Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: daniel1212

Good to hear from you. Hope you have been well. :)

I think email confirmation after a period of non-use is a good option for sure, maybe a month like was already mentioned. But you wouldn’t want to hassle everyone with it to log in every day. But making it default as “Remember me” is a big problem. On our site this is forced to expire after a set number of hours even if users choose the remember me option. We have to be honest, logging back in is not actually that much work. And a limit of login attempts and a waiting period for the wrong password three times in a row would be good. And/or an email confirmation after three failed attempts.

I think a lot of this worry comes from the habits of the users themselves. Strong passwords, clearing tracking cookies religiously, and using script blockers would go a long way to making their own accounts more secure. I don’t think the site is the problem so much as hitchhiking scripts from other websites logging usernames and passwords when we sign in. The FR can’t stop that; we have to ourselves.

Google is the worst about this as I pointed out with a post here one time. And you don’t have to go to Google. They have spyware on just about every site on the global internet. Land on one of these sites with hidden Google scripts and you are already compromised. All they have to do is hand that to a human and bingo the FR has a new user with an old name.

The problem is a difference between human users and bots. Bots can be dealt with fairly easily with a “honeypot” login which can be implemented. Same with auto AI login. But humans are the real problem. They are hard to deal with if they get the password. There is no way to keep them from getting the usernames because the front end is open to the public.

But now that this has been mentioned, removing “public” access to profile details and posting history of users is a huge issue. This is how they find out who a missing user would be. To leave this information wide open to the general public without being logged in is a practice that has not been done for a long time now in the industry. It really is not the general public’s business; it is only community business. If they want to know more then join and log in...

But with all that said I was thinking about this today. First let me say I absolutely love this old light webscript still being used after all these years. It was one of my first comments after I joined here. It is the ultimate in old school simplicity and a lot of the members love it. So to keep it simple there is a way to prevent any compromises that would be pretty simple but it would take a minute of effort from admin or a mod once a week...

Assuming “Remember me” times out after a number of hours. An additional field could be added to the login page. This additional field would require an additional secret second password distributed from the site to members once a week. The distributed password for the second field would be good for the following week. A logged in member only can see and find the link to this weekly password. And if it is not also filled in correctly three times it defaults to a waiting period and/or email confirmation.

So two passwords, one from the user and one secret distributed from the site itself. Or it defaults to a waiting period and/or email confirmation. And the second password could just be a long randomly generated number users could copy and paste to their notes for the week. Just a thought...


285 posted on 03/16/2025 4:09:35 PM PDT by Openurmind
[ Post Reply | Private Reply | To 267 | View Replies ]
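
As an added example (not part of either post and not Free Republic's code), here is a sketch of the login flow post 285 proposes: a personal password plus a site-distributed weekly code, with a waiting period after three wrong tries in a row. The names `LoginGate` and `weekly_code`, the 15-minute lockout, and deriving the weekly code by HMAC instead of storing a random number are all assumptions of this sketch; the email-confirmation fallback is left out.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 3           # from the post: three wrong tries in a row
LOCKOUT_SECONDS = 15 * 60  # assumed waiting period; the post names no figure
WEEK = 7 * 24 * 3600

def weekly_code(site_key: bytes, now: float) -> str:
    # Assumption: derive the weekly second password from a site key and the
    # week number instead of storing a fresh random value each week.
    week_no = str(int(now // WEEK)).encode()
    return hmac.new(site_key, week_no, hashlib.sha256).hexdigest()[:20]

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    def __init__(self, site_key: bytes):
        self.site_key = site_key
        self.users = {}     # name -> (salt, password hash)
        self.failures = {}  # name -> (consecutive failures, locked_until)

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _hash(password, salt))

    def login(self, name, password, code, now) -> str:
        count, locked_until = self.failures.get(name, (0, 0.0))
        if now < locked_until:
            return "locked"  # waiting period applies even to correct input
        # Unknown names still get hashed so timing does not reveal them.
        salt, stored = self.users.get(name, (b"\0" * 16, b""))
        pw_ok = hmac.compare_digest(_hash(password, salt), stored)
        expected = weekly_code(self.site_key, now)
        code_ok = hmac.compare_digest(code.encode(), expected.encode())
        if pw_ok and code_ok:
            self.failures.pop(name, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[name] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[name] = (count, 0.0)
        return "denied"  # same answer whichever field was wrong
```

Because the weekly code is shared by every member, it only raises the bar against outsiders who hold one stolen password; the per-account failure counter is what limits guessing.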


To: Openurmind

But you wouldn’t want to hassle everyone with it to log in every day. But making it default as “Remember me” is a big problem.

I never have to log in to FR except with a new browser, but I have been a single user for decades.

I think a lot of this worry comes from the habits of the users themselves.

Exactly.

Google is the worst about this as I pointed out with a post here one time. And you don’t have to go to Google.

Yet Google does seem to take security seriously as regards outside threats. If I login on a different browser or PC then it tells me, and last week it told me of some of my info being on the dark web. And it has called me even on a landline with a one-time passcode sometimes.

I absolutely love this old light webscript still being used after all these years. It was one of my first comments after I joined here. It is the ultimate in old school simplicity and a lot of the members love it. So to keep it simple

Indeed, thank God. As said, an edit feature would be good, but for a desktop user at least, it is superior to any forum I have been on.

Assuming “Remember me” times out after a number of hours. An additional field could be added to the login page. This additional field would require an additional secret second password distributed from the site to members once a week.

I think most would object.

294 posted on 03/16/2025 4:44:14 PM PDT by daniel1212 (Turn 2 the Lord Jesus who saves damned+destitute sinners on His acct, believe, b baptized+follow HIM)
[ Post Reply | Private Reply | To 285 | View Replies ]

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson