Re: ERROR: Invalid Username - Is it?

Posted by Vaughan on 1294580037
My experience on Tim's site when I tried registering was that it wasn't clearly defined what exactly the problem was.

I couldn't register, and didn't know why. But the term "invalid username" just doesn't give enough detail, and it is very confusing because we DON'T have a username on any registration form.

We have Display Name & Login Name, but the error says invalid Username! So which of those was invalid? Psychic head on.

It turned out it was the display name that was invalid & not the login name.

Now I know that can easily be sorted by changing the language definition, so it shouldn't be a problem then.

Then there's the issue of external scripts: I couldn't log in to a site because the site was using uname, which is actually displayname, so I had to log in using the display name and not the login name. Very confusing.

Now onto my opinions regarding this matter, and some may disagree with what I'm about to say.

I think having Login Name & Display Name is completely unnecessary. I was against it then, and I'm afraid it hasn't changed my opinion since. I honestly can't see where the extra benefits of having them are in terms of security.

Brute force??? Hmmm, yeah, an unknown login name prevents it. But as far as I can tell, that is the ONLY reason for it.

Silently locking the account after 3 or 5 failed attempts (either with a timer that can be set in admin, or via email asking the owner to confirm by clicking a link in the email to unlock) is a FAR superior method of stopping brute force.

My proposal to this argument:

1. ICMS users can actually log in to the system using their email address!!! <do people know this???>

2. Get rid of the login name completely, just have the display name for display purposes!

3. Users would then use their email address/OpenID to log in to their sites; this can already be done anyway, so no coding changes are required on that part!

4. Create a function where after x failed attempts, the account is locked (either silently or with a notice) for either x amount of time, or via an email sent to the user's account which they have to confirm to unlock the account, or via admin unlocking it for them.

5. Problem solved!

This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=4577&post_id=41421
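As an added example (not code from the post above, and not ImpressCMS's own implementation), here is one way to build the lockout from proposal 4 on top of email-address login: after `max_failures` bad passwords the account is locked, either for a timed window or until an email token or an admin unlocks it, and a "silent" lock answers exactly like a wrong password. All names (`AuthService`, `LockoutPolicy`, the sample account) are hypothetical; the clock is injectable so the timer can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5      # consecutive failures before the account locks
    lock_seconds: int = 900    # timed lock window; 0 means "until email/admin unlock"
    silent: bool = True        # silent lock: answer like a bad password, reveal nothing


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: Optional[float] = None   # None = not locked; inf = until manual unlock
    unlock_token: Optional[str] = None     # sha256 of an issued one-time unlock token


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; iteration count is kept modest here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Hypothetical email-login service with failed-attempt lockout (not ICMS code)."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email.lower()] = Account(email.lower(), salt, _hash_password(password, salt))

    def _is_locked(self, acct: Account) -> bool:
        return acct.locked_until is not None and self.clock() < acct.locked_until

    def _unlock(self, acct: Account) -> None:
        acct.locked_until, acct.failures, acct.unlock_token = None, 0, None

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'locked' or 'invalid'. Unknown emails and silent locks both
        return 'invalid', so the response does not disclose whether the account exists
        or is locked."""
        acct = self.accounts.get(email.lower())
        if acct is None:
            return "invalid"
        if self._is_locked(acct):
            return "invalid" if self.policy.silent else "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            self._unlock(acct)           # success clears the failure counter
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_failures:
            window = self.policy.lock_seconds
            acct.locked_until = self.clock() + window if window > 0 else float("inf")
            acct.failures = 0
        return "invalid"

    def issue_unlock_token(self, email: str) -> Optional[str]:
        """Create a one-time unlock token for a locked account; the caller emails it to
        the owner. Only the token's hash is stored, so a database read cannot unlock."""
        acct = self.accounts.get(email.lower())
        if acct is None or not self._is_locked(acct):
            return None
        token = secrets.token_urlsafe(32)
        acct.unlock_token = hashlib.sha256(token.encode()).hexdigest()
        return token

    def unlock_with_token(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.unlock_token is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.unlock_token):
            return False
        self._unlock(acct)
        return True

    def admin_unlock(self, email: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None:
            return False
        self._unlock(acct)
        return True


def demo(silent: bool = True) -> List[str]:
    """Constructed walk-through: three bad passwords lock the account, the correct
    password is then refused, and after the timer expires it is accepted again."""
    now = [1_000_000.0]                                   # fake clock, seconds
    svc = AuthService(LockoutPolicy(max_failures=3, lock_seconds=600, silent=silent),
                      clock=lambda: now[0])
    svc.register("alice@example.com", "correct horse")    # constructed sample account
    results = [svc.login("alice@example.com", "wrong") for _ in range(3)]
    results.append(svc.login("alice@example.com", "correct horse"))   # still locked
    now[0] += 601                                         # lock window has passed
    results.append(svc.login("alice@example.com", "correct horse"))
    return results


if __name__ == "__main__":
    print(demo(silent=True))    # silent lock looks like a bad password until it expires
    print(demo(silent=False))   # with a notice, the locked attempt says 'locked'
```

Two design points worth noting: the timed window bounds the lock, so someone hammering a victim's email address cannot keep that user locked out indefinitely, and the email unlock token is stored only as a hash and compared in constant time, the same way the password is.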