
This security theater is unappreciated as it results in more typing


Baenwort


Baenwort

This security theater is unappreciated as it results in more typing.

The reuse of both emails and passwords means that attackers performing a spray attack don't scrape user names but use breach DBs that already have emails.

I can show links and evidence of the use of compiled email and password pairs in breaches and account theft. Can you provide evidence of user name log in being the attack method?

If you are actually trying to improve account security, making MFA easier and more widely supported would be a true improvement. This change is just window dressing that makes people type more without changing actual security.


Baenwort

It would also be more useful if the back end compared entered passwords against breach databases. HIBP has an API (https://haveibeenpwned.com/API/v3) and although I don't know your forum software, the one I use has a plugin that does that checking.

This would improve both old and new accounts against the kind of spam attack you are guarding against and keep you protected without having to do this purge periodically. 

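The breach-database check suggested in the post above, sketched as an added example that is not part of the thread or of any forum software: it uses the k-anonymity range lookup documented with the HIBP API, where only the first five hex characters of the password's SHA-1 leave the server. `fetch_range` is a hypothetical callable standing in for the HTTP request, and the sample response is constructed.

```python
import hashlib
import hmac

def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Return how often the password appears in the breach corpus (0 if absent).

    fetch_range(prefix) is an assumed helper returning the response body for
    GET https://api.pwnedpasswords.com/range/<prefix>: lines of SUFFIX:COUNT.
    Only the prefix is ever passed to it, never the password or the full hash.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) != 35 or not count.isdigit():
            continue  # skip malformed lines rather than trusting them
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count)  # padded filler entries carry a count of 0
    return 0

def accept_new_password(password, fetch_range, threshold=1):
    """Policy hook for registration or reset: reject at or above the threshold."""
    return breach_count(password, fetch_range) < threshold

SEEN_PREFIXES = []  # records what the fake server was sent

def constructed_fetch(prefix):
    """Constructed sample response (not real API data) for offline use."""
    SEEN_PREFIXES.append(prefix)
    known_prefix, known_suffix = split_hash("password")
    if prefix != known_prefix:
        return ""
    return "\r\n".join([
        "0" * 35 + ":0",          # padding-style entry, count 0
        known_suffix + ":12345",  # constructed count for the sample password
        "F" * 35 + ":2",          # unrelated suffix in the same bucket
        "not-a-valid-line",       # malformed line, ignored
    ])

if __name__ == "__main__":
    for pw in ("password", "zq7!Lm-constructed-example-passphrase"):
        print(pw, breach_count(pw, constructed_fetch),
              accept_new_password(pw, constructed_fetch))
```

Running the check at password set or reset time covers both old and new accounts, which is the property the post asks for.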

Good day,

You are still not getting what we have been explaining all week long.

We, among many other sites, found out over the past month that some spammer groups are using old, inactive, zero-post accounts, so it seems highly likely that these account owners have been using the same password/user/email everywhere for many sites; then you get the picture.

As explained in the announcement forum, what the "Member" group is, and we only force a password set for zero-post accounts in that group.

For the record, in the past 11 years since we opened this community, we have never applied a forced password reset for anyone here.

I agree with many: as we used the forum's default email wrapper that comes from the company for the software, we should modify it to better explain why the password reset is needed, as well as to simply direct members to the community forum.

Again, thank you all for the consideration and suggestions.

Thread closed.

My best

 

This topic is now closed to further replies.