will also happen for the A:M bug tracker site?

They are not the same, it  may come in an update but as of now it's not supported

[robcat2075]

@Jason Simonds I've sent you a PM

[Roger]

So I've had to revalidate my account with my old email address because I couldn't get it validated with the NEW address, never received the validation email despite numerous attempts with 2 different email addresses.   Likewise, I tried creating a whole new account with one of my alternate emails, thinking that might work.   That did not work.  

Not sure what is going on with your validation process, but I would rather not leave things as they stand.

[Jason Simonds]

@RogerI'm starting to think something is not working, but it's not giving an error. I'm going to look deeper into this over the next few days, but with no errors it's going to be a long road..

[Roger]

1 hour ago, Jason Simonds said:

@RogerI'm starting to think something is not working, but it's not giving an error. I'm going to look deeper into this over the next few days, but with no errors it's going to be a long road..

Sounds good, no rush.   I just wanted to alert you to a potential problem, that could affect new users in addition to existing ones.

[Jason Simonds]

On 2/15/2023 at 4:38 PM, Roger said:

Sounds good, no rush.   I just wanted to alert you to a potential problem, that could affect new users in addition to existing ones.

I just updated the forums and tested the password reset(was not working before). I think it's because of an out of date google captcha plug in that was not showing an error