MyBB Community Forums

Full Version: ACP access control
(2016-10-02, 08:24 PM)thelovelyone Wrote: [ -> ]Or maybe just different passwords for specific parts of the admin cp + the default login.
Disadvantage: If you forget one, rip. :D

Indeed. I may not be an Olympic Medalist, but I have a hell of a mind for remembering passwords.
I don't know. I'd get incredibly annoyed if I'd have to keep entering passwords to access certain parts of the admin cp, on top of already having to sign in to the admin cp itself.
(2016-10-02, 11:55 PM)andrewjs18 Wrote: [ -> ]I don't know. I'd get incredibly annoyed if I'd have to keep entering passwords to access certain parts of the admin cp, on top of already having to sign in to the admin cp itself.

You know, that sort of sounds like something we already do.

Computer: Login please

Email: Login please

Twitter: Login please

Instagram: Login please
(2016-10-03, 02:21 AM)Zaqre Wrote: [ -> ]
(2016-10-02, 11:55 PM)andrewjs18 Wrote: [ -> ]I don't know. I'd get incredibly annoyed if I'd have to keep entering passwords to access certain parts of the admin cp, on top of already having to sign in to the admin cp itself.

You know, that sort of sounds like something we already do.

Computer: Login please

Email: Login please

Twitter: Login please

Instagram: Login please

Yeah but this would be more like:

- turn on PC: login please
- click start menu: login please
- click on Chrome: login please
- go to Twitter.com: login please
- click new tweet: login please
- type your tweet and then hit send: login please

(2016-10-02, 07:59 PM)Zaqre Wrote: [ -> ]
(2016-10-02, 07:21 PM)Josh H. Wrote: [ -> ]Your threat model is so far from reality that I don't know how we can get this through to you.

If you want more security:

1) Full HTTPS - if you aren't already running full HTTPS (and your signature suggests you aren't), you have far bigger problems to worry about than another 2FA PIN in the ACP.
2) HTTP Basic Auth (aka: htpasswd/"Password Protect Directories")

That, on top of having to log in with the correct credentials, will make your MyBB install pretty darn secure.

If someone gets access to your computer for enough time to run a cookie stealer, you're hosed no matter what. Keep your machine secure - encrypt your drive, set it to auto-lock after a short period of time, and have a secure user account password guarding the data on your drive.

https://docs.mybb.com/1.8/administration...rotection/ <-- if you follow this completely, you will never have any problems.

I'm not worried about my forum, I will bet $1,200 USD that no one can even guess where my ACP is at.

It was just a suggestion, and please note, I am not the OP of the thread.

$1200? I'd take that bet. Would be fairly trivial to just brute force the URL
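
The HTTP Basic Auth layer over HTTPS recommended in the quoted post above, written out as an Apache 2.4 `.htaccess` for the ACP directory. This is an added example, not part of the thread or of MyBB's documentation; the directory name `admin/`, the password file path and the user name `acpadmin` are assumptions.

```apache
# Added example: .htaccess inside the forum's admin directory (assumed: admin/).
# Requires Apache 2.4 with mod_ssl, mod_auth_basic and mod_authn_file, and
# "AllowOverride AuthConfig" for this directory in the server config.
#
# Create the password file outside the web root (path and user are assumptions);
# -B stores a bcrypt hash:
#   htpasswd -c -B /home/forum/private/acp.htpasswd acpadmin

AuthType Basic
AuthName "ACP"
AuthBasicProvider file
AuthUserFile /home/forum/private/acp.htpasswd

# Both conditions must hold: Basic credentials are only base64-encoded, so the
# request has to arrive over TLS as well as carry a valid user.
<RequireAll>
    Require ssl
    Require valid-user
</RequireAll>
```

This prompt sits in front of MyBB's own ACP login, so a request to the ACP path without the Basic Auth credentials never reaches the MyBB login form.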
(2016-10-03, 05:20 AM)Tom K. Wrote: [ -> ]
$1200? I'd take that bet. Would be fairly trivial to just brute force the URL

Gotta find it, then gain access to it :) Good luck
(2016-10-03, 05:38 AM)Zaqre Wrote: [ -> ]
Gotta find it, then gain access to it :) Good luck

I'd strongly urge you to stop while you're ahead...
(2016-10-02, 11:55 PM)andrewjs18 Wrote: [ -> ]I don't know. I'd get incredibly annoyed if I'd have to keep entering passwords to access certain parts of the admin cp, on top of already having to sign in to the admin cp itself.

Seconded.

I would, however, like to have 2FA as an option in the core...
Maybe sell a device you can incorporate to your monitor and once it detects your admin eye, you can access the admin cp.

jk lol
(2016-10-03, 05:38 AM)Zaqre Wrote: [ -> ]
Gotta find it, then gain access to it :) Good luck

You said find it ;)
(2016-10-03, 08:49 AM)thelovelyone Wrote: [ -> ]Maybe sell a device you can incorporate to your monitor and once it detects your admin eye, you can access the admin cp.

jk lol

Ha ha ha