~Bunbunmaru News~ > Front Page Headlines
ATTENTION: Profile changes!
ultramage:
I have a question. What are you DOIIIIIING?!
Is the issue with people whose login and display name is identical? What's so bad about it? The password is supposed to be the secret thing that protects your account, not your username O.o
And if it's something about logging out people whose accounts had password failures, then... don't end their sessions, and instead come up with something better?
Conqueror:
--- Quote from: ultramage on February 17, 2011, 05:08:36 PM ---I have a question. What are you DOIIIIIING?!
Is the issue with people whose login and display name is identical? What's so bad about it? The password is supposed to be the secret thing that protects your account, not your username O.o
And if it's something about logging out people whose accounts had password failures, then... don't end their sessions, and instead come up with something better?
--- End quote ---
If your login name isn't publicly visible, it can't be brute forced. That's what this is all about; making it so that the login handles aren't publicly visible.
--- Quote from: TheStupidOne on February 17, 2011, 04:44:39 PM --- Eventually I will have some sort of code that checks your display name and if they're the same will remove the tag from view.
--- End quote ---
Well that was fast. Thanks.
helvetica:
OK code in place to hide the nickname field if it matches your current display name. :3c
--- Quote from: ultramage on February 17, 2011, 05:08:36 PM ---I have a question. What are you DOIIIIIING?!
Is the issue with people whose login and display name is identical? What's so bad about it? The password is supposed to be the secret thing that protects your account, not your username O.o
--- End quote ---
No username, no bruteforcing. There's nothing to attempt password breaks at if you can't even get the login name. We're under bruteforce attack and will continue to be for the foreseeable future. I cannot block the attempts as they're coming from all over the place, so to reduce the attack surface we are keeping login names out of anything publicly viewable.
After being in IT for the past 8 years I've learned never to trust users to make secure passwords, or to use a unique password for each of their logins. Rather than enforce a password strength policy that does nothing except cause headaches, I've chosen to hide from prying eyes the big piece of the puzzle, the login name. The ONLY people attacked so far had their display name equal to their username. Without a valid login name they can sit there and spin their wheels as much as they want but will get nowhere.
--- Quote ---And if it's something about logging out people whose accounts had password failures, then... don't end their sessions, and instead come up with something better?
--- End quote ---
All current user sessions are invalidated when you fail to log in as a security measure. This is so active sessions cannot be hijacked if such a vulnerability surfaced. I will not be disabling this or changing the behavior.
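The two measures helvetica describes (the login handle kept out of every public view, the profile field hidden when it equals the display name, and all of an account's sessions dropped on a failed login), as an added Python sketch that is not the forum's own code; the account names, the separate `nickname` field and the plaintext passwords are constructed assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    login_name: str             # authentication handle; never rendered publicly
    display_name: str           # public handle shown on posts
    nickname: str               # assumed separate profile field, distinct from login_name
    password: str               # plaintext only to keep the example short
    sessions: set = field(default_factory=set)


# Constructed sample accounts (hypothetical names and passwords).
ACCOUNTS = {
    "reimu_h": Account("reimu_h", "Reimu", "Hakurei", "hunter2"),
    "marisa": Account("marisa", "marisa", "marisa", "kirisame"),
}


def public_profile(login_name):
    """Fields a visitor may see: the login handle is never included, and the
    nickname field is dropped when it matches the display name."""
    acct = ACCOUNTS[login_name]
    fields = {"display_name": acct.display_name}
    if acct.nickname != acct.display_name:
        fields["nickname"] = acct.nickname
    return fields


def login(login_name, password):
    """Return a session token on success. On failure every active session of
    the targeted account is invalidated, as the post describes, and the same
    generic result is returned whether or not the login name exists."""
    acct = ACCOUNTS.get(login_name)
    ok = acct is not None and hmac.compare_digest(
        acct.password.encode(), password.encode())
    if not ok:
        if acct is not None:
            acct.sessions.clear()     # drop live sessions on a failed attempt
        return None
    token = secrets.token_hex(16)
    acct.sessions.add(token)
    return token


def session_valid(login_name, token):
    """True while the token is still among the account's live sessions."""
    acct = ACCOUNTS.get(login_name)
    return acct is not None and token in acct.sessions
```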
Garlyle:
Honestly... the 'this is who it is!' type display is something I'm surprised didn't exist before!
Unassuming Squid:
--- Quote from: TheStupidOne on February 17, 2011, 05:15:03 PM ---OK code in place to hide the nickname field if it matches your current display name. :3c
--- End quote ---
Wow. That was fast.
I really have to commend you on the speed and efficiency with which this was taken care of. Great job, TSO.