~~~ Please read before posting. ~~~
Important: We need your Club Number at a minimum, and as many details as possible.
For further info please read
This page
before posting.
Do not show pop-up with users on the login screen
- tm123
-
Topic Author
- Offline
- New Member
-
- Posts: 4
- Thanks: 0
Do not show pop-up with users on the login screen
9 months 2 weeks ago
When loggin in there is this functionality that shows member names after typing first 4 characters:Enter your E-mail, Name, or Username, then select your Name or Username from the pop-up list that displays.
I don't think it's a good idea - it's leaking the names of all the members, even if they choose not to make their name public.
I didn't find anything in the settings to disable this behaviour.
I would suggest to remove it completely.
I don't think it's a good idea - it's leaking the names of all the members, even if they choose not to make their name public.
I didn't find anything in the settings to disable this behaviour.
I would suggest to remove it completely.
Please Log in or Create an account to join the conversation.
- NotLiable
-
- Offline
- FreeToastHost Ambassador
-
- Posts: 249
- Thanks: 37
Re: Do not show pop-up with users on the login screen
9 months 2 weeks ago
The pop-up list that displays is an auto-complete feature in the underlying code. While yes, it does show names of members who have chosen not to make their profile public (which only shows name and member/officer status as a minimum), I don't see where this is terribly problematic. Are those members, for whatever reason, totally reluctant to even admit that they are club members?
Yes, you are correct, that there is presently no disable setting, but again, I fail to see how this make-it-faster-and-easier-for-me-to-log-in feature is so troubling.
Yes, you are correct, that there is presently no disable setting, but again, I fail to see how this make-it-faster-and-easier-for-me-to-log-in feature is so troubling.
Please Log in or Create an account to join the conversation.
- tm123
-
Topic Author
- Offline
- New Member
-
- Posts: 4
- Thanks: 0
Re: Do not show pop-up with users on the login screen
9 months 2 weeks ago
To make it simple - it is not about user's preference - it is a security risk. It allows potential attacker to gather valid user names and then use another attack (ie password staffing) to break into that account.
Do not just believe me - have a look at "Account Enumeration" vulnerability, for example:
owasp.org/www-project-web-security-testi...essable_User_Account
www.virtuesecurity.com/kb/username-enumeration/
Please consider removing it from the code completely.
Do not just believe me - have a look at "Account Enumeration" vulnerability, for example:
owasp.org/www-project-web-security-testi...essable_User_Account
www.virtuesecurity.com/kb/username-enumeration/
Please consider removing it from the code completely.
Please Log in or Create an account to join the conversation.
- Brian
-
- Offline
- Administrator
-
- Posts: 10602
- Thanks: 3566
Re: Do not show pop-up with users on the login screen
9 months 2 weeks ago - 9 months 2 weeks ago
Your issue has already been addressed. Those who do not want their name exposed can use the Username option.
Last edit: 9 months 2 weeks ago by Jane Atkinson.
The following user(s) said Thank You: Jane Atkinson
Please Log in or Create an account to join the conversation.
Moderators: Brian, Pam, rhtaylor3, marc33, NotLiable, jgavin, Lcala305, Jane Atkinson, peterb323
Time to create page: 0.646 seconds
Copyright © 2025 FreeToastHost 3 Support. All Rights Reserved.