The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Comments
#22
I have updated my version, attached in Post #17 (above), to incorporate some suggestions from Parker Clack. The change basically checks to see if the person has a secret question/answer before it tries to take the person through the process of answering the secret question.
LoveShack, I'm not sure if I understood what you meant by your Point #1 above. Whether the system uses predefined questions or lets users make up their own questions, either way, the question is going to be visible to anyone who wants to see it. I think if the user can make up his own question/answer, he/she is more likely to use something that he/she can easily remember. Either way has advantages and disadvantages. I happen to like the way I did it, which is why I did it that way; you want it another way, and are going to code that for yourself, so now, like Parker said, we will have even more choices! (BTW, the added complexity that you alluded to at the end of your post is part of the reason why I avoided going that way!)
I agree that making everything work as lower-case would be a good idea, and I'll work that in sometime tonight, and update my post again.
Regarding your Point #3, I understand what you're saying...I think that using unencrypted answers might be a better idea if you're using predefined questions, per your other suggestion. But for my version, allowing the user to make up his own question, I don't think many people would be too keen on the idea of putting in a question like, "What is my mother's maiden name?" if they know that I'll be able to see the answer. I could take that answer and use it to find out all kinds of things about that person and commit all kinds of fraud. Not that I would, of course, but what I'm saying is that some people will know that that kind of thing is possible. If you use a predefined question you could make a question that people wouldn't care if the board owner could see the answer or not.
This is the same kind of debate, pretty much, that raged when vBulletin switched the password system to MD5, as well. There are some advantages to being able to see the passwords. But having them be encrypted was deemed to be more important, so I figured those reasons pretty much applied here, too.
#23
Hi,
Quote:
Quote:
Quote:
Quote:
Encrypting the answers would mean that Mrs. Johnson != Mrs Johnson != Harriet Johnson != Miss Johnson, simply because you couldn't visually make a determination as to what the correct answer is supposing the person e-mailed you.
After evaluating this hack and taking all these situations into consideration, my development team decided that this was creating more of a problem than it was potentially solving. A good hack for those who want such a system though. Kudos for creating it.
Paul
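An added example, not part of the original thread or of any of the hacks posted in it: normalizing a secret answer before hashing it, so that case, punctuation and spacing differences still verify while the stored value stays unreadable to the board owner. The function names, the salted PBKDF2-HMAC-SHA256 choice (in place of the MD5 the thread mentions), the work factor and the sample answers are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def normalize_answer(answer):
    """Fold case, drop ASCII punctuation and collapse runs of whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = "".join(ch for ch in text if ch not in string.punctuation)
    return " ".join(text.split())


def hash_answer(answer, salt=None):
    """Return (salt, digest) for the normalized answer; a new salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate, salt, stored_digest):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def check_variants(enrolled, variants):
    """Enroll one answer, then report which candidate spellings verify against it."""
    salt, stored = hash_answer(enrolled)
    return {v: verify_answer(v, salt, stored) for v in variants}


# Constructed sample input, built from the names used in post #23.
SAMPLE_VARIANTS = [
    "Mrs. Johnson", "mrs johnson", "  MRS.  JOHNSON ",
    "Harriet Johnson", "Miss Johnson",
]

if __name__ == "__main__":
    for variant, ok in check_variants("Mrs. Johnson", SAMPLE_VARIANTS).items():
        print(f"{variant!r:22} -> {'match' if ok else 'no match'}")
```

Normalization absorbs formatting differences only; a semantically different answer such as "Harriet Johnson" still fails and falls back to manual support.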
#24
The "added security" that would allegedly result from making the user select a question from a drop-down box, in addition to having to correctly answer that question, is, in my opinion, not truly any more secure of a system than just having a secret word, as the original form of this hack was, except that now the user has to remember two things, the question and the answer, as opposed to just one, and let's remember, the user is doing this in the first place because he couldn't remember something. The whole point of the question, at least the way I see it, is that it's there to help jog the memory of the user. The way my version works isn't really any different from the way Parker's original version works; the user has to remember one thing, whether it's called a "secret word" or "secret answer". The question serves no practical purpose as far as how this system works is concerned; its sole purpose is to help the user remember what his secret word (or "answer") is.
Quote:
I understand what you're saying about having the answer encrypted. This debate as to the value of leaving it in plain text has already taken place, when the vB team switched the password system to use encryption. So believe me, I understand; I've seen it all before.
My point of view is this. The user will be using this system because he couldn't remember his password. If he can't remember his password, why should I think he'll have better luck remembering a question that might be meaningless to him personally, and the answer to that as well? This is why I want the user to be able to make up his own question, because it will most likely be something that means something to him. And because the question means something to him, so will the answer, and it won't be something he's likely to forget. For the user to feel comfortable using such a personal question, he needs to feel secure that his answer is secure.
There is no way that this can create "more of a problem" than it is solving. Without this system, if a user forgot his password, he was going to be contacting you for help. This system gives the user a fall-back system to use in case he forgets his password, that potentially allows him to recover from the situation without needing to contact you. If he can't remember his secret answer and can't get in, he's going to contact you. It's not like this system is going to make people contact you when they would otherwise have had no reason to do so.
So, like I said, we have choices. Anyone who likes my version can use mine; anyone who likes Parker's version can use his; anyone who likes whatever you might post can use yours; and anyone who wants something else that's slightly different from anything we've done so far can either make it themselves, or suggest it here and maybe one of us will incorporate that suggestion into a new version.
#25
I have made changes to the admin/user.php file in both versions of the hack that I wrote. The only difference between the two files is that one encrypts the secret word and the other one doesn't.
If you have already installed the hack the only changes that were made were to the admin/user.php file. The rest of the hack is unchanged. This was necessary as the script as written was overwriting the secret word if you used the admin control panel to change any of the member's information or after a member signed up.
If this is the first time you have installed this hack then just follow it as outlined in the hack.
Remember to make backups of any of the files that you have changed.
I apologize for any inconvenience that this might have caused.
Parker