avada

Forum login is atrocious: claims to accept e-mail, but it doesn't. Locks me out only after three attempts.


Hello!

 

Since I didn't see any dedicated website bug section I post here. This really sucks. I always get screwed by it. I naturally enter the e-mail because the username is necessarily variable. (It may be taken...) By the time I figure out why I can't log in I'm always locked out of the forum, because there are only a mere 3 attempts. (As if this is a web bank login or something.)

Link to post

Uh. Are you logging in or trying to re-register? When logging in I don't get a prompt to enter my email address - only Username and Password.

Link to post
1 hour ago, Ego Eram Reputo said:

When logging in I don't get a prompt to enter my email address - only Username and Password.

 

I see it.

 

forum-signin.png

Link to post
10 hours ago, avada said:

I naturally enter the e-mail because the username is necessarily variable. (It may be taken...)

 

Um no. The username is particular to you once registered. It's only five letters to enter vs your email address which is significantly more.

Link to post
On 2/7/2019 at 11:16 PM, toe_head2001 said:

 

I see it.

 

forum-signin.png

 

Yes, this. And also the same is displayed on the full login page.

 

Also the 3 tries are needlessly few. This is not some website that's a target for hacking. There's no money in hacking an account.

 

23 hours ago, Ego Eram Reputo said:

 

Um no. The username is particular to you once registered. It's only five letters to enter vs your email address which is significantly more.

 

You missed my point. My usernames vary across websites so I don't always know which one to use on websites I don't visit frequently. (Especially if I can't use any of my favored ones).

Also the length of the e-mail address doesn't matter because it's in the form history, since it's commonly used for logins.

  • Like 1

Link to post
46 minutes ago, avada said:

Also the 3 tries are needlessly few. This is not some website that's a target for hacking. There's no money in hacking an account.

 

Why would someone lax security just because it's not critical? Three tries I think is a fairly standard practice for sites regardless of the content/purpose.

 

The problem appears to be that you don't remember your login details, not an issue with the forum login system. The login system here isn't much different from others on other social platforms, except lacking something like 2FA of course. 

 

To solve the actual issue here, I think you should take advantage of the username and password saving feature in Chrome (if that's what you're using) or store your login details in a place that you're most comfortable with. Some examples to look at are 1Password, LastPass, or if you don't trust online mediums, a local offline tool, KeePass. Or just write them down on paper/notecards.

 

However, when trying to log in with just my email it does not appear to work as you've said. Only the username appears to work. It's probably something to be brought up to the forum software InvisionCommunity which this is based off of.

Edited by SodiumEnglish
  • Upvote 1

Link to post
Quote

Also the 3 tries are needlessly few.

Wholeheartedly agreed. I'd give 4 attempts, maybe with a warning it will result in a temporary lockout, etc.

Don't forget that Avada brings up that the email address isn't accepted to log in, which is important if true.

 

Quote

Why would someone lax security just because it's not critical?

For usability. We could tighten it down to one attempt, theoretically, and permanently lock out the account on failure until an admin intervenes. That's the most secure solution, but is it good? I'd say not. I'd even go as far as to agree that 3 is too few.

 

You can read more about it; this source has a variety of answers, one of which includes 3 attempts with a 5 minute timeout on failure, and that's for logging into a user account on an operating system; surely more important than this site: https://ux.stackexchange.com/questions/73565/how-many-atempts-should-you-give-a-user-before-invalidating-his-password. So weigh on it critically from both a security and usability standpoint.

 

Probably someone will chime in that it'll be looked at or not in scope, that's fine. Just want to make sure it's known.

Edited by Joshua Lamusga

Link to post
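The policy weighed in the post above (three attempts, a warning of how many tries remain, then a 5 minute temporary lockout), as an added example that is not part of the original thread and not Invision Community's code. The `LoginThrottle` class, its in-memory storage and the injectable clock are assumptions made for illustration.

```python
import time

MAX_ATTEMPTS = 3          # the limit debated in the thread
LOCKOUT_SECONDS = 5 * 60  # the 5 minute timeout from the linked answer


class LoginThrottle:
    """Hypothetical per-account failure counter with a temporary lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock      # injectable so the lockout can be tested
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time at which the lockout ends

    def attempt(self, account, password_ok):
        """Record one login attempt and return (status, detail).

        ("ok", None)          login accepted, counter cleared
        ("failed", remaining) wrong credentials, tries left before lockout
        ("locked", seconds)   account locked, seconds until it unlocks
        """
        now = self.clock()
        until = self.locked_until.get(account)
        if until is not None:
            if now < until:
                # While locked, even a correct password is refused.
                return ("locked", int(until - now))
            # The lockout is temporary: it expires and the counter restarts.
            del self.locked_until[account]
            self.failures.pop(account, None)
        if password_ok:
            self.failures.pop(account, None)
            return ("ok", None)
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        remaining = self.max_attempts - count
        if remaining <= 0:
            self.locked_until[account] = now + self.lockout_seconds
            return ("locked", self.lockout_seconds)
        # Returning the remaining tries lets the form warn the user.
        return ("failed", remaining)
```

Raising `max_attempts` to 4 or 5 changes only the threshold; the lockout still expires on its own, so no administrator has to intervene.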
11 hours ago, SodiumEnglish said:

The problem appears to be that you don't remember your login details, not an issue with the forum login system. The login system here isn't much different from others on other social platforms, except lacking something like 2FA of course.  

The forum login lies and that alone eats up the three tries... I just mentioned the other as a potential issue.

 

11 hours ago, SodiumEnglish said:

Three tries I think is a fairly standard practice for sites regardless of the content/purpose.

 

I'd say 5 is more the norm, from my experience. Also, usually other logins are nice enough to warn me after the first failed try that I have four tries left.

 

11 hours ago, SodiumEnglish said:

Why would someone lax security just because it's not critical?

 

The measures should be in sync with the value of what it protects as Joshua points out. The forum could force everyone to buy custom hardware keys and take fingerprints from everyone via a security firm while also mandating a 100 character password x number of letters-small-and-large/numbers/special characters. And lock out on the first failure, so you need to personally appear at whichever country/address to restore your credentials (after exhaustive biometric and DNA testing of course)

How could you think compromising this level of security for convenience and monetary reasons?

Link to post

Email address isn't accepted - it just tells you the wrong password has been used. (In Chrome at least)

 

Rights or wrongs of only 3 log in attempts is down to forum software ?

 

I'm struggling to understand tho' when you've made 27 posts why you don't just use avada knowing that the email doesn't work ?

Then you won't get locked out. ?  A lot of people say I'm lacking something so I could be missing the point here  🤔

Link to post
3 hours ago, welshblue said:

Email address isn't accepted - it just tells you the wrong password has been used. (In Chrome at least)

 

Rights or wrongs of only 3 log in attempts is down to forum software ?

 

I'm struggling to understand tho' when you've made 27 posts why you don't just use avada knowing that the email doesn't work ?

Then you won't get locked out. ?  A lot of people say I'm lacking something so I could be missing the point here  🤔

 

You would with 6000+ posts... I made those 27 over years, when I had something to ask or talk about. Usually I only remember what's wrong when I'm locked out.

 

And as you pointed out the forum lies twice. First that I can use the e-mail, and second that I used the wrong password, which also implies that the username was fine.

Link to post

If I remember correctly Invision Community uses Brute Force Protection in that it will lock accounts temporarily if too many attempts are made

** Maybe it's something beyond the Admin control ?

 

Now you're in maybe make a text file of Password etc ?

 

** If it is or isn't, as someone who had their ebay account hacked last year I'm grateful of strong security on any website

(Didn't cost me a penny thankfully, just a few opened cases against me and the indignation that someone tried to buy among other things, a set of padlocks to keep their things safe 🤨)

Link to post
