61
m0nty
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 3:37

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


agreed.

as asked for earlier in this thread, the ability to enable/disable users from changing their displayname once set.

open up modules/profile/xoops_version.php

find:

$modversion['config'][22]['name'] = 'allowed_groups';
$modversion['config'][22]['title'] = '_PROFILE_MI_ALLOWVIEWACC';
$modversion['config'][22]['description'] = '_PROFILE_MI_ALLOWVIEWACC_DESC';
$modversion['config'][22]['formtype'] = 'group_multi';
$modversion['config'][22]['valuetype'] = 'array';
$modversion['config'][22]['default'] = array(XOOPS_GROUP_ADMINXOOPS_GROUP_USERS);
$modversion['config'][22]['category'] = 'settings';


Add Right After

$modversion['config'][23]['name'] = 'allow_chgdisplayname';
$modversion['config'][23]['title'] = '_PROFILE_MI_ALLOWCHGUNAME';
$modversion['config'][23]['description'] = '_PROFILE_MI_ALLOWCHGUNAME_DESC';
$modversion['config'][23]['formtype'] = 'yesno';
$modversion['config'][23]['valuetype'] = 'int';
$modversion['config'][23]['default'] = 0;
$modversion['config'][23]['category'] = 'settings';


Save file

Open modules/profile/language/english/modinfo.php

Add (anywhere)


define("_PROFILE_MI_ALLOWCHGDISPLAYNAME""Allow users to change their display name?");
define("_PROFILE_MI_ALLOWCHGDISPLAYNAME_DESC""");


save file

Open modules/profile/edituser.php

Find


if ($xoopsModuleConfig['allow_chgmail'] == 1) {
            
$edituser->setVar('email'$email);
        }


Add right after

if ($xoopsModuleConfig['allow_chgdisplayname'] == 1) {
            
$edituser->setVar('uname'$myts->stripSlashesGPC(trim($_POST['uname'])));
        }


Find

$edituser->setVar('name'$myts->stripSlashesGPC(trim($_POST['name'])));
        
$edituser->setVar('uname'$myts->stripSlashesGPC(trim($_POST['uname'])));


REPLACE with
$edituser->setVar('name'$myts->stripSlashesGPC(trim($_POST['name'])));


Find

$edituser->setVar('loginname'$myts->stripSlashesGPC(trim($_POST['loginname'])));
            
$edituser->setVar('email'$email);


REPLACE with

$edituser->setVar('loginname'$myts->stripSlashesGPC(trim($_POST['loginname'])));
            
$edituser->setVar('uname'$myts->stripSlashesGPC(trim($_POST['uname'])));
            
$edituser->setVar('email'$email);


SAVE File

open modules/profile/include/forms.php

Find


$elements[0][] = array('element' => new XoopsFormText(_PROFILE_MA_DISPLAYNAME'uname'2575$user->getVar('uname''e')), 'required' => 1);
    
$weights[0][] = 0;


REPLACE WITH

$uname_tray = new XoopsFormElementTray(_PROFILE_MA_DISPLAYNAME'');
    if (
$user->isNew() || $xoopsModuleConfig['allow_chgdisplayname'] == || $xoopsUser->isAdmin()) {
        
$uname_text = new XoopsFormText('''uname'3060$user->getVar('uname'));
    } else {
        
$uname_text = new XoopsFormLabel(''$user->getVar('uname'));
    }
    
$uname_tray->addElement($uname_text, ($user->isNew() || $xoopsModuleConfig['allow_chgdisplayname'] == 1));
    
$elements[0][] = array('element' => $uname_tray'required' => 0);
    
$weights[0][] = 0;


Save File.

now goto admin, and update the profiles module from the modules admin page.

you're finished!

you can now select whether users can change their display name from the extended profile general preferences screen.

62
skenow
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 4:08

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Good answer.

63
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 4:13

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Quote:

skenow wrote:
That's a lot of math! But, I'm going to correct a few errors in assumptions -

A standard 101-keyboard has more than 36 choices for characters. And, the standard XOOPS system allows using case-sensitive passwords with alphanumeric and symbolic characters. Not all symbols are allowed, but enough are to make things interesting.

Users are funny - they don't care much about security, at least here in the US. Why do you think your Social Security number gets used for identification (it's not supposed to be, according to the Social Security Administration)? Why do banks ask for your mother's maiden name? People can't remember lots of different abstract bits of information. They need to have it relate to something. So, people pick easy to remember (and guess) passwords.

I agree that splitting the authentication into multiple fields does not increase the complexity of the 'password' (there is still only one combination that will unlock the code), but it does make it longer. I disagree that not knowing part of the 'password' doesn't make it harder. It is true the number of possibilities doesn't change, but the number of guesses does. If not knowing part doesn't matter, why do password fields use masking? As an example, this post contains my user name. Without any other information, what domain is my email address in? It could be any of over 63,364,626 domains registered worldwide. domain registrations.

The *nix argument about the root user is somewhat interesting, but not quite the same as what is being discussed here. *nix administrators know about the root user and how to prevent an attack on that user. It's there, but they do something to protect that account, and limit all other accounts from elevating themselves to greater priveleges. Those of us that have experienced attacks on our sites make #OOPS# sure we change the MySql root user password, the anonymous user access to the db, the anonymous ftp users, and protect our web directories with htaccess files, Windows user groups, etc. We're talking about general users and the vulnerability we have as site administrators when we don't put some restraints on accessing and posting content to our sites.

While there may be 'social' hackers just guessing at username/password combinations, there are a great deal more of crackers out there that are using brute force attacks and dictionary attacks on passwords, along with packet sniffers and keyloggers.

Basically, increasing security does increase inconvience, and any web or system administrator needs to be able to determine which end of the spectrum they are comfortable with, and which provides them with the best balance for the user experience and the information you are responsible for.



I actually already knew that the ASCII character-set, or UNICODE character-set (or whatever ISO has decided to call it these days) used on keyboards is made-up of more than 26 letter and 10 numbers. Come on, give me some credit here! The point was to try and make my examples as simple as possible so you could all see the basic PRINCIPLE, without being distracted by minor details.

Whether people in the States value security or not is not really important as a whole to this discussion. What is important is trying to establish whether a Displayname really adds to security for those who do value it. I have just proven that it doesn't. It's up to people to see that proof for themselves. Or not, as no doubt will be the case.

Keyloggers and packet sniffers are also not really related to this issue. They are about LOCAL user-end security - XOOPS can not really do much to solve that problem.

You said..."If not knowing part doesn't matter, why do password fields use masking?" The inverse to that is: If knowing part of a login DOES matter, why do MicroSoft, Gmail, Yahoo Mail and most all the other COMMERCIAL portals, news and mail systems still use the old Username/Password system? Just as one example: I have a Microsoft Hotmail email account which uses the old Password system. All users log into Hotmail accounts with their, generally speaking PUBLICALLY available, email addresses and the ONLY thing protecting your account is a, hopefully sensible, PASSWORD. This is common on 95% of large scale BIG BUCK COMMERCIAL systems. We are not talking small "community portals" here, these are LARGE-SCALE international corporations under constant attack from hackers who would love nothing more than to bring them and their users to their knees. They've spent BILLIONS combined on security research and even THEY have to concede that the old-style login system is most effective. They rely on USERS picking sensible passwords and login attempt limits - thats all.

You know WHY that is? because they’ve understood what I have tried to explain to you in my last post. That’s all. If you want the answer…re-read that post continually until it “clicks”. Hopefully it will and then all will become clear.

bah, bored of this thread now anyway. Unless anyone can give me a good argument

64
skenow
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 4:38

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

Mandlea wrote:
the total exponential odds are 1,296 * 1,296 = 1,679,616 !


This is what I read...

If I don't know any of the characters in a 4-character username/password, there are 1,679,616 possibilities for me to brute force guess. (more if you use all acceptable ascii characters)

If, on the other hand, I already know 2 characters (the username), I only have 1,296 combinations to guess.

Or, did I mis-interpret your example?

65
MadFish
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 4:38

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


I might argue more if you wrote shorter posts

66
Mantooth
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 16:03

  • Mantooth

  • Friend of XOOPS

  • Posts: 189

  • Since: 2004/11/2


Quote:

MadFish wrote:
I might argue more if you wrote shorter posts



for real...

most of mandlea's posts could have just said "A longer password is just as effective as the hidden login name"


Personally, I don't like the feature at all. But I don't mind it being there as long as it's optional or the users can't change their displaynames.
...


I hate Mortal Kombat

67
davidl2
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 17:57

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Quote:

Mantooth wrote:
But I don't mind it being there as long as it's optional or the users can't change their displaynames.


Likewise...

68
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 20:16

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Quote:

Mantooth wrote:
But I don't mind it being there as long as it's optional or the users can't change their displaynames.


Likewise...[/quote]

I'm just going to ignore the complete and utter ignorance of people saying the posts were too long. Really, that's shockingly ignorant. But then I guess that's just today's society...if it's not a catchy "soundbite" they're not interested. Too much effort involved.

Anyway, I too will be COMPLETELY happy...despite all my postings...if this thing is optional. I really could not care if others have the choice to use it. As long as *I* am not forced to

That really is my last word here, just wanted to cast my vote on that one

69
m0nty
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/7 22:21

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


the thing is mandlea,

whilst you have your opinion, there are those that have a difference in opinion.. the feature you are referring to was a much asked for feature for a long while before 2.2 was even began.. in fact it was asked for many times and even pleaded for having.. and now it's done there are new members like yourself, and even not so new members who don't agree with or want the new feature. existing members really could have voiced their concerns at the time, new members obviously couldn't.. but the fact remains, it was implemented.. usually a hack would have to be made..

i have already posted the how to with regard to stopping users changing displayname..

it's a case of what 1 person likes, others may not.. and XOOPS tries to cater for every1.. so optionally i think it's a good idea to make it optional.. but i do not agree with your reasoning and process of your argument..

many of the commercial systems you refer to don't because it's a big change, they aren't exactly a CMS, and have very different login and authentication systems.. microsoft for example uses .NET authentication.

but for your information I have seen and registered on many sites that do use a hidden username and visible display name system quite effectively. both commercial and non commercial.

sure yes it forces crackers to use random strings to search with so essentially they may expose other usernames.. but hell they can do that anyway with or without. and many crackers and idiots intent on causing havoc, don't care whether they get admin usernames/passwords (it's a bonus to them if they do) but not a basic requirement to cause grief and havoc on a site.. but to be honest, cracking via brute forcing is not for advanced crackers, script kiddies and beginners yes.. but an advanced and knowledgable cracker would not waste his time, he would use other methods..

a hacker wouldn't even do that, he would write his own software and use even more advanced techniques.. a cracker is not a hacker!!

hackers are very rarely malicious, a cracker tends to be malicious and usually always is..

and another point being is if you are intent on running a website and being an admin of a site, then really you should have a bit of common sense and not have easy passwords, that alone suggests that really you have a lot more to learn about being a webmaster or running your own site.. (when i say 'you' here, i am speaking generally and not referring to you as a single person)

this of course is my own opinion.

70
skenow
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/9 2:51

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Here's a few good things that came out of this thread (good, IMHO)

* Skalpa committed to increasing the default for minimum length of username and password
* Monty provided code to keep users from changing their display name, leaving it under the control of the administrators
* Talk of including maximum attempts before being locked out (via Protector or core code)

Overall, the discussion should lead to XOOPS improvements. Exactly what we need.

Login

Who's Online

236 user(s) are online (177 user(s) are browsing Support Forums)


Members: 0


Guests: 236


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits