546 posts

Ultimate Geek

Trusted

  Reply # 509134 19-Aug-2011 17:59

Thanks for that.

Yeah I get why it has been implemented, but with the number of ADSL disconnections I get it is just too annoying :(







BDFL
43785 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 509137 19-Aug-2011 18:01

Update on mobile problem: it only happens on Telecom XT, and only if your mobile device is configured to use the WAP APN or has no APN configured (in which case WAP is used by default). If you configure the Internet or Direct APNs then it works just fine.







BDFL
43785 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 509158 19-Aug-2011 18:40

I can work on this for an update.




1250 posts

Uber Geek

Trusted
Subscriber

  Reply # 509174 19-Aug-2011 19:28

Explains why I was about to blame my new ROM when browsing on my phone while I was out today! lol.

1126 posts

Uber Geek

Trusted

  Reply # 509184 19-Aug-2011 19:56

Great feature.

I use a similar feature in PHP's Suhosin patch. It'll encrypt a cookie using the IP address; you can set it to use the 1st, 1st and 2nd, 1st 2nd and 3rd or all 4 octets of an IP address for the encryption.

What this means is you can change IP within the same /24 and your cookie is still valid if you choose 3 octets, within the same /16 (255.255.0.0) if you pick two or within the same /8 (255.0.0.0) if you pick just one.

Is it possible to modify your check to do this, or make it an option? For me I found making it a /16 worked fairly well, sure it's not bullet proof but if you change ISP then you're (probably) going to fall outside the permitted range.

Just a thought.




Checkout the EPIC5 script I work on, LiCe. Makes console based IRC fun and easy to use, just like the old days!



BDFL
43785 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 509188 19-Aug-2011 20:00

I thought of that but the problem is if you go to a cafe, someone hijacks the cookies - and they will probably be on the same subnet...





1126 posts

Uber Geek

Trusted

  Reply # 509189 19-Aug-2011 20:02

freitasm: I thought of that but the problem is if you go to a cafe, someone hijacks the cookies - and they will probably be on the same subnet...



Good point.

It could be an option though, rather than just binary on/off? Security Paranoid (IP Address), Regular (/16), Relaxed (/8)

Anyway, just a suggestion. It's a good feature either way.




Checkout the EPIC5 script I work on, LiCe. Makes console based IRC fun and easy to use, just like the old days!

1599 posts

Uber Geek
Inactive user


  Reply # 509199 19-Aug-2011 20:37

Paulthagerous: Thanks for that.

Yeah I get why it has been implemented, but with the number of ADSL disconnections I get it is just too annoying :(

That is a problem with your ISP, not Geekzone. :P

freitasm: I thought of that but the problem is if you go to a cafe, someone hijacks the cookies - and they will probably be on the same subnet...

If you go to a cafe it's likely the external IP for all users is the same, in which case the session could still be hijacked, yes?
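The prefix-binding idea from muppet's post and the shared-external-IP limit raised in the replies above, as an added example that is not Geekzone's or Suhosin's code: it uses an HMAC tag over the session id and IP prefix instead of Suhosin's cookie encryption, and the key, session ids and addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

SERVER_KEY = b"constructed-demo-key"  # placeholder secret, constructed for this example


def ip_prefix(addr: str, octets: int) -> str:
    """Network covering the first `octets` octets of an IPv4 address (0-4)."""
    if octets not in range(5):
        raise ValueError("octets must be 0..4")
    return str(ipaddress.IPv4Network(f"{addr}/{octets * 8}", strict=False))


def _tag(session_id: str, client_ip: str, octets: int) -> str:
    msg = f"{session_id}|{ip_prefix(client_ip, octets)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, client_ip: str, octets: int) -> str:
    """Cookie value = session id plus a MAC over the id and the IP prefix."""
    return f"{session_id}.{_tag(session_id, client_ip, octets)}"


def verify_cookie(cookie: str, client_ip: str, octets: int) -> bool:
    """`octets` comes from server-side policy, never from the cookie."""
    session_id, _, tag = cookie.rpartition(".")
    expected = _tag(session_id, client_ip, octets)
    return hmac.compare_digest(tag.encode(), expected.encode())


def scenarios() -> dict:
    home, reconnect, other_isp = "198.51.100.23", "198.51.7.9", "203.0.113.5"
    cafe_nat = "192.0.2.44"  # victim and thief share this external address
    strict = issue_cookie("sess-1234", home, 4)
    relaxed = issue_cookie("sess-1234", home, 2)
    cafe = issue_cookie("sess-5678", cafe_nat, 4)
    return {
        "strict_after_reconnect": verify_cookie(strict, reconnect, 4),
        "relaxed_after_reconnect": verify_cookie(relaxed, reconnect, 2),
        "relaxed_other_isp": verify_cookie(relaxed, other_isp, 2),
        "cafe_replay_same_nat": verify_cookie(cafe, cafe_nat, 4),
        "tampered_tag": verify_cookie(relaxed[:-1] + "x", home, 2),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `cafe_replay_same_nat` case is accepted even with all four octets bound, which is why IP binding narrows where a stolen cookie can be replayed but does not replace transport encryption for the cookie itself.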

gzt

3203 posts

Uber Geek

Subscriber

  Reply # 509327 20-Aug-2011 13:06

Turned mine off for now. Router restarts cause a bit of inconvenience. Glad to have the option. I like muppet's suggestion also.

To what extent is cookie/session hijacking a problem?



BDFL
43785 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 509331 20-Aug-2011 13:10

I am not sure it's a problem for Geekzone users - probably more for Facebook, GMail and Windows Live users.

But we should provide the option. I actually thought of implementing two-factor authentication earlier this year. Just thought it was overkill for Geekzone.

However... Another thought: I have a hidden "feature" that sends me an email if someone tries to log in using my user name. Never actually received a notification, until last night, when someone tried to log in on Geekzone as "freitasm" from a Chinese IP address.

Here comes the thing though: they've used a password I actually used before in another web site. So my guess is that web site was compromised and these guys were searching for all users around the Internet and, when they found "freitasm" on Geekzone, thought they struck gold.

Lucky I don't use the same password in more than one web site.

So my question is: should I extend this feature as an option to everyone? As in getting an email notification (On/Off) and in which situation (Failed/Success/Both)?





gzt

3203 posts

Uber Geek

Subscriber

  Reply # 509341 20-Aug-2011 13:27

freitasm: So my question is: should I extend this feature as an option to everyone? As in getting an email notification (On/Off) and in which situation (Failed/Success/Both)?

It is a feature I would like to see on many websites ;). It will be interesting to see how often it happens.

Also I'm thinking you might need a subpage called 'super-geeky options' for these kind of uber cool features - excellent, but they could build up after a while.

1126 posts

Uber Geek

Trusted

  Reply # 509347 20-Aug-2011 13:58

Given that there's no ecommerce on GZ, I don't think you need to be too paranoid about such things. I mean if my account got compromised, what's the worst that they're going to do? Post a bunch of idiotic crap using my username.

You'd never know I'd been compromised in the first place!




Checkout the EPIC5 script I work on, LiCe. Makes console based IRC fun and easy to use, just like the old days!

1529 posts

Uber Geek

Subscriber

  Reply # 509353 20-Aug-2011 13:59

freitasm:
[snip]
So my question is: should I extend this feature as an option to everyone? As in getting an email notification (On/Off) and in which situation (Failed/Success/Both)?


+1 to email notification.
Both would be great. Also with the password they tried to log on with?


gzt: Also I'm thinking you might need a subpage called 'super-geeky options' for these kind of uber cool features - excellent, but they could build up after a while.


another +1 to that as well.

1250 posts

Uber Geek

Trusted
Subscriber

  Reply # 509356 20-Aug-2011 14:11

Sounds good!

muppet:

You'd never know I'd been compromised in the first place!


+1



BDFL
43785 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber

  Reply # 509357 20-Aug-2011 14:12

gzt: Also I'm thinking you might need a subpage called 'super-geeky options' for these kind of uber cool features - excellent, but they could build up after a while.


We try to keep the number of menu options to a minimum and even then people don't bother reading the first menu on top - I mean, check this.

muppet: Given that there's no ecommerce on GZ, I don't think you need to be too paranoid about such things. I mean if my account got compromised, what's the worst that they're going to do? Post a bunch of idiotic crap using my username.


Agreed, anyone logging in couldn't spend money here, but could get some personal information such as user name and email addresses, to then try logging in to other websites. Lucky we don't store or show passwords in plain text, otherwise this would be another risk.

muppet: You'd never know I'd been compromised in the first place!


No joke Sherlock ;)

 



