Ever forgotten your password for e-mail, forums, et cetera?

Posted: Mon Aug 10, 2009 10:14 pm
by talisman
Hello!

I need help putting up a service of my own online. It'll be kind of a portal to various things like my blog, a computing oriented web-forum, picture and audio clip sharing and some other services like BlackBerry content exchange, et cetera. For obvious reasons I want to incorporate a secure login form into the portal and require the user to be registered in order to access some areas of the portal.

My goal is to make the portal as user friendly and "connected" as possible, for the broadest possible target audience and easy integration with Twitter or similar. What I am having a hard time with is the choice I should give for users to recover lost passwords.

Something I know is that security questions do not often work. If one honestly answers the classic "What's your mother's maiden name" then it only takes a pizza delivery boy five minutes to get to know everything about your mother while delivering you the pizza, and then you wonder next morning what happened to your account only to find out there's a new message in your inbox saying "This is for dissing me in high school."

Questions like what's your favorite TV show et cetera can work well, since they are not based on fact. However, if anyone is even slightly like me, my opinions change a lot in little time so while I enjoy CSI: Miami today, tomorrow it might be Law & Order: NY. That's why I feel extremely puzzled when I have to "guess" whichever TV show I liked 2 years ago when setting up my account and then forgot my password.

An option would be to send a reset password to another e-mail inbox, but again if you're like me then you'll use only one for your own personal social activities and maybe one other for school or work, which is heavily moderated and/or limited to the point that you can only read/send messages to/from persons in that school or workplace. I believe if my school blocks MySpace already, then they won't be happy about the fact that I get sent a reset password for my MySpace account into my school e-mail inbox.

Sorry for the long post, but now I'm coming to the actual subject of this message: Have you ever forgotten or lost your password to something important like your e-mail, and if yes, then how difficult was the process to get access back to your account and how comfortable was the process? Also, if it wasn't a comfortable process, what do you believe would have been better/easier for you?

Thank you very much for any input!

Posted: Mon Aug 10, 2009 11:14 pm
by Joakim Christiansen
I once gained access to some account guessing the right answer for "Who is your favorite superhero?". I think any sites using such a system for retrieving lost passwords are stupid and maybe even amateurish (in my opinion).

What I prefer is entering the e-mail I registered with to get an e-mail containing a "password reset" link or just the username and password in plain text.

Anyway, good luck with your project, it sure sounds interesting!
And if you need someone to test the security feel free to contact me (I've "hacked" a couple of websites).

Posted: Tue Aug 11, 2009 12:33 am
by talisman
Exactly what I wanted to hear, thank you very much. I do have a question about this e-mail option. What do you think is the better and safer method; giving an encrypted link for resetting the password, or displaying the username and password in plain text in the message body?

Both have their own problems and I remember having "hacked" some login forms myself by decrypting these password reset links to inject SQL into the database and so gain administrator access. Sometimes this "hacking" can be very simple and not even take five minutes, so it really makes me sad to see that these very websites have been paid for; that a commercial website service can provide its clients such a horribly insecure and weak login form is beyond my understanding.

Since I'm quite addicted to "CrackBerry", most of the portal's content will be BlackBerry oriented and a BlackBerry Browser compatible interface will also be incorporated. I have been thinking of integrating the portal with BlackBerry devices by utilizing the very feature they were built for; namely e-mail. How difficult/secure/wise would it be to make a web-forum that receives new threads and posts via e-mail?

Also, since most of the services will be provided via e-mail, do you think it is good to put activation codes and the like in plain text?

Finally, if anyone is interested in this and has a BlackBerry, can you please reply to this thread and tell me how much of your time you are willing to sacrifice for beta testing the portal? Also, which BlackBerry model you use would be interesting to know. Personally I have only limited devices to test with, currently owning both a BlackBerry 8700c and a BlackBerry Pearl 8110. It will be more challenging to make the portal optimized for the Pearl's 240x160 screen, but as I don't want to rule out trackwheel BlackBerries, the portal may not rely on horizontal scrolling as it will be difficult without a trackball. Any ideas for this?

Thank you VERY MUCH, your help is most appreciated!

Posted: Tue Aug 11, 2009 12:40 am
by Rescator
You might want to consider HTTPS as well, if not you are basically sending the password in plaintext each time you log in.

http://www.startssl.com/ has free basic SSL certificates for server and email use. As far as their forum and CTO's blog says, IE support for the certificates is a few months away. (FF 3.5 and a few other browsers support them today)

Posted: Tue Aug 11, 2009 8:08 pm
by talisman
Rescator wrote:You might want to consider HTTPS as well, if not you are basically sending the password in plaintext each time you log in.

http://www.startssl.com/ has free basic SSL certificates for server and email use. As far as their forum and CTO's blog says, IE support for the certificates is a few months away. (FF 3.5 and a few other browsers support them today)
I've seen that website some time ago, and I'll definitely need to think about using an SSL. If everything works as planned I might as well subscribe for a commercial SSL for added protection, but that's a matter for later.

So it'll be plain text over a secure connection then. Next up is the registration process. How should I make it so that as few spam bots as possible get in? I hate CAPTCHAs with a passion, never going to use them. Also, is there any better way than stuff like "How much is 15 + 2" or "What animal do you see in the picture"? I have quite many clients, mostly Asians with little skill in the English language, who required assistance in signing up for services that needed the user to identify a pictured animal, for instance a cat, and have the user type "cat" in an input field in order to continue. As a non-English speaker myself I find these types of anti-spam measures to be quite rude to people who don't have much skill in English, but would otherwise want to use or contribute to the service.

And sorry if my questions sound stupid!
- talisman

Posted: Tue Aug 11, 2009 9:53 pm
by GWarner
I don't think there's anything particularly wrong with the challenge question and answer system except for the way most places implement it.

One web site I visited a while back actually did it the right way by having you type the question you want asked so you could have it ask anything rather than some canned list of questions.

Posted: Tue Aug 11, 2009 10:06 pm
by talisman
GWarner wrote:I don't think there's anything particularly wrong with the challenge question and answer system except for the way most places implement it.

One web site I visited a while back actually did it the right way by having you type the question you want asked so you could have it ask anything rather than some canned list of questions.
I hate CAPTCHAs with a passion and challenge questions are plain rude for non-English people. I stay with that. Never will I put up a picture of a cat and demand people to write "cat" in an input field. We are not stupid beings and this is not a Sigmund Freud type of test.

Can you link me to this website though, so I can study this type of registration process more thoroughly? First time I've heard of such a system being in use!

Thanks!

Posted: Thu Aug 13, 2009 7:45 pm
by Rescator
While you wait to do SSL you might want to consider http://en.wikipedia.org/wiki/Digest_acc ... entication

HTTP Auth Digest never sends the password across the net.
It basically sends the hash of a hash combined with a nonce.

Basically you would store md5("username:realm:password") in the database; the username and realm act as a sort of salt in this case. This is known as H1.
From this point the server does not need to know the actual password any longer.

The server will tell the browser to do an HTTP Auth Digest; the browser will then ask the user for username and pass and display the realm.
The browser then makes an H1 hash like md5("username:realm:password"), then it hashes that with a nonce, url and method etc. This is known as H2, and it sends that to the server.
The server will take the stored H1 of the user and then do the H2 step on its side and compare its H2 with the H2 sent by the browser.
If they match then whoever this person is knows the secret password (or at the very least the H1 hash), and it should be ok to log them in.

The cool thing is that the H1 hash is never transmitted, only the H2 is.
And best of all, after having created the account, the server can forget the password and just keep the H1 hash stored as the password.

HTTP Digest Authentication has been around for like a decade; it would be very odd if the browsers people use don't support it.
It's been kinda overlooked at times though due to HTTPS, and the fact that plain text is so much easier to do.

Oh, and should you use HTTPS later you won't need to change the login code, as it works just as well under HTTPS as it does under HTTP.

As to captcha etc. *shrug*
Don't worry about it unless you start getting way too spammed.
I'm assuming you mean registration here; a normal temporary confirmation url sent via email should work fine for most. After x hours, if the account hasn't been confirmed, delete the account. Also make sure you can easily evaluate accounts that are made but not used. (Registration bots register; it's rare for bots to use an account, except those times they go into "post spam on forum" mode etc.)

Posted: Thu Aug 13, 2009 8:43 pm
by talisman
Rescator wrote:While you wait to do SSL you might want to consider http://en.wikipedia.org/wiki/Digest_acc ... entication
Very interesting. Never heard of this before, but it definitely sounds like a good system for my web portal.
Rescator wrote:As to captcha etc. *shrug*
Don't worry about it unless you start getting way too spammed.
I've been wondering... How do these bots actually work? I take it that originally they read HTML code and parsed the <form> tag by reading and filtering common IDs such as "name", "email", "address", et cetera. Bots of today might be intelligent enough to try and read the text before or after a form field, so in case an e-mail field has a form ID of "chocolate", the bot will try and see if the word "e-mail" is present before or after the form field and so identify "chocolate" as an input field for the user's e-mail address. Am I correct or just dreaming?

What if an input field, or several input fields, must be left blank in order to continue? Will bots get around this?

Posted: Thu Aug 13, 2009 8:59 pm
by Rescator
Some might; they more than likely use templates instead.
I.e. a phpBB template, a vBulletin template etc.

If you go to my site (my sig below) you'll see I've got a plain feedback form.
I get a few junk messages from that one; apparently there is a bot that thinks it's a forum or a blog or similar, with html tags, urls and some weird characters or language or such.
I haven't decided what to do yet; it's not that often and so I'm collecting them to study the spam patterns.

It's worse when they not only use a template but in addition use custom parameters; they do this on very popular sites. (A few minutes adapting a template to a big site is worth the time obviously.)

You still can't stop spam though, even with captcha. I've seen sites where the accounts seem to be human registered, then they lie dormant for a long time and suddenly a bunch of them start spamming, or every once in a while one wakes up and spams. Just think about it: with an unlimited set of emails, how many accounts could you register on say this forum in um.. 4 hours? A hundred accounts maybe? Then they sell these packages with like "x thousand ready accounts at x hundred high profile sites"; this is a job to these people.

The site you're planning though... It doesn't sound like such a high spam target. There is no way for a user to send a message to all other users, is there? Or discussion threads they can spam in, or a publicly shown blog/comment page they can flood with links?
You'll still have registration spam using the email link verification, but it won't be so bad.

Posted: Thu Aug 13, 2009 9:02 pm
by Henrik
talisman wrote:
What if an input field, or several input fields, must be left blank in order to continue? Will bots get around this?
Hi, I did that with my cousin's guest book, and that worked very well. Before she had about 10+ bots a day, eh, she still does, but now they are filtered out, 'cause they fill out fields - IDs with names like message and email that are hidden, whereas the real fields that people see have some Danish names.
And that's all, no more porn spam in her guestbook. :D

Regards Henrik.
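The hidden-field filter Henrik describes, as an added example that is not code from the thread: the visible fields get unrelated (here Danish) names, the hidden decoys carry the names a template-driven bot expects, and the server rejects any submission that fills a decoy. Field names, the form action and the two sample submissions are constructed.

```python
import html

# Constructed names: visible inputs use Danish names, decoys use the generic
# names a form-template bot looks for.
REAL_FIELDS = {"navn": "Name", "besked": "Message"}
DECOY_FIELDS = ("email", "message", "url")

def render_form(action: str = "/guestbook") -> str:
    """Decoys are hidden with inline CSS, taken out of the tab order and excluded
    from autofill, so a person never sees or reaches them; a bot parsing the
    HTML still finds them and fills them in."""
    lines = [f'<form method="post" action="{html.escape(action)}">']
    for name, label in REAL_FIELDS.items():
        lines.append(f'<label>{label} <input name="{name}"></label>')
    for name in DECOY_FIELDS:
        lines.append(f'<input name="{name}" style="display:none" tabindex="-1" autocomplete="off">')
    lines.append('<input type="submit"></form>')
    return "\n".join(lines)

def classify_submission(form: dict) -> str:
    """'human' if every decoy came back empty, else 'bot:<first decoy that was filled>'."""
    for name in DECOY_FIELDS:
        if form.get(name, "").strip():
            return f"bot:{name}"
    return "human"

# Constructed submissions: what a visitor's browser sends, and what a template bot sends.
HUMAN_POST = {"navn": "Mette", "besked": "Hyggelig side!"}
BOT_POST = {"navn": "", "besked": "", "email": "x@spam.example", "message": "<a href=...>buy</a>"}
```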

Posted: Thu Aug 13, 2009 9:02 pm
by Trond
For password retrieval, have it so that people can either:
A. Enter their email and get sent a reset link
B. Enter their username, and get shown the part of their email address before and including the @, and get sent a reset link.

Personally I prefer to get the password in plain text, but that IS insecure.

About secret question, I always select the one with "what's your pet's name". And no, I don't put the name of my pet in the answer...

In any case, don't EVER put character restrictions on the answer to the secret question. That is just plain evil.

And don't place rigid character restrictions on the passwords either. Don't force people to have both uppercase, lowercase and numbers in the password. They will have to make a difficult password and forget it. And especially, don't ever disallow underscore!

Posted: Thu Aug 13, 2009 10:02 pm
by GWarner
I just use RoboForm.

Every site has a unique randomly generated password that I don't have to remember.

Posted: Thu Aug 13, 2009 11:34 pm
by talisman
Rescator wrote:The site you're planning though... It doesn't sound like such a high spam target. There is no way for a user to send a message to all other users is there? Or discussion threads they can spam in, or a publicly shown blog/comment page they can flood with links?
You'll still have registration spam using the email link verification, but they won't be so bad.
There will be such a service. Because I want to make the system tightly integrated with the e-mail capabilities of BlackBerry devices, I've already developed a subscription based "push discussion" system. You choose a topic, say "Religion", and with an e-mail message you subscribe to it. Then whenever you or anyone else posts a message to this forum, all subscribed members will get to see this message via push e-mail, so it's as real time as possible. This is one of the services I'll be putting up and since there's virtually no way for me to moderate the posts, it must be as spam-free as possible. You see, unless I start hiring people to moderate any submissions before they are sent out to all subscribers, it'll make the "push discussion" slow and dependent on my own uptime.

Another service available will be a web application called "My Universe". You set up a personalized homepage, much like iGoogle, invite others to your Universe and in an expand-collapse fashion you can instantly view others' Universes from your own Universe. To make it more interesting, there will be a "Random Universe" feature which will transport the user to a completely unknown Universe as a way of finding new "digital pen pals". This service requires registration and once your Universe has five more Universes attached to it, it's a link bath from the ground up.

The web portal is not a single service; instead it will be serving multiple services, most of them targeted at mobile phones in general and some BlackBerry exclusive. Most of the concept is far-fetched, but the idea is to start small and then develop upon it once I get the time for it. I've thought of making money out of this as well by having extra add-ons commercial, such as a data sharing or content exchange service with virtual storage quota that integrates with My Universe.
Trond wrote:In any case, don't EVER put character restrictions on the answer to the secret question. That is just plain evil.

And don't place rigid character restrictions on the passwords either. Don't force people to have both uppercase, lowercase and numbers in the password. They will have to make a difficult password and forget it. And especially, don't ever disallow underscore!
Amen. So shall it be then.

Thank you for your help so far!