
Forum: Bug Report and Feature Requests

Another login problem

pangor

When logging in fails, the username and password fields are both cleared. This happens to me when, e.g., I use "enter" instead of "tab" to get from the username/email field to the password field (the other site where I log in without a stored password is fine with that).

It would also help if someone had a typo in the username/mail address field - one could just correct it instead of re-typing it.

Lazeez Jiddan (Webmaster)

@pangor

It would also help if someone had a typo in the username/mail address field - one could just correct it instead of re-typing it.


That would not be secure.

pangor

@Lazeez Jiddan (Webmaster)

Why? The login process is done via https, and all you transfer back is whatever the user entered (and the login process denied). If you want to be overly careful, you can leave out the password - as it's starred out, it does not make much sense to be able to edit it instead of retyping it.

Lazeez Jiddan (Webmaster)

@pangor

Why?


The password thing is not secure, but for the email, more often than not, the problem is with the wrong email. So if the form returns it, the user might not notice that they've typed the wrong email address.

It's happened too many times.

This way is best. When a mistake is made, start over.

These days, with all browsers supporting password management, and with password syncing systems available, it's trivial to get it right the first time.

sejintenej


This way is best. When a mistake is made, start over.

With 32 characters (13 plus 19) to get right in my case, a hacker would not know which is wrong. I don't know the odds, but it is not easy. I agree with him.

Lazeez mentions password management programmes but would you trust one if somebody stole your PC/iPad?

Ernest Bywater

From a basic security perspective, when a communication is sent from A to B it's a lot more secure than when a communication is sent from B to A for a minor change and sent back. As a minimum, the risk of being intercepted is doubled. Also, a large part of the data is then known and the options greatly reduced.

Ernest Bywater

Expanding on the security aspect, let's assume the logon ID and Password fields are 30 characters and 25 characters in size, and you can use only lower case letters, upper case letters, and numbers. That means you have 26 + 26 + 10 options for each position, which adds up to 62 options.

In empty fields the total number of options is 62 to the 30th power and 62 to the 25th power, both of which are huge.

If an intercepted signal shows you use 13 characters for one field and 19 characters for the other field, and shows which is which, that reduces the options a great deal, to 62 to the 13th power and 62 to the 19th power. And that's before you get into the situation where most of the characters are already known.

If, as is common, the email address is the ID, knowing most of the field means that it can be easily checked out and the proper address located by other means, most of which are easy. If that proves to be the rejected field, then it's likely they now have both.

As to a rejected email being found out, say you enter ernest.bywater@gmail.con (a common typing error, with the n and not the m); then the error is obvious, the correction is obvious, case solved. Most such errors are damned easy to resolve through such an obvious error or by sending a few emails out.

awnlee jawking

@Ernest Bywater

The version of Windows I'm using doesn't automatically initialise new windows. When my PC is maxed out on number crunching and I try to open a new window, I often get flashes of the contents of an existing or previous window. A couple of times that has included showing usernames and passwords in plain text, even though the password was hidden in the original window :(

AJ

Ernest Bywater

@awnlee jawking

A couple of times that has included showing usernames and passwords in plain text, even though the password was hidden in the original window :(


Maybe it's time to switch to a decent operating system. I use Zorin Linux, which has a GUI option that looks like Windows, so those who are used to the Windows look can feel at home with Linux.

awnlee jawking

@Ernest Bywater

Maybe it's time to switch to a decent operating system


Sadly I'm stuck with the one that runs the software I use, but the way 32-bit browsers are losing support, I'll soon have to get a new PC just to surf the net.

Microsoft made the original 'no initialisation' decision for performance reasons. My understanding is that by 64-bit, PCs were fast enough for them to reverse that decision.

AJ

Ernest Bywater

@awnlee jawking


I'll soon have to get a new PC just to surf the net.


I've a friend who has a way of destroying any computing device they go near, and all they do is surf the net. After some discussion with my son, who's more abreast of IT now than I am, I decided, about a year ago, that the next time that person asked me to fix their computer I'd build them a cheap special. We worked out that a simple device based on a PINE 64 or Raspberry Pi, built and glued to the back of a suitable monitor (even an older monitor), would be a damn cheap and simple net surfing system they couldn't mess up badly, simply due to how basic the PINE 64 and Raspberry Pi are. Maybe you should consider one to put with an old monitor you have.

Edit to add: A PINE A64 in a case about the size of your hand and an inch thick would be about US$35.00 or thereabouts, but definitely below US$50.00; then just attach it to a monitor.

Dominions Son

@sejintenej

Lazeez mentions password management programmes but would you trust one if somebody stole your PC/iPad?


There are password management systems out there that use a master password. That way you only have to remember one password.

Dominions Son

@Ernest Bywater

logon ID and Password fields are 30 characters and 25 characters in size, and you can use only lower case letter, upper case letters, and numbers.


Most password schemes these days allow the type-able symbols ~!@#$%^&*-_+=. Some even require at least one symbol.

My employer has moved on to a pass phrase, increasing the max size significantly and allowing all type-able characters including spaces.

Ernest Bywater

@Dominions Son

Most password schemes these days allow the type-able symbols


True, and the more types of characters the system allows, the higher the number of options. However, once you have any information that reduces the range, it's easier to break. Even knowing you only need 13 characters and not 25 characters reduces the options an attacker has to work through.

Dominions Son

@Ernest Bywater

However, once you have any information that reduces the range, it's easier to break.


True, however, brute force password cracking is not the big threat and is easily prevented on the server end (lock the account after x wrong tries).

The big threats are phishing and social engineering to get people to give you their user-id and password. Password complexity is no protection against these threats.

Ernest Bywater

@Dominions Son

The big threats are phishing and social engineering to get people to give you their user-id and password. Password complexity is no protection against these threats.


Very true, and that's why the issue we started on this side thread is happening. When the password and ID fail you have to enter it all again instead of having what you entered returned for you to fix. Sending the data back for a fix is just as damaging as most phishing activities, because it includes almost all of the valid data, thus it isn't a normal blind brute force attack at all.

Lazeez Jiddan (Webmaster)

@Dominions Son

My employer has moved on to a pass phrase, increasing the max size significantly and allowing all type-able characters including spaces.


Our login system requires 8 characters minimum and allows up to 256 characters. Any character is acceptable, including spaces. No silly requirement like must have one capital letter and a number and a symbol. I find those counterproductive.

You don't even need a password! You can log in by requesting a one time use link by email. And then the security falls to the security you have with your email address provider.

On the admin section of the site, we use a double password, as in user name and two separate passwords.

I'm a big fan of pass phrases. As a multi-lingual person, my pass phrases (when I can use them) are multi-word and multi-language ones.

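The one-time login link Lazeez describes above, as an added example that is not the site's own code: the token is 256 bits from the OS CSPRNG, only its SHA-256 is stored (so a copy of the table cannot be used to log in), and redeeming a token removes it so each link works once. The 15-minute validity window, the link format at the hypothetical host example.invalid, and the in-memory store are assumptions of this example; the email addresses in the demo are constructed.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link stays valid for 15 minutes
LOGIN_URL = "https://example.invalid/login"  # hypothetical endpoint


def token_from_link(link: str) -> str:
    """Pull the token query parameter back out of an issued link."""
    return parse_qs(urlparse(link).query)["token"][0]


class MagicLinkStore:
    """Issued login tokens, keyed by SHA-256(token) -> (email, expiry).

    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Store only the hash: a leaked table yields nothing redeemable.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a fresh single-use token for this address and return the link."""
        token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._tokens[self._digest(token)] = (email, expires_at)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str):
        """Return the email the token was issued for, or None.

        pop() consumes the entry first, so a valid-but-expired token is
        also discarded and cannot be retried later.
        """
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or never issued
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired: treat exactly like an unknown token
        return email


def demo() -> dict:
    """Walk through issue/redeem on a fake clock; returns the observed results."""
    now = [1_000_000.0]
    store = MagicLinkStore(clock=lambda: now[0])
    link = store.issue("reader@example.com")  # constructed address
    token = token_from_link(link)
    first = store.redeem(token)   # "reader@example.com"
    second = store.redeem(token)  # None: single use
    late = token_from_link(store.issue("late@example.com"))
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(late)  # None: past the window
    return {"first": first, "second": second, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

As the post says, once this is the login path the account is only as safe as the mailbox the link lands in; the store itself adds nothing the mailbox does not already protect.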
Dominions Son

@Lazeez Jiddan (Webmaster)

No silly requirement like must have one capital letter and a number and a symbol. I find those counter productive.


My bank is really annoying. 8 character minimum, has to have at least one letter, one numeric digit, and one symbol. And to be super extra annoying, you can't have more than 2 consecutive letters, numbers or symbols.

Capt. Zapp

@Dominions Son

The big threats are phishing and social engineering


Isn't it amazing how many people willingly give up that information by completing those 'twenty questions' things on (anti)social media?

REP

@Capt. Zapp

And at the same time scream about the Government invading their privacy.

Dominions Son

@Capt. Zapp

Isn't it amazing how many people willingly give up that information by completing those 'twenty questions' things on (anti)social media?


No, the biggest idiots are the ones that respond to emails that say "Hi, we are your bank's (or employer's) IT department and we need to confirm your user id and password. Please email them to us."

sejintenej

@Lazeez Jiddan (Webmaster)

I'm a big fan of pass phrases. As a multi-lingual person, my pass phrases (when I can use them) are multi-word and multi-language ones.

I like that, especially as I use both a multi-language word, a comparatively rare other phrase, and capitals and non-letter/number characters. I also work on others using whatever "looks" right to confuse them.
I don't consider my SOL combination to be ultra private (I don't stand to lose anything if someone works it out), so my email etc. are even more complex (sorry Lazeez). As for bank security - another story again.

Lazeez Jiddan (Webmaster)

@sejintenej

I don't consider my SOL combination to be ultra private (I don't stand to lose anything if someone works it out), so my email etc. are even more complex (sorry Lazeez).


I'm never under the illusion that an account created at a story site needs high security, but I still follow the best practices as a matter of principle.

The site's database doesn't contain the actual passwords used, only sha256 hashes. Also for paying members, we never keep full credit card number, no expiry and no security code. So even if somebody manages to hack the site (never happened so far) there is no usable info in the database that could benefit the hackers.

Although, for my book sales site, I created a credit card info vault and gave 2000 sample entries from the storage table to a bunch of hackers and they've yet to break the encoding that I created and they've been wracking their brains for the last three months. I might use it on sol to allow members to have recurring memberships (many ask for it).

Zom

@Lazeez Jiddan (Webmaster)


No silly requirement like must have one capital letter and a number and a symbol.


Glad to hear it. I have watched with child-like wonder as the "secure password" myth has grown and grown over the decades.

Anyone with any systems experience, like yourself, knows that the secret to foiling brute force and dictionary attacks is to put a meaningful temporal limit on attempts, keyed to the user name and the source address. This approach makes even 6 alphanumeric characters impossible to break in any useful time frame.

Stupid passwords are impossible to protect against without two-factor implementations, but then stupid passwords belong to stupid people who, perhaps, should get what they deserve.

Key logging attacks are very rare, but when done are again only securable by two factor.

I have yet to see any reasonable justification for the current fad of mandatory mixed characters, cases and symbols. In fact such fancy passwording usually reduces security, because the average poor user has to write them down somewhere to remember them, given most users these days use dozens of passwords.

Thank His Noodliness that mandatory periodic password changing has fallen out of favour.
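The pieces this thread has argued for can be put together in one login handler: the 8-to-256-character, any-character, no-composition-rule policy Lazeez describes; the server-side lockout after x wrong tries that Dominions Son mentions; and the temporal limit keyed to user name and source address that Zom describes. This is an added example, not the site's code. The thresholds (5 failures per 15 minutes), the in-memory user store, the injectable clock, and the RFC 5737 addresses in the demo are assumptions or constructed. Stored credentials are a per-user random salt plus an scrypt digest rather than a bare SHA-256 of the password, so two users with the same password do not get the same row and each offline guess costs the attacker real CPU and memory; a failed attempt returns only a status word and never echoes the submitted password.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MIN_LEN, MAX_LEN = 8, 256   # the policy described in the thread
MAX_FAILURES = 5            # assumption: lock after this many failures ...
WINDOW_SECONDS = 15 * 60    # assumption: ... counted over a 15-minute window

# Dummy credential used for unknown users so the hashing work (and hence the
# response time) is the same whether or not the username exists.
_DUMMY_SALT, _DUMMY_DIGEST = b"\x00" * 16, b"\x00" * 32


def policy_ok(passphrase: str) -> bool:
    """Length only; any character including spaces is allowed."""
    return MIN_LEN <= len(passphrase) <= MAX_LEN


def hash_passphrase(passphrase: str, salt=None):
    """Return (salt, digest). scrypt is memory-hard, unlike a plain SHA-256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_passphrase(passphrase: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_passphrase(passphrase, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


class LoginService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}                     # username -> (salt, digest)
        self._failures = defaultdict(list)   # (username, source_ip) -> [times]

    def register(self, username: str, passphrase: str) -> None:
        if not policy_ok(passphrase):
            raise ValueError(f"passphrase must be {MIN_LEN}-{MAX_LEN} characters")
        self._users[username] = hash_passphrase(passphrase)

    def _recent_failures(self, key) -> int:
        """Drop failures older than the window and count what is left."""
        cutoff = self._clock() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def login(self, username: str, passphrase: str, source_ip: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Never returns the passphrase."""
        key = (username, source_ip)  # Zom's keying: per user AND per address
        if self._recent_failures(key) >= MAX_FAILURES:
            return "locked"          # checked before any password work
        record = self._users.get(username)
        salt, digest = record if record else (_DUMMY_SALT, _DUMMY_DIGEST)
        ok = verify_passphrase(passphrase, salt, digest) and record is not None
        if not ok:
            self._failures[key].append(self._clock())
            return "denied"
        self._failures.pop(key, None)  # success clears the counter
        return "ok"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("pangor", "correct horse battery staple")
    print(svc.login("pangor", "correct horse battery staple", "203.0.113.5"))
    print(svc.login("pangor", "wrong guess", "203.0.113.5"))
```

Because the counter is keyed on (username, source address), a single address hammering one account is locked out while the legitimate user on another address is not, and a distributed guess across many addresses still gets only MAX_FAILURES tries per address per window. The lockout is checked before the scrypt call, so a locked-out caller cannot use the server as a hashing oracle.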
