
Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 2:37 pm
by Wes of StarArmy
Lumpy Burgertushie wrote:
Mon Jun 11, 2018 1:58 pm
If phpBB were having security issues I would say maybe this was something to worry about. However, as far as I know there are none, so why worry?
Lack of 2FA -is- a security issue. It is industry standard these days just like TLS is.

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 2:42 pm
by Toxyy
Ger wrote:
Mon Jun 11, 2018 2:32 pm
Well, 2FA isn't really about security of the current phpBB login system itself, that's actually fine as it is. AFAIK it's never been hacked.

2FA is securing the bypasses, e.g. when your email account is hacked, somebody resetting your phpBB account linked to that email etc. Or simply somebody guessing your password or when it's retrieved through a MITM attack, a keylogger or just watching over your shoulder while you type it. 2FA is simply extending the "something you know" (password) with a "something you have" (your phone). The combination of those two required to login makes it way more difficult to breach it.
It's saved me a few times on other forums, actually.

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 3:02 pm
by david63
Why is there a presumption these days that everybody has a mobile/cell phone permanently attached to their body?

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 3:30 pm
by Lumpy Burgertushie
I think we should start a movement to at least have the cable that goes from the cell phone to the user's foot removed.

I finally figured out that must be why, when they pick up the phone, their foot raises off of the gas pedal in the car.

If you can sit in your car and talk to your passenger without slowing down, why can't you talk on the phone without slowing down?


robert

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 4:18 pm
by Ger
People just shouldn't use their phone while driving, but that's another topic.

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 4:50 pm
by Lumpy Burgertushie
People who cannot figure out how to talk and drive should not use their phone while driving.
Remember that the ability to use the phone while driving was one of the main reasons/benefits of the invention of the cell phone.

And you are right, I pulled this off topic so I am done.

robert

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 7:11 pm
by tojag
Ger wrote:
Mon Jun 11, 2018 2:32 pm
2FA is securing the bypasses, e.g. when your email account is hacked, somebody resetting your phpBB account linked to that email etc. Or simply somebody guessing your password or when it's retrieved through a MITM attack, a keylogger or just watching over your shoulder while you type it. 2FA is simply extending the "something you know" (password) with a "something you have" (your phone). The combination of those two required to login makes it way more difficult to breach it.
Nothing more to add. I do not need anything else. Nowadays, you should protect the system from attack because you never know if the hacker no longer steals my password. Double authentication by SMS, key generator or software authenticator is a very good method of securing access recognized by IT systems, banks and others. Only phpBB is immune to changes :)
If I remember correctly, a few years ago the phpBB site was hacked, what was the reason?

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 9:07 pm
by John connor
tojag wrote:
Mon Jun 11, 2018 7:11 pm

If I remember correctly, a few years ago the phpBB site was hacked, what was the reason?
Lack of mod_security from what I read on the hacker's blog. :lol:

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 9:09 pm
by John connor
I use 2FA for everything I can use it with. PayPal, my domain, bank, E-mail provider host, Amazon AWS, CloudFlare, you name it. Then save the backup codes in KeePass, encrypt that database yet again with a 7z AES archive and store that in a cloud provider, my local FTP and on CD.

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 9:27 pm
by Lumpy Burgertushie
John connor wrote:
Mon Jun 11, 2018 9:09 pm
I use 2FA for everything I can use it with. PayPal, my domain, bank, E-mail provider host, Amazon AWS, CloudFlare, you name it. Then save the backup codes in KeePass, encrypt that database yet again with a 7z AES archive and store that in a cloud provider, my local FTP and on CD.
Yes, but not everyone is as paranoid as you are. ;) :D

robert

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 9:42 pm
by John connor
I guess you don't watch or read the news.

"Hacker group steals 15 million user accounts."

"A vulnerability has allowed a hacker to gain access to such and such database."

Or the future post of: "HELP! I've had my database stolen!"

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 9:47 pm
by Toxyy
I already posted this reply... oops

But really though, just because more experienced users might not find it necessary for their smaller forum doesn't mean the inexperienced web admin with a very large forum wouldn't benefit from it, or his users.

Re: Three features you would like to see in 3.3.

Posted: Mon Jun 11, 2018 10:31 pm
by Lumpy Burgertushie
John connor wrote:
Mon Jun 11, 2018 9:42 pm
I guess you don't watch or read the news.

"Hacker group steals 15 million user accounts."

"A vulnerability has allowed a hacker to gain access to such and such database."

Or the future post of: "HELP! I've had my database stolen!"
And how many of those issues were related to phpBB? None? That is my point.

I was just picking at you about paranoid. No offense meant.
Just because you are paranoid doesn't mean they are not out to get ya.
robert

Re: Three features you would like to see in 3.3.

Posted: Tue Jun 12, 2018 2:34 pm
by stevemaury
John connor wrote:
Mon Jun 11, 2018 9:07 pm
tojag wrote:
Mon Jun 11, 2018 7:11 pm

If I remember correctly, a few years ago the phpBB site was hacked, what was the reason?
Lack of mod_security from what I read on the hacker's blog. :lol:
This is incorrect. It is true that access was obtained to the database. However, it had nothing to do with any security vulnerability in phpBB.

Re: Three features you would like to see in 3.3.

Posted: Tue Jun 12, 2018 4:12 pm
by JimA
John connor wrote:
Mon Jun 11, 2018 9:07 pm
tojag wrote:
Mon Jun 11, 2018 7:11 pm

If I remember correctly, a few years ago the phpBB site was hacked, what was the reason?
Lack of mod_security from what I read on the hacker's blog. :lol:
It's quite a bit more complex than that. ;)

However, let's all go back to the topic this was originally about. This is about potential 3.3 features. If we want to discuss the advantages and disadvantages of 2FA, that can get its own topic.