The question is not whether it is useful or not the question is whether it is more secure or not. The answer to the latter is yes. And it should be an implementation on any secure CMS platform. Just like passwords usernames should never be displayed. It is half the combination to the safe.

I think that the idea that users not be able to change their displayname is a good one. And one I hope is implemented. But the idea of having a username for a display name should not be an argument at all.

XOOPS prides itself in security and should not turn it's back on any feature that increases that security. And to minimalize the risks as small, one needs to reevaluate what hard work they are willing to lose. No matter how long you go without being hacked, all it takes is that one time when lease prepared to change our minds.

If made optional, that is fine by me, but on (not off) by default. The username and display name need to be unique (personal opinion to prevent the username as displayname anyway). And the user should need administrator assistance to change there displayname if allowed at all.

Just voicing my opinions on this. (And this is from someone else not hacked in 4 years of websites, but refuses to let his guard down.)

Quote:

Well, I am quite young. So forgive my immaturity. Sometimes you have to make your point loudly to be heard.

It "bothers me" as you put it only because - overall - I really like XOOPS and this is infact the WORST feature I have come across in Xoops. So I'm _really_ hoping the XOOPS Team do not carry this accross in its current state to NEWER versions.

Time is limited with these things. Before too long tons of 3rd party modules will be accessing this new field and before you know it this will be cast in stone. I just want XOOPS to get it "right" and not force everyone to use this feature.

I'm sorry if PUSHING for what you regard as an improvement offends you Guardian2k1. I guess I'm just not one to express myself in a meek manner. I will try harder to please people with my tone in future

I think JD's solution (the option to prevent people from changing their displayname) is the best bet for future versions. Since it's a static field (compulsory even), it's not very likely the whole field will be made optional, especially when the whole point is to hide the login name for security reasons.

But I'm not a core developer, so I can't be certain. Maybe there will be a better way to deal with this in 2.3/2.4

Herko

Quote:

Well, quite honestly JD, I think hiding the Username from public is no more secure. It is a "security illusion" and it just makes Admins THINK things are more secure when in fact it is no more difficult to hack two seperate 8 character variables, then it is to hack one single 16 character password variable! 2*8=16 after all and 16 becomes "base" of the power in both cases.

A hacking script could apply the same hack routines to both the hidden Username AND password when trying to login. In reality the script is STILL only hacking one single password as as far as the hacking script is concerned the hidden Username and Password variables combine to effectively make ONE password "problem".

this new XOOPS system is simply... (Username+Password)^X=combinations

You can achieve the same number of possible combinations by simply increasing the minimal length of passwords at registration time.

Increasing the actual LENGTH of allowable passwords and having a limit on the number of failed login attempts would be a *REAL* security improvement and not just an illusion for Admins to FEEL things are safer.

A large password and login attempts limit is the real solution

Xoops should not force ALL admins to include an extra field in their registration forms, just to make those admins who don't know better *FEEL* safer.

The reason this hidden username feature is NOT implemented in most other CMS's is probably because they realize it is no more secure. ????

I agree with Mandlea in the sense that this should be an option for the webmaster for end users. webmasters can (and probably should, I am not a programmer so the technical discussion is beyond my knowledge) benefit from having a display name different than login name, but for end users this is confusing at least. why not make it an option? same goes for the 'remember me' feature that obviusly many people want so a hack exists, why not include it as an option and warn of the dangers? I dont say that security is not important, but for some sites is a trade off with ease of use. in my future site there is not much to be hacked, if someone gets the password of a user he/she can post on that name, change the info, the user will be pissed but no other major damage is done (if its not a webmaster accoutn w/more rights). on XOOPS for example one could ask for a display & login name, but this is a very technical community compared to most sites...

I find this very amusing to say the least and I can see arguments for both sides, but I don't think that its the fact its the information you have to give, its more the way that wording is very misleading to users when filling out a form.

The fact is, you are still only required to login with two sets of values, a login name and your password, but your username is shown when you have logged in.

TBH, I do not see the fuss over this? You still login the exact same way now, but your login name is shown all over the system. To me that is a security risk, yes! But, you are right; it does not go far enough. Windows will lock you out the system for so many minutes on 3 failed attempts for a little while. Only one user with that login name can login at one time.

As I said before, the wording on the registration form is so misleading and I can understand the confusion. Username should be replaced with login name and Display name should be your User/Display name and should be clearly defined as such. At the moment, non-technical users do not have a true understanding of the difference between them, and feel they are one of the same.

It is not a false sense of security, its a start in the right direction to keep your user information safe and right so it should be this way, but the difference between the two should be clearly defined and the user should be able (techy or not) the difference.

It’s not like your actually having to put in three different fields each time you login. You just have to know, this is the name you login in with and this is the information everyone will see you as on the system and your real name should only be shown if you feel like giving it.

ATB

Catz

John, there are *no* security advantages to this new name system. Period. After speaking to a pretty knowledgeable guy on IRC about an hour ago and thinking about it a little more, I am convinced that it's a pointless idea. Which is probably why very few systems use it and those that do simply do not *UNDERSTAND* that it does not prevent hacking anymore than a reasonable length, difficult to guess password and a login attempt limit.

The way hackers work, unless they are good enough to have accessed account details on file, is either through guessing or systematic trial-and-error. Their hacking scripts can still use this same old technique on the new XOOPS two-name system. So what EXACTLY is this new login scheme supposed to achieve? This is what I'm having difficulty understanding.

It's pure unsubstantial fluff and only makes Administrators feel warm inside because they understand very little and it makes them think they are doing something “security conscious” on their sites. The most substantial thing that can be done on this level is for admins to increase their minimum password limit, advise their users to choose a difficult to guess password and for the XOOPS Dev Team to hardcode a maximum login attempt limit routine. *THAT* would be a genuine step in the right direction.

*LONGER LOG-IN PASSWORDS & LOGIN ATTEMPT LIMITS*

Hackers have never needed to be able to SEE your password in order to hack it. By the very same token, they do not need to be able to see your login name before they begin hacking it. Unless you put a login attempts limit on users logging-in then the hackers will still be able to take pot-shots at guessing your login name all night-long until they guess correctly. In practice there is no difference between a fancy new HIDDEN login name and a traditional hidden password – even if you combine the two!

So you say: "oh, but it's more difficult to hack because they not only have to hack the password, but ALSO the hidden name!!! blah blah" Wrong!

Read my post #14 above. the loginname and password simply combine to make *ONE* single password problem in the eyes of most scripts that hackers will write.

(Loginname+Password)^X = possible combinations

X=number of ASCII character codes (256, I think?). Loginname and Password = number of actual characters that make-up each.

you can get that very same number of combinations from a password that's equal to loginname+password in length. It's not difficult Maths and the person from the XOOPS Dev Team who wrote the new login system should understand it.

Basically your security depends on LENGTH and creativity in chosing a password, not in creating another hidden loginname which will actually just be treated as another password by hackers. If XOOPS remove this silly new feature and just add a login failure limit routine it will pretty-much prevent any password hack attempts instantly...they simply will NOT be able to guess a long, creative password in, say, three attempts!

End of story, easy solution and no unnecessary potential confusion for users between Loginnames and Displaynames. (plus slightly shorter registration forms…which is always a good thing!)

I can’t really say anything more on this, it’s crystal clear to me. I just hope someone in the XOOPS Dev Team sits-up and pays attention and tries to understand the problem a little better.

I think it can only be turned into an option since it is already in use and just cutting it out now will create trouble for those that already use it. There is nothing speaking against making it optional and additionally implementing other stuff mentioned here.

I find this thread hilarious, stupid and a waste of peoples time. You can't remove a feature if its already been implemented in the core. Again, as I repeated in a previous post Xoops-2.2 is dead. If you feel this should be removed then I would suggest creating a patch for *those* that want to have this feature removed.

Most cms's I've tried have had a display name/login name. I don't see why XOOPS should be any different.

Quote:

I'm sorry, but you are a liar. I have recently tried Mambo, Drupal, e107 and Joomla - none of which use seperate usernames and display names. Also I have registered on counteless different websites over the years all of which would have been using MANY different systems - and you know what? I honestly can't remember the last time I was asked for a SEPARATE display name and login name.

Instead of laughing at threads, try to READ them and actually understand what is being said. If you read my posts maybe you'd understand WHY other CMS's do not use a separate displayname...because it's basically pointless irritating fluff that adds nothing of value to security.

The reason it should be an issue to us all NOW, even in 2.2*, is because we have no idea if the XOOPS Dev Team plan to include this in XoopsSphere. If we protest and speak-out about it NOW, hopefully they wont. But I guess you wouldn't get my way of thinking because your thoughts are probably very short-term and only about the "here and now"