Author Topic: Keeping Your NxtForum Account Safe  (Read 8643 times)

VanBreuk

  • Administrator
  • Hero Member
  • Karma: +362/-19
  • Posts: 2772
Keeping Your NxtForum Account Safe
« on: June 28, 2014, 06:45:33 pm »

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

lately there's been a lot of talk about how to increase account security in the forums, within or beyond the standard features provided by the SMF forum software. This post intends to address some of those concerns, and to give information about useful features to reinforce account security.

This message is signed using my GPG key. You can check it using gpg against the key fingerprint I have in my account forum signature. By default, I will sign from now on any announcements or updates about forum security issues.

*

1. SOME BASICS ABOUT FORUM SECURITY

- - There's of course a few security aspects that the forum software and staff cannot handle for you. Most specially, these include the risk of having malicious software in your computer like keyloggers or other trojans, and the security of the email address you registered with your forum account

- - Good security in your email is ESSENTIAL. Most of the forum security measures rely on your registered email address, and if your email is compromised, the attacker may be able to reset your forum password. Although there are ways to help prevent this even if your email is compromised (see 2) you should see your email as your first, inner defence line. Using email addresses with two-factor authentication (for example, gmail and two-step verification) is strongly recommended for sensitive accounts. And of course, password strength and secure storage/memorization.

- - Some users have asked about the possibility of adding two-factor authentication to the forum. This option is not available at this moment, since SMF discourages forum addons relying on third parties. It might be an option in the future, and in the meantime you have other tools to strengthen your account security that can be seen as a 2FA of sorts.

- - We recommend NOT using the Secret Question feature you can set in Profile > Modify Profile > Account Settings, particularly with questions and answers that could be crackable. This is potentially a shortcut for an attacker to reset your forum password, and is better left blank. If no Secret Question and Answer are defined, the feature will be simply disabled in your account.

*

2. BRUTEFORCING PREVENTION AND ADDITIONAL SECURITY: USERNAME AND NAME

Needless to say, the most important element in account security after your email is your password. A strong, private forum password is your second defence line. But if you really want as many locks as possible, there's a basic SMF feature that can be quite useful and I want to share, since it could stop impersonation attempts single-handedly.

As you can see in your Profile > Modify Profile > Account Settings page, you have both a Username and a Name. They will be the same by default, but here's the trick - they can be different.
Your Username is the handle you use when you login to the forums. Your Name is the displayed member name everyone will see in forum posts, personal messages and member lists. You can see your Username in your profile, but besides yourself, only forum administrators can see that string.

If the Username is changed so it doesn't match with the Name, an attacker trying to bruteforce your account (or who managed to somehow discover your forum password) will also need to know your Username in order to even attempt logging into your forum account.

Since that information is not displayed, that adds an extra security layer that works similar to a second password.

Example: Let's assume both my Username and Name are VanBreuk. If I change my username to a random string of characters (or to any handle difficult enough to guess with the public information in the forums), anyone trying to login with the "VanBreuk" username would receive a message saying username unknown, and even if they had my password, they wouldn't be able to log in unless they also discovered my hidden Username.

   2.1. How to change your forum Username
   - Please Note: This can only be done by a forum administrator, by specific request. Before doing this, please review your first (email) and second (password strength) primary defence lines. THIS IS NOT MEANT TO BE A REPLACEMENT FOR EMAIL OR PASSWORD SECURITY.
   - Send me a PM (or to another admin) requesting for a Username change specifying the new Username you want. Make sure that you have access to the email address you registered in your forum account.
   - I will change the Username field on your profile. Your Name (your displayed name) will not be altered.
   - The change will require a password reset. This means you will receive an email confirming your new Username, and giving you a temporary password to login to your account. Remember to use your new Username in the login field, the old one won't be recognized anymore.
   - Once you have logged into your account, you can change your password in Profile > Modify Profile > Account Settings for a password of your choice, either your previous existing password or a new one. You'll have to approve the change entering the temporary password for the last time in the bottom Account Settings field, then click "Change Profile".

*

3. NEW LOGIN SECURITY FORUM ADDON

An additional security forum modification has been installed. It's a customized variation of the "Login Security" SMF mod. It offers the current features for users:

- - Allows you to restrict access to your account to only one or several specific IP addresses. You can define them in Profile > Modify Profile > Account Settings. WARNING: This can be useful if you use a static IP or a known small set of IP addresses, but is not recommended if your IP varies impredictably between sessions.
- - Will send a warning to your email every time there's a failed login attempt in your account. The message will include the IP address that tried to access the account, and offer the possibility to report back to the forum admins.
- - Will lock temporarily your forum account when a number of failed login attempts have occurred in a short period of time, and also when there's been a login attempt from a rogue IP, in case you have defined IP login restrictions.
- - If a forum account is temporarily locked, the login page will offer to send an email with a secure login link. This will allow the legitimate user to bypass the lock clicking in the link in his/her email. This secure login link expires in 30 minutes.

*

I hope this helps everyone to feel more safe in nxtforum.org, by taking better control of your forum account security. Feel free to discuss and ask questions in this thread.

Best,

VanBreuk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJTrvlzAAoJEEXNKXeKnQG/WEMH/1doN/7uJgsOWlkQBongHFEc
PvQLQpuzIvkDyel6z5T7iPEsm7+2x/uG7bCssihNFMY4cMvnJaCcq2+BuqWTB235
8vBPO/abapjtkP6zhek7xa2cNFg05JOJL/N4X/mKyk0INfvRlbhc8ONY0fBQhLx+
377MhirG0/Y8drTudCp1iy9449qsTSofighv/rcFeh1YH/w+n1hlFqeFhttSB6XL
8I2/ng5sQ+w9A0EvTLXtLm/7qZi2CVgOOGhVhqUg8A2GifnudNG12OV69hNo2gSJ
ExwSdyCV+sm8CaHrntBtyTxYFfL4239uCNipGylFf96c97UdLY28/VX7hzmQ7ug=
=LMU5
-----END PGP SIGNATURE-----
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1
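The lockout, IP-restriction and secure-login-link behaviour that section 3 of the post describes, written out as an added Python example. This is not the code of the "Login Security" SMF mod and not something from the post; it shows the logic a defender would expect such a mod to implement. The thresholds MAX_FAILURES, FAILURE_WINDOW and LOCK_DURATION are assumed values (the post only says "a number of failed login attempts in a short period of time"); the 30-minute link expiry is the figure the post states. The signing key, the usernames and the IP addresses are constructed for the example, and the clock is injectable so that expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Thresholds are assumed values; the post gives only "a number of failed login
# attempts in a short period of time". The link lifetime is the 30 minutes it states.
MAX_FAILURES = 5
FAILURE_WINDOW = 10 * 60
LOCK_DURATION = 15 * 60
LINK_TTL = 30 * 60

# Constructed server-side key for signing secure login links (not a real key).
LINK_SECRET = b"constructed-example-key-replace-in-production"


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable so expiry can be tested offline
        self.allowed_ips = {}                # username -> set of IPs; absent means unrestricted
        self.failures = defaultdict(list)    # username -> timestamps of recent failures
        self.locked_until = {}               # username -> unix time the lock expires
        self.alerts = []                     # (username, ip, reason): the warning emails the mod sends
        self.redeemed = set()                # nonces of login links already used

    def restrict_ips(self, user, ips):
        self.allowed_ips[user] = set(ips)

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def _fail(self, user, ip, reason):
        now = self.clock()
        self.alerts.append((user, ip, reason))
        recent = [t for t in self.failures[user] if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        # Lock on a burst of failures, or immediately on a rogue IP when restrictions exist
        if len(recent) >= MAX_FAILURES or reason == "rogue_ip":
            self.locked_until[user] = now + LOCK_DURATION

    def attempt_login(self, user, ip, password_ok):
        """Returns 'ok', 'locked', 'ip_rejected' or 'bad_password'."""
        if self.is_locked(user):
            return "locked"
        if user in self.allowed_ips and ip not in self.allowed_ips[user]:
            self._fail(user, ip, "rogue_ip")
            return "ip_rejected"
        if not password_ok:
            self._fail(user, ip, "bad_password")
            return "locked" if self.is_locked(user) else "bad_password"
        self.failures.pop(user, None)
        return "ok"

    def issue_login_link(self, user):
        """Token for the emailed bypass link: user, expiry and nonce, HMAC-signed."""
        expiry = int(self.clock()) + LINK_TTL
        nonce = secrets.token_hex(16)
        payload = f"{user}:{expiry}:{nonce}"
        mac = hmac.new(LINK_SECRET, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"

    def redeem_login_link(self, token):
        """Returns the username and clears the lock, or None if the token is invalid."""
        try:
            user, expiry, nonce, mac = token.rsplit(":", 3)
        except ValueError:
            return None
        payload = f"{user}:{expiry}:{nonce}".encode()
        expected = hmac.new(LINK_SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        if int(self.clock()) > int(expiry) or nonce in self.redeemed:
            return None
        self.redeemed.add(nonce)             # single use: a leaked link cannot be replayed
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
        return user


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(MAX_FAILURES):
        guard.attempt_login("VanBreuk", "198.51.100.7", password_ok=False)
    print("locked after burst:", guard.is_locked("VanBreuk"))
    link = guard.issue_login_link("VanBreuk")
    print("lock cleared for:", guard.redeem_login_link(link))
```

Two details matter for the bypass link: the MAC is checked with a constant-time compare before anything else is looked at, and the nonce is recorded as redeemed so the same link cannot unlock the account twice even inside its 30-minute lifetime. The failed-attempt alert still fires on a rogue-IP rejection, which is the signal the post says the mod emails to the account owner.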

Eadeqa

  • Hero Member
  • Karma: +83/-68
  • Posts: 1888
Re: Keeping Your NxtForum Account Safe
« Reply #1 on: June 28, 2014, 08:10:16 pm »

> - - Some users have asked about the possibility of adding two-factor authentication to the forum. This option is not available at this moment, since SMF discourages forum addons relying on third parties. It might be an option in the future, and in the meantime you have other tools to strengthen your account security that can be seen as a 2FA of sorts.

I think it's possible to implement this as a "mod"

https://github.com/PHPGangsta/GoogleAuthenticator/blob/master/PHPGangsta/GoogleAuthenticator.php

Someone has to look at the SMF documentation on how to create a mod; a Google search reveals

http://www.simplemachines.org/community/index.php?topic=20319.0

 
NXT-GZYP-FMRT-FQ9K-3YQGS

VanBreuk

  • Administrator
  • Hero Member
  • Karma: +362/-19
  • Posts: 2772
Re: Keeping Your NxtForum Account Safe
« Reply #2 on: June 28, 2014, 08:17:12 pm »

Possible, sure. There's been a 2 BTC bounty to do this in Bitcointalk for months, still unclaimed.

The first challenge would be to adapt that code to the SMF sql database.

The SDK link you refer to is secondary, since modifications can be applied regardless of having an xml based package. The important bit is the integration into the SMF code and database, then you could integrate it manually.
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1
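Eadeqa's suggestion above points at a TOTP library, and VanBreuk's reply notes that the real work is wiring the check into the SMF database. As an added example covering both points, here is a TOTP verifier of the kind that library implements (RFC 6238: HMAC-SHA1, 6 digits, 30-second step) in Python, with the per-member state a mod would have to persist. This is not the PHPGangsta code and not an SMF mod; the TotpStore class stands in for columns added to the SMF members table, and the column names totp_secret and totp_last_counter are assumptions. RFC6238_TEST_KEY is the published test key from RFC 6238, so the self-checks compare against the RFC's own vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30        # seconds per time step (RFC 6238 default, what Google Authenticator uses)
DIGITS = 6       # code length
WINDOW = 1       # accept one step of clock skew on either side

# Published test key from RFC 6238 Appendix B, used only for the self-checks below
RFC6238_TEST_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step)


def b32(raw: bytes) -> str:
    """Base32 form of a secret, the encoding authenticator apps expect at enrollment."""
    return base64.b32encode(raw).decode()


def new_secret() -> str:
    """Fresh 160-bit secret for enrollment, base32-encoded."""
    return b32(secrets.token_bytes(20))


class TotpStore:
    """Stand-in for two columns an SMF mod would add per member (assumed names):
    totp_secret (base32) and totp_last_counter (highest step already accepted)."""

    def __init__(self):
        self.rows = {}   # id_member -> row dict

    def enroll(self, member: int, b32_secret: str) -> None:
        self.rows[member] = {"totp_secret": b32_secret, "totp_last_counter": -1}

    def verify(self, member: int, code: str, now: float = None) -> bool:
        row = self.rows.get(member)
        if row is None or not code.isdigit():
            return False
        if now is None:
            now = time.time()
        secret = base64.b32decode(row["totp_secret"].upper())
        current = int(now) // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            counter = current + delta
            # A step that already produced an accepted code cannot be reused; this
            # is what stops an observed code from being replayed inside the window.
            if counter <= row["totp_last_counter"]:
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                row["totp_last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    store = TotpStore()
    store.enroll(1, b32(RFC6238_TEST_KEY))
    print("code at t=59:", totp(RFC6238_TEST_KEY, 59))            # 287082 per RFC 6238
    print("first use accepted:", store.verify(1, "287082", 59))   # True
    print("replay accepted:", store.verify(1, "287082", 59))      # False
```

The last-accepted counter is the piece that has to live in the database alongside the secret: without it a code that a keylogger captured remains valid for the whole skew window, which defeats much of the point of adding a second factor to a forum whose threat model (per the original post) includes trojans on the member's machine.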

instacash

  • Full Member
  • Karma: +10/-1
  • Posts: 249
Re: Keeping Your NxtForum Account Safe
« Reply #3 on: June 28, 2014, 08:18:43 pm »

> There's been a 2 BTC bounty to do this in Bitcointalk for months, still unclaimed.

Hi VanBreuk, could you post a link to this please?

VanBreuk

  • Administrator
  • Hero Member
  • Karma: +362/-19
  • Posts: 2772
Re: Keeping Your NxtForum Account Safe
« Reply #4 on: June 28, 2014, 08:21:57 pm »

This is the most recent thread - https://bitcointalk.org/index.php?topic=567336.0

Although there are much older discussions about this in BCT.
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1

instacash

  • Full Member
  • Karma: +10/-1
  • Posts: 249
Re: Keeping Your NxtForum Account Safe
« Reply #5 on: June 29, 2014, 02:36:23 pm »

> This is the most recent thread - https://bitcointalk.org/index.php?topic=567336.0
>
> Although there are much older discussions about this in BCT.

Thank you!