
[bd] Facebook-style Password 0.9

Mimics Facebook's 3-password feature

xfrocks

Well-known member
#1
xfrocks submitted a new resource:

[bd] Facebook-style Password (version 0.9) - Mimics Facebook's 3-password feature

Do you know your Facebook account has 3 passwords? Read more about it here: http://www.labnol.org/internet/facebook-account-passwords/21241/. TL;DR: if your password is "passWORD", you can log into your account with "PASSword" or "PassWORD". This is done because so many people leave their CAPSLOCK on when they type in the password. So, this add-on will check the reversed-case password and the uncapitalized-first-letter password and let the user log in if they match.

A little bit...
 

Robbo

Well-known member
#5
It is secure. But the fact you didn't know worries me. You should know the ins and outs of security on PHP and XenForo...

No idea why you have such terrible method names either? You don't need to prefix them with your add-on ID.

Personally I would have done it differently to you. On register I would have it do the stuff you are doing on login and I would have stored additional hashes for login to compare against. Might be harder that way and probably wrong, I'm not thinking too much about it.
 

xfrocks

Well-known member
#6
What I mentioned in the description may be different from what you are thinking. I meant if the system accepts 3 passwords (instead of only 1), it may reduce the system's security (because it's easier to attack, brute force, etc.). Of course I know for a fact my implementation doesn't leave any back door/exploit open. About the names, I just don't want my add-on to conflict with any other add-ons now or in the future. I think it's good practice. Finally, there are many ways to achieve the same things with different trade-offs; your approach may not work with existing users and will need an additional database field, etc. Life is full of choices :D
 

Robbo

Well-known member
#7
Yeah true. Well, existing users would already know their password works :p And yes, additional database, but that wouldn't hit performance; however, it would make the add-on more complex than it needs to be, I guess.

I suggest you remove the security thing from the description. If people are worried about brute forcing then they will know the risks of this and make the decision regardless.
 

xfrocks

Well-known member
#8
Done! :D
 

Adam Howard

Well-known member
#9
JAMES-BOND-007-ACCESS works for me.

You can view the source code if you want to.
I did something along the lines of

JAMES-bond-007-access

OR

james-bond-007-ACCESS

Upon further review... It seems to work "sometimes"... Which is odd... But I guess that's still acceptable... It's odd though
 

xfrocks

Well-known member
#10
It should work all the time. But if your password is a mixture of text, numbers and symbols like that, just put the capslock on and it should work all the time!
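
The login-time check described in the first post, as an added sketch that is not the add-on's source code: one stored hash, tested against the typed password, its case-reversed form and its first-letter-lowercased form, so existing users need no extra database field. PBKDF2, its parameters and every function name here are assumptions for illustration; XenForo's own hashing is not shown in this thread.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt):
    """Hash the single password the user registered (salt is bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def candidates(typed):
    """Strings tried at login: as typed, case-reversed (Caps Lock left on),
    and first letter lowercased (keyboards that auto-capitalise)."""
    out = [typed]
    for variant in (typed.swapcase(), typed[:1].lower() + typed[1:]):
        if variant not in out:  # e.g. digits-only input has no distinct variants
            out.append(variant)
    return out


def verify(typed, salt, stored):
    """Accept the login if any candidate hashes to the stored digest."""
    ok = False
    for cand in candidates(typed):
        # Constant-time compare and no early exit, so response time does not
        # reveal which variant matched.
        ok |= hmac.compare_digest(hash_password(cand, salt), stored)
    return ok


def accepted_inputs(password):
    """Every typed string verify() accepts for a given registered password.
    This is the enlarged target the thread discusses: up to 3 strings."""
    accepted = {password, password.swapcase()}
    if password[:1] == password[:1].lower():
        accepted.add(password[:1].upper() + password[1:])
    return accepted


if __name__ == "__main__":
    salt = bytes(16)  # constructed fixed salt; use os.urandom(16) per user
    stored = hash_password("passWORD", salt)
    for attempt in ("passWORD", "PASSword", "PassWORD", "password"):
        print(attempt, verify(attempt, salt, stored))
    print(sorted(accepted_inputs("passWORD")))
```

Each failed login costs up to three hash computations, and each guess an attacker submits covers up to three strings, which is the brute-force trade-off raised in posts #6 and #7; rate limiting on failed logins bounds both.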