1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.3 Admin Security

Discussion in 'XenForo Questions and Support' started by MITK, Feb 13, 2014.

  1. MITK

    MITK Member

    I was wondering if there was a way to change the administrators account so it can display a name and not the username to login to my Xenforo install?
     
  2. Amaury

    Amaury Well-Known Member

    Can you elaborate?
     
  3. MITK

    MITK Member

    Not sure how i can elaborate anymore then i did ..

    When i signed up i used a series of characters as i find that more secure then putting BOB or JOE for a username but when i post on the forums it shows the series of characters that i chose for my login,

    I am wondering if there is a way I can change the display name on my account so that it will Show some other then my username.
     
  4. Amaury

    Amaury Well-Known Member

    Pretty sure you'll need an add-on, which you can search the resource manager for.
     
  5. MITK

    MITK Member

    Thank you
     
  6. RoldanLT

    RoldanLT Well-Known Member

    I'm intrested on this also.
    But sadly there's no addon available for this.
     
  7. erich37

    erich37 Well-Known Member

  8. Mouth

    Mouth Well-Known Member

    Best practice is to never post using your admin account - keep it unknown. Use another standard or moderator account for posting and public activities.
     
  9. MITK

    MITK Member

    Better practice would be not to display the username for the Admin account (like SMF does) then you don't need to worry about that.

    I don't know about other people, but i don't want to leave an admin account dormant on the net that can be access while i am using another account.

    Moderators also have the same issue, there username is the name on display so someone could do brute force attempts knowing the username, hell same can be said about standard accounts. "oh sorry for saying all that crap or posting that porn, my account was hacked because my username is my display name" and its not like people are Wiz's when it comes to picking a password.

    Today more then ever we need to take IT Security more serious and by fixing the small things like this that is one less item that can pose a possible problem.

    It kind of blows my mind away, that a great forum software with a lot of forward thinking like Xenforo doesn't have something like changing the display names.
     
    Last edited: Feb 14, 2014
    erich37 likes this.
  10. Mouth

    Mouth Well-Known Member

    ... and if you understood this, then you'd know that security by obscurity is no security at all.
    If brute force attacks is your concern, then taking security seriously would not mean you want to hide logon/usernames.
     
    Amaury likes this.
  11. MITK

    MITK Member

    I am not looking to turn this into a flame post, I asked if there was a solution to what I feel is an issue and by the looks at it at least one other person in this world agrees with me.

    Now you don't have to agree and to be honest i could careless if you do, by why would i want to give someone who wants to do my site harm 1/2 the puzzle to start with?

    Here is the username now you just need to figure out the password. vs You don't have the username or password..

    Neither are 100% secure but at least with the second method they are going to have to work for it a little harder and it might discourage some and have them move on.

    And i used brute force as a basic example because ANYONE can do that, just download accessdiver or another program and within 10 minutes your off to the races.
     
    erich37 and RoldanLT like this.
  12. erich37

    erich37 Well-Known Member

    you are absolutely correct.


    There needs to be a simple way in order to achieve more security.

    Things like these should be given top priority.


    :cool:
     
    MITK likes this.
  13. MITK

    MITK Member

    I would love to hear the thoughts from the developers on this, as i said they have a very forward thinking product here and I really like an enjoy using as I continue to use it from day to day.

    Maybe there is a restriction that doesn't allow them to do this, i installed 1.3 hoping that maybe it was an upcoming change but it was not.
     
    erich37 likes this.
  14. Mouth

    Mouth Well-Known Member

    The simple way is to not post with your Admin account and keep it hidden. Problem solved.
    The OP claims that not exposing the username is not giving 1/2 the puzzle - not exposing your admin account at all is not giving any of the puzzle.
     
  15. Brogan

    Brogan XenForo Moderator Staff Member

  16. erich37

    erich37 Well-Known Member

    I have already posted a couple thousand of threads with my "Admin account".

    What do you suggest to do ?

    :whistle:
     
  17. Brogan

    Brogan XenForo Moderator Staff Member

    Demote it and create a new administrator account.
     
    Amaury and Mouth like this.
  18. erich37

    erich37 Well-Known Member

    So you are saying I should change my current "Admin account" towards a "Moderator account" ?
    And then create a new "Super Admin Account" which I am not using for posting, but just for "Admin-Login" ?


    It is quite uncomfortable to mess around in config.php-files........
    http://xenforo.com/community/thread...ser-to-super-administrator.33274/#post-379632

    :coffee:
     
  19. Jeremy

    Jeremy XenForo Moderator Staff Member

    Having super administrators within the configuration file is a deliberate choice. This requires access to the file system (another login they must determine) to do more damage than just ACP access.
     
  20. xIsabel38

    xIsabel38 Well-Known Member

    Hi, not sure if this will help at all but I had an issue where a user was trying to brute force the ACP on SMF by trying to guess the password to the admin accounts.

    The whole situation can be pretty nerve wrecking not knowing if the forum will be gone by the time you wake up the next morning.

    So I made a post about it here and @tenants answered. Now the "fix" may not be for everyone, especially if you move around or travel a lot. But if you find yourself using your forum at just 1 or 2 locations then this add-on that @tenants made for me may be of help to you.

    Check it out here:
    http://xenforo.com/community/resources/xenloginsecurity-ip-address-account-login-security.1194/
     
    wedgar likes this.

Share This Page