11
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 18:18

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Anyway, i think the above post (#32) is probably the best formulation of my argument so far in this thread! It's gone through a lot of revisions, lol.

I'm quite new to XOOPS so I don't know who I'd contact to get this message home, but surely there are XOOPS Devs reading this who'd know exactly who should read this to help make a change if it possibly could be made.

So would someone mind emailing this to maybe the guy/s overseeing the "login system" section of Xoops...I'd really appreciate it.



12
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 17:15

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


I agree with you guys calling for an end to personal insults, it’s not necessary and the purpose of this post is not to offend people, only to urge the XOOPS Team to take a REAL considered look at this new feature and its worth.

“…stopping people from changing their names if they are trouble isn’t the issue - preventing them from causing trouble is the important issue.”

I thought the issue was the actual value and worth of this new feature? What is its intended purpose? I’m quite sure, even though currently users are able to do so in v2.2*, that the ability to allow users to change their displayname at will was not the ultimate goal and the XOOPS Team’s reason for adding it. That feature could have more easily been added by simply making the OLD Username editable from within profiles - with no need to add an additional field (Displayname).

It seems more likely that this has been added in an attempt to increase security. In that case, what we should be asking is whether a separate Displayname ACTUALLY increases security at all versus the old username/password method. I have realized it doesn’t.

I can understand people’s mistaken immediate acceptance of this new feature. At first glance it’s very attractive. In fact, if XOOPS hadn’t got me thinking about this as a whole by allowing the Displayname to be editable and made it static, I probably would not have questioned it myself. Like many people, I would have just accepted it as a very good security measure. However, the moment you do begin to actually analyze it you begin to realize that a hidden Loginname effectively boils down to a second password. Instead of typing your password into ONE field called Password, you are splitting the password in two and typing it into TWO fields, one called Loginname and the other Password when you login.

At the end of the day this new hidden loginname *IS JUST A SECOND PASSWORD* - that is an important KEY fact to bear in mind and easy to overlook! There is no mystical magic in this hidden Loginname system…it is just a dual password system.

Now, if you can make this leap of faith and accept the truth of the matter: that Loginname IS indeed just a second password then it’s time to extend the logic and ask more questions.

The next question would be: “What benefit is there in having TWO passwords over the old ONE password system?” Since thinking about it and questioning a person with far more knowledge than myself on security matters, I have realized there is *NO* benefit in having two passwords! None whatsoever, it’s simply a “security illusion” that tricks us (admins) with its immediately appealing false sense of security.

Now the mistake that some of us in this thread are making is in thinking that somehow by a hacker not immediately being able to SEE a user’s Loginname we gain more security because they don’t know half the key and have to work harder to find our actual Loginname. This seems to be the false assumption and I’ll try to explain why it is false, WITHOUT the maths this time!

As far as hackers are concerned, the loginname is IDENTICAL in principle to the old Password we all know and will be treated in exactly the same way when they attempt to hack an account. The only difference now is that they will have TWO passwords to hack instead of one, but that will not be a problem as their scripts will simply combine Loginname and Password into ONE and treat them as one old-style “password problem”.

For example, suppose your new XOOPS Loginname is “MyLogName” and your Password is “Thumb123” then the new SINGLE password solution is: MyLogNameThumb123, which is basically equivalent to an old-style password. A hacker will simply guess at this in the old way, combining both the new Loginname and Password fields simultaneously, until he finds the correct combination of letters, words and numbers.

As I’ve just said, “MyLogNameThumb123” is equivalent to a password you might have chosen in the old password system and a hacker can just as easily find it in this new XOOPS dual-password system:-

Loginname: MyLogName
Password: Thumb123

…is no more difficult to hack than:-

Username: Tom
Password: MyLogNameThumb123

Granted, the password solution has to be SPLIT on entry in the new system (to enter it into the two separate fields) but that is no barrier to an automated hack-script or even someone just typing in the password solution manually.

Here are some equivalent comparisons between the traditional Username/Password and Xoop’s new 2.2* Displayname log-in system.

Old style log-in:-

Username: Tom
Password: Thumb123

New XOOPS style login:-

Displayname: Tom (plays no part in actual security checking)
Loginname: MyLogName
Password: Thumb123

Improved old style login:-

Username: Tom
Password: MyLogNameThumb123

Even more improved old style login:-

Username: Tom
Password: y1MgoLem2aNbm3uhT

The “Even more improved old style login” above is in fact a LOT more difficult for a hacker to hack than the “New XOOPS style login” example and is the ideal user login.

If you have read and understood all of the above then you will realize exactly WHY most other CMS’s and other highly security conscious systems (such as Unix* and Windows) do NOT bother with a separate user Displayname. It’s not because they are sloppy with their security, (Unix* systems are the most secure in the world) it’s because Displaynames add absolutely NO improvement to security and probably cause more hassle and confusion in the long-run.

The answer to improving Xoop’s login security is not to tag an additional redundant limb onto the user login process. The *REAL* solution is for admins to advise users during registration on how to pick a Password. It should be AT LEAST 8 characters long and consist of both alphabetic AND numeric symbols, there should be NO identifiable words in a password: PasswordMy12, for example, is a no-no! As well as advising users, admins could also enforce a minimum password length of 8.

Imo, since understanding this issue a little better over the past couple of days, this new Displayname feature should not even be an option. It simply should not be in XOOPS because it adds nothing to the system as a whole except confusion for users and an extra field to fill during registration. But that is only my opinion. If it MUST be included, then it should be a separate module, not compulsory and embedded in the kernel of Xoops.

If we combined sensible passwords WITH an inbuilt Xoop’s maximum password attempt limit, it would be the ultimate defence against account hackers. Far more effective than a Displayname system. Displaynames are a security illusion, there’s no denying that, and I just want XOOPS to remain “Fluff free” and continue to be a non-gimmicky CMS. It’s currently one of its greatest strengths!



13
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 4:46

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Believe me, I am not trying to degrade XOOPS and I DO value and appreciate the hard work and effort that has gone into the system as a whole. Overall I am very happy with XOOPS and I prefer it over any of the others I have tried so far. I'm not sure how I have "come across" in my posts but I am far from "angry" as you put it. Perhaps passionate and eager to see a silly/pointless feature removed or at least made optional and not have it tarnish an otherwise FANTASTIC CMS. If I didn't like XOOPS I would not be wasting my time here discussing this problem. There is no anger against XOOPS here, just passion, which is a good thing.

But surely my appreciation of XOOPS should not mean I have to totally ignore a poorly implemented new feature, which was probably coded in less than a day? I have been through all the scripts and code relating to this new Displayname field (and hacked out most of it) and I can tell you it hasn't taken a lot of work to tag this feature on. So it would not take a great deal of effort to remove it BEFORE it becomes too much a part of XOOPS and 3rd party modules forever.

Having said that, I can see there are many people - including yourself - who do see the value in this new Displayname field, even though in reality it adds nothing to security. So I would be happy if it stays as an optional feature, if only for the "comfort factor" it seems to produce. That I could live with.



14
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 3:34

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Yes, don't waste anymore time here. Because you have nothing of any value to say anyway.



15
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 2:22

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Quote:

guardian2k1 wrote:
I find this thread hilarious, stupid and a waste of peoples time. You can't remove a feature if its already been implemented in the core. Again, as I repeated in a previous post Xoops-2.2 is dead. If you feel this should be removed then I would suggest creating a patch for *those* that want to have this feature removed.

Most cms's I've tried have had a display name/login name. I don't see why XOOPS should be any different.


I'm sorry, but you are a liar. I have recently tried Mambo, Drupal, e107 and Joomla - none of which use separate usernames and display names. Also I have registered on countless different websites over the years all of which would have been using MANY different systems - and you know what? I honestly can't remember the last time I was asked for a SEPARATE display name and login name.

Instead of laughing at threads, try to READ them and actually understand what is being said. If you read my posts maybe you'd understand WHY other CMS's do not use a separate displayname...because it's basically pointless irritating fluff that adds nothing of value to security.

The reason it should be an issue to us all NOW, even in 2.2*, is because we have no idea if the XOOPS Dev Team plan to include this in XoopsSphere. If we protest and speak out about it NOW, hopefully they won't. But I guess you wouldn't get my way of thinking because your thoughts are probably very short-term and only about the "here and now".



16
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 0:57

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


John, there are *no* security advantages to this new name system. Period. After speaking to a pretty knowledgeable guy on IRC about an hour ago and thinking about it a little more, I am convinced that it's a pointless idea. Which is probably why very few systems use it and those that do simply do not *UNDERSTAND* that it does not prevent hacking anymore than a reasonable length, difficult to guess password and a login attempt limit.

The way hackers work, unless they are good enough to have accessed account details on file, is either through guessing or systematic trial-and-error. Their hacking scripts can still use this same old technique on the new XOOPS two-name system. So what EXACTLY is this new login scheme supposed to achieve? This is what I'm having difficulty understanding.

It's pure unsubstantial fluff and only makes Administrators feel warm inside because they understand very little and it makes them think they are doing something “security conscious” on their sites. The most substantial thing that can be done on this level is for admins to increase their minimum password limit, advise their users to choose a difficult to guess password and for the XOOPS Dev Team to hardcode a maximum login attempt limit routine. *THAT* would be a genuine step in the right direction.

*LONGER LOG-IN PASSWORDS & LOGIN ATTEMPT LIMITS*

Hackers have never needed to be able to SEE your password in order to hack it. By the very same token, they do not need to be able to see your login name before they begin hacking it. Unless you put a login attempts limit on users logging-in then the hackers will still be able to take pot-shots at guessing your login name all night-long until they guess correctly. In practice there is no difference between a fancy new HIDDEN login name and a traditional hidden password – even if you combine the two!

So you say: "oh, but it's more difficult to hack because they not only have to hack the password, but ALSO the hidden name!!! blah blah" Wrong!

Read my post #14 above. The loginname and password simply combine to make *ONE* single password problem in the eyes of most scripts that hackers will write.

(Loginname+Password)^X = possible combinations

X=number of ASCII character codes (256, I think?). Loginname and Password = number of actual characters that make-up each.

You can get that very same number of combinations from a password that's equal to loginname+password in length. It's not difficult Maths and the person from the XOOPS Dev Team who wrote the new login system should understand it.

Basically your security depends on LENGTH and creativity in choosing a password, not in creating another hidden loginname which will actually just be treated as another password by hackers. If XOOPS remove this silly new feature and just add a login failure limit routine it will pretty much prevent any password hack attempts instantly...they simply will NOT be able to guess a long, creative password in, say, three attempts!

End of story, easy solution and no unnecessary potential confusion for users between Loginnames and Displaynames. (plus slightly shorter registration forms…which is always a good thing!)

I can’t really say anything more on this, it’s crystal clear to me. I just hope someone in the XOOPS Dev Team sits-up and pays attention and tries to understand the problem a little better.



17
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/4 16:54

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Quote:

jdseymour wrote:
The question is not whether it is useful or not the question is whether it is more secure or not. The answer to the latter is yes. And it should be an implementation on any secure CMS platform. Just like passwords usernames should never be displayed. It is half the combination to the safe.

I think that the idea that users not be able to change their displayname is a good one. And one I hope is implemented. But the idea of having a username for a display name should not be an argument at all.

XOOPS prides itself in security and should not turn it's back on any feature that increases that security. And to minimalize the risks as small, one needs to reevaluate what hard work they are willing to lose. No matter how long you go without being hacked, all it takes is that one time when lease prepared to change our minds.

If made optional, that is fine by me, but on (not off) by default. The username and display name need to be unique (personal opinion to prevent the username as displayname anyway). And the user should need administrator assistance to change there displayname if allowed at all.

Just voicing my opinions on this. (And this is from someone else not hacked in 4 years of websites, but refuses to let his guard down.)



Well, quite honestly JD, I think hiding the Username from public is no more secure. It is a "security illusion" and it just makes Admins THINK things are more secure when in fact it is no more difficult to hack two separate 8 character variables than it is to hack one single 16 character password variable! 2*8=16 after all and 16 becomes the "base" of the power in both cases.

A hacking script could apply the same hack routines to both the hidden Username AND password when trying to login. In reality the script is STILL only hacking one single password, as far as the hacking script is concerned the hidden Username and Password variables combine to effectively make ONE password "problem".

This new XOOPS system is simply... (Username+Password)^X=combinations

You can achieve the same number of possible combinations by simply increasing the minimal length of passwords at registration time.

Increasing the actual LENGTH of allowable passwords and having a limit on the number of failed login attempts would be a *REAL* security improvement and not just an illusion for Admins to FEEL things are safer.

A large password and login attempts limit is the real solution.

Xoops should not force ALL admins to include an extra field in their registration forms, just to make those admins who don't know better *FEEL* safer.

The reason this hidden username feature is NOT implemented in most other CMS's is probably because they realize it is no more secure. ????
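The keyspace arithmetic in the posts above numbered 12, 16 and 17 (the Loginname+Password combination, and the failed-login-attempt limit the poster asks for instead), as an added example that is not part of this thread or of XOOPS. It computes the keyspace as the alphabet size raised to the number of secret characters, shows that two secret fields of lengths L and P cover exactly the same keyspace as one field of length L+P, and models an attempt limiter. The alphabet size, the `LoginGuard` class, the credential store and the client addresses are all constructed assumptions; the loginname/password pair is the one from the posts.

```python
# Added example (not XOOPS code): keyspace arithmetic for one vs two secret
# login fields, plus a failed-attempt limiter. All names and values below are
# constructed for illustration.

ALPHABET_SIZE = 62  # assumption: upper- and lower-case letters plus digits


def keyspace_two_fields(login_len, pw_len, alphabet=ALPHABET_SIZE):
    """Pairs (loginname, password) an attacker who knows neither must cover."""
    return alphabet ** login_len * alphabet ** pw_len


def keyspace_one_field(pw_len, alphabet=ALPHABET_SIZE):
    """A single secret field of pw_len symbols."""
    return alphabet ** pw_len


def split_is_equivalent(login_len, pw_len, alphabet=ALPHABET_SIZE):
    """Two secret fields of lengths L and P give exactly the same keyspace as
    one field of length L+P, because a**L * a**P == a**(L+P)."""
    return keyspace_two_fields(login_len, pw_len, alphabet) == keyspace_one_field(
        login_len + pw_len, alphabet
    )


class LoginGuard:
    """Lock out after max_attempts failures, counted both per account and per
    client address, so that cycling through loginnames from one client does
    not hand the client a fresh budget for every name it tries."""

    def __init__(self, credentials, max_attempts=3):
        # Constructed demo store; plaintext only so the example is self-contained.
        self._creds = dict(credentials)
        self._account_failures = {}
        self._source_failures = {}
        self.max_attempts = max_attempts

    def attempt(self, source, loginname, password):
        if (self._account_failures.get(loginname, 0) >= self.max_attempts
                or self._source_failures.get(source, 0) >= self.max_attempts):
            return "locked"
        if self._creds.get(loginname) == password:
            self._account_failures[loginname] = 0
            return "ok"
        self._account_failures[loginname] = self._account_failures.get(loginname, 0) + 1
        self._source_failures[source] = self._source_failures.get(source, 0) + 1
        return "denied"


def guesses_allowed(guard, source):
    """Number of wrong (loginname, password) pairs one client can submit before
    the guard stops answering: the real budget, whatever the keyspace size.
    Each submission uses a different constructed loginname, so only the
    per-source counter can stop it."""
    n = 0
    while guard.attempt(source, f"name{n}", "wrong") != "locked":
        n += 1
    return n


if __name__ == "__main__":
    # Loginname "MyLogName" (9 chars) + password "Thumb123" (8 chars)
    # versus a single 17-character password: identical keyspace.
    print(keyspace_two_fields(9, 8) == keyspace_one_field(17))  # True
    guard = LoginGuard({"MyLogName": "Thumb123"}, max_attempts=3)
    print(guesses_allowed(guard, "203.0.113.7"))  # 3
```

Two practical notes on the design. First, the equality only holds if the loginname is as random as the password; real loginnames are usually names or e-mail addresses drawn from a far smaller space, so the "second password" is normally the weaker half. Second, a lockout counted only per account does not limit someone guessing loginnames, because each new name starts at zero; that is why the guard also counts failures per client address.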



18
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/4 16:23

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Quote:

guardian2k1 wrote:
I think if the new features of 2.2 bother you this much why did you upgrade? 2.2 is basically a floating version and will eventually be killed off when 2.4 is available for us. As for putting *protest* in the subject. I think is a little immature and not the way to go about things.

Just my 2 cents.


Well, I am quite young. So forgive my immaturity. Sometimes you have to make your point loudly to be heard.

It "bothers me" as you put it only because - overall - I really like XOOPS and this is in fact the WORST feature I have come across in Xoops. So I'm _really_ hoping the XOOPS Team do not carry this across in its current state to NEWER versions.

Time is limited with these things. Before too long tons of 3rd party modules will be accessing this new field and before you know it this will be cast in stone. I just want XOOPS to get it "right" and not force everyone to use this feature.

I'm sorry if PUSHING for what you regard as an improvement offends you Guardian2k1. I guess I'm just not one to express myself in a meek manner. I will try harder to please people with my tone in future.



19
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/4 15:49

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Quote:

skenow wrote:
I tend to agree with David on this - the feature isn't that confusing, and it does provide another level of security. I would only ask that the DISPLAYNAME have the same configuration as the user email field - allow the admin to turn on/off user edits of that field. Also, because of some of my sites need to be monitored for acceptable content (my church's, for example), I would like notification/approval for any changes, if the user can edit.


I feel, no matter what, there _definitely_ needs to be the option to prevent users CHANGING their display name. That is a given and I really have a difficult time understanding quite how the XOOPS team could possibly have implemented this feature without enabling Admins to be able to PREVENT users from changing their Displayname.

I think there will be a divide among XOOPS users as to whether this "feature" is useful or not. Both sides have valid reasons. Some, like you, will want to make use of it but others (and I guess the majority) will see this as an INTRUSION of their registration process. It will simply be an annoying, unnecessary field to them; cluttering up what they want to be a MINIMAL/QUICK registration process.

My argument is that sites have managed PERFECTLY well without this extra field for decades. I'm not denying that hackers CAN be a problem and anything to prevent them is welcome, but - in all honesty - for MOST sites, they are not an issue. Birdseed's post above is a prime example - running a site with 20000 since 2002 and no hacking attempts. I myself have never had a problem with account hackers either.

And please note I DO actually think this is an EXCELLENT idea for ADMIN and MOD accounts, but for user accounts on most sites it is nothing more than annoying overkill.

If XOOPS insist on having this Displayname field then it should be implemented in a TOTALLY optional way for Admins. That way those who want to increase security can and those grown-up enough to understand the "risks" (which are very minimal) involved in NOT using it are not *FORCED* to do so.

This is an obscure feature, not the NORM in CMS's, so please do not make us use this when many will see no need for it. If XOOPS do not implement this feature in an optional manner they will force people, like me, to HACK the XOOPS Profile modules. If people, like me, are not exactly expert PHP coders this will be an even BIGGER security risk than single user names!



20
Mandlea
Re: Can I remove Displayname from user registration (xoops 2.2.3)
  • 2006/2/4 14:18

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


there is a new protest thread / discussion to encourage the XOOPS Development Team to REMOVE this displayname "feature" here

just post and ask for it to be removed. hopefully the dev-team will listen and resolve this in their next XOOPS update



