Increasing login security

Forums › Geekzone › Increasing login security

1 | 2 | 3 | 4

698 posts

Ultimate Geek

Trusted

#509134 19-Aug-2011 17:59

Thanks for that.

Yeah I get why it has been implemented, but with the number of ADSL disconnections I get it is just too annoying :(

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#509137 19-Aug-2011 18:01

Update on mobile problem: it only happens on Telecom XT, and only if your mobile device is configured to use the WAP APN or has no APN configured (in which case WAP is used by default). If you configure the Internet or Direct APNs then it works just fine.

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#509158 19-Aug-2011 18:40

I can work on this for an update.

blakamin

4431 posts

Uber Geek
Inactive user

#509174 19-Aug-2011 19:28

Explains why I was about to blame my new rom when browsing on my phone while i was out today! lol.

muppet

2568 posts

Uber Geek

Trusted

#509184 19-Aug-2011 19:56

Great feature.

I use a similar feature in PHP's Suhosin patch. It'll encrypt a cookie using the IP address, you can set it to use the 1st, 1st and 2nd, 1st 2nd and 3rd or all 4 octects of an IP address for the encryption.

What this means is you can change IP within the same /24 and your cookie is still valid if you choose 3 octects, within the same /16 (255.255.0.0) if you pick two or within the same /8 (255.0.0.0) if you pick just one.

Is it possible to modify your check to do this, or make it an option? For me I found making it a /16 worked fairly well, sure it's not bullet proof but if you change ISP then you're (probably) going to fall outside the permitted range.

Just a thought.

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#509188 19-Aug-2011 20:00

I thought of that but the problem is if you go to a cafe, someone hijacks the cookies - and they will probably be on the same subnet...

muppet

2568 posts

Uber Geek

Trusted

#509189 19-Aug-2011 20:02

freitasm: I thought of that but the problem is if you go to a cafe, someone hijacks the cookies - and they will probably be on the same subnet...

Good point.

It could be an option though, rather than just binary on/off? Security Paranoid (IP Address), regular (/16) Relaxed (/8)

Anyway, just a suggestion. It's a good feature either way.

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

GoodSync

GoodSync. Easily back up and sync your files with GoodSync. Simple and secure file backup and synchronisation software will ensure that your files are never lost (affiliate link).

codyc1515

1598 posts

Uber Geek
Inactive user

#509199 19-Aug-2011 20:37

Paulthagerous: Thanks for that.

Yeah I get why it has been implemented, but with the number of ADSL disconnections I get it is just too annoying :(

That is a problem with your ISP, not Geekzone.

freitasm: I thought of that but the problem is if you go to a cafe, someone hijacks the cookies - and they will probably be on the same subnet...

If you go to a cafe its likely the External IP for all users is the same, in which case the session could still be hijacked, yes?

gzt

17122 posts

Uber Geek

Lifetime subscriber

#509327 20-Aug-2011 13:06

Turned mine off for now. Router restarts cause a bit of inconvenience. Glad to have the option. I like muppets suggestion also.

To what extent is cookie/session hijacking a problem?

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#509331 20-Aug-2011 13:10

I am not sure it's a problem for Geekzone users - probably more for Facebook, GMail and Windows Live users.

But we should provide the option. I actually thought of implementing a two factor authentication earlier this year. Just thought was overkill for Geekzone.

However... Another thought: I have a hidden "feature" that sends me an email if someone tries to login using my user name. Never actually received a notification, until last night, when someone tried to login on Geekzone as "freitasm" from a Chinese IP address.

Here comes the thing though: they've used a password I actually used before in another web site. So my guess is that web site was compromised and these guys were searching for all users around the Internet and when found "freitasm" on Geekzone thought they struck gold.

Lucky I don't use the same password in more than one web site.

So my question is: should I extend this feature as an option to everyone? As in getting an email notification (On/Off) and in which situation (Failed/Success/Both)?

gzt

17122 posts

Uber Geek

Lifetime subscriber

#509341 20-Aug-2011 13:27

freitasm: So my question is: should I extend this feature as an option to everyone? As in getting an email notification (On/Off) and in which situation (Failed/Success/Both)?

It is a feature I would like to see on many websites ; ). It will be interesting to see how often it happens.

Also I'm thinking you might need a subpage called 'super-geeky options' for these kind of uber cool features - excellent, but they could build up after a while.

muppet

2568 posts

Uber Geek

Trusted

#509347 20-Aug-2011 13:58

Given that there's no ecommercse on GZ, I don't think you need to be too paranoid about such things. I mean if my account got compromised, what's the worst that they're going to do? Post a bunch of idiotic crap using my username.

You'd never know I'd been compromised in the first place!

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

dontpanic42

1574 posts

Uber Geek

#509353 20-Aug-2011 13:59

freitasm:
[snip]
So my question is: should I extend this feature as an option to everyone? As in getting an email notification (On/Off) and in which situation (Failed/Success/Both)?

+1 to email notification.
Both would be great. Also with the password they tried to log on with?

gzt: Also I'm thinking you might need a subpage called 'super-geeky options' for these kind of uber cool features - excellent, but they could build up after a while.

another +1 to that as well.

blakamin

4431 posts

Uber Geek
Inactive user

#509356 20-Aug-2011 14:11

Sounds good!

muppet:

You'd never know I'd been compromised in the first place!

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#509357 20-Aug-2011 14:12

gzt: Also I'm thinking you might need a subpage called 'super-geeky options' for these kind of uber cool features - excellent, but they could build up after a while.

We try to geek the number of menu options to a minimum and even then people don't bother reading the first menu on top - I mean, check this.

muppet: Given that there's no ecommercse on GZ, I don't think you need to be too paranoid about such things. I mean if my account got compromised, what's the worst that they're going to do? Post a bunch of idiotic crap using my username.

Agreed anyone logging couldn't spend money here, but could get some personal information such as user name and email addresses, to then try logging in another websites. Lucky we don't store or show passwords in plain text, otherwise this would be another risk.

muppet: You'd never know I'd been compromised in the first place!

No joke Sherlock ;)