In terms of password security specifically, yes, but in my experience the actual password is actually rather insignificant in terms of possible attack vectors. Keylogging, hijacking [notably RDP/RAT], and especially account recovery have all proven to be a far larger problem, and each one either reads off or bypasses the need for the password altogether. Account protection in my opinion should address not only cases where accounts are being attacked through the site, but also cases where mistakes on users' parts lead to an attack on the site. Any compromised account is a means toward even more trouble.
When you start talking about key loggers and the like the list of attack vectors becomes endless. I don't believe that it should be IP.Board's job to protect your members from every possible potential account compromise. IP.Board should be providing the basic tools to cover the main attack vectors (remote brute forcing and stolen databases), and then IP.Board, and us as forum admins, should be educating our members on how they can prevent getting their account hacked. Don't click strange links in emails, don't give your forum password to anyone, things like that.
You have to expect that a certain percentage of accounts will be hacked and plan accordingly by limiting the amount of damage a hacked account can do, allowing a member to easily recover a hacked account, and ensuring that whatever damage is done (in the case of moderator / admin accounts being hacked), can be un-done in the least destructive way.
IP.Board already addresses online brute-force attacks sufficiently in my opinion, although it does use a temporary locking mechanism which you seem to dislike.
I'm not a fan of the locked account mechanism because it's unnecessary. There are better options than blocking a legitimate member from using your forum for 15 minutes because someone tried to guess their password.
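One shape the "better options" above can take, written here as an added example rather than anything shipped with IP.Board: instead of a hard 15-minute lock after a burst of failures, each further failure on an account (or from a source address) extends a short, growing wait before the next attempt is accepted. The owner who knows the password waits seconds; a remote guesser is slowed to a crawl, and a successful login clears the account counter without clearing the source-address counter. The thresholds and the in-memory store are assumptions chosen for illustration.

```python
"""Progressive login throttling as an alternative to a fixed lockout (added example)."""
from collections import defaultdict

BASE_DELAY = 1.0      # seconds of wait once the free attempts are used up (assumed value)
MAX_DELAY = 60.0      # cap, so a flood of failures never locks anyone out for long
FREE_ATTEMPTS = 3     # failures tolerated before any delay applies
WINDOW = 900.0        # failures older than this many seconds are forgotten


class LoginThrottle:
    def __init__(self):
        # key -> list of failure timestamps; keys are "acct:<name>" or "ip:<addr>"
        self._failures = defaultdict(list)

    def _recent(self, key, now):
        """Drop failures outside the window and return the ones that still count."""
        stamps = [t for t in self._failures[key] if now - t <= WINDOW]
        self._failures[key] = stamps
        return stamps

    def required_delay(self, key, now):
        """Seconds still to wait, measured from the last failure, before a new attempt is accepted."""
        stamps = self._recent(key, now)
        excess = len(stamps) - FREE_ATTEMPTS
        if excess <= 0:
            return 0.0
        # delay doubles with each failure beyond the free ones: 1, 2, 4, ... up to MAX_DELAY
        delay = min(MAX_DELAY, BASE_DELAY * (2 ** (excess - 1)))
        return max(0.0, stamps[-1] + delay - now)

    def check(self, account, ip, now):
        """(allowed, seconds_to_wait): the larger of the account and source-address delays applies."""
        wait = max(self.required_delay("acct:" + account, now),
                   self.required_delay("ip:" + ip, now))
        return wait == 0.0, wait

    def record_failure(self, account, ip, now):
        self._failures["acct:" + account].append(now)
        self._failures["ip:" + ip].append(now)

    def record_success(self, account):
        # A correct password clears the account's counter only; the source-address
        # counter stays, so a source walking through many accounts gets no reset.
        self._failures.pop("acct:" + account, None)


if __name__ == "__main__":
    th = LoginThrottle()
    for t in range(6):
        th.record_failure("alice", "203.0.113.5", float(t))
        print("after failure", t + 1, "->", th.check("alice", "203.0.113.5", float(t) + 0.25))
```

Timestamps are passed in explicitly so the behaviour is deterministic and testable; in a real deployment the counters would live in the database or cache shared by all web nodes, and the account name used as a key should be the normalised login identifier.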
A fair point regarding international implementation. I'm honestly not sure what complications might arise, though to my understanding SMS standards are international. As long as the message can get out onto the phone networks, the rest should be irrelevant. Your concerns regarding maintenance and administrative setup are probably not significant--the most probable setup I can think of is having a single [okay, or redundant] node hosted at IPS itself responsible for dispatching the keys. Pricing is irrelevant, as only SMS is involved and most providers offer unlimited texting for a flat monthly fee.
To send a SMS from your forum to a user, you have to use a SMS gateway. They all vary in price, and they all cover different parts of the world (some only send to USA numbers, some to all of Europe, some worldwide, etc). But the common factor is that they all charge you to send a SMS through their gateway. If IPS were to host a SMS gateway themselves, they would be charged by their upstream gateway to send SMS messages, so IPS in turn would pass the costs on to us, either through an increased licence fee or as an add-on service. Either way, you can't just hook your mobile phone up to your forum and have it start sending messages for free, someone has to pay for it.
As there are so many SMS gateways available (14+ million from a quick google), IPS would need to pick one or two and develop around their APIs. As those APIs evolve, and change, and companies merge and shutdown, IPS would need to constantly update and test their SMS sending code.
If they were to go down the two-step authentication route, I would much rather they do something along the lines of the Battle.Net Authenticator - http://itunes.apple....d306862897?mt=8
Blizzard use it as a two-step login system for their games and it works great. It's just a simple app to download to your smartphone (they also used to sell physical authenticators, not sure if they still do). It would cut out the SMS gateway hassles and IPS would have much more control. It does of course limit itself to members with smartphones.
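What makes an authenticator app independent of any gateway is that the phone and the server share one secret and each derive the same code from it and the clock. The added example below is a verifier for time-based one-time passwords as specified in RFC 6238; it is not Blizzard's or IPS's code, and the acceptance window of one step either side plus the replay check are design choices assumed for illustration. The test secret is the RFC's own test vector key.

```python
"""TOTP (RFC 6238) generation and verification, the mechanism behind app-based authenticators."""
import base64
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step, the value authenticator apps conventionally use
DIGITS = 6


def totp(secret_b32, for_time, step=STEP, digits=DIGITS):
    """Code for the time step containing `for_time`, from a base32-encoded shared secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, now, last_used_counter=None, window=1):
    """Return (accepted, counter_to_store).

    Accepts the current step or one step either side to absorb clock drift, and
    refuses any step at or before the last one already used so a captured code
    cannot be replayed inside the window.
    """
    counter = int(now) // STEP
    for offset in range(-window, window + 1):
        candidate = counter + offset
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(totp(secret_b32, candidate * STEP), submitted):
            return True, candidate
    return False, last_used_counter


if __name__ == "__main__":
    import time
    # constructed demo secret; a real one is generated per user and shown once as a QR code
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(demo_secret, time.time()))
```

Because verification needs nothing but the stored secret and the server clock, it runs entirely inside the forum; the only thing that ever crosses a network is the six-digit code the member types in. Store `counter_to_store` per user after each accepted login so the replay check works across requests.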
...First, in the event of a compromise, there is a huge pressure to quickly gain control after discovery. You probably don't know how it happened or how far it may have spread--the ability to lock all of your staff out (or particular groups) until you can establish the situation and verify identities would be immensely helpful.
I would have thought that the best option in this case would be to shut down the forum completely while you figure out what has happened, and how to recover from it? I'm not sure why you would want to keep your site online after it has been compromised.
In my opinion, security is by far significant enough to warrant core inclusion, especially in this case. The cost of development for such a thing is fairly low, probably only a couple hours depending on how extensive the implementation is. The benefits are that every single IPS-powered community is able to improve their own security, potentially drastically.
Although the final code might look like it only took an hour or two to write, the reality is far different. A feature like this, which impacts every user on every forum needs a lot of discussion to start. How should it be implemented, where should it be implemented, how will it affect existing users, what about password changes for existing users, what about 3rd party users, via Converge or social networks, what happens to existing passwords if the admin changes the rules a week later. All of these things, and more, need to be discussed by the IPS developers, then written plans need to be made to document it all, then someone needs to start working on the implementation. They may end up with 200 lines of perfectly crafted code but to get to that point they probably wrote 2,000 lines of awful buggy code and refined the hell out of it. Then it needs to be tested against every possible item that was brought up in the planning stage, probably via unit tests but also with manual testing.
So whilst it looks to us like someone knocked out a bit of code in 2 hours, the reality is that it took an IPS developer a week to plan, implement and test.
By some means, an administrator loses control of their email account--or maybe they registered with an old email that was since deleted and can be re-registered. [Yes, I've seen it happen.] By means of a simple recovery request, the person who once had only an email account suddenly has full access to the entire community and even the Admin CP.
It's an interesting situation, it has never occurred to me that something like this would happen. Does having this option then open up other admins to social engineering attacks? It would be simple for me to create a hotmail account under the name of one of your moderators, find the stupidest looking admin I could, then email them pretending to be your mod and asking for a password reset.
I've a feeling that having a human link in the reset chain could cause a lot more problems than it would solve.
Staff members are people who are plugged in and almost certainly know other staff members well regardless. In the odd case that they do somehow lose their password, it is far preferable to have them go to another administrator and be personally vetted in order to regain access.
Would they personally vet them though? These are the same people that don't bother to update their email addresses or use strong passwords. I've a feeling that most admins would either ignore an email asking for a password reset or just blindly do it when presented with a well-forged email.
...Although yes, that information is most likely also logged by other means, in my experience it is far less accessible if even accessible at all. In our case, our servers have always been managed for us, and even if the access logs are available, there's simply too much volume to produce much useful information.
Is this just a case of not using the right tool for the job though? Many years ago I worked as Server Operations Manager for a managed hosting company in the UK and we wrote a bunch of tools that allowed us to quickly, and visually, search, and extract information from log files. Our servers got hacked daily so we put a lot of effort in to writing the tools we needed to make sure our customers could recover quickly.
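The kind of tool being described, in miniature and as an added example (not the tooling from that hosting company, and not anything IP.Board ships): a parser over a login audit log that reduces raw volume to the questions an admin recovering from a compromise actually asks. The log format and every line in it are constructed for this example; real applications log logins in their own formats, so the regular expression is the part to adapt.

```python
"""Summarising failed logins from an application login log (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Constructed sample in a hypothetical "<timestamp> login result=<OK|FAIL> user=<name> ip=<addr>" format.
SAMPLE_LOG = """\
2014-02-03T10:01:02Z login result=FAIL user=alice ip=203.0.113.5
2014-02-03T10:01:05Z login result=FAIL user=bob ip=203.0.113.5
2014-02-03T10:01:08Z login result=FAIL user=carol ip=203.0.113.5
2014-02-03T10:01:11Z login result=FAIL user=dave ip=203.0.113.5
2014-02-03T10:02:00Z login result=FAIL user=admin ip=198.51.100.7
2014-02-03T10:02:03Z login result=FAIL user=admin ip=198.51.100.7
2014-02-03T10:02:06Z login result=FAIL user=admin ip=198.51.100.7
2014-02-03T10:02:09Z login result=FAIL user=admin ip=198.51.100.7
2014-02-03T10:02:12Z login result=FAIL user=admin ip=198.51.100.7
2014-02-03T10:02:15Z login result=OK user=admin ip=198.51.100.7
2014-02-03T10:05:30Z login result=FAIL user=alice ip=192.0.2.9
2014-02-03T10:05:40Z login result=OK user=alice ip=192.0.2.9
this line is not a login record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(text):
    """Return one dict per well-formed line; malformed lines are ignored rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, spray_threshold=3, brute_threshold=5, success_after_fails=3):
    """Three views an admin wants during recovery.

    spraying_ips:          one source failing against many different accounts
    brute_forced_accounts: one account collecting many failures
    suspicious_successes:  a success from a source that had just failed repeatedly
                           on that same account (a guess that eventually landed)
    """
    fails = [e for e in events if e["result"] == "FAIL"]
    failures_by_ip = Counter(e["ip"] for e in fails)
    failures_by_account = Counter(e["user"] for e in fails)
    failures_by_pair = Counter((e["user"], e["ip"]) for e in fails)
    accounts_per_ip = defaultdict(set)
    for e in fails:
        accounts_per_ip[e["ip"]].add(e["user"])

    spraying = sorted(ip for ip, accts in accounts_per_ip.items() if len(accts) >= spray_threshold)
    brute = sorted(u for u, n in failures_by_account.items() if n >= brute_threshold)
    suspicious = sorted(
        (e["user"], e["ip"]) for e in events
        if e["result"] == "OK" and failures_by_pair[(e["user"], e["ip"])] >= success_after_fails
    )
    return {
        "failures_by_ip": dict(failures_by_ip),
        "spraying_ips": spraying,
        "brute_forced_accounts": brute,
        "suspicious_successes": suspicious,
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The thresholds are assumptions for the sample; on a busy board they would be tuned against normal traffic, and the same counters are what a throttle or an alert would key on. The "suspicious success" view is the one worth reading first after a compromise, since it points at accounts whose password was most likely guessed rather than stolen elsewhere.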
This is definitely an interesting topic, a discussion on how to improve security is always a worthwhile one.