31
alitan
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 15:16

  • alitan

  • Quite a regular

  • Posts: 399

  • Since: 2004/3/14


I totally agree with davidl2.
My Persian Xoops Project:
http://www.MPXP.org

32
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 17:15

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


I agree with you guys calling for an end to personal insults, it’s not necessary and the purpose of this post is not to offend people, only to urge the XOOPS Team to take a REAL considered look at this new feature and its worth.

“…stopping people from changing their names if they are trouble isn’t the issue - preventing them from causing trouble is the important issue.”

I thought the issue was the actual value and worth of this new feature? What is it’s intended purpose? I’m quite sure, even though currently users are able to do so in v2.2*, that the ability to allow users to change their displayname at will was not the ultimate goal and the XOOPS Team’s reason for adding it. That feature could have more easily been added by simply making the OLD Username editable from within profiles - with no need to add an additional field (Displayname)

It seems more likely that this has been added in an attempt to increase security. In that case, what we should be asking is whether a separate Displayname ACTUALLY increases security at all versus the old username/password method. I have realized it doesn’t.

I can understand people’s mistaken immediate acceptance of this new feature. At first glance it’s very attractive. In fact, if XOOPS hadn’t got me thinking about this as a whole by allowing the Displayname to be editable and made it static, I probably would not have questioned it myself. Like many people, I would have just accepted it as a very good security measure. However, the moment you do begin to actually analyze it you begin to realize that a hidden Loginname effectively boils down to a second password. Instead of typing your password into ONE field called Password, you are splitting the password in two and typing it into TWO fields, one called Loginname and the other Password when you login.

At the end of the day this new hidden loginname *IS JUST A SECOND PASSWORD* - that is an important KEY fact to bare in mind and easy to overlook! There is no mystical magic in this hidden Loginname system…it is just a dual password system.

Now, if you can make this leap of faith and accept the truth of the matter: that Loginname IS indeed just a second password then it’s time to extend the logic and ask more questions.

The next question would be: “What benefit is there in having TWO passwords over the old ONE password system?” Since thinking about it and questioning a person with far more knowledge than myself on security matters, I have realized there is *NO* benefit in having two passwords! None whatsoever, it’s simply a “security illusion” that tricks us (admins) with its immediately appealing false sense of security.

Now the mistake that some of us in this thread are making is in thinking that somehow by a hacker not immediately being able to SEE a user’s Loginname we gain more security because they don’t know half the key and have to work harder to find our actual Loginname. This seems to be the false assumption and I’ll try to explain why it is false, WITHOUT the maths this time!

As far as hackers are concerned, the loginname is IDENTICAL in principle to the old Password we all know and will be treated in exactly the same way when they attempt to hack an account. The only difference now is that they will have TWO passwords to hack instead of one, but that will not be a problem as their scripts will simply combine Loginname and Password into ONE and treat them as one old-style “password problem”.

For example, suppose your new XOOPS Loginname is “MyLogName” and your Password is “Thumb123” then the new SINGLE password solution is: MyLogNameThumb123, which is basically equivalent to an old-style password. A hacker will simply guess at this in the old way, combining both the new Loginname and Password fields simultaneously, until he finds the correct combination of letters, words and numbers.

As I’ve just said, “MyLogNameThumb123” is equivalent to a password you might have chosen in the old password system and a hacker can just as easily find it in this new XOOPS dual-password system:-

Loginname: MyLogName
Password: Thumb123

…is no more difficult to hack then:-

Username: Tom
Password: MyLogNameThumb123

Granted, the password solution has to be SPLIT on entry in the new system (to enter it into the two separate fields) but that is no barrier to an automated hack-script or even someone just typing in the password solution manually.

Here are some equivalent comparisons between the traditional Username/Password and Xoop’s new 2.2* Displayname log-in system.

Old style log-in:-

Username: Tom
Password: Thumb123

New XOOPS style login:-

Displayname: Tom (plays no part in actual security checking)
Loginname: MyLogName
Password: Thumb123

Improved old style login:-

Username: Tom
Password: MyLogNameThumb123

Even more improved old style login:-

Username: Tom
Password: y1MgoLem2aNbm3uhT

The “Even more improved old style login” above is in fact a LOT more difficult for a hacker to hack than the “New XOOPS style login” example and is the ideal user login.

If you have read and understood all of the above then you will realize exactly WHY most other CMS’s and other highly security conscious systems (such as Unix* and Windows) do NOT bother with a separate user Displayname. It’s not because they are sloppy with their security, (Unix* systems are the most secure in the world) it’s because Displaynames add absolutely NO improvement to security and probably cause more hassle and confusion in the long-run.

The answer to improving Xoop’s login security is not to tag an additional redundant limb onto the user login process. The *REAL* solution is for admins to advise users duering registration on how to pick a Password. It should be AT LEAST 8 characters long and consist of both alphabetic AND numeric symbols, there should be NO identifiable words in a password: PasswordMy12, for example is a no no! As well as advising users, admins could also enforce a minimum password length of 8.

Imo, since understanding this issue a little better over the past couple of days, this new Displayname feature should not even be an option. It simply should not be in XOOPS because it adds nothing to the system as a whole except confusion for users and an extra field to fill during registration. But that is only my opinion. If it MUST be included, then it should be a separate module, not compulsory and embedded in the kernel of Xoops.

If we combined sensible passwords WITH an inbuilt Xoop’s maximum password attempt limit, it would be the ultimate defence against account hackers. Far more effective than a Displayname system. Displaynames are a security illusion, there’s no denying that, and I just want XOOPS to remain “Fluff free” and continue to be a non-gimmicky CMS. It’s currently one of its greatest strengths!

33
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 18:18

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


Anyway, i think the above post (#32) is probably the best formulation of my argument so far in this thread! It's gone through a lot of revisions, lol.

I'm quite new to XOOPS so I don't know who I'd contact to get this message home, but surely there are XOOPS Devs reading this who'd know exactly who should read this to help make a change if it possibly could be made.

So would someone mind emailing this to maybe the guy/s overseeing the "login system" section of Xoops...I'd really appretiate it.

34
patagon
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 18:25

  • patagon

  • Quite a regular

  • Posts: 235

  • Since: 2002/1/8 0


Mandlea, if you are hacking the files to remove this feature, and if others dont agree with you (and therefore dont make this optional, which I think is the only solution that woiuld please everybody) could you provide the files/instructions so that users who dont like this new feature have an option? I've seen many people asking to get rid of displayname, so for shure there is an interest on this. I guess more people would be interested if they were able to see how this confuses users.

35
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 18:45

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


I definitely will Pentagon. Although it's quite a long process involving editing quite a few lines in a lot of the Extended Profiles module files. So I will need to take some time to remember all the different edits I made and layout the instructions clearly.

36
mawi27
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 19:25

  • mawi27

  • Friend of XOOPS

  • Posts: 103

  • Since: 2006/1/1 1


Dear mandlea,

in a windows or unix system you have to be system administrator, to see a list of all login names.

A Hacker must in fact use brute force or social hacking to get a username and then has to do the same with the password.

In a XOOPS environment, a hacker registers himself as a new user and then takes a look at the users list. With the username=loginname he has access to all loginnames and needs only to hack through the passwords.
So your comparison between unix and XOOPS is not quite as simple as you state it here.
What kind of users do you address on your homepage, that you believe they choose passwords as komplex and secure as you have written in your example? Normal users (not internet security specialists ) tend to use name_of_my_1st_child_and_part_of_my_wifes_birthdate or similar.

I agree with you, that this feature is an additional source for confusion and therefor support issues, but i cannot follow your argumentation. This gets a bit to academic and way to aggressive for my taste.

Also I think, with your teaching wording it is fairly improbable that anyone who is in a positon to do this change has a strong motivation to do so for you.

So i suggest you calm down a bit and let people think about the pros and cons.

Marco
--
Match Dart!
Darts Ranking, News, Videos, Forum and more

37
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 20:22

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


mawi27, Root, Baron and Avator are all comoun Unix superuser defaults. I don't think many systems disable them even today. Many people know these default names, and systems only get hacked if they have poor passwords.

you are correct, you cannot expect the "average" user to choose a SECURE password.

But then, think about it, you will not be able to expect those same users to pick a secure Loginname either So where is the advantage in having a Loginname? The point is the Loginname is JUST as hackable as any password

38
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 20:36

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


I would like anyone who doubts what I'm saying to answer this simple question:

In what way is it more difficult to to guess these TWO seperate words:-

1. Apple
2. Cart

Then to guess this SINGLE word:-

1. CartApple


????


39
mawi27
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 20:42

  • mawi27

  • Friend of XOOPS

  • Posts: 103

  • Since: 2006/1/1 1


The difference is you don't have to guess the first word.
As we all by now know that your login name is Mandlea its just to guess the second word and thats a difference.

Everybody has now understood your point of view!

Marco
--
Match Dart!
Darts Ranking, News, Videos, Forum and more

40
Mandlea
Re: Protest Thread to *REMOVE* Displayname Field From Xoops...
  • 2006/2/5 20:50

  • Mandlea

  • Just popping in

  • Posts: 25

  • Since: 2006/2/3 0


you've told me the difference, but you have not explained HOW it is more difficult...

My account details could be so in the new XOOPS Displayname system:

Displayname: Mandlea
Loginname: Apple
Password: Cart

that's no more difficult to hack than:

Username: Mandlea
Password: CartApple

I think I have won

Login

Who's Online

293 user(s) are online (153 user(s) are browsing Support Forums)


Members: 0


Guests: 293


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits