#1 Posted on: 2012/3/25 17:46 Security and social engineering
This thread is to continue a good discussion started >>here<<

The question is what we can do to make XOOPS more secure when working with user accounts. We could make XOOPS safer by adding tricks like password expiry, but is adding safety by coding really the way to go? Don't we forget about social engineering and educating our visitors on how to prevent abuse of their identity and login credentials?



The Dutch speaking XOOPS community has moved!
____________________________________

For Dutch support now go to www.nlxoops.nl
flipse
Moderator
Moderator
Joined:
2005/9/15 4:11
From The Netherlands
Group:
Registered Users
Community Coordinator (temporary)
Posts: 701


#2 Posted on: 2012/3/25 18:40 Re: Security and social engineering
The reason social engineering attacks work so well is that most people are lazy and use the same password on every site.

With browsers saving your passwords, this can help as long as you are the only one using your computer (or account) and you don't have a virus.

As far as browser issues go, it really doesn't matter which browser or which OS you are using.

For instance, with Firefox, if you use Sync to sync your passwords across different computers but don't protect the password list with a secure password, you might as well have the same password across all of the sites...

Other than people making sure they use different passwords on every system and that they are not easy passwords, it is not simple. You can educate the users, but if they don't care there is nothing short of coding that you can do to force the issue.

As an example, let's look at the XOOPS system and two items that have been done for security reasons.

The secure.php file that has been added, as well as the whole trusted path series, is a good thing. I always used something similar with my database information, but who else here did? If you have a problem on your system and the web server dumps the whole directory, then a hacker can get easy access to your database information without the information being outside the document root.

Another thing was putting the prefix on the database tables. This was done so that even if someone had access to the database name, they could not easily choose the right tables. Who would have done this if it wasn't forced?

The point is, you see more and more systems forcing users to use specific setups for their passwords for a reason.





Attending College working towards Bachelors in Software Engineering and Network Security.
redheadedrod
Home away from home
Home away from home
Joined:
2008/2/26 10:05
From Grand Rapids, MI
Group:
Registered Users
Posts: 1069


#3 Posted on: 2012/3/25 22:19 Re: Security and social engineering
I think we could add some choices for the Admin in the Config to decide how secure his XOOPS installation should be.

For example, the Admin could decide on issues like:

- what is the minimum length of the required password
- should special characters be required
- when should the password expire (e.g. every 6 months)

So by letting the Admin decide how rigid they want to be with security, we will make a better XOOPS, without forcing it on people.

Regarding education, we could add to Registration the same "password security" check as there is during installation, so the user is aware that his password is not secure. (BTW - to check your own password, check it on the website of Steve Gibson, a known security expert.)

To create SUPER SECURE passwords, go to another site by Steve Gibson.

Some people recommend longer but easy-to-remember passwords rather than short and complex ones. See this article, although the discussion is still going on, as you see from this article.

However, the password suggested by the first author, "yummy salted peanuts", seemed to be pretty secure, as tested on the Haystack website.







Please support XOOPS & DONATE
Use 2.5.6 | Debugging | Requests | Bugs
Mamba
Moderator
Moderator
Joined:
2004/4/23 13:58
From Ohio, USA
Group:
Webmaster
Registered Users
Designer Group
Posts: 6939
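The admin-configurable policy proposed in post #3 (minimum length, required special characters, expiry) and the search-space comparison from the "haystack" test, written out as an added PHP example. This is not XOOPS code: the class name `PasswordPolicy`, the option names, the defaults and the 33-character symbol alphabet are assumptions for illustration, and the code assumes PHP 8.1 or later.

```php
<?php
// Added example, not XOOPS code. Models the admin-selectable password policy
// discussed in the thread; option names and defaults are assumptions.
declare(strict_types=1);

/** Settings an admin would pick in the config screen (assumed names/defaults). */
final class PasswordPolicy
{
    public function __construct(
        public readonly int  $minLength       = 8,
        public readonly bool $requireSpecial  = false,
        public readonly int  $expireAfterDays = 0   // 0 means passwords never expire
    ) {}
}

/**
 * Check a candidate password against the policy.
 * Returns a list of human-readable problems; an empty list means it passes.
 */
function checkPassword(string $password, PasswordPolicy $policy): array
{
    $problems = [];
    if (mb_strlen($password) < $policy->minLength) {
        $problems[] = sprintf('must be at least %d characters', $policy->minLength);
    }
    // "Special" = anything that is not a letter or a digit; spaces count, so a
    // passphrase like "yummy salted peanuts" satisfies the rule.
    if ($policy->requireSpecial && preg_match('/[^\p{L}\p{N}]/u', $password) !== 1) {
        $problems[] = 'must contain at least one special character';
    }
    return $problems;
}

/** True when the stored password is older than the configured expiry window. */
function passwordExpired(int $lastChangedTs, PasswordPolicy $policy, ?int $now = null): bool
{
    if ($policy->expireAfterDays <= 0) {
        return false;
    }
    $now ??= time();
    return ($now - $lastChangedTs) > $policy->expireAfterDays * 86400;
}

/**
 * Rough "haystack" size: (alphabet of the character classes present) ^ length,
 * returned as log2 so it does not overflow. This models exhaustive search only;
 * it says nothing about dictionary or reuse attacks, which is the caveat raised
 * in the linked discussion about passphrases.
 */
function searchSpaceBits(string $password): float
{
    $alphabet = 0;
    if (preg_match('/[a-z]/', $password))         $alphabet += 26;
    if (preg_match('/[A-Z]/', $password))         $alphabet += 26;
    if (preg_match('/[0-9]/', $password))         $alphabet += 10;
    if (preg_match('/[^a-zA-Z0-9]/', $password))  $alphabet += 33; // assumed: printable ASCII symbols incl. space
    if ($alphabet === 0) {
        return 0.0;
    }
    return strlen($password) * log($alphabet, 2);
}

// Demo with constructed sample values: a strict policy, a short complex password
// and the passphrase from the thread.
$policy = new PasswordPolicy(minLength: 12, requireSpecial: true, expireAfterDays: 180);
foreach (['P@ss1', 'yummy salted peanuts'] as $candidate) {
    $problems = checkPassword($candidate, $policy);
    printf("%-22s %6.1f bits  %s\n", $candidate, searchSpaceBits($candidate),
        $problems ? implode('; ', $problems) : 'OK');
}
// A password last changed 200 days ago is expired under a 180-day policy.
var_dump(passwordExpired(time() - 200 * 86400, $policy));
```

Under this policy the short password fails on length and scores roughly 33 bits of exhaustive search space, while the twenty-character passphrase passes and scores roughly 118 bits; the estimate deliberately ignores dictionary attacks, so a registration check built on it should be presented to the user as a lower bound on effort, not a guarantee.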