
Invalid Password inquiry

edited December 2011 in Vanilla 2.0 - 2.8

Hi there. I'm a Mod on a forum and am always getting inboxes on my FB account of users unable to get into our forum. The most common complaint is 'Password Is Invalid' - even when using their FB account to log in. PLEASE help, I'm at a loss as to what to tell people and a search of these forums hasn't yielded any results. Thank you in advance for your time.

Answers

  • Todd (Chief Product Officer, Vanilla Staff)

    The only place in Vanilla where 'Password Is Invalid' occurs is when users are resetting their passwords and don't enter one.

    When people sign in with Facebook and have to enter a password it means that there is already an account associated with their Facebook email and they have to enter its password to link things up. They may be getting confused and are entering their Facebook password rather than the password they entered when creating the account on Vanilla.

    You can ask them to sign in just to Vanilla to make sure they know their passwords and then they can sign out and re-sign in with Facebook to link their accounts.

  • 422 (Developer, MVP)

    They may also be signed into Facebook pages, which causes an issue, but this is a generic Facebook Connect problem.


  • I just switched from phpBB to Vanilla 2.1.

    When I log in with incorrect credentials, Vanilla tells me "invalid password" or "user not found". Why? Wouldn't it be better to return "Username or password invalid" or "Invalid credentials"?

  • This is not really a security concern as the existence of a username in a public forum is no secret.

    I think messages like "Username or password invalid" are less user friendly and annoying.

  • hgtonight (New Moderator)

    In a private forum, returning whether the username/password is invalid is giving up some information.

    I, personally, don't think it matters. But I don't know anything about breaking into user accounts.


  • To me it's common sense to not give up any information, but I'm in QA :).

    Considering many users use the same password everywhere (which they shouldn't) this could possibly be a security issue. (See the recent Dropbox "hack" where the user/password combinations were stolen from other services where these users used the same password. I have seen this before.)

  • Bleistivt (Moderator), edited October 2014

    Even if you do that, as long as registrations are not closed, a hacker can get that information on the register page.

    Interesting read:
    https://www.owasp.org/index.php/Testing_for_user_enumeration_(OWASP-AT-002)
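As an added example that is not part of this thread and not Vanilla's own code, here are the two login behaviours discussed above side by side, written in Python rather than Vanilla's PHP: a leaky check that answers "User not found" and "Invalid password" separately, and a uniform check that answers "Username or password invalid" and does the same hashing work whether or not the username exists, so the response time gives nothing away either. The user table, the PBKDF2 hashing and the `leaks_existence()` probe are constructed for this example. As Bleistivt notes, this only closes the login path; a registration form that reports a username as already taken still reveals the same information.

```python
import hashlib
import hmac
import os
import secrets

# Constructed for this example: PBKDF2-SHA256 stands in for whatever slow,
# salted password hash the real application uses.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for the given password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed sample account table: username -> (salt, digest).
USERS = {"alice": hash_password("correct horse")}

# A dummy record used when the username does not exist, so an unknown
# username costs the same hashing work as a known one.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def login_enumerating(username, password):
    """Leaky variant: the failure message says which field was wrong."""
    record = USERS.get(username)
    if record is None:
        return False, "User not found"
    if not verify_password(password, *record):
        return False, "Invalid password"
    return True, "Signed in"


def login_uniform(username, password):
    """Hardened variant: one failure message, same work on every path."""
    record = USERS.get(username)
    salt, digest = record if record is not None else _DUMMY_RECORD
    # Verify first so the hashing always runs, then also require a real record.
    matched = verify_password(password, salt, digest)
    if record is None or not matched:
        return False, "Username or password invalid"
    return True, "Signed in"


def leaks_existence(login, usernames, password="not-the-password"):
    """Defender's check: if one wrong password yields different failure
    messages across usernames, the endpoint reveals which accounts exist."""
    messages = {login(name, password)[1] for name in usernames}
    return len(messages) > 1


if __name__ == "__main__":
    for label, login in (("enumerating", login_enumerating), ("uniform", login_uniform)):
        print(label, "leaks account existence:", leaks_existence(login, ["alice", "mallory"]))
```

The uniform variant deliberately runs the password verification before checking whether the record was real; short-circuiting on a missing record would restore a timing difference even though the message is the same.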
