jimmyjimjim (Lieutenant)
Joined: Jan 23, 2003, Posts: 258, Location: USA
Posted: Fri Feb 21, 2003 7:17 pm

I think the security graphic used during registration is fantastic! But does nuke really need the graphic to log into "Your Account"? It seems a little excessive, and I fear it will drive users away due to the now cumbersome login procedure.

ArtificialIntel
Joined: Jan 31, 2004, Posts: -88
Posted: Fri Feb 21, 2003 7:34 pm

Yes it does, because it's a further security measure against bots hacking the site.
Artificialintel

Zhen-Xjell (Nuke Cops Founder)
Joined: Nov 14, 2002, Posts: 5939
Posted: Fri Feb 21, 2003 7:47 pm

This new security code is in direct response to this news article I alerted fbc to:
http://nukecops.com/article55.html
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]

jimmyjimjim (Lieutenant)
Joined: Jan 23, 2003, Posts: 258, Location: USA
Posted: Fri Feb 21, 2003 8:00 pm

Doesn't it seem a little bit like fighting windmills?
The association with registration seems reasonable. But the continued requests for user identification are redundant. There has got to be another method. Perhaps the system could send the user an email after 3 failed attempts, something similar to all the other web communities (yahoo, aol, blah blah blah).
I think all this security is fantastic, but at what expense? You can't always expect your clients to go the extra distance to protect your website when they don't have to go that distance at your competitor's website. The login process should be as simplified as possible for the everyday user.
Just my two cents.

Zhen-Xjell (Nuke Cops Founder)
Joined: Nov 14, 2002, Posts: 5939
Posted: Fri Feb 21, 2003 8:05 pm

I'm a moderator at dslreports.com. Once a week we are asked to relogin. For a couple of years that feature was not present, and now it is. The site is very busy with forum posters and it hasn't stopped folks from logging in. I'm sure in another month or two folks will get used to this feature.
_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]

jimmyjimjim (Lieutenant)
Joined: Jan 23, 2003, Posts: 258, Location: USA
Posted: Fri Feb 21, 2003 8:19 pm

I understand the significance of the check. However, I feel a more appealing solution could be implemented. Take for example a user who has a vision disability.
1. The graphics are pretty darn small. If you're not wearing your magnifying glasses, you might not be able to see the image. (Not all of us have perfect vision.)
2. Wouldn't it be easier to throw the login screen under a cert (https://) rather than keep having this hard-to-read random image pop up?
What is the threat level without it, on a scale of 1 to 5?
Rules of ORM (operational risk management/assessment) would place a value of concern on this threat.
Take those numbers and jumble them up with usability. If your equilibrium still mandates the 60-second check, then so be it. At least give the administrator the option to turn it off.
1. Registration image check [ yes / no ]
2. Admin login image check [ yes / no ]
3. User / "Your Account" image check [ yes / no ]

sixonetonoffun (Major)
Joined: Jan 13, 2003, Posts: 892
Posted: Fri Feb 21, 2003 9:28 pm

ArtificialIntel
Joined: Jan 31, 2004, Posts: -88
Posted: Sat Feb 22, 2003 4:57 am

Look, if you don't like it, then comment it out in the Your_Account index.php.
However, like I said before, most of the security issue has been with bots trying to break into EXISTING accounts, not new ones. So the Security Graphic has my FULL support in staying in there. It's the best idea the Nuke community has had.
I might like to also add that https isn't infallible. Sure, it makes it harder for hackers to intercept people's passwords as they're being transmitted (unless you're on about the way that PostNuke does it, which fails miserably because it sends the password across the internet before the https is started. Oops.), but that assumes that hackers want to simply intercept the password. Most go for a more direct approach and brute-force the password by bombarding the site with usernames and passwords.
ArtificialIntel

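The two positions in the thread, jimmyjimjim's "challenge only after 3 failed attempts, with an admin option to turn the image check on or off" and ArtificialIntel's "bots bombard existing accounts with username/password pairs", can be reconciled in code. The following is an added example in Python, not PHP-Nuke's Your_Account module or any poster's code. It keeps the password check open for a first attempt, demands the extra step (image code, or an e-mailed confirmation, the example does not care which) once an account has accumulated FAIL_THRESHOLD recent failures, and hard-locks the account after LOCK_AFTER failures. The thresholds, the in-memory stores, the account and function names, and the sample account are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# All thresholds are assumptions chosen for the example.
FAIL_THRESHOLD = 3        # failures before the image code / e-mail step is demanded
WINDOW_SECONDS = 15 * 60  # failures older than this are forgotten
LOCK_AFTER = 10           # failures within the window that hard-lock the account
LOCK_SECONDS = 30 * 60
PBKDF2_ROUNDS = 20_000    # kept low so the example runs quickly; use far more in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes


@dataclass
class LoginGate:
    """In-memory stand-in (assumption) for the user table and a failed-login log."""
    always_challenge: bool = False   # the admin toggle: True means the check on every login
    accounts: dict = field(default_factory=dict)
    failures: dict = field(default_factory=lambda: defaultdict(list))  # user -> failure timestamps
    locked_until: dict = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def _recent_failures(self, user: str, now: float) -> int:
        self.failures[user] = [t for t in self.failures[user] if now - t < WINDOW_SECONDS]
        return len(self.failures[user])

    def challenge_required(self, user: str, now: Optional[float] = None) -> bool:
        """Does the next attempt on this account need the extra step?"""
        now = time.time() if now is None else now
        return self.always_challenge or self._recent_failures(user, now) >= FAIL_THRESHOLD

    def login(self, user: str, password: str, challenge_passed: bool = False,
              now: Optional[float] = None) -> str:
        """Returns 'ok', 'bad_password', 'challenge_required' or 'locked'."""
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.challenge_required(user, now) and not challenge_passed:
            return "challenge_required"      # the password is not even checked
        acct = self.accounts.get(user)
        # An unknown user still costs one hash and a constant-time compare, so the
        # response time does not reveal whether the account exists.
        salt = acct.salt if acct else b"\x00" * 16
        digest = acct.digest if acct else b"\x00" * 32
        ok = hmac.compare_digest(_hash_password(password, salt), digest) and acct is not None
        if ok:
            self.failures[user].clear()      # a good login resets the counter
            return "ok"
        self.failures[user].append(now)
        if self._recent_failures(user, now) >= LOCK_AFTER:
            self.locked_until[user] = now + LOCK_SECONDS
        return "bad_password"


def simulate_bot(gate: LoginGate, user: str, guesses: list, now: float = 0.0) -> int:
    """A bot hammering one account with a wordlist, one guess per second.
    Returns how many guesses were actually tested against the password."""
    tested = 0
    for i, guess in enumerate(guesses):
        result = gate.login(user, guess, now=now + i)
        if result in ("bad_password", "ok"):
            tested += 1
        if result == "ok":
            break
    return tested


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("alice", "correct horse battery")            # constructed sample account
    print(gate.login("alice", "correct horse battery", now=0))  # ordinary user, no image code
    print(simulate_bot(gate, "alice", ["123456", "password", "letmein", "qwerty", "alice"]))
    print(gate.login("alice", "correct horse battery", now=100))  # now the extra step is needed
```

With always_challenge left False an everyday user never sees the image, while the bot gets exactly FAIL_THRESHOLD real guesses per window before every further attempt is refused without touching the password check; the hard lock catches a human who solves the challenge and keeps guessing. Setting always_challenge=True reproduces the current behaviour for administrators who prefer it.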
Zhen-Xjell (Nuke Cops Founder)
Joined: Nov 14, 2002, Posts: 5939
Posted: Sat Feb 22, 2003 7:38 am

jimmyjimjim (Lieutenant)
Joined: Jan 23, 2003, Posts: 258, Location: USA
Posted: Sat Feb 22, 2003 10:52 am

chris-au (Elite Nuker)
Joined: Jan 31, 2003, Posts: 717
Posted: Sat Feb 22, 2003 10:29 pm

I don't have 6.5 yet, but I have seen the login.
Not very good for handicapped people, I would think, and some sites might get into trouble with that very difficult addition for handicapped people.
For people without disabilities it might only be a nuisance and/or annoyance.
I don't know how good it is, but I have restrictions on how many pages people can access at my site.
After the preset number of pages, they get a screen to either go to another site somewhere or they have to address their browser to my site again.

ArtificialIntel
Joined: Jan 31, 2004, Posts: -88
Posted: Sun Feb 23, 2003 6:02 am

That's a really bad mod.
The whole point of the graphic login is to stop bots from breaking into the site.
You can quite easily change the size and color of the graphic if you want to, as Sixonetonoffun has pointed out and done himself.
ArtificialIntel

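chris-au's page cap (a visitor gets a "go elsewhere" screen after a preset number of pages) and ArtificialIntel's objection that the graphic login exists to stop bots can be put side by side in code. The following is an added example in Python, not chris-au's mod or PHP-Nuke code. It assumes the cap is counted against the visitor's session cookie, which is the usual way such a mod is written; the limit, the names and the client behaviour are assumptions for illustration. A browser that keeps its cookie hits the cap; a login bot that simply discards cookies gets a fresh counter on every request and is never slowed. Keying the count on the source address instead (the key_on_ip option) is one alternative shown here for contrast.

```python
import secrets
from dataclasses import dataclass, field

PAGE_LIMIT = 20   # assumption: the "preset number of pages"


@dataclass
class PageCap:
    """Counts page views per visitor and serves the 'go elsewhere' screen past the cap."""
    key_on_ip: bool = False            # False: count per session cookie (assumed mod behaviour)
    counts: dict = field(default_factory=dict)

    def serve(self, cookie, ip):
        """Returns (response, cookie): 'page' while under the cap, 'limit_screen' after it."""
        if cookie is None or cookie not in self.counts:
            cookie = secrets.token_hex(8)          # no usable cookie: start a new session
        key = ip if self.key_on_ip else cookie
        self.counts[key] = self.counts.get(key, 0) + 1
        response = "page" if self.counts[key] <= PAGE_LIMIT else "limit_screen"
        return response, cookie


def browse(cap: PageCap, requests: int, keep_cookie: bool, ip: str = "198.51.100.7") -> int:
    """A client hitting the site `requests` times from one address (constructed).
    A browser keeps the cookie it is given; a bot that drops cookies starts a
    fresh session on every request. Returns how many real pages were served."""
    cookie = None
    served = 0
    for _ in range(requests):
        response, new_cookie = cap.serve(cookie, ip)
        if keep_cookie:
            cookie = new_cookie
        if response == "page":
            served += 1
    return served


if __name__ == "__main__":
    print("browser, session-keyed:", browse(PageCap(), 50, keep_cookie=True))
    print("bot, session-keyed:    ", browse(PageCap(), 50, keep_cookie=False))
    print("bot, address-keyed:    ", browse(PageCap(key_on_ip=True), 50, keep_cookie=False))
```

The address-keyed variant does stop the single-source bot in this simulation, but a bot spread over many addresses gets PAGE_LIMIT attempts per address, so a page cap on its own is not a substitute for a check on the login form itself.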
chris-au (Elite Nuker)
Joined: Jan 31, 2003, Posts: 717
Posted: Sun Feb 23, 2003 8:47 pm

Quote: "that's a really bad mod."
Sorry to ask this, but I am always very eager to learn things and you did not explain why it is a 'bad mod'.
Just wondering why rejecting somebody from a site after a number of pages is a 'bad mod'.
I did have a number generator previously, like in version 6.5, for people to submit that number and verify.
But because of complaints, I discarded that in favour of the limit on the number of pages generated.

sixonetonoffun (Major)
Joined: Jan 13, 2003, Posts: 892
Posted: Sun Feb 23, 2003 9:43 pm

Well, I think you're both right; like Shrek said, "Ogres are like onions."
I think it would be simple enough to put in the admin panel as a preference, with the default on. If the site decides to disable it, then that turns it into their problem when they get flooded with new accounts or brute-forced passwords.
Though I really like the 24hr activation rule better, and it's less discussed!
_________________
www.netflake.com
www.glowoptics.com

jimmyjimjim (Lieutenant)
Joined: Jan 23, 2003, Posts: 258, Location: USA
Posted: Tue Feb 25, 2003 1:09 am

Will the image security check be part of the banners login system? I noticed it's still wide open...
Also... can someone provide a list of webhosts that have the GD library enabled? Without GD, it looks as though the new version of nuke is going to be a lot of trouble.