Forum login is atrocious: claims to accept e-mail, but it doesn't. Locks me out only after three attempts.

[avada]

Hello!

 

Since I didn't see any dedicated website bug section I post here. This really sucks. I always get screwed by it. I naturally enter the e-mail because the username is necessarily variable. (It may be taken...) By the time I figure out why can't I log in I'm always locked out from the forum, because there's only a mere 3 attempts. (As if this is web bank login or something.)

[Ego Eram Reputo]

Uh. Are you logging in or trying to re-register? When logging in I don't get a prompt to enter my email address - only Username and Password.

[toe_head2001]

1 hour ago, Ego Eram Reputo said:

When logging in I don't get a prompt to enter my email address - only Username and Password.

 

I see it.

 

[Ego Eram Reputo]

10 hours ago, avada said:

I naturally enter the e-mail because the username is necessarily variable. (It may be taken...)

 

Um no. The username is particular to you once registered. It's only five letters to enter vs your email address which is significantly more.

[Ego Eram Reputo]

53 minutes ago, toe_head2001 said:

I see it.

 

Ah yes. I've got FF remembering my Username - so I don't see the email prompt.

[avada]

On 2/7/2019 at 11:16 PM, toe_head2001 said:

 

I see it.

 

 

Yes, this. And also the same is displayed on the full login page.

 

Also the 3 tries are needlessly few. This not some website that's a target to hacking. There's no money in hacking an account.

 

23 hours ago, Ego Eram Reputo said:

 

Um no. The username is particular to you once registered. It's only five letters to enter vs your email address which is significantly more.

 

You missed my point. My usernames vary across websites so I don't always know which one to use on websites I don't visit frequently. (Especially if I can't use any of my favored ones).

Also the length of the e-mail address doesn't matter because it's in the form history, since it's a commonly used for logins.

[SodiumEnglish]

46 minutes ago, avada said:

Also the 3 tries are needlessly few. This not some website that's a target to hacking. There's no money in hacking an account.

 

Why would someone lax security just because it's not critical? Three tries I think is a fairly standard practice for sites regardless of the content/purpose.

 

The problem appears to be that you don't remember your login details, not an issue with the forum login system. The login system here isn't much different from others on other social platforms, except lacking something like 2FA of course. 

 

To solve the actual issue here, I think you should take advantage of the username and password saving feature in Chrome (if that's what you're using) or store your login details in a place that you're most comfortable with. Some examples to look at are 1password, lastpass, or if you don't trust online mediums, a local-offline tool keepass. Or just write them down on paper/notecards.

 

However, when trying to log in with just my email it does not appear to work as you've said. Only the username appears to work. It's probably something to be brought up to the forum software InvisionCommunity which this is based off of.

Edited February 8, 2019 by SodiumEnglish

[NinthDesertDude]

Quote

Also the 3 tries are needlessly few.

Wholeheartedly agreed. I'd give 4 attempts, maybe with a warning it will result in a temporary lockout, etc.

Don't forget that Avada brings up that the email address isn't accepted to log in, which is important if true.

 

Quote

Why would someone lax security just because it's not critical?

For usability. We could tighten it down to one attempt, theoretically, and permanently lock out the account on failure until an admin intervenes. That's the most secure solution, but is it good? I'd say not. I'd even go as far as to agree that 3 is too few.

 

You can read more about it; this source has a variety of answers, one of which includes 3 attempts with a 5 minute timeout on failure, and that's for logging into a user account on an operating system; surely more important than this site: https://ux.stackexchange.com/questions/73565/how-many-atempts-should-you-give-a-user-before-invalidating-his-password. So weigh on it critically from both a security and usability standpoint.

 

Probably someone will chime in that it'll be looked at or not in scope, that's fine. Just want to make sure it's known.

Edited February 9, 2019 by Joshua Lamusga

[avada]

11 hours ago, SodiumEnglish said:

The problem appears to be that you don't remember your login details, not an issue with the forum login system. The login system here isn't much different from others on other social platforms, except lacking something like 2FA of course.  

The forum login lies and that alone eats up the three tries... I just mentioned the other as a potential issue.

 

11 hours ago, SodiumEnglish said:

Three tries I think is a fairly standard practice for sites regardless of the content/purpose.

 

I'd say 5 is more the norm, from my experience. Also, usually other logins are nice enough to warn me after the first failed try that I have four tries left.

 

11 hours ago, SodiumEnglish said:

Why would someone lax security just because it's not critical?

 

The measures should be in sync with the value of what it protects as Joshua points out. The forum could force everyone to buy custom hardware keys and take fingerprints from everyone via a security firm while also mandating a 100 character password x number of letters-small-and-large/numbers/special characters. And lock out on the first failure, so you need to personally appear at whichever country/address to restore your credentials (after exhaustive biometric and DNA testing of course)

How could you think compromising this level of security for convenience and monetary reasons?

[avada]

3 hours ago, welshblue said:

Email address isn't accepted - it just tells you the wrong password has been used. (In Chrome at least)

 

Rights or wrongs of only 3 log in attempts is down to forum software ?

 

I'm struggling to understand tho' when you've made 27 posts why you don't just use avada knowing that the email doesn't work ?

Then you won't get locked out. ?  A lot of people say I'm lacking something so I could be missing the point here  🤔

 

You would with 6000+ posts... I made those 27 over years, when I had something to ask or talk about. Usually I only remember what's wrong when I'm locked out.

 

And as you pointed out the forum lies twice. First that I can use the e-mail, and second that I used the wrong password, which also implies that he username was fine.