furioussnail, May 2, 2018:
Hello. I believe requiring users to login with their display names is a bad idea. Basically any attacker has less guessing to do. Maybe login behavior should be changed?
Michael, May 2, 2018:
> 27 minutes ago, furioussnail said: Hello. I believe requiring users to login with their display names is a bad idea. Basically any attacker has less guessing to do. Maybe login behavior should be changed?
Display names? They can choose a username or use their email address; an attacker has to guess what the user is using?
Paul, May 2, 2018:
This was a change that IPBoard made; after upgrading one day, users were forced to login with display name. Not aware of any account compromises. If you have a decent password, you should be fine, and we block brute force attacks.
furioussnail (author), May 3, 2018:
> 22 hours ago, Paul said: This was a change that IPBoard made; after upgrading one day, users were forced to login with display name. Not aware of any account compromises. If you have a decent password, you should be fine, and we block brute force attacks.
AFAIK the practice of displaying any details used for login helps attackers to exploit the system. The more info is provided about the internals of a system, the easier it is for an attacker to exploit it. Let's say there is a 0-day vulnerability an attacker found which allows user escalation. By investigating who is who on the forums, it is super easy for the attacker to escalate to a user with extended rights.
furioussnail (author), May 3, 2018:
> On 5/2/2018 at 11:58 PM, Blesta.Store said: Display names? They can choose a username or use their email address; an attacker has to guess what the user is using?
I am talking about the user names which are also used as display names. For example, can you login with Blesta.Store as user name? If yes, don't you notice an issue with that?
Michael, May 3, 2018:
> 1 minute ago, furioussnail said: I am talking about the user names which are also used as display names. For example, can you login with Blesta.Store as user name? If yes, don't you notice an issue with that?
Oh, you're talking about the forum. I thought you meant Blesta. The forum software does what the forum software developers do; can't change that here.
furioussnail (author), May 3, 2018:
> 2 minutes ago, Blesta.Store said: Oh, you're talking about the forum. I thought you meant Blesta. The forum software does what the forum software developers do; can't change that here.
Well, too bad. But maybe the Blesta team would consider opening a bug with the providers of the forum software.
Michael, May 3, 2018:
> Just now, furioussnail said: Well, too bad. But maybe the Blesta team would consider opening a bug with the providers of the forum software.
A bug is something which should be fixed; it's a feature they changed, so it's not a bug. Feel free to post it yourself: https://invisioncommunity.com/forums/ They can explain why they changed from the first username you registered with (which you can see anyway).
Paul, May 4, 2018:
I would suggest contacting IPBoard about any concern. Most organizations do not have secret usernames; they force the use of email addresses, or display usernames publicly. Reddit and Twitter, to name a couple, allow you to login with your display name. I operate under the assumption that an attacker knows my username, but I can see how you'd want that to be secret. Nothing we can do about it though.
Tyson, May 4, 2018:
It's always assumed that attackers have any username/email/etc. about you. Security through obscurity is not an acceptable deterrent.
furioussnail (author), May 6, 2018:
> On 5/5/2018 at 2:54 AM, Tyson said: It's always assumed that attackers have any username/email/etc. about you. Security through obscurity is not an acceptable deterrent.
This is not security through obscurity. This is protecting my private data. Yes, attackers may be capable of obtaining the data (depending on how you protect it); it doesn't mean it should be made easy for them. I already provided the user escalation example... Security through obscurity isn't related to one practice. It should or could always be used in combination with more secure techniques, such as security by design or open security. Security through obscurity may deter less apt attackers.
furioussnail (author), May 6, 2018:
> On 5/5/2018 at 1:26 AM, Paul said: I would suggest contacting IPBoard about any concern. Most organizations do not have secret usernames; they force the use of email addresses, or display usernames publicly. Reddit and Twitter, to name a couple, allow you to login with your display name. I operate under the assumption that an attacker knows my username, but I can see how you'd want that to be secret. Nothing we can do about it though.
The fact that many do it one way doesn't mean it is right. Yes, there are techniques used to prevent brute force attacks or user escalation, but can you foresee any vulnerabilities? Even yesterday Twitter asked users to reset their passwords... So, not sure Twitter is a good example.
Paul, May 7, 2018:
> On 5/6/2018 at 12:26 AM, furioussnail said: The fact that many do it one way doesn't mean it is right. Yes, there are techniques used to prevent brute force attacks or user escalation, but can you foresee any vulnerabilities? Even yesterday Twitter asked users to reset their passwords... So, not sure Twitter is a good example.
Just because Twitter made a mistake with their logging doesn't mean that they don't know what they are doing. Twitter has some of the brightest engineers in the world on their team, many of whom, I'm sure, would disagree with you. Still, how IPBoard operates is outside our control, and you should always assume an attacker has your username.
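The position the thread settles on (assume the username is public; rely on a strong password and brute-force throttling) can be made concrete. The following is an added illustrative login backend written for this page, not code from Blesta or IPBoard; the in-memory user store, the fake clock, the lockout threshold and window are all constructed for the example. It does three things a defender wants once usernames are public: per-account throttling of failed attempts, identical failure responses for unknown and known usernames, and equal hashing work for both so timing gives no hint either.

```python
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5    # failed attempts on one account before it is throttled
LOCKOUT_SECONDS = 900    # how long the throttle lasts (constructed value)
GENERIC_FAILURE = "Invalid username or password"  # same text for every failure


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Hypothetical login backend: public usernames, throttled guessing."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.users = {}       # username -> (salt, digest); in-memory store for the example
        self.failures = {}    # username -> (failed_count, first_failure_time)
        # Dummy credential so unknown usernames cost the same hash work as real ones
        self.dummy = hash_password(os.urandom(8).hex())

    def register(self, username, password):
        self.users[username.lower()] = hash_password(password)

    def _locked(self, key):
        count, since = self.failures.get(key, (0, 0.0))
        if count < LOCKOUT_THRESHOLD:
            return False
        if self.now() - since < LOCKOUT_SECONDS:
            return True
        self.failures.pop(key, None)   # lockout window expired, start fresh
        return False

    def login(self, username, password):
        key = username.lower()
        if self._locked(key):
            return False, GENERIC_FAILURE   # no hint that the account exists
        salt, digest = self.users.get(key, self.dummy)
        _, candidate = hash_password(password, salt)
        # Constant-time compare; unknown users always fail after the same work
        if key in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(key, None)
            return True, "ok"
        count, since = self.failures.get(key, (0, self.now()))
        self.failures[key] = (count + 1, since)
        return False, GENERIC_FAILURE
```

Because unknown names are throttled and answered exactly like real ones, the lockout itself cannot be used to tell which usernames exist.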
Abdy, May 8, 2018:
https://invisioncommunity.com/contact-us