Author Topic: Logging out problem  (Read 22826 times)

Offline Dungeon Master

  • Benevolent Dictator
  • Administrator
  • Posts: 392
  • Head Honcho
  • Location: Canberra
Logging out problem
« on: February 14, 2011, 09:50:37 PM »
Dear members


This topic has been discussed on the "Bug Report" thread, but deserves a thread of its own.


Some members are experiencing a problem where, although they choose the "Always Logged In" option, they seem to get logged out at random times, requiring a new log-in each time. Especially frustrating when it happens frequently, and during making a post.


I have been looking into this problem. It seems that the cause is spambots accessing member usernames (but not passwords) and trying to gain access by guessing passwords. If they fail to guess (currently 3 times), the member gets logged out. If you are not familiar with what a spambot is, read this. Note that these are automated programs that focus on particular log-in systems, in this case SMF forum. Their aim is to get access to a member's account, and then post Spam on the forum.


What I am doing to address this: 
  • Increased the failed login threshold so that members don't get logged out after 3 spambot attempts
  • Made memberlists invisible to non-members
  • enabled an error log database so I can track failed logins and collect their IP addresses
  • once I tally enough IP addresses, I can add them to a list of automatically denied IP addresses
 

It will take a few days or weeks to collect the IP addresses and add them to the list of banned addresses.


What you can do in the meantime:
   
  • Make your Displayed Name different to your actual Username. You can do this in your Profile --> Account Settings. Your displayed name is shown on every post you make, but if that is not the same as your actual username (which is not displayed), the bots won't be able to try to log in with your real username. All members currently reporting problems have their displayed name the same as their username.
  • Make sure your password is complicated - definitely not the same as your username, not a dictionary word or a dictionary word with numbers attached. These are just too easy to guess.
  • Log out - clear cache - log in again
  • report back on this thread about success or otherwise.

Note that once the Spambots have your username, even if you change your Display Name, they will keep trying to access your account by repeated guessing of your password. If this is becoming a big problem for you, send me a PM and I can change your actual Username (the one you use to log-in). If you want me to change it, send me your preferred new Username, and don't forget to make sure your Displayed Name is different. Changing your log-in username requires a password reset which is emailed to you, so please ensure you have a valid email address on file with GMG (in your profile). Changing your username does not delete your account - your account remains intact, but with a new username for log-in purposes.

cheers
Rob (now Dungeon Master)

« Last Edit: February 15, 2011, 03:17:55 PM by Dungeon Master »
 Macs are better. They just are.
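
The tally described in the post above (collect failed logins from the error log, then pick IP addresses for the deny list) could look like the sketch below. It is an added example, not part of the original post or of SMF; the log line format, the sample addresses and both thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; this line format is an assumption, not SMF's real error-log schema.
SAMPLE_LOG = """\
2011-02-14 21:01:10 login_failed user=alice ip=203.0.113.7
2011-02-14 21:01:12 login_failed user=alice ip=203.0.113.7
2011-02-14 21:01:15 login_failed user=alice ip=203.0.113.7
2011-02-14 21:02:01 login_failed user=bob ip=203.0.113.7
2011-02-14 21:02:03 login_failed user=bob ip=203.0.113.7
2011-02-14 21:02:05 login_failed user=bob ip=203.0.113.7
2011-02-14 22:10:00 login_failed user=alice ip=198.51.100.23
2011-02-14 22:10:01 login_failed user=bob ip=198.51.100.23
2011-02-14 22:10:02 login_failed user=carol ip=198.51.100.23
2011-02-14 22:10:03 login_failed user=dave ip=198.51.100.23
2011-02-15 08:30:44 login_failed user=carol ip=192.0.2.50
2011-02-15 08:30:59 login_failed user=carol ip=192.0.2.50
2011-02-15 08:31:20 database error: unrelated entry
"""

LINE_RE = re.compile(r"^\S+ \S+ login_failed user=(\S+) ip=(\S+)$")

def tally_failed_logins(log_text):
    """Return {ip: {"attempts": count, "users": usernames tried}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip entries that are not failed logins
        user, ip = match.groups()
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)

def deny_candidates(stats, min_attempts=5, min_users=3):
    """IPs with many failures, or failures spread over many accounts.

    The second test catches bots that stay under a per-account threshold
    by trying each harvested username only once or twice.
    """
    return sorted(
        ip for ip, s in stats.items()
        if s["attempts"] >= min_attempts or len(s["users"]) >= min_users
    )

if __name__ == "__main__":
    print(deny_candidates(tally_failed_logins(SAMPLE_LOG)))
```

The member at 192.0.2.50 who mistyped a password twice stays off the list, which is why the tally keys on the source address and the spread of usernames rather than on any single account's failure count.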

Offline Opus106

  • Veteran member
  • Posts: 9039
  • Bachafugaholic
  • Location: Chennai, India
Re: Logging out problem
« Reply #1 on: February 14, 2011, 11:13:53 PM »
Hi, Rob. Here's something I was thinking about a couple of days ago: when you provide a pair of non-existent username and password to the forum, you'll get a message back saying that "that username does not exist." This is unlike other sites, e.g. GMail, which would say something along the lines of that one or both of the entered values is/are incorrect. Now, I don't know how the forum software is coded, but if somehow the bot is given the information that the username is correct (as in the case when it attempts to login with the display name), then would it not have a foothold, so to speak, on the user's account? It then just has to run through a list of possible passwords without 'worrying' about the username. I realise that a solution to this problem, if it exists, may not solve the issue faced by existing members, but perhaps will, at the least, decrease the chances of new members being logged out frequently. Just thinking out loud.... :)
« Last Edit: February 14, 2011, 11:15:52 PM by Opus106 »
Regards,
Navneeth
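
The difference raised in the post above, a login form that confirms whether a username exists versus one that answers every failure the same way, is shown side by side below. This is an added example, not the forum software's code and not part of the original post; the account name, password, the "Password incorrect." wording and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_db():
    """One constructed account: login name 'member1'."""
    salt = os.urandom(16)
    return {"member1": (salt, _hash("correct horse battery", salt))}

# Dummy credentials so an unknown username costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_enumerable(db, username, password):
    """Behaviour described in the post: the reply reveals which field was wrong."""
    if username not in db:
        return False, "That username does not exist."
    salt, stored = db[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Password incorrect."
    return True, "Welcome."

def login_uniform(db, username, password):
    """Same message and same hashing work whether or not the username exists."""
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if username not in db or not password_ok:
        return False, "Username or password is incorrect."
    return True, "Welcome."

if __name__ == "__main__":
    db = make_user_db()
    for name in ("member1", "no_such_member"):
        print(name, login_enumerable(db, name, "guess"), login_uniform(db, name, "guess"))
```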

Offline Dungeon Master

  • Benevolent Dictator
  • Administrator
  • Posts: 392
  • Head Honcho
  • Location: Canberra
Re: Logging out problem
« Reply #2 on: February 14, 2011, 11:56:05 PM »
That's a good thought - I will put that to the developers, as it is beyond my programming abilities.


However, I think the current problem is that the bots have harvested existing usernames. All members reporting problems had their Username the same as the Displayed Name, and so the Username was visible to all (members, guests and bots). I did too, but luckily have not had the log-out problems. Having harvested visible usernames, all it has to do is try to guess passwords. After a set number of failed guesses, the forum logs the member out as a security measure.
 Macs are better. They just are.

Offline mc ukrneal

  • Veteran member
  • Posts: 9138
Re: Logging out problem
« Reply #3 on: February 15, 2011, 12:29:04 AM »
   
  • Increased the failed login threshold so that members don't get logged out after 3 spambot attempts
Rob (now Dungeon Master)
I am out of depths here, but is it possible to set things up so that anyone who tries to login when someone is not logged out cannot even get in? That would get rid of the problem. Of course, I have no idea if what I am suggesting is a major programming task - I guess you'll let us know.   :) After that... :-X
Be kind to your fellow posters!!

Offline George

  • Veteran member
  • Posts: 6394
  • Hey Bert!
Re: Logging out problem
« Reply #4 on: February 15, 2011, 03:58:00 AM »
Note that once the Spambots have your username, even if you change your Display Name, they will keep trying to access your account by repeated guessing of your password. If this is becoming a big problem for you, send me a PM and I can change your actual Username (the one you use to log-in). If you want me to change it, send me your preferred new Username, and don't forget to make sure your Displayed Name is different.

PM sent.

"I can't live without music, because music is life." - Yvonne Lefébure

Offline The new erato

  • Veteran member
  • Posts: 15322
Re: Logging out problem
« Reply #5 on: February 15, 2011, 04:11:29 AM »

Harry

  • Guest
Re: Logging out problem
« Reply #6 on: February 15, 2011, 07:23:28 AM »
PM sent

Offline mc ukrneal

  • Veteran member
  • Posts: 9138
Re: Logging out problem
« Reply #7 on: February 15, 2011, 07:42:45 AM »
Do you think it is safe to assume that the username is still ok if the logging out has only occurred a few times? Or would you suggest changing the username with even that small number? I have upped the security of my password to include numbers, symbols, and capital letters, so they are highly unlikely to hit upon the combination, but still. Better to be safe than sorry.
Be kind to your fellow posters!!

Offline DavidRoss

  • Veteran member
  • Posts: 7590
  • Location: Northern California
Re: Logging out problem
« Reply #8 on: February 15, 2011, 09:39:18 AM »
Well, I tried the name change but I'm still getting logged out by the system.  Just a minor irritant, no big deal.
"Maybe the problem most of you have ... is that you're not listening to Barbirolli." ~Sarge

"The problem with socialism is that sooner or later you run out of other people's money." ~Margaret Thatcher

Offline Gurn Blanston

  • Haydn: that genius of vulgar music who induces an inordinate thirst for beer - Mily Balakirev (1860)
  • Global Moderator
  • Posts: 32211
  • Support your local Haydn Society
    • Gurn's Haydn Blog
  • Location: Texas, where else?
  • Currently Listening to:
    Haydn, I reckon.
Re: Logging out problem
« Reply #9 on: February 15, 2011, 11:05:46 AM »
Do you think it is safe to assume that the username is still ok if the logging out has only occurred a few times? Or would you suggest changing the username with even that small number? I have upped the security of my password to include numbers, symbols, and capital letters, so they are highly unlikely to hit upon the combination, but still. Better to be safe than sorry.

Neal,
Well, I can only speak from my dim understanding, but they already know your and my user names, having gleaned them earlier, so they will keep hacking away at those. They are welcome to some good luck with my combination 12 character password though, according to the Business Week password guide, a mixed 9 character password takes about 44,000 years to crack. 12 should be exponentially better. Shit, I hope I don't forget it! :o :o   :D

8)
« Last Edit: February 15, 2011, 11:36:57 AM by Gurnatron5500 »
Help support GMG by purchasing from Amazon using this link

Visit my Haydn blog: HaydnSeek

Follow me on Twitter @GurnBlanston106

Offline Gurn Blanston

  • Haydn: that genius of vulgar music who induces an inordinate thirst for beer - Mily Balakirev (1860)
  • Global Moderator
  • Posts: 32211
  • Support your local Haydn Society
    • Gurn's Haydn Blog
  • Location: Texas, where else?
  • Currently Listening to:
    Haydn, I reckon.
Re: Logging out problem
« Reply #10 on: February 15, 2011, 11:07:06 AM »
Well, I tried the name change but I'm still getting logged out by the system.  Just a minor irritant, no big deal.

You should feel loved, they are still hacking away at you. If your password is decent, you shouldn't have a problem. I have the same issue. It gives me a warm and fuzzy.... :)

8)

Offline DavidRoss

  • Veteran member
  • Posts: 7590
  • Location: Northern California
Re: Logging out problem
« Reply #11 on: February 15, 2011, 11:26:23 AM »
You should feel loved, they are still hacking away at you. If your password is decent, you shouldn't have a problem. I have the same issue. it gives me a warm and fuzzy.... :)



Uh, "password" is a good password, right?
"Maybe the problem most of you have ... is that you're not listening to Barbirolli." ~Sarge

"The problem with socialism is that sooner or later you run out of other people's money." ~Margaret Thatcher

Offline Gurn Blanston

  • Haydn: that genius of vulgar music who induces an inordinate thirst for beer - Mily Balakirev (1860)
  • Global Moderator
  • Posts: 32211
  • Support your local Haydn Society
    • Gurn's Haydn Blog
  • Location: Texas, where else?
  • Currently Listening to:
    Haydn, I reckon.
Re: Logging out problem
« Reply #12 on: February 15, 2011, 11:35:59 AM »


Uh, "password" is a good password, right?

I prefer 'default' but 'password' should work. Who would guess that?

:D

8)

Scarpia

  • Guest
Re: Logging out problem
« Reply #13 on: February 15, 2011, 12:15:25 PM »
Neal,
Well, I can only speak from my dim understanding, but they already know your and my user names, having gleaned them earlier, so they will keep hacking away at those. They are welcome to some good luck with my combination 12 character password though, according to the Business Week password guide, a mixed 9 character password takes about 44,000 years to crack. 12 should be exponentially better. Shit, I hope I don't forget it! :o :o   :D

8)

By telling them your password is 12 characters you have made it dramatically easier for them to guess.   :P

Offline Gurn Blanston

  • Haydn: that genius of vulgar music who induces an inordinate thirst for beer - Mily Balakirev (1860)
  • Global Moderator
  • Posts: 32211
  • Support your local Haydn Society
    • Gurn's Haydn Blog
  • Location: Texas, where else?
  • Currently Listening to:
    Haydn, I reckon.
Re: Logging out problem
« Reply #14 on: February 15, 2011, 12:38:45 PM »
By telling them your password is 12 characters you have made it dramatically easier for them to guess.   :P

Not if I was lying...  $:)

8)

Offline Dungeon Master

  • Benevolent Dictator
  • Administrator
  • Posts: 392
  • Head Honcho
  • Location: Canberra
Re: Logging out problem
« Reply #15 on: February 18, 2011, 04:58:40 PM »
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?


cheers
Rob
 Macs are better. They just are.

Offline George

  • Veteran member
  • *
  • Posts: 6394
  • Hey Bert!
Re: Logging out problem
« Reply #16 on: February 18, 2011, 05:09:40 PM »
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?


cheers
Rob

Indeed, it is, I am happy to report. Much thanks, Rob!  :)
"I can't live without music, because music is life." - Yvonne Lefébure

Offline Gurn Blanston

  • Haydn: that genius of vulgar music who induces an inordinate thirst for beer - Mily Balakirev (1860)
  • Global Moderator
  • *
  • Posts: 32211
  • Support your local Haydn Society
    • Gurn's Haydn Blog
  • Location: Texas, where else?
  • Currently Listening to:
    Haydn, I reckon.
Re: Logging out problem
« Reply #17 on: February 18, 2011, 06:06:29 PM »
Those of you for whom I have changed your log-in username, can you tell me if the log-out problem is now solved?


cheers
Rob

Oddly enough, I now have the problem, when I didn't have it previously. I have to re-log in 3 or 4 times a day now. :)

8)

----------------
Now playing:
Christine Schornsheim - Schulz Op 1 #6 Larghetto con Variazioni for Keyboard

Willoughby earl of Itacarius

  • Guest
Re: Logging out problem
« Reply #18 on: February 18, 2011, 11:22:28 PM »
The problem is solved Rob. :)

Offline Holden

  • Veteran member
  • Posts: 2064
Re: Logging out problem
« Reply #19 on: February 18, 2011, 11:59:13 PM »
The problem is solved Rob. :)
.....but not for me.

I use the 'go to unread topics' option and while I can read all threads on page one, when I click on page two I get asked for my logon and password and then get nothing on page two. Is it possible to resolve this? It's annoying me to the point where I just want to walk away from the forum.
Cheers

Holden