Can I change my password ?


Moderators: XnTriq, helmut, xnview

minkowski
Posts: 29
Joined: Tue Dec 07, 2010 8:38 am

Can I change my password ?

Post by minkowski »

Where is my profile so I can change my password?
I tried to log in with an incorrect password and was immediately denied a new attempt!
Why is only one attempt allowed?
oops66
XnThusiast
Posts: 2005
Joined: Tue Jul 17, 2007 1:17 am
Location: France

Re: Can I change my password ?

Post by oops66 »

minkowski wrote: Where is my profile so I can change my password?
I tried to log in with an incorrect password and was immediately denied a new attempt!
Why is only one attempt allowed?
Probably to better prevent identity usurpation!
XnViewMP Linux X64 - Debian - X64
XnTriq
Moderator & Librarian
Posts: 6374
Joined: Sun Sep 25, 2005 3:00 am
Location: Ref Desk

Re: Can I change my password ?

Post by XnTriq »

minkowski wrote: Where is my profile so I can change my password?
:arrow: User Control Panel » Profile » Edit account settings
minkowski wrote: Why is only one attempt allowed?
You've actually got three shots to get it right. They are probably used up by a bot that's trying to log into your account.
The admins have already been notified, but there's little they can do:
XnTriq (29/Dec/2010) wrote: Since yesterday phpBB tells me that I've “exceeded the maximum allowed number of login attempts”. Obviously some troll is trying to break into my account. :evil:

I was wondering if you guys have observed this too.
ToonArmy (phpBB Community forums: Password brute force attacks, http://www.phpbb.com/community/viewtopic.php?t=1947925) wrote:
Hello,

Within the last week, it has come to our attention that phpBB.com was unsuccessfully attacked by a malicious party attempting to brute-force account login credentials. This attack was facilitated by a query for "powered by phpbb" on a search engine. Though this attack was not successful as phpBB includes several features to ensure it is not vulnerable to such attacks, users should take measures to ensure that their forums are properly protected.

Attack anatomy

To perform the attack, the attacker registers an account on the forum and tests that the memberlist is available for them to obtain lists of users. The attacker then uses an automated process to log in and download thousands of user names from the memberlist; the attacker here grabbed a little over 5000 user names. After collecting this data the attacker attempts to brute-force account credentials by repeatedly sending login requests to the forum. As the attack does not attempt to solve the invalid login attempts CAPTCHA, it is limited to the number of attempts specified in the "Maximum number of login attempts" configuration option.

Signs

Visible signs of this attack include:
  • Users being required to enter a CAPTCHA after an initial login attempt.
  • Increased server load.
  • Repeated POST requests to ucp.php?mode=login from the same IP address.

Prevention

phpBB provides several tools that enable users to mitigate these efforts.
  • To prevent successful brute-forcing, an administrator may ensure that "Maximum number of login attempts" (accessible via the Administration Control Panel under "Security settings") is set to a small number (the default of 3), ensuring that a CAPTCHA will be required if an excessive number of failed login attempts occur.
  • Furthermore, an administrator may wish to prevent Newly Registered Users from viewing the memberlist. To do this, ensure that the Newly Registered Users group is enabled (accessible via "User registration settings"; ensure that the "New member post limit" is greater than 0), then navigate to Permissions -> User roles -> "Newly registered user" -> Profile -> set "Can view profiles, memberlist and online list" to Never.
  • Additionally, this attack may be mitigated by proper password selection. Ensure that your password (and the passwords of your users) contain letters and numbers and are not common words, phrases, combinations (password, 1234, etc.). Requirements for password complexity for your forum may be set on the "User registration settings" page of the Administration Control Panel.

While it should again be stressed that this attack was not successful, administrators should take the above measures to ensure the safety of their forum and their users.

If you have any questions regarding the implementation of these processes, please create a new topic in the Support Forum.
minkowski
Posts: 29
Joined: Tue Dec 07, 2010 8:38 am

Re: Can I change my password ?

Post by minkowski »

Since there is no way to change the user name, the login could be annoying.
I do not see any reason for this policy.
If you forget your user name and password, you cannot log in.
If you forget only your password you can request a new one and that goes fairly quickly to login again, yet it would be more convenient to be able to create my own password.
XnTriq
Moderator & Librarian
Posts: 6374
Joined: Sun Sep 25, 2005 3:00 am
Location: Ref Desk

Re: Can I change my password ?

Post by XnTriq »

minkowski wrote: Since there is no way to change the user name, the login could be annoying.
I do not see any reason for this policy.
If you forget your user name and password, you cannot log in.
If you forget only your password you can request a new one and that goes fairly quickly to login again, yet it would be more convenient to be able to create my own password.
:shock: You'd like to change your username, because you don't remember it?
:mrgreen: Is that what you're saying?
helmut
Posts: 8705
Joined: Sun Oct 12, 2003 6:47 pm
Location: Frankfurt, Germany

Re: Can I change my password ?

Post by helmut »

As written before, the forum experienced brute force attacks; this is why for some people logging in was only available using a captcha. See XnTriq's long quote above for details.

We use the free forum software phpBB. The way this forum works is the way phpBB works. Please note that due to the brute force attacks we have reduced the number of login attempts to 2.