XF 1.3 Admin Security

#1
I was wondering if there was a way to change the administrator's account so it can display a name and not the username used to log in to my XenForo install?
 
#3
Not sure how I can elaborate any more than I did...

When I signed up I used a series of characters, as I find that more secure than putting BOB or JOE for a username, but when I post on the forums it shows the series of characters that I chose for my login.

I am wondering if there is a way I can change the display name on my account so that it will show something other than my username.
 

Amaury

Well-known member
#4
Not sure how I can elaborate any more than I did...

When I signed up I used a series of characters, as I find that more secure than putting BOB or JOE for a username, but when I post on the forums it shows the series of characters that I chose for my login.

I am wondering if there is a way I can change the display name on my account so that it will show something other than my username.
Pretty sure you'll need an add-on, which you can search the resource manager for.
 

Mouth

Well-known member
#8
Best practice is to never post using your admin account - keep it unknown. Use another standard or moderator account for posting and public activities.
 
#9
Better practice would be not to display the username for the Admin account (like SMF does); then you don't need to worry about that.

I don't know about other people, but I don't want to leave an admin account dormant on the net that can be accessed while I am using another account.

Moderators also have the same issue: their username is the name on display, so someone could do brute force attempts knowing the username; hell, the same can be said about standard accounts. "Oh sorry for saying all that crap or posting that porn, my account was hacked because my username is my display name", and it's not like people are Wiz's when it comes to picking a password.

Today more than ever we need to take IT Security more seriously, and by fixing the small things like this, that is one less item that can pose a possible problem.

It kind of blows my mind away that a great forum software with a lot of forward thinking like XenForo doesn't have something like changing the display names.
 

Mouth

Well-known member
#10
Today more than ever we need to take IT Security more seriously
... and if you understood this, then you'd know that security by obscurity is no security at all.
If brute force attacks are your concern, then taking security seriously would not mean you want to hide logon/usernames.
 
#11
I am not looking to turn this into a flame post. I asked if there was a solution to what I feel is an issue, and by the looks of it at least one other person in this world agrees with me.

Now you don't have to agree, and to be honest I could care less if you do, but why would I want to give someone who wants to do my site harm 1/2 the puzzle to start with?

"Here is the username, now you just need to figure out the password." vs. "You don't have the username or password."

Neither are 100% secure, but at least with the second method they are going to have to work for it a little harder, and it might discourage some and have them move on.

And I used brute force as a basic example because ANYONE can do that: just download accessdiver or another program and within 10 minutes you're off to the races.
 

erich37

Well-known member
#12
but why would I want to give someone who wants to do my site harm 1/2 the puzzle to start with?

"Here is the username, now you just need to figure out the password." vs. "You don't have the username or password."
You are absolutely correct.


There needs to be a simple way in order to achieve more security.

Things like these should be given top priority.


:cool:
 
#13
I would love to hear the thoughts from the developers on this. As I said, they have a very forward-thinking product here, and I really like and enjoy using it as I continue to use it from day to day.

Maybe there is a restriction that doesn't allow them to do this. I installed 1.3 hoping that maybe it was an upcoming change, but it was not.
 

Mouth

Well-known member
#14
There needs to be a simple way in order to achieve more security.
The simple way is to not post with your Admin account and keep it hidden. Problem solved.
The OP claims that not exposing the username is not giving 1/2 the puzzle - not exposing your admin account at all is not giving any of the puzzle.
 

erich37

Well-known member
#16
The simple way is to not post with your Admin account and keep it hidden. Problem solved.
The OP claims that not exposing the username is not giving 1/2 the puzzle - not exposing your admin account at all is not giving any of the puzzle.
I have already posted a couple thousand threads with my "Admin account".

What do you suggest to do?

:whistle:
 

Jeremy

Well-known member
#19
Having super administrators within the configuration file is a deliberate choice. This requires access to the file system (another login they must determine) to do more damage than just ACP access.
 

xIsabel38

Well-known member
#20
Hi, not sure if this will help at all, but I had an issue where a user was trying to brute force the ACP on SMF by trying to guess the password to the admin accounts.

The whole situation can be pretty nerve-racking, not knowing if the forum will be gone by the time you wake up the next morning.

So I made a post about it here and @tenants answered. Now the "fix" may not be for everyone, especially if you move around or travel a lot. But if you find yourself using your forum at just 1 or 2 locations, then this add-on that @tenants made for me may be of help to you.

Check it out here:
http://xenforo.com/community/resources/xenloginsecurity-ip-address-account-login-security.1194/
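
The idea in the last post, limiting a privileged account's logins to the one or two networks its owner actually uses, can be sketched as below. This is an added example, not code from the linked add-on or from XenForo; the account names, the policy table and the function names are hypothetical, and the addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed sample policy: account -> networks it may log in from.
# Accounts with no entry (ordinary members) are not restricted.
ALLOWED_NETWORKS = {
    "admin-login": ["203.0.113.0/24", "2001:db8:42::/48"],
    "mod-login": ["198.51.100.17/32"],
}


def _normalise(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def login_allowed(account, remote_addr, policy=ALLOWED_NETWORKS):
    """Return (allowed, reason). remote_addr must be the connection's peer
    address, not a client-supplied header such as X-Forwarded-For."""
    networks = policy.get(account)
    if networks is None:
        return True, "no restriction for this account"
    try:
        ip = _normalise(remote_addr)
    except ValueError:
        return False, "unparseable client address"  # fail closed
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True, f"matched {net}"
    return False, "address not on the account's allow-list"


def authenticate(account, remote_addr, password_ok):
    """IP check runs first, so a guessed password is useless off-list."""
    allowed, _reason = login_allowed(account, remote_addr)
    if not allowed:
        return "denied-ip"
    return "ok" if password_ok else "denied-password"


if __name__ == "__main__":
    # Constructed attempts: (account, source address, password correct?)
    for attempt in [("admin-login", "203.0.113.9", True),
                    ("admin-login", "192.0.2.50", True),
                    ("admin-login", "::ffff:203.0.113.9", False),
                    ("member", "192.0.2.50", True)]:
        print(attempt, "->", authenticate(*attempt))
```

Unlike hiding the username, this control still holds when both the username and the password are known, at the cost the post mentions: it only suits accounts that log in from a small, stable set of locations.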