Logging in with Email Addresses (rather than username)

[Marc]

Members , to ensure our community is up with all the best security measures possible, it will no longer be possible to login with Display Names. Instead, you will need to use the email address associated with your account (there are exceptions to this where you use Google or Facebook to login to StereoNET).

 

Predominantly, this change is inline with preventing what is called User Enumeration and a growing problem with online identity hijacking.

This change will also serve as a reminder to users when their email addresses associated with StereoNET change or become redundant. One of the biggest problems we had when StereoNET had a security breach earlier this year was the number of members that could not log back in, as they no longer had access to that email account.

 

What Is User Enumeration?

User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. Two of the most common areas where user enumeration occurs are in a site's login page and its ‘Forgot Password' functionality.

 

More information: https://www.rapid7.com/blog/post/2017/06/15/about-user-enumeration/

 

[Marc]

This change is effective immediately. I don't foresee too many issues with existing logins but if so, we will revert the change, and will need to email all users prior to reenabling this. 

[Bunno77]

Is it possible to change from Facebook login to email?

Thanks

[Marc]

I haven't tried to do that personally so can't answer with 100% confidence. 
Best thing to do would be to try Disassociating your FB account from within your profile.
My hope would be that it comes up and asks you to then enter an email address or similar.

FB does pass through your email to your account registration here, so disassociating alone may just do the trick.

Try it, and if you get stuck at all contact me via email to sort it out. 

[anandpkumar]

Happy to hear of more measures to safeguard our security on this forum

[eman]

My username here now changed to my Facebook actual real name. Don't really want that. 

Not allowed to change 'Display Name' for a day it says.

 

 

 

[Guest thathifiguy]

On 7/22/2021 at 9:43 AM, Bunno77 said:

Is it possible to change from Facebook login to email?

Thanks

This can be done as I did it, though I can't remember how I did it unfortunately.

[tubularbells]

Something's happened in the last handful of hours as my display name has been changed by someone/something and im unable to correct it to what it was so any assistance is appreciated.

 

 

[Marc]

Looks like you were linked with your Facebook account @Doug Johansson?

[tubularbells]

Maybe but have cleared cookies etc, closed browser and re-logged on (using SNA) with the same result. Ive also noticed another member with the same issue so isolated not just to me. anything I can do to fix ASAP as I don't particularly want my full name splashed for all to see. Thanks.

[Marc]

Fixed. PM incoming.

[Jakeyb77_Redux]

9 minutes ago, Tubularbells said:

Maybe but have cleared cookies etc, closed browser and re-logged on (using SNA) with the same result. Ive also noticed another member with the same issue so isolated not just to me. anything I can do to fix ASAP as I don't particularly want my full name splashed for all to see. Thanks.

Satan, Mr Morningstar, Beelzebub? 

[emesbee]

I just logged out and logged back in after clearing cookies, cache, history etc.

 

I'm not having any problems, but it still gives me the options of logging in with my display name or email address. Tried my display name and it still works with that. I am using Chrome browser so I assume that is considered an exception, being a google product?

 

 

Edited July 23, 2021 by emesbee

[tubularbells]

it's reverted back to my full name again and I don't have permission to change.  I haven't done anything since Marc changed for me yesterday so does anyone have any suggestions on how I might prevent this from happening in the future?

[Jakeyb77_Redux]

20 minutes ago, Doug Johansson said:

it's reverted back to my full name again and I don't have permission to change.  I haven't done anything since Marc changed for me yesterday so does anyone have any suggestions on how I might prevent this from happening in the future?

Have you gone into Facebook and deleted the association with Facebook and StereoNet? 
Then log in using your email address and normal password. 

Edited July 24, 2021 by Jack Goff

[Marc]

Getting tempted to remove the FB integration I think. I don't like the fact that FB has the ability to make changes on their end that affects us, without us even knowing or having control over.

27 minutes ago, Doug Johansson said:

it's reverted back to my full name again and I don't have permission to change.  I haven't done anything since Marc changed for me yesterday so does anyone have any suggestions on how I might prevent this from happening in the future?

 

My guess is each time you log back in, it is syncing with FB and pulling your name through. Looking further into it.

[Martykt]

5 minutes ago, Marc said:

Getting tempted to remove the FB integration I think. I don't like the fact that FB has the ability to make changes on their end that affects us, without us even knowing or having control over.

Speaking as someone who doesn't have a Facebook page and doesn't want one or anything to do with them for that matter, what else does Facebook have access too?

 

I was always a little unsure about the Facebook integration and it would be good to have some clarification about this as I certainly don't want Facebook having access to any of my information or SNA account in anyway.

[Marc]

Facebook cannot access anything unless you manually associate your account with an active FB account.

So in your case @Martykt you have absolutely nothing that FB can access.

 

As for what FB can actually access - it's merely passing your FB credentials on to our database for authentication to allow you to use your FB account to login.

On our end, we can't even see what those FB credentials look like nor are they actually stored in our database.

We have a ticket open now with Invision about this ongoing FB sync to prevent it from happening.

[sir sanders zingmore]

1 minute ago, Marc said:

Facebook cannot access anything unless you manually associate your account with an active FB account.

Call me paranoid but I doubt very much if that’s true. Facebook is very very insidious. 

[Marc]

Just now, sir sanders zingmore said:

Call me paranoid but I doubt very much if that’s true. Facebook is very very insidious. 

 

You are correct as my answer was only based on what FB says in its integration guide. I would happily remove the FB integration entirely, however there are many thousands of users using this process.