Login with Display Name is a bad idea


furioussnail

Question

13 answers to this question

Recommended Posts

  • 1
1 minute ago, furioussnail said:

I am talking about the user names, which are also used as display names. For example, can you log in with Blesta.Store as your user name? If yes, don't you notice an issue with that?

Oh, you're talking about the forum :) I thought you meant Blesta. The forum software does what the forum software developers do :) Can't change that here.


  • 0
27 minutes ago, furioussnail said:

Hello.

I believe requiring users to log in with their display names is a bad idea. Basically, any attacker has less guessing to do. Maybe the login behavior should be changed?

Display names? They can choose a username or use their email address; an attacker has to guess what the user is using?


  • 0
22 hours ago, Paul said:

This was a change that IPBoard made; after upgrading one day, users were forced to log in with their display name. Not aware of any account compromises; if you have a decent password, you should be fine, and we block brute force attacks.

AFAIK the practice of displaying any details used for login helps attackers to exploit the system. The more info is provided about the internals of a system, the easier it is for an attacker to exploit the system. Let's say there is a 0-day vulnerability an attacker found which allows user escalation. By investigating who's who on the forums, it is super easy for the attacker to escalate to a user with extended rights.

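The two positions above (a known display name plus "we block brute force attacks" on one side, "any attacker has less guessing to do" on the other) can be made concrete. The following is an added example, not code from Blesta or from Invision Community's forum software: a login throttle written on the assumption that the attacker already knows every display name, so the defences that remain are a slow password hash, a per-name failure limit against brute force of one account, a per-source-IP failure limit against password spraying across all the scraped names, and an identical "denied" response for wrong passwords and non-existent names. The user table, passwords, limits and IP addresses are all constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # sliding window in which failures are counted (chosen for the example)
PER_USER_LIMIT = 5     # failures tolerated per display name per window
PER_IP_LIMIT = 20      # failures tolerated per source IP per window (catches spraying)
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt. A slow hash plus a decent
    password is what actually protects an account whose name is public."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table keyed by the public display name (assumption: display name is
# the login, as the thread describes). The passwords are made up for this example.
USERS = {
    "furioussnail": hash_password("correct horse battery staple"),
    "Paul": hash_password("Tr0ub4dor&3"),
}
# Dummy credentials so an unknown name costs the same hashing time as a known one;
# otherwise response time would reveal which display names exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-user")


class LoginGuard:
    def __init__(self, users=USERS):
        self.users = users
        self.user_fail = defaultdict(deque)  # display name -> timestamps of failures
        self.ip_fail = defaultdict(deque)    # source IP -> timestamps of failures

    @staticmethod
    def _count(q, now):
        """Drop timestamps outside the window and return how many failures remain."""
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def attempt(self, ip, name, password, now):
        """Return 'ok', 'denied' or 'throttled'. 'denied' is the same for a wrong
        password and for a display name that does not exist."""
        if (self._count(self.user_fail[name], now) >= PER_USER_LIMIT
                or self._count(self.ip_fail[ip], now) >= PER_IP_LIMIT):
            return "throttled"
        salt, stored = self.users.get(name, (_DUMMY_SALT, _DUMMY_DIGEST))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if name in self.users and hmac.compare_digest(candidate, stored):
            self.user_fail[name].clear()
            return "ok"
        self.user_fail[name].append(now)
        self.ip_fail[ip].append(now)
        return "denied"


def simulate_brute_force(guard, name, guesses, now=0.0):
    """Attacker knows one display name and runs a wordlist against it, one guess per second."""
    return [guard.attempt("203.0.113.7", name, g, now + i) for i, g in enumerate(guesses)]


def simulate_spray(guard, names, password, now=0.0):
    """Attacker tries a single popular password across every display name scraped from the forum."""
    return [guard.attempt("203.0.113.8", n, password, now + i) for i, n in enumerate(names)]


if __name__ == "__main__":
    wordlist = ["password", "123456", "qwerty", "letmein", "welcome", "Tr0ub4dor&3"]
    print(simulate_brute_force(LoginGuard(), "Paul", wordlist))
    print(simulate_spray(LoginGuard(), [f"member{i}" for i in range(25)], "Summer2018!"))
```

Two things are worth noting about this design. The per-name limit is keyed on a public value, so an attacker who knows a display name can deliberately lock that account out for a window; production throttles usually soften this by keying on the (name, IP) pair or by escalating delays instead of hard lockout. And the per-IP limit only exists because the attacker is assumed to know every name: password spraying is the attack that a public username list enables, and a per-account counter alone never sees it.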

  • 0
On 5/2/2018 at 11:58 PM, Blesta.Store said:

Display names? They can choose a username or use their email address; an attacker has to guess what the user is using?

I am talking about the user names, which are also used as display names. For example, can you log in with Blesta.Store as your user name? If yes, don't you notice an issue with that?


  • 0
Just now, furioussnail said:

Well, too bad. But maybe the Blesta team would consider opening a bug with the providers of the forum software.

A bug is something which should be fixed; this is a feature they changed, so it's not a bug. Feel free to post it yourself: https://invisioncommunity.com/forums/ They can explain why they changed from the first username you registered with (which you can see anyway).


  • 0

I would suggest contacting IPBoard about any concern. Most organizations do not have secret usernames; they force the use of email addresses, or display usernames publicly. Reddit and Twitter, to name a couple, allow you to log in with your display name. I operate under the assumption that an attacker knows my username, but I can see how you'd want that to be secret. Nothing we can do about it though.


  • 0
On 5/5/2018 at 2:54 AM, Tyson said:

It's always assumed that attackers have any username/email/etc. about you. Security through obscurity is not an acceptable deterrent.

This is not security through obscurity. This is protecting my private data. Yes, attackers may be capable of obtaining the data (depending on how you protect it); it doesn't mean it should be made easy for them. I already provided the user escalation example... Security through obscurity isn't related to one practice. It should or could always be used in combination with more secure techniques, such as security by design or open security. Security through obscurity may deter less apt attackers.


  • 0
On 5/5/2018 at 1:26 AM, Paul said:

I would suggest contacting IPBoard about any concern. Most organizations do not have secret usernames; they force the use of email addresses, or display usernames publicly. Reddit and Twitter, to name a couple, allow you to log in with your display name. I operate under the assumption that an attacker knows my username, but I can see how you'd want that to be secret. Nothing we can do about it though.

The fact that many do it in one way doesn't mean it is right. Yes, there are techniques used to prevent brute force attacks or user escalation but can you foresee any vulnerabilities? Even yesterday Twitter asked users to reset their passwords... So, not sure Twitter is a good example.


  • 0
On 5/6/2018 at 12:26 AM, furioussnail said:

The fact that many do it in one way doesn't mean it is right. Yes, there are techniques used to prevent brute force attacks or user escalation but can you foresee any vulnerabilities? Even yesterday Twitter asked users to reset their passwords... So, not sure Twitter is a good example.

Just because Twitter made a mistake with their logging, doesn't mean that they don't know what they are doing. Twitter has some of the brightest engineers in the world on their team, many of which I'm sure, would disagree with you. Still, how IPBoard operates is outside our control and you should always assume an attacker has your username.

