When you login into the Admin CP, you have to login, and it has a button that says "Forgot Password." This is an excellent way to get hacked, I heard.
I'd hate it if my website got hacked. Also, a good idea is to make it so that you have to answer a secret question to get to the Admin CP. This just adds another layer of security, and you can never have enough layers of security. Until these changes are used, I will be using Simple Machines as I don't want my website to be hacked. But as soon as it is changed, or the newest version of MyBB releases, I will try it out!
(2012-03-17, 04:24 AM)1912RamblerFan01 Wrote: [ -> ]When you login into the Admin CP, you have to login, and it has a button that says "Forgot Password." This is an excellent way to get hacked, I heard.
Only if the attacker has access to your email account, in which case you've already been hacked. Don't believe everything you're told because there is no real logic to that statement.
If you use poor passwords for either your MyBB account or email account then you're already in trouble.
The "Forgot Password" feature is not flawed unless your accounts are already compromised.
(2012-03-17, 04:24 AM)1912RamblerFan01 Wrote: [ -> ]When you login into the Admin CP, you have to login, and it has a button that says "Forgot Password." This is an excellent way to get hacked, I heard.
I'd hate it if my website got hacked. Also, a good idea is to make it so that you have to answer a secret question to get to the Admin CP. This just adds another layer of security, and you can never have enough layers of security. Until these changes are used, I will be using Simple Machines as I don't want my website to be hacked. But as soon as it is changed, or the newest version of MyBB releases, I will try it out!
I don't have to click on "forgot password" in admin CP login page to hack your account.
I can do it in the forum's login page itself. Both the ways work the same, and as others said, unless you Email account was already hacked, both the "Forgot password" won't help the hacker.
(2012-03-17, 04:24 AM)1912RamblerFan01 Wrote: [ -> ]This is an excellent way to get hacked, I heard.
No offense but I think when you end something like what I bolded it proves you probably know nothing on the subject.
Do some real research and get back to us
.
I almost want go bet it was an SMF fan that said that to you. MyBB is a very secure forum software... If that was actually a vulnerability, hackers would use it to hack every MyBB forum of the Internet (well, not quite — but...). You can add an ACP pin/extra passcode to make the admin login page more secure, set up directory authentication/protection, etc.
MyBB can be very, very secure if you take a few minutes of time to enable a few things.
Not that I don't agree that that link should not be there (someone who cannot remember their password has no business logging into the Admin CP -- this feature should only be available on the regular user level), that is some pretty ridiculous reasoning. Probably should leave those decisions to people who actually know what they are talking about.
(2012-03-17, 08:58 PM)Uncontrol Wrote: [ -> ]someone who cannot remember their password has no business logging into the Admin CP
Why? And what advantage would be gleaned from removing it anyway? What if you happen to manage a few dozen different forums with different passwords? It's just a convenient feature should anyone not remember their password, and it has literally no downside or security vulnerability.
(2012-03-18, 03:59 AM)Malphas Wrote: [ -> ] (2012-03-17, 08:58 PM)Uncontrol Wrote: [ -> ]someone who cannot remember their password has no business logging into the Admin CP
What if you happen to manage a few dozen different forums with different passwords?
Then you get a password manager.
The link is on the regular login page anyways so I don't see what your point is.