Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+2 votes
1.7k views
in Q2A Core by
Currently, login is allowed by email or username. When writing the username correctly but the password incorrectly, the error which will be shown will tell you that the password is incorrect (obviously, because you already know the username).

But, in a security aspect, this might hurt our websites. A hacker can take usernames right out of questions and answers, and start bruteforcing for the password.

My suggestion is: enable logging in only via email and not by username. This way, each user can know only his own email - a hacker cannot know the email of other users, and therefore he has two things to figure out in order to hack an account - both email and password. Then, after completing this step, once someone enters wrong information (either email or password) when trying to log in, the message which will show should be very general (In example: "Information which was entered is incorrect"), in order to not show the hacker which information he got right and which didn't.

What do you think?

3 Answers

+3 votes
by

It is not easy to use brute force as long as you have login attempts limit (20 per hour by default) in Admin->Spam. You can just make it more strict.

So maybe there is no need to hide usernames while logging in?
by
The limit will help if the attacker uses only 1 ip. In most cases, this is not the scenario. Most hackers know how to use proxies and attack via multiple ips (hundreds, thousands).

The scariest attack is on the super admin user - if they hack the password, they own the website. Therefore, it is crucial to defend it at all costs.

I think we should hide the usernames, and allow this double protection as I suggested.
by
Yes, I second above suggestion. Majority of the website follows this strategy and I believe it is way secured. It is always best not to tell which one is incorrect!
by
I third the above suggestion. The current log in process with username etc. is a serious security flaw in Q2A. Any hacker can see the usersnames on the "users" page. Very easy to figure out the super admin username also. Then your site is finished. The log in process should be changed ASAP as per the above suggestions.
by
I don't think it's really a security issue. The majority of sites on the internet use a public username to log in with and user's accounts are not hacked constantly. I think you underestimate *how difficult it is* to brute-force a password over the internet, even without all the IP-switching.
by
I agree with DisgruntledGoat. If you create a strong password, it will take thousands of years to brute force your password.
+3 votes
by
It's a good idea for sites that are more concerned about security. I'll try to add this as an option in the final release of Q2A 1.5.
by
Sounds great!
thank you for your time and work.
+3 votes
by
Alternatively, how about after 5 failed login attempts, a Captcha form needs to be filled out in order to log in?
by
The simpler the better.
...