Welcome to the Q&A for Question2Answer.


If you just want to try Q2A, please use the demo, which also grants admin access.

Apr 29: Q2A 1.5.2

Higher security?

+1 vote
Currently, login is allowed by email or username. If you enter the username correctly but the password incorrectly, the error shown tells you that the password is incorrect (obviously, because you already know the username).

But from a security standpoint, this might hurt our websites. A hacker can take usernames right out of questions and answers and start brute-forcing the password.

My suggestion is: enable logging in only via email and not by username. This way, each user knows only his own email; a hacker cannot know the email of other users, and therefore has two things to figure out in order to hack an account, both email and password. Then, once someone enters wrong information (either email or password) when trying to log in, the message that is shown should be very general (for example: "Information which was entered is incorrect"), in order to not show the hacker which information he got right and which he didn't.

What do you think?
asked Nov 8, 2011 in Q2A Core by webtom

3 Answers

+2 votes

It is not easy to use brute force as long as you have a login attempt limit (20 per hour by default) in Admin->Spam. You can just make it more strict.

So maybe there is no need to hide usernames while logging in?
answered Nov 8, 2011 by Krzysztof Kielce
I don't think it's really a security issue. The majority of sites on the internet use a public username to log in with, and users' accounts are not hacked constantly. I think you underestimate *how difficult it is* to brute-force a password over the internet, even without all the IP-switching.
I agree with DisgruntledGoat. If you create a strong password, it will take thousands of years to brute force your password.
+2 votes
It's a good idea for sites that are more concerned about security. I'll try to add this as an option in the final release of Q2A 1.5.
answered Jan 14 by gidgreen
Sounds great!
Thank you for your time and work.
+2 votes
Alternatively, how about after 5 failed login attempts, a Captcha form needs to be filled out in order to log in?
answered Jan 14 by edward
The simpler the better.
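The three ideas in this thread (webtom's uniform error message, Krzysztof's per-hour attempt limit, edward's captcha step-up after a few failures) fit together in one login path. The block below is an added example written for this page; it is not Question2Answer code and does not reflect how Q2A stores passwords or counts attempts. The user table, the PBKDF2 hashing scheme, the client-address keying and the captcha threshold of 5 are assumptions; the only number taken from the thread is Q2A's default of 20 attempts per hour. `leaky_login` shows the enumeration oracle the question describes; `LoginThrottle.login` shows the hardened form, including a dummy hash check so that an unknown account costs the same time as a wrong password.

```python
"""Constructed example: uniform login errors plus failure throttling.

Not Question2Answer code. Everything below (user table, KDF, thresholds
other than the 20/hour default) is an assumption made for illustration.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

# Assumed password storage: salted PBKDF2-HMAC-SHA256. The iteration count is
# kept low so the demo runs quickly; production code uses far more, or a
# memory-hard KDF.
ITERATIONS = 30_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# Constructed user table keyed by lower-cased email (the question proposes
# email-only login, which is what is modelled here).
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice@example.com": (_SALT, _DIGEST)}

# Dummy record: the "unknown account" path does the same KDF work as the
# "wrong password" path, so response time does not reveal whether the
# account exists.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())


def leaky_login(identifier: str, password: str) -> str:
    """The behaviour the question objects to: two distinguishable errors."""
    record = USERS.get(identifier.lower())
    if record is None:
        return "no such user"          # confirms the identifier is wrong
    if not verify_password(password, *record):
        return "wrong password"        # confirms the identifier is right
    return "ok"


CAPTCHA_AFTER = 5      # edward's suggestion; the value 5 is from his answer
HARD_LIMIT = 20        # Q2A's default under Admin->Spam, per the first answer
WINDOW_SECONDS = 3600  # "per hour"


class LoginThrottle:
    """Hardened login: one failure message, failures counted per client IP."""

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now  # injectable clock so the window can be tested
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, ip: str) -> Deque[float]:
        """Drop failure timestamps older than the sliding window."""
        q = self._failures[ip]
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def failures(self, ip: str) -> int:
        return len(self._recent(ip))

    def login(self, ip: str, identifier: str, password: str,
              captcha_ok: bool = False) -> str:
        n = self.failures(ip)
        if n >= HARD_LIMIT:
            return "too many attempts, try again later"
        if n >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha required"
        record = USERS.get(identifier.lower())
        salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
        # verify_password runs first so both failure causes cost the same time
        ok = verify_password(password, salt, digest) and record is not None
        if not ok:
            self._recent(ip).append(self._now())
            # Identical text whether the email or the password was wrong.
            return "the information entered is incorrect"
        # A success does not clear the counter: an attacker who owns one
        # account must not be able to reset the limit for the whole IP.
        return "ok"
```

Keying the counter by client address is the simplest choice and matches a per-hour limit in the spam settings, but it is also what the "IP-switching" comment above is about: a distributed attacker gets a fresh budget per address, so a per-account failure counter (or both) is the usual companion to it.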