If I am not incorrect, the user name used to log in is displayed in the forum.
Isn’t it possible to add a “display name” in the profile or show the “Name” of the profile instead?
And BTW, in Associated Accounts, add YouTube, Mastodon, Slack, Discord and such?
If you use a password manager and let it concoct some random string of characters as your password, it would be very secure. You could also enable two factor authentication.
I filled in a name in “Name”. On the forum it still shows as the login name; it does not use “Name”. Is that correct? If yes, what is the “Name” used for?
I am not trying to be offensive. For example, the NAME could be used as display name and, if empty, anonymous. OR add a field DISPLAY NAME to the user properties that will take preference if non-blank, and remove it from the detailed info of the user. At least that is the way I implemented it on my own websites. I am just not comfortable with the username display as it could be used in brute force attacks; even if I am sure my password is fine, for other users it may not be so. I experienced such attacks in a company I worked for and it’s real, and they can come from all over the world. It’s just a way of web implementation. I understand that would be a big code change. Let’s just close the discussion. Thanks for the feedback and apologies if this was a post that caused annoyance.
This forum uses the off-the-shelf open source Discourse forum software. It may indeed be a big code change, and you’d have to take it up with the Discourse developers.
All forums that I am on display my login name.
I NEVER reuse passwords and they are fairly strong.
There have been way too many forum and website hacks over the years where entire username password tables have been stolen. All too often these were stored in plain text, not salted and hashed.
It should not be possible, as passwords should never be stored anywhere.
Username + so-called salt + password should be passed through the hash function on the user’s PC side, and the result of this hash should be sent back to the forum, where it should be stored and compared for logging in. The secret is the password; username and salt are public.
Passwords used by users should be lengthened by applying this hash function many times. I did experiments many years ago on my Windows XP PC, and running SHA256 10^6 times took less than 1 s. This extends the password length by about 20 bits.
I have read the Ferguson, Schneier book “Cryptography in Practice” written in 2002 (I do not have it at hand, so the authors and title are from my memory, and the title is translated from Polish). I remember one sentence from it saying something like: “there is no excuse for not using salts and password extensions on any system”. It costs only about 1 s extra waiting when logging in and increases the attack cost 10^6 times.
Using salt (public but different for each application and each username) guarantees that even if the entire username/hash table is stolen, it is simply different than in any other system, even if the same username uses the same password.
As they had written it after many years of experience, after I read it in about 2004 I was sure that such an obvious thing had been used ‘since always’ in all systems where you have to log in.
I am very surprised hearing from time to time that passwords were stolen from somewhere where they simply should not be stored ever.
Usernames are public and there is little advantage in making them secret.
You may be surprised, but algorithms used by a system should also be public by default.
In that book the authors wrote (in 2002) that, based only on the fact that the MIFARE Classic cards’ crypto algorithms are secret, they predicted that these cards would soon be broken.
I think in 2005 the first successes in breaking MIFARE Classic were published.
What you describe is standard good practice. It’s just amazing that many app and other networked software and firmware developers continue to be lazy and ignore it, along with other horrors like hard-coded passwords.
As an aside, Malaysia uses MIFARE Classic for its toll payments and we knew it was cracked by 2002.
I remember the first information about how poor the random generator in MIFARE Classic is being published in 2005 or 2006.
According to: “A presentation by Henryk Plötz and Karsten Nohl at the Chaos Communication Congress in December 2007 described a partial reverse-engineering of the algorithm used in the MIFARE Classic chip.”
20 years ago I was sure that everyone who proceeds to write software to which you have to log in would, as a minimum of decency, know at least the basic principles before writing such a program.
Because of this I saw absolutely no problem in using the same password in the many places I had to log in. When I read newspaper articles saying that you should not use the same password, I was thinking:
“How stupid these journalists are. They don’t know that passwords are never stored, and the only thing that can be stolen is the salted hashes. And my password is not worth the big effort needed to brute-force the one-way hash function, which needs to be run at least 10^6 times just to verify each hypothetical password.”
Now I know how wrong I was.
In this book a programmer’s mistake was described. He did everything as he should (probably not fully understanding the principles, but he was told to do it that way): with salt and password extending. But so that the user doesn’t have to wait an extra 1 s to be informed when he entered the password incorrectly, besides the hash he stored the password’s crc32 to quickly find such mistakes.
So by calling the hash 10^6 times he extended the password length by 20 bits, and checking the crc shortened it by 32 bits!
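As an added example that is not part of this thread, here is a Python sketch of the salted, iterated SHA256 scheme described earlier and of the crc32 shortcut from the last post: it counts how many expensive hash evaluations a stolen record forces on someone testing a list of guesses, with only the slow hash stored versus with the crc32 stored next to it. The username, salt, passwords and guess list are constructed, and the iteration count is lowered from 10^6 to 2^10 so it runs quickly.

```python
import hashlib
import math
import zlib

# The post uses 10^6 (~2^20) iterations; 2^10 keeps this example fast to run.
ITERATIONS = 2 ** 10


def stretched_hash(username: str, salt: bytes, password: str,
                   iterations: int = ITERATIONS) -> bytes:
    """Hash username + salt + password, then re-hash the digest `iterations` times."""
    digest = hashlib.sha256(username.encode() + salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def extra_bits(iterations: int) -> float:
    """Work factor added by stretching, expressed as equivalent password bits."""
    return math.log2(iterations)


def slow_hash_calls(record: dict, candidates: list, username: str, salt: bytes):
    """Count stretched-hash evaluations needed to test every candidate against one
    stolen record. With only the slow hash stored, each candidate costs one stretched
    hash. If a crc32 of the password is stored alongside, any candidate whose crc32
    differs is rejected for free and never reaches the slow hash."""
    calls, match = 0, None
    for pw in candidates:
        if "crc32" in record and zlib.crc32(pw.encode()) != record["crc32"]:
            continue
        calls += 1
        if stretched_hash(username, salt, pw) == record["hash"]:
            match = pw
    return calls, match


def run_demo():
    # Constructed sample data: one user, one real password, 255 wrong guesses.
    username, salt, password = "alice", b"constructed-salt-01", "correct horse"
    candidates = [f"guess{i}" for i in range(255)] + [password]
    h = stretched_hash(username, salt, password)
    proper_record = {"hash": h}                                         # what should be stored
    leaky_record = {"hash": h, "crc32": zlib.crc32(password.encode())}  # the book's mistake
    proper = slow_hash_calls(proper_record, candidates, username, salt)
    leaky = slow_hash_calls(leaky_record, candidates, username, salt)
    return {"proper_calls": proper[0], "leaky_calls": leaky[0],
            "proper_match": proper[1], "leaky_match": leaky[1],
            "bits_added": extra_bits(2 ** 20), "bits_lost_to_crc32": 32}


if __name__ == "__main__":
    print(run_demo())
```

With the proper record all 256 guesses cost a stretched hash each; with the crc32 stored, almost all of them are discarded before the slow hash runs, which is the 32-bit shortcut the post describes.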